FINTECH 2024
BULGARIA
Damian Simeonov, Nikolay Zisov, Svetlina Kortenska, Georgi Drenski, Stela Sabeva
FINTECH LANDSCAPE AND INITIATIVES
General innovation climate
- What is the general state of fintech innovation in your jurisdiction?
According to recent statistics reported by the Bulgarian Fintech Association, in 2022 there were 156 fintech companies in the country, most of them being small and medium-sized enterprises. In addition to these companies, most of the traditional financial institutions have made significant progress in digitalization of their financial services. Currently, most of the Bulgarian banks offer advanced digital solutions, including mobile banking applications, digital customer loans and instant digital payments (e.g, ApplePay). Some telecom operators also provide digital wallets and the ability to make payments through them. According to recent industry analysis, the largest contributor to the peak performance in the sector seems to be the digital payments segment, followed by enterprise technology provisioning companies, which enable application programming interface, management, cloud computing, artificial intelligence, machine learning and natural language processing, et cetera.
Government and regulatory support
- Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?
The Bulgarian government supports the fintech industry in various ways.
The competent regulator, the Financial Supervision Commission, is increasingly active in the sector. It adopted a strategy for monitoring financial innovation for the period 2021–2024. The strategy outlines the main approaches of action – monitoring of fintech development, assessing possible risks for the market and the consumers, and potential actions and measures to minimize them to maximize the benefits of growing interest in innovative financial products or technologies in compliance with regulatory requirements. InvestBulgaria, the Bulgarian investment promotions agency, provides active assistance and governmental support to foreign investors in the fintech sector. The agency aims to facilitate potential and existing direct investors with the implementation and establishment of their investment projects in Bulgaria through the provision of individualized administrative services and the implementation of various incentive measures.
Last, the Bulgarian government and private universities in Bulgaria encourage and develop various educational initiatives and programmes in the fintech sector. In February 2021, the Council of Ministers adopted the National Financial Literacy Strategy and respective Action Plan 2021–2025. The Action Plan provides specific measures aimed at developing educational content for digital financial services and products.
FINANCIAL REGULATION
Regulatory bodies
- Which bodies regulate the provision of fintech products and services?
The Bulgarian National Bank (being the national central bank, as well as the banking regulator) regulates the activities of credit institutions (banks), non-banking financial institutions, e-money institutions and providers of payment services. The activity of investment firms is regulated by the Financial Supervision Commission.
Regulated activities
- Which activities trigger a licensing requirement in your jurisdiction?
Pursuant to article 2 of the Credit Institutions Act, receiving deposits or other repayable funds from the public, as well as acceptance of valuables on deposit and acting as a depository or trustee institution within the territory of the Republic of Bulgaria, may be carried out only by a bank licensed by the Bulgarian National Bank, a bank that has been granted a banking license by the competent bodies of a European Economic Area (EEA) member state or a bank from a third country, which has been granted a license by the Bulgarian National Bank to conduct banking business in Bulgaria through a branch. ‘Receiving deposits or other repayable funds from the public‘ means receiving deposits or other repayable funds from more than 30 persons who are not banks or other institutional investors. Where bonds or other debt securities are issued under terms and procedures other than the Public Offering of Securities Act, receiving deposits or other repayable funds from the public exists where:
- bond issues or other debt securities issues have been acquired at an initial offering by more than 30 persons who are not banks or other institutional investors;
- this is one of the principal activities of the issuer; and
- the issuer grants credits by the nature of trade thereof or provides other financial services by the nature of trade thereof.
Pursuant to the Credit Institutions Act, only a financial institution established and registered in Bulgaria and entered into a register maintained by the Bulgarian National Bank or a financial institution having its registered office in an EEA member state that has passported its activity in Bulgaria, may perform the following activities on the territory of Bulgaria as business and if this activity represents an essential part of its overall activity:
- financial leasing;
- guarantee transactions;
- acquisition of loan receivable and other types of financing (factoring, forfeiting, et cetera);
- acquiring shareholdings; and
- granting loans with funds that have not been raised from receiving deposits or other repayable funds from the public.
The requirements for such registration and the criteria to determine ‘essential activity‘ are set out in an ordinance issued by the Bulgarian National Bank.
The provision of investment services requires an investment intermediary‘s license issued or ‘passported‘ for Bulgaria in accordance with the Bulgarian Markets in Financial Instruments Act, which transposes Markets in Financial Instruments Directive II (MiFID II). Bulgaria is an EU member state thus applying directly the Markets in Financial Instruments Regulation and related EU regulations with respect to requirements on undertaking investment services activities.
To sum up, investment services may be provided either by credit institutions licensed or passported to provide investment services or by investment intermediaries licensed or passported to provide investment services. While the Bulgarian National Bank is the primary regulator for credit institutions acting in cooperation with the Financial Supervision Commission so far as MiFID II activities are concerned, the Financial Supervision Commission is the exclusive regulator for investment intermediaries.
Consumer lending
- Is consumer lending regulated in your jurisdiction?
