There is hardly any major business that will not be affected by the entry into force of the EU General Data Protection Regulation (GDPR) on 25 May. In addition to that, the financial services providers need to prepare for and be compliant with even more regulations. In recent weeks, Bulgaria has finally implemented (a bit behind schedule) important directives that directly impact the country’s financial sector.


A new Markets in Financial Instruments Act (“MiFIA”) was approved by parliament and entered into force on 16 February 2018. The act brings Bulgarian legislation governing the markets in financial instruments in line with Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (“MiFID II”). The new MiFIA is designed to offer greater protection for investors and increased transparency of the financial instruments markets and to prevent unregulated trading.

The new law builds on the existing legal regime governing the organisation and activity of investment firms and regulated financial markets and introduces several new points. The most important changes include, among others:

  • the introduction of more stringent rules for investment firms and their managing and supervisory boards by refining the requirements that the members of the boards must fulfil;
  • ensuring transparency of the financial instruments markets by setting out detailed obligations for investment firms to store records of all correspondence with clients;
  • expansion of the regulatory and supervisory powers of the Financial Supervision Commission;
  • the possibility for investment firms to enter into contracts with tied agents;
  • new requirements for performing algorithmic trading on the part of investment firms;
  • introduction of a “growth market” - a new type of multilateral trading system aimed at small- and medium-sized businesses to raise capital through the capital market;
  • setting out requirements for establishing quotation steps for shares, depositary receipts, exchange-traded funds, certificates and other financial instruments.

The Bulgarian MiFIA goes further than the minimum obligations set out in MiFID II in the following areas:

  • Article 30 “Transactions executed with eligible counterparties” – the new law contains an non-exhaustive list of entities (both EU-based or third country-based) which will from now on be recognized as eligible parties without the need for them to explicitly request to be treated as such (as was the rule until now);
  • Article 39 “Establishment of a branch” – the new law now provides for a more detailed regime on the establishment, licensing and activities of branches of third-country investment firms.


The Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market) (“PSD2”) was implemented in Bulgaria in the entirely new Payment Services and Payment Systems Act (“PSPSA”). The act entered into force on 6 March 2018.

The main points tackled in PSD2 include creating an equal playing field for payment service providers through improving payment efficiency and expanding the accessibility of customer account information, while strengthening customer protection and the security of payment processing.

The changes introduced in the new PSPSA related to payment services and their security include:

  • introduction of new types of payment services – (i) payment initiation services; and (ii) account information services, along with a detailed regulation of the activity of the providers that would offer them;
  • expansion of the territorial scope of the act by addressing payment transactions in which one party is not in the EU;
  • refining the existing procedure for licensing of payment and e-money institutions through the introduction of additional and detailed requirements;
  • strengthening the security of remote payments processing through ensuring secure connections and elaborate authentication of the customer.

In relation to customer protection, the following changes have been introduced:

  • decrease of the maximum loss of a customer in the event of fraud from BGN 300 to BGN 100;
  • new details on the requirements regarding the applicable information that payment institutions must provide to clients;
  • new legal framework regarding risk management procedures and incident reporting;
  • refined complaint resolution procedures; and
  • increased sanctions for infringements of the law.

Some of the optionality provided for in PSD2 has been used in the Bulgarian implementation of the law.

Areas in which the Bulgarian implementation of the law goes further than the minimum obligations in PSD2 are as follows:

  • Article 8 “Own funds requirement” – Bulgarian legislation requires payment institutions, including payment institutions included in the consolidated supervision of a parent credit institution, to have their own funds at any time of their activity, with the exception of payment institutions that offer payment initiation services;
  • Article 29 “Information requirements” – payment institutions having agents or branches in Bulgaria are required to report information to the Bulgarian National Bank on activities carried out in Bulgaria. These institutions shall also appoint a central contact point to ensure information reporting, for both statistical purposes and payment supervision purposes;
  • Article 74 “Limitation of payer’s liability” – a payer’s liability for unauthorised payment transactions has been reduced.

4th AML Directive

The Bulgarian parliament voted into law a bill that will repeal and replace the existing Act on the Measures against Money Laundering (the “New AMML”). The New AMML, which has been promulgated on 27 March 2018 and will enter into force on 31 March 2018, is meant to transpose Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the “4th AML Directive”).

The New AMML changes significantly the current regulatory framework and introduces the following main changes:

  • amendments in the list of obliged entities, whereby now the list includes also market operators and/or regulated markets;
  • prohibition from keeping anonymous accounts or anonymous passbooks;
  • amendments related to risk assessment before entering into certain transactions, whereby the risk assessment could be a simplified or an extended one depending on the particular risk level;
  • extended definition of politically exposed persons, which now refers also to members of the managing bodies of political parties;
  • specific rules on the registration of the ultimate beneficial owners of corporate and other legal entities established in Bulgaria (for more in-depth analysis, please see our article;
  • better mechanisms for cooperation between national intelligence services in light of detection and prevention of criminal activities and in particular „tax crimes”.

It is expected that further secondary regulations to be enacted by the respective Bulgarian authorities will shed more light on the application in practice of these new rules.