Lending to consumers may be provided as a business only by banks licensed by the Bulgarian National Bank or passported for the territory of Bulgaria or by financial institutions registered in the register of financial institutions maintained by the Bulgarian National Bank or operating from their seat outside Bulgaria on an unsolicited cross-border basis.
Secondary market loan trading
- Are there restrictions on trading loans in the secondary market in your jurisdiction?
Banks are allowed to purchase loan receivables provided that this activity is a part of their license. A non-banking entity can perform such activity on the territory of Bulgaria, if such activity represents an essential part of its overall activity, only after it has been registered as a financial institution by the Bulgarian National Bank or has passported its activity for Bulgaria. Lending activity is deemed ‘essential‘ when it represents not less than 30 percent of the overall activity of the entity pursuant to its financial statements.
Collective investment schemes
- Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.
Collective investment schemes (CIS) in Bulgaria are regulated by the Collective Investment Schemes and Other Undertakings for Collective Investments Act (CISOUCIA).
The activities of CISs and other collective undertakings, as well as of the CIS managers and terms of conduct of their business, are regulated by the Financial Supervision Commission (FSC), Investment Activity Supervision Department, and respectively by the Deputy Chairperson of the FSC in charge of Investment Activity Supervision. A license for pursuit of business as a CIS or for common fund organization and management is granted by the FSC.
The Bulgarian CISOUCIA (as in other EU jurisdictions) adopts a holistic approach to all CIS (including regulation of alternative investment funds, undertakings for collective investments in transferable securities and exchange-traded funds). It also outlines the rules on regulatory authorization of the administration, marketing and compliance with investment rules. In principle, management and distribution of CISs (namely, marketing, promotion and advertising) may only be carried out by licensed or authorized entities.
The FSC applies in its supervisory practice the recommendations and guidelines of the European Securities and Markets Authority and of the European Banking Authority in accordance with article 13, paragraph 1, item 26 of the Financial Supervision Commission Act.
Crowdfunding is subject to Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937 (Crowdfunding Regulation). The application of the EU Crowdfunding Regulation is effective since the end of 2021 and its national application is secured by specific references in the Bulgarian Public Offering of Securities Act.
Whether a fintech company falls within the scope of this regulatory regime will depend on the exact nature of its business and the type of activities being carried out. The regulatory assessment shall be made in each particular case of companies providing alternative finance products, including peer-to-peer lending or crowdfunding platforms.
Alternative investment funds
- Are managers of alternative investment funds regulated?
Bulgaria is an EU member state and applies the Alternative Investment Fund Managers Directive 2011/61/EU as transposed in the CISOUCIA. Hence, a license is required for alternative investment fund managers if they manage directly or indirectly alternative investment funds, the value of whose assets, as determined under Commission Delegated Regulation (EU) No. 231/2013 of 19 December 2012 supplementing Directive 2011/61/EU of the European Parliament and of the Council with regard to exemptions, general operating conditions, depositaries, leverage, transparency and supervision (OJ L 83/1 of 22 March 2013) in the aggregate exceeds:
- the Bulgarian leva equivalent of €100 million, including assets acquired using leverage; and
- the Bulgarian leva equivalent of €500 million, where portfolios consist of alternative investment funds not making use of leverage, and for which the right of redemption may not be exercised for a period of five years from the date of the initial investment in each of these alternative investment funds.
An EU management company will be able to undertake activity in Bulgaria either under the right to establishment or under the freedom to provide services following the conduct of the respective EU passporting procedure as set out in the CISOUCIA by notification made via its home regulator to the FSC.
An alternative fund manager requires registration in the FSC if it meets the regulatory qualification requirements that are set out in the CISOUCIA.
Peer-to-peer and marketplace lending
- Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.
Bulgarian law does not regulate specifically peer-to-peer lending. If such activity is performed on the territory of Bulgaria the general regulatory regime of lending applies unless it is considered crowdfunding where the respective EU crowdfunding regulatory regime would be applicable.
Crowdfunding
- Describe any specific regulation of crowdfunding in your jurisdiction.
Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business is in force and applies directly in Bulgaria. Bulgarian legislation provides that the competent authority under the Regulation, including for licensing, shall be the Financial Supervision Commission or, with respect to the banks, the Bulgarian National Bank.
Invoice trading
- Describe any specific regulation of invoice trading in your jurisdiction.
The regulatory regime of invoice trading follows the general regime of factoring.
Factoring services can be performed as a business by a licensed bank (if a part of its license) or by a financial institution entered into a register maintained by the Bulgarian National Bank, or by a financial institution having its registered office in an EEA member state that has passported its activity in Bulgaria.
Pursuant to Regulation (EC) No. 593/2008 of the European Parliament and of the Council of 17 June 2008 on the Law Applicable to Contractual Obligations (Rome I), the law governing the assigned receivable, shall determine, inter alia, its assignability, the relationship between the assignee and the debtor, the conditions under which the assignment or subrogation can be invoked against the debtor and whether the debtor‘s obligations have been discharged. As a matter of Bulgarian law, receivables are generally transferable by way of assignment unless the law, the nature of the receivables or the contract do not permit it.
In general, assignment of invoice receivables is not restricted by law or the nature of the receivables but the underlying agreement may prohibit such assignment.
Pursuant to the Consumer Credit Act and the Consumer Credits Related to Immovable Property Act, a creditor may assign its receivables under a consumer loan agreement to a third party only where the consumer loan agreement provides for such a possibility.
Payment services
- Are payment services regulated in your jurisdiction?
Payment services are regulated in the Bulgarian Payment Services and Payment Systems Act (PSPSA), which transposes the EU Payment Services Directive (PSD2). Subject to PSD2 exemptions as set out in article 2 of the Bulgarian PSPSA, an entity intending to provide payment services will need to obtain a license as a payment services provider from the Bulgarian National Bank.
Under the PSPSA, payment services providers are:
- banks within the meaning of the Credit Institutions Act;
- electronic money institutions within the meaning of the PSPSA;
- payment institutions within the meaning of the PSPSA; and
- the European Central Bank and the national central banks of the EU member states when they do not act as monetary policy authorities or bodies performing public authority functions.
EU payment service providers may provide payment services in Bulgaria under the right to establishment or under the freedom to provide services following the conduct of the EU passporting procedure by notifying the Bulgarian National Bank via its home regulator in accordance with the provisions of the PSPSA transposing the respective provisions of PSD2.
Open banking
- Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?
No, there are no such specific laws or regulations although with the transposition of PSD2 in the PSPSA and the regulation of the payment initiation services, and the account information services as payment services, the basic framework for introducing open banking standards (including via application programming interfaces or otherwise) are generally in place.
Robo-advice
- Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.
There are no specific regulations for robo-advisers or other companies that provide retail customers with automated access to investment products. Automated access to investment products through fintech companies in Bulgaria is only possible if the FSC has issued respective investment services licenses.
Fintech companies may provide automated activities related to investment advice (when referring to specific financial instruments after taking into account the personal circumstance of the investor) and portfolio management, but these activities trigger investment intermediary licensing requirements and compliance with the applicable market standards and regulations under MiFID II, MiFIR and the related secondary acts.
Insurance products
- Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?
Selling or marketing insurance products in Bulgaria is a regulated activity and entities providing such service fall under the relevant Bulgarian insurance regulations (which transpose the rules of Directive (EU) 2016/97 (Insurance Distribution Directive)). In this regard, a fintech company may sell or market insurance products under the form of a regulated entity – either as an insurance company, an insurance intermediary (broker or agent) or an ancillary insurance intermediary. The competent regulatory and supervisory body is the Financial Supervision Commission (and its deputy chair in charge for Insurance Supervision), which is empowered to issue licenses to insurance companies (or acknowledge the passportization in Bulgaria of such licenses issued in other EU member countries) and to maintain a register of local insurance intermediaries (or acknowledge the passportization in Bulgaria of similar licenses or registrations issued in other EU member countries).
Credit references
- Are there any restrictions on providing credit references or credit information services in your jurisdiction?
Regulation (EU) No. 462/2013 of the European Parliament and of the Council of 21 May 2013 amending Regulation (EC) No. 1060/2009 on credit rating agencies applies directly in Bulgaria.
CROSS-BORDER REGULATION
Passporting
- Can regulated activities be passported into your jurisdiction?
EU-regulated entities licensed by their EU home regulators are entitled to provide services in Bulgaria under the EU right to establishment or under the EU freedom to provide services in Bulgaria following completion of the respective regulated industry‘s European Economic Area (EEA) passporting procedures for Bulgaria.
The EEA passporting procedure requires notification to be made via the competent home regulatory authority to the respective competent Bulgarian regulators. The notified Bulgarian regulators, namely – the Financial Supervision Commission for insurance, investment services and fund management services, or the Bulgarian National Bank – for credit institutions, payment institutions or e-money institutions, shall recognize the authorization given to the EU regulated entity by its home regulator and shall notify the companies providing services in Bulgaria of any rules of public order or general good (for insurance businesses) to which these have to adhere when operating in Bulgaria and providing regulated services to Bulgarian customers on a cross-border basis.
EU financial institutions (other than credit institutions, payment institutions, e-money institutions, insurance companies or brokers or investment intermediaries) that are subsidiaries of credit institutions can also benefit from an alleviated regulatory authorization to provide lending, financial leasing, factoring and forfeiting services. These shall be registered in the register of financial institutions of the Bulgarian National Bank on the basis of a certificate issued by the home regulator. This alleviated procedure is not available to financial institutions that are not subsidiaries of EU credit institutions because they are not able to obtain a certificate from their home regulator. Such institutions need to establish a Bulgarian entity and register it in the register of financial institutions maintained by the Bulgarian National Bank or provide services from their seat on a non-solicited and irregular basis.
The industry-specific passporting procedures, notifications and documental requirements vary for the different regulated industries but are generally available for EU-licensed institutions.
Requirement for a local presence
- Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?
A fintech company licensed in another EEA member state may passport its activity in Bulgaria and thus would be able to provide services through a branch or directly. In general, a fintech company licensed in a third country needs a license from a Bulgarian regulator.
SALES AND MARKETING
Restrictions
- What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?
In general, marketing of regulated services or activities shall be performed only by an entity that is licensed for such services and activities.
Marketing of financial instruments is subject to the regulatory framework set out in Directive 2014/65/EU on markets in financial instruments. Pursuant to the Markets in Financial Instruments Act, the information that the investment firms provide to their clients and potential clients, including in their advertising materials, must be correct, clear and not misleading. Advertising materials of investment firms must be clearly designated as such.
Marketing of crowdfunding performed in Bulgaria must be done in the Bulgarian language.
CRYPTOASSETS AND TOKENS
Distributed ledger technology
- Are there rules or regulations governing the use of distributed ledger technology or blockchains?
At present, there are no such domestic regulations. Regulation (EU) 2022/858 on Distributed Ledger Technology Market Infrastructures (DLTR), which sets out a pilot regime for the regulation of crypto-assets that qualify as financial instruments within the Union, applies (with some exceptions) as of 23 March 2023. The DLTR defines ‘distributed ledger‘ as an information repository that keeps records of transactions and that is shared across, and synchronized between, a set of DLT network nodes using a consensus mechanism. DLT financial instruments are defined as financial instruments issued, recorded, transferred and stored using distributed ledger technology.
Cryptoassets
- Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?
At present, Bulgarian law does not specifically regulate cryptocurrencies, except for the purposes of anti-money laundering measures. Implementing Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU, Bulgarian law defines virtual currencies and custodian wallet provider and provides for registration of providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers, with the National Revenue Agency (NRA). These providers are obliged entities under the AML legislation.
In addition, the NRA has issued non-binding interpretations on the tax treatment of mining and selling cryptocurrencies. As per these interpretations, cryptocurrencies are considered assets.
When services related to cryptocurrencies are performed as investment, ancillary services or activities under the Markets in Financial Instruments Directive (MiFID), including if financial instruments (such as, eg, contracts for differences or derivatives) are based on cryptocurrencies (namely, a cryptocurrency is the underlying asset of the financial instrument), all requirements of MiFID as implemented in Bulgaria would apply, including the licensing requirements.
If any services related to cryptocurrencies should be qualified as regulated services or activities under CRDIV (Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC), MiFID, PSDII (Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No. 1093/2010, and repealing Directive 2007/64/EC) or e-money European regulations (collectively, the European Legislation), the respective requirements and restrictions of the European Legislation, which have been implemented in Bulgaria, would apply.
We are not aware of any proposed future developments in cryptocurrency regulation at the national level in Bulgaria.
The EU Markets in Crypto Assets Regulation will apply in Bulgaria from its effective date (estimated within the second half of 2024).
Token issuance
- Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?
No.
ARTIFICIAL INTELLIGENCE
Artificial intelligence
- Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?
No. At the end of 2020, the Bulgarian government adopted the Concept Document for the Development of Artificial Intelligence in Bulgaria until 2030. This document clearly shows that Bulgaria prefers to avoid over-regulation (so as not to hamper innovation) and is inclined to leave the regulation of the use of artificial intelligence primarily in the hands of the institutions of the European Union, while dedicating its efforts to the adoption of national transposition measures.
For instance, a draft law for the amendment of the Copyright and Neighboring Rights Protection Act submitted to the Bulgarian parliament in April 2023 aims at transposing into national law the EU DSM Directive 2019/790 providing for certain exceptions allowing for the use of data to train artificial intelligence. However, as at 31 May 2023, said draft has not yet been passed into law.
CHANGE OF CONTROL
Notification and consent
- Describe any rules relating to notification or consent requirements if a regulated business changes control.
The direct and indirect acquisition or increase of qualified participation or control (namely, more than 10, 20, 33 or 50 percent of the total shares or voting rights) in credit institutions, investment intermediaries and insurance companies (and with some variations – in other regulated entities) require preliminary authorization by the competent Bulgarian regulator, subject to restrictions on the right to exercise voting rights until such authorization is obtained or either invalidity or an obligation to transfer the acquired participation in the case no authorization is obtained.
In particular, prior authorization by the Bulgarian National Bank is required for direct or indirect acquisition of a qualified participation or control in a credit institution. Such authorization is granted following notification and submission of supporting documents to the Bank Supervision Department of the Bulgarian National Bank in line with the Credit Institutions Act and the European Banking Authority‘s Guidelines, within 60 days of the receipt of confirmation from the regulator that the notification and the necessary documents are in place.
In extraordinary and objectively occurred circumstances when the acquisition was made before the filing of a notification (e.g, at a stock exchange or indirectly as a result of parent acquisition, a business combination or in cases of corporate reorganizations), the notification may be filed after the acquisition but the acquirer may be prevented from exercising the voting rights until approved by the regulator or the regulator may impose compulsory measures – to restrict the exercise of voting rights or to instruct the sale to diminish the acquirer‘s share participation.
Respectively, a prior authorization is required for the direct or indirect acquisition or increase of a qualified participation in an investment intermediary or an insurance company. The procedure is similar to the procedure applicable to the authorization of the acquisition of a qualified participation or control of credit institutions, save that the competent regulatory authority is the Financial Supervision Commission (FSC), the Investment Activity Supervision Department (for investment firms), and respectively the Insurance Supervision Department (for insurance and reinsurance companies).
The terms for the authorization, as well as the consequences of failure to file and receive authorization, are similar to those applicable to credit institutions. In particular, if the acquisition of a qualified participation and control in an insurance company is made despite a prohibition issued by the FSC, the FSC is entitled to seek invalidation of a decision of the general meeting of shareholders.
A specific instrument to prevent violation of regulatory approval requirements in the case of a direct acquisition of shares in banks and insurance companies is the requirement to submit an opinion to the Central Depositary (banks and insurance companies in Bulgaria issue book-entry shares that are registered in the Central Depositary) issued by the respective regulator (the Bulgarian National Bank or the FSC) on the acquisition before the transfer of shares is registered in the Central Depositary.
In the case of other regulated entities such as financial institutions or insurance brokers, the notification follows the acquisition and does not per se prevent the exercise of voting rights.
FINANCIAL CRIME
Anti-bribery and anti-money laundering procedures
- Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?
Corruption and bribery represent general criminal offenses under the Bulgarian Criminal Code. The Bulgarian Criminal Code also provides for a number of provisions pursuing financial crimes (crimes against the financial and credit system) and cybercrimes. The Criminal Code provides as well that the conduct of a regulated business without a license or permit when such license or permit is required constitutes a criminal offence.
In addition to the criminal offence in cases of corruption, there is a special act of general application aimed at pursuing corruption and providing for civil confiscation of the benefits of crimes separately from the confiscation as a penalty under the Criminal Code.
Regulated fintech companies (credit, payment or e-money institutions, investment intermediaries, insurance companies or insurance brokers) established in Bulgaria, including digital currency exchanges and digital currency custody services providers registered with the National Revenue Agency, are required to apply the Bulgarian anti-money laundering and combating of terrorism financing legislation, as well as specific sanctions under the EU Sanctions regulations.
The anti-money laundering provisions set out in the Bulgarian Measures against Money Laundering Act and the measures on combating terrorism financing set out in the Measures Against the Financing of Terrorism Act apply accordingly.
Financial sector institutions are required to adopt and apply internal rules and apply respective measures to prevent money laundering (customer due diligence and transaction due diligence involving client identification and verification of identification, collecting and safeguarding documents on the purposes and sources of financing, the origin of fund establishment and reporting to the Bulgarian financial intelligence unit – the Financial Intelligence Directorate to the State Agency National Security – in cases of suspicious clients and suspicious transactions).
Financial sector institutions are also obliged to apply measures aimed at preventing of financing of terrorism. They are obliged to freeze the assets of specifically listed persons. Respective sanctions regimes are also applicable either generally or particularly by the respective financial sector institutions, depending on the type and legal grounds of the respective restrictive measures.
Guidance
- Is there regulatory or industry anti-financial crime guidance for fintech companies?
There is no national regulatory or industry anti-financial crime guidance designed in particular for fintech companies although some guidance documents exist, for example, for credit institutions (by the European Banking Authority).
DATA PROTECTION AND CYBERSECURITY
Data protection
- What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
The main legislative act on personal data protection in the European Union is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)), which became directly applicable in Bulgaria as of 25 May 2018.
Rules supplementing the GDPR can be found in the Bulgarian Personal Data Protection Act, which contains a few local rules on data protection and ensures the effective enforcement of the GDPR by the local supervisory authority – the Bulgarian Commission on Personal Data Protection.
The rules on personal data protection do not apply to anonymous or anonymized data as it does not relate to identified or identifiable natural persons and therefore does not constitute personal data.
Bulgarian law does not have significant deviations from the general EU-wide rules. As such, the processing of personal data must comply with the same basic rules and principles applicable within the European Union: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, accountability, privacy by design and by default. Processing of personal data is lawful when based on one of the expressly listed legal grounds: consent, contractual necessity, legal obligation, and legitimate interests, with an additional legal basis required for special categories of personal data. The GDPR imposes significant requirements in view of validity of consent – it must be freely given, specific, informed and unambiguous indication of the data subject‘s wishes given by means of a statement or by a clear affirmative action. Data subjects may benefit from the rights to request access to and rectification or erasure of personal data, or restriction of processing, to object to processing, to withdraw their consent to processing, to data portability, and to lodge a complaint with a supervisory authority.
It is notable that the GDPR imposes a significant burden on businesses in view of keeping detailed records of processing activities, notifying the authorities and affected data subjects regarding data protection breaches, carrying out detailed data protection impact assessments, and appointing a designated data protection officer. The transparency and accountability principles mentioned above also require significant effort in view of detailed notifications to data subjects and keeping documental proof of compliance with the requirements of the GDPR.
Non-compliance with the GDPR could result in administrative sanctions reaching up to €20 million, or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
On the topic of international transfer of personal data to third countries outside the European Union and the European Economic Area, those are permissible in the following cases:
- If the European Commission has decided that the third country ensures an adequate level of protection. Such adequacy decisions have been issued with regard to Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom and Uruguay.
- In the absence of an adequacy decision, the transfer of personal data is permissible if one of the following appropriate safeguards is implemented, as long as enforceable data subject rights and effective legal remedies for data subjects are available:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard data protection clauses adopted by the European Commission; currently, valid are the modernized standard contractual clauses adopted by means of Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
- standard data protection clauses adopted by a supervisory authority and approved by the European Commission;
- an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects‘ rights; and
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects‘ rights.
- In the absence of an adequacy decision or of appropriate safeguards, a transfer of personal data to a third country is permitted only in view of the following derogations for specific situations:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject‘s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; and
- the transfer is made from a register that according to law is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by law for consultation are fulfilled in the particular case.
- In all other cases, a transfer of personal data to a third country is permissible only if it is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller that are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. In such cases, the controller must inform the supervisory authority.
It is important to note that the decision of the Court of Justice of the European Union on Schrems II (Case C-311/18) has further raised the bar for the validity of data transfers to non-adequate third countries, both in view of carrying out a prior transfer impact assessment and in implementing additional safeguards for the protection of personal data (encryption, pseudonymization, et cetera). The European Data Protection Board has issued detailed recommendations on the expected compliance measures in this regard.
Cybersecurity
- What cybersecurity regulations or standards apply to fintech businesses?
The financial services sector is heavily regulated and cybersecurity provisions are already included in various laws and regulations, including those implementing PSD2, Markets in Financial Instruments Directive II and others.
The main pieces of cybersecurity legislation in Bulgaria are the Cybersecurity Act adopted in 2018 and the Ordinance for Minimal Requirements for Network and Information Security adopted in 2019. Those acts implement the NIS Directive with minimal derogations and deviations. They provide for the minimum specific requirements for network and information security that the obliged entities, providers of essential and digital services, public and regulatory authorities, and other providers of public services must observe to create a resilient and stable digital environment. Credit institutions (banks) are included in the list of providers of essential services that are obliged to implement cybersecurity measures as provided in the legislation.
In addition to the local legislation, in 2019, the European Banking Authority adopted ‘Guidelines on ICT and security risk management‘. The Guidelines establish requirements for credit institutions, investment firms and payment service providers on the mitigation and management of their information and communication technology risks and aim to ensure a consistent and robust approach across the single market. Those are generally applicable to payment and e-money institutions.
Insurance companies are under statutory obligation to observe the IT security requirements under the European Insurance and Occupational Pensions Authority (EIOPA) ‘Guidelines on information and communication technology security and governance‘ (EIOPA-BoS-20-600). The Bulgarian Financial Supervision has issued special guidance in this respect.
OUTSOURCING AND CLOUD COMPUTING
Outsourcing
- Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?
There are legal requirements on outsourcing by financial services companies of key functions or material aspects of their business in the applicable Bulgarian laws (e.g, the Payment Services and Payment Systems Act). Although there are no national regulatory guidance documents, Bulgarian regulators strictly apply and follow the EU industry guidance documents such as those adopted by the European Banking Authority (EBA), the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority (EIOPA).
Cloud computing
- Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?
At the national level, there are no specific legal requirements or regulatory guidance for the use of cloud computing in the financial services industry.
It should be noted, however, that the bank supervision authorities have quite broad powers to request and collect information from financial institutions, including to perform on-site inspections. They have the right to free access to all IT systems and offices of financial institutions. Those inspection rights apply also to the IT systems and offices of the subcontractors and service providers, including providers of cloud-based services.
Operators of essential services and key digital service providers, such as search engines, cloud computing services and online marketplaces have to comply with the security and notification requirements under the Cybersecurity Act.
Credit institutions are also strongly recommended to comply with the EBA Recommendations on outsourcing to cloud service providers. The recommendations are intended to clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing.
Insurance companies are obliged to follow the EIOPA ‘Guidelines on outsourcing to cloud service providers‘ (EIOPA-BoS-20-002).
INTELLECTUAL PROPERTY RIGHTS
IP protection for software
- Which intellectual property rights are available to protect software, and how do you obtain those rights?
Computer programs and databases are subject to copyright protection under the Bulgarian Copyright and Neighboring Rights Act. Computer programs are protected as literary works and the protection applies to the expression of a computer program in any form. Ideas and principles that underlie any element of a computer program, including those that underlie its interfaces, are not protected by copyright.
Bulgarian law does not provide for a copyright registration regime or any other administrative measures for the copyright to occur. Copyright arises automatically from the moment of creation of the work, provided that the computer program is original, in the sense that it is the author‘s own intellectual creation and is fixed in tangible form.
Business methods and computer programs as such are not patentable under Bulgarian law. Under certain circumstances, computer-implemented inventions may be subject to patent protection if the patent claims show the presence of a technical effect.
IP developed by employees and contractors
- Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?
As a general rule, the holder of the copyright is the author (namely, the natural person whose creative efforts have resulted in the creation of the respective work). However, as an exception to this rule, the Bulgarian Copyright and Neighboring Rights Act explicitly provides that, unless agreed upon otherwise, copyright in computer programs and databases developed under an employment contract shall belong to the employer. This means that the copyright in software is acquired by the employer with the mere fact of creation of the software (namely, it occurs automatically and no transferring is required to take place).
If the employees in the course of their employment develop any works subject to copyright protection that are different from software and databases (non-software works), then the applicable rule is that the copyright belongs to the employee who created the work (the author). In this case, by operation of law, the employer has the exclusive right to use the product for its purposes that are in line with its usual activities, without the consent of the author and without paying compensation to the author. In practice, this means that the employer cannot obtain the full title in such works but has an exclusive statutory worldwide license to use the product for its purposes that are in line with its usual activities.
The above provisions, however, do not apply if the computer programs or other copyrightable works are developed by contractors or consultants. In such a case, the general rule is that, unless agreed upon otherwise, the holder of the copyright would be the author, and the ordering party may only use the work without the permission of the author for the purposes for which it was ordered. Therefore, in cases of works created by contractors or consultants the intellectual property matters should be dealt with in a contract that should clearly allocate the ownership and the rights of use of the IP assets developed under such cooperation.
Joint ownership
- Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?
In cases of works subject to copyright protection (including software) created by a group of natural persons jointly, the general rule is that the exclusive rights are owned jointly, irrespective of whether the works constitute one indivisible whole or consist of separate parts each having individual significance. The consent of all co-owners is required for any modification of the work or for granting a license for the use of the work. If the co-owners fail to reach agreement among themselves, the issue is to be resolved by the court. The license fee due to the authors for the use of their work shall be distributed among them in shares by mutual agreement. In the absence of an agreement, it shall be considered that all the joint authors‘ shares are equal. In the case of disputes, individual shares shall be determined in court in accordance with the contribution of each of the authors.
In cases of co-ownership of inventions and patents, unless otherwise agreed, each owner may use the invention, but the patent may be assigned or licensed only with the consent of all co-owners.
Trade secrets
- How are trade secrets protected? Are trade secrets kept confidential during court proceedings?
The Trade Secrets Directive (EU) 2016/943 was implemented in Bulgaria by means of the Trade Secret Protection Act, in force as of 5 April 2019.
Apart from the civil law protection introduced by the above Act, trade secrets are also protected under the unfair competition law. In line with the Trade Secrets Directive the Bulgarian Trade Secret Protection Act provides for a legal definition of the term ‘trade secret‘. According to this definition, any information is a trade secret if it meets the following requirements:
- it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
- it has commercial value because it is secret; and
- it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
The most notable element is the reasonable measures that the trade secret owners are required to implement to identify and protect their trade secrets. If companies are unable to show that such steps have been taken, the information may lose its trade secret status. The case law of the Bulgarian courts provides useful guidance with regard to the adequacy of such ‘reasonable steps‘.
The law protects trade secrets against direct unlawful acts – the acquisition, use or disclosure as well as against indirect infringements. The legal remedies available to trade secret owners in the case of unlawful action are generally the same as the legal remedies in cases of IP infringements (namely, stopping the unlawful use and further disclosure of misappropriated trade secrets; removal from the market of goods that have been manufactured on the basis of a trade secret that has been illegally acquired; and right to compensation for the damages caused by the unlawful use or disclosure).
As for the protection of trade secrets in court proceedings, the Bulgarian Trade Secret Protection Act sets forth a special set of rules in this respect. Upon a duly reasoned application by an interested party, the court may take specific measures to preserve the confidentiality of any trade secret or alleged trade secret used or referred to in the course of legal proceedings. In particular, the court may impose the following measures: restricting access to any document containing trade secrets; restricting access to court hearings and to relevant records and minutes by ruling the case to be examined or certain actions to be performed in-camera; making available a non-confidential version of any judicial decision, in which the passages containing trade secrets have been removed or redacted. The court may not restrict access to the information to the persons who are parties to the proceedings and their procedural representatives. However, these persons are obliged to keep the relevant information confidential, otherwise, they will be subject to a fine to be imposed by the court.
Branding
- What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?
Brands can be protected either by registration of national trademarks with the Bulgarian Patent Office or by registration of EU trademarks with the EU Intellectual Property Office. Certain logo designs may also be protected by copyright as artistic works.
Prior to launching their brand or choosing their company name to be used on the local market, fintech businesses should conduct due diligence, including clearance searches in the databases of the Bulgarian Commercial Registry and the databases of the Bulgarian Patent Office and the EU Intellectual Property Office to make sure that the respective brand or company name are not in conflict with earlier third- party rights and are available for registration and use.
Remedies for infringement of IP
- What remedies are available to individuals or companies whose intellectual property rights have been infringed?
There are various remedies against infringements of intellectual property rights under Bulgarian civil and criminal law.
The main remedy is filing a civil litigation case for IP rights infringement where the right holder may request from the court to:
- establish the infringing activity;
- issue against the defendant an injunction prohibiting the continuation of the infringement;
- order the destruction of infringing goods; and
- award compensation for the damages suffered by the plaintiff as a result of the infringement.
In the course of such litigation, it is also possible to file a request for preliminary injunctive measures, such as prohibition on a provisional basis of the continuation of the infringement.
COMPETITION
Sector-specific issues
- Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?
The fintech industry has not been the focus of attention of the Bulgarian competition enforcement authorities yet, and there are no notable local cases and precedents specific to fintech.
That said, in line with the trends in the rest of Europe, the Bulgarian competition authority is showing increasing interest in the digital economy. An illustration of this is the recently initiated sector inquiry into the e-commerce sector, which matches a similar sector inquiry conducted at the EU level previously, by the European Commission.
TAX
Incentives
- Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?
There are no specific tax incentives applicable to the fintech companies. They could benefit from some of the general tax exemptions such as:
- accelerated amortization of the products created for the company as a result of research and development activities of scientific institutes in connection with the main object of activity of the company – the value of the asset could be 100 percent deducted from the company‘s financial results during the year of the acquisition of the asset;
- payment of scholarships to university students – these are recognized as company expenses (subject to certain conditions); and
- hiring of unemployed people – possibility to reduce the financial results for corporate income tax purposes by the amounts paid as salary and social security contributions (certain conditions apply).
Apart from the tax incentives, investments in startups or in existing businesses leading to certain positive results for the economy could be subject to other forms of incentives. An investment in a startup or expansion of an existing business operating in the field of creation of computer program products, activities in the IT field or the provision of information services could become subject to such incentives. The incentives could include various measures, such as accelerated administrative processing in relation to certain administrative processes (often irrelevant to startups in the IT sector that are not to acquire or build buildings) as well as financial incentives (e.g, partial compensation of the expenses incurred in connection with the salaries paid to the newly hired employees, such as social security and medical security expenses or payment of scholarships to the newly recruited employees to complete their education or acquire professional qualification). The provision of different incentives is subject to numerous conditions.
Increased tax burden
- Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?
To the best of our knowledge, Bulgaria is not to develop its own initiatives regarding digital taxation, fintech businesses included. Most likely, if a political decision within the European Union is reached, Bulgaria would follow the rules and policies so determined. However, we could not find any position paper or statement by the Bulgarian government that could shed light on this topic.
IMMIGRATION
Sector-specific schemes
- What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?
Citizens of countries within the European Economic Area and Switzerland are entitled to enter and stay in Bulgaria for three months without the necessity to complete any immigration procedures. They are entitled to work for a Bulgarian company and no work authorization is required. If they intend to stay for more than three months in Bulgaria, they can obtain long-term residence certificates with a term of validity of up to five years.
As a rule, citizens of countries outside the European Economic Area and Switzerland (namely, third-country nationals) may reside and work in Bulgaria only after completion of certain work and residence authorization procedures.
There are different types of work and residence authorization procedures for third-country nationals depending on the duration of the intended assignment in Bulgaria, payroll country, qualification of employees, etc.
The most popular type of permit used in Bulgaria by companies for hiring highly skilled employees is the EU Blue Card.
The application for the EU Blue Card must be sponsored by a Bulgarian company and the entire process includes the following steps:
- the Bulgarian company files an application for work and residence authorization for each employee with the migration authorities in Bulgaria;
- after approval of the work and residence application by the migration authorities in Bulgaria, the employee must apply for a long-term Bulgarian visa at the Bulgarian Embassy in their home country; and
- after the employee comes to Bulgaria with a long-term Bulgarian visa, the employee obtains a work and residence permit card – the EU Blue Card, from the migration authorities in Bulgaria.
The entire process takes three to four months and the employee is entitled to start working for the Bulgarian company after the completion of all steps and the issuance of the EU Blue Card. The term of validity of the EU Blue Card is five years and can be renewed for new five-year terms without limitation.
Bulgaria also started the introduction of a start-up visa programme for high-tech and innovative projects, but regulations are yet to be adopted to implement the programme. The start-up visa would be available only to shareholders of Bulgarian companies and not to employees.
UPDATE AND TRENDS IN FINTECH IN BULGARIA
Current developments
- Are there any other current developments or emerging trends to note?
An encouraging trend that could be noted in recent years is the increasing involvement and support of competent regulators in the fintech sector. The Bulgarian National Bank has shown noticeable flexibility and support in the procedures for licensing of new e-money institutions and has maintained a productive environment for ensuring compliance with the legal requirements for licensing while at the same time maintaining very high supervisory standards.
The Financial Supervision Commission adopted and currently implements a specific Strategy for Monitoring Financial Innovations (FinTech) in the Non-banking Financial Sector in the period 2021–2024. In brief, the strategy sets four main goals in this field:
- establishment of a secure and measurable regulatory environment in which fintech companies can operate, including with respect to the offering of financial products and services or offering of products of entities under the supervision of the regulator;
- analysis and taking of respective regulatory measures for securing safety, stability of the financial services market and protection of the consumers using financial services;
- development of the Innovation Hub – an initiative aiming to establish an effective two-way communication channel between non-banking institutions developing innovative financial services and the regulator; and
- monitoring the development of sandbox regimes and taking measures for their possible implementation by the regulator.
* The authors wish to thank Alexander Chatalbashev, Peter Petrov, Nedyalka Novakova and Deyan Terziev for their assistance in the preparation of this chapter.
* The information in this chapter was accurate as of May 2023.
If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)
You can also download the .docx version here.
“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”
LEGAL CONSULTING SERVICES
090.252.4567NT INTERNATIONAL LAW FIRM
- Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
- Phone: 090 252 4567
- Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam