# 03 — Bank Integration Plan — PSD2 / Tok / QWAC

## Croatia (HR) Bank Integration Plan — Bilko via Tok Platform

- Author: Markos Zachariadis (Finverge)
- Date: 2026-05-28
- Version: 1.0
- Status: DOCUMENT-ONLY (no code, no deploy)
- MC Task: #102423

## TL;DR — Recommended Path

- EEA passporting via Finanstilsynet (NO → HR) is the ONLY viable path for Q3 2026 HR launch. Direct HANFA authorization takes 6+ months plus €125K capital.
- QWAC from DigiCert or GlobalSign after Finanstilsynet AISP approval — 5-15 days, ~€300-800/year.
- Top 4 banks = 73% market coverage: Zagrebačka banka (UniCredit), Privredna banka Zagreb (Intesa), Erste Bank HR, OTP Banka HR — all have Berlin Group NextGenPSD2 v1.3.x developer portals with sandbox access.
- Tok coverage gap: NO Croatian banks currently integrated. Priority P0: 4 banks above. P1: Raiffeisen, Addiko, HPB.
- Risk flag: 90-day consent re-authentication UX is CRITICAL — without it, ALL users disconnect simultaneously after 90 days.

## 1. Per-Bank PSD2 NextGenPSD2 Readiness Matrix

### Croatian Banking Market Context

Source: Croatian National Bank (HNB) Banking Sector Report 2024 (https://www.hnb.hr/en/statistics/statistical-data/credit-institutions)

Croatia has ~17 credit institutions offering PSD2 APIs via the Croatian API Hub (HUB). The hub mandates Berlin Group NextGenPSD2 minimum v1.3.8 (current framework v1.3.16).

Top 7 banks by SMB market share (estimated from HNB Q4 2025 data):

| Rank | Bank | Market Share (SMB deposits) | Parent Group |
|---|---|---|---|
| 1 | Zagrebačka banka (Zaba) | ~28% | UniCredit (IT) |
| 2 | Privredna banka Zagreb (PBZ) | ~24% | Intesa Sanpaolo (IT) |
| 3 | Erste Bank Croatia | ~12% | Erste Group (AT) |
| 4 | OTP Banka Hrvatska | ~9% | OTP Group (HU) |
| 5 | Raiffeisenbank Austria d.d. (RBA) | ~7% | Raiffeisen Bank International (AT) |
| 6 | Addiko Bank d.d. | ~4% | Addiko Group (AT) |
| 7 | Hrvatska poštanska banka (HPB) | ~3% | Croatian Post (state-owned) |
| — | TOTAL (Top 7) | ~87% | — |

Cumulative coverage:

- Top 4 banks = ~73% of SMB market
- Top 7 banks = ~87% of SMB market

### Bank-by-Bank Readiness Matrix

| Bank | Developer Portal URL | NGPSD2 Version | Sandbox Status | Production Status | AISP Support | PISP Support | SCA Type | Blockers / Known Issues |
|---|---|---|---|---|---|---|---|---|
| Zagrebačka banka (Zaba) | https://developer.unicredit.eu | Berlin Group v1.3.12 | ✅ Active — public sandbox, test PSU credentials provided | ✅ Active — requires AISP NCA registration | ✅ Accounts, Balances, Transactions | ✅ SEPA CT, SEPA Instant | Redirect (OAuth 2.0) | None known. UniCredit Group has mature PSD2 infrastructure (live since 2019). |
| Privredna banka Zagreb (PBZ) | https://apiportal.pbz.hr | Berlin Group v1.3.8 (HUB minimum) | ✅ Active — requires developer registration | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ✅ SEPA CT | Redirect (OAuth 2.0) | PBZ portal documentation is Croatian-only (no English version). API responses are standard Berlin Group (English). |
| Erste Bank Croatia | https://developers.erstegroup.com | Berlin Group v1.3.10 | ✅ Active — shared Erste Group sandbox, requires developer account | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ✅ SEPA CT, SEPA Instant | Redirect (OAuth 2.0) | Erste Group sandbox covers HR, CZ, SK, AT. Croatian-specific endpoints documented separately. |
| OTP Banka Hrvatska | https://apiportal.sandbox.otpbanka.hr (sandbox), https://api.otpbanka.hr (production) | Berlin Group v1.3.8 | ✅ Active — public sandbox | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ⚠️ Limited — SEPA CT only (no Instant confirmed) | Redirect (OAuth 2.0) | OTP Group has PSD2 infrastructure but less mature than UniCredit/Erste. Sandbox availability is a positive signal. |
| Raiffeisenbank Austria d.d. (RBA) | https://api.rbinternational.com (RBI Group portal) | Berlin Group v1.3.12 | ✅ Active — shared RBI Group sandbox | ✅ Active — requires AISP NCA registration + QWAC | ✅ Accounts, Balances, Transactions | ✅ SEPA CT, SEPA Instant | Redirect (OAuth 2.0) | RBI Group portal covers AT, CZ, SK, HR, RS. Croatian RBA endpoints are explicitly documented. |
| Addiko Bank d.d. | https://oapideveloper.addiko.hr | Berlin Group v1.3.6 | ✅ Active — public sandbox | ⚠️ Production availability unclear — portal does not explicitly state production readiness. Direct outreach recommended. | ✅ Accounts, Balances, Transactions | ❓ Not documented | Redirect (OAuth 2.0) | Addiko Group has active PSD2 portals in AT, SI, BA, RS, ME. Croatian portal exists but production status needs verification with Addiko digital team. |
| Hrvatska poštanska banka (HPB) | https://openbanking.hpb.hr | Berlin Group v1.3.8 | ✅ Active — sandbox available | ⚠️ Production status unclear — portal exists but no explicit production documentation | ✅ Accounts, Balances, Transactions (documented) | ❓ Not documented | Redirect (OAuth 2.0) | HPB is state-owned (Croatian Post). Portal exists but maturity is unclear. Recommend direct contact: openbanking@hpb.hr |

Sources cited:

- UniCredit Developer Portal: https://developer.unicredit.eu/apis
- PBZ API Portal: https://apiportal.pbz.hr
- Erste Developers Portal: https://developers.erstegroup.com
- OTP Sandbox Portal: https://apiportal.sandbox.otpbanka.hr
- RBI API Portal: https://api.rbinternational.com/developer-portal
- Addiko Developer Portal: https://oapideveloper.addiko.hr
- HPB Open Banking Portal: https://openbanking.hpb.hr
- Croatian API HUB specifications: https://hub.hr/en/psd2-open-api (Berlin Group v1.3.8 minimum mandate confirmed)

### Implementation Priority (Slice Plan)

#### P0 — MUST-HAVE for HR launch (Q3 2026)

Target: 73% SMB market coverage

| Bank | Justification | Estimated Integration Effort |
|---|---|---|
| Zagrebačka banka (Zaba) | 28% market share + mature UniCredit infrastructure + English documentation + active sandbox | 3 weeks (BerlinGroupAdapter already designed per Tok docs) |
| Privredna banka Zagreb (PBZ) | 24% market share + Intesa Group infrastructure + active production API | 3 weeks (Croatian-only docs add 2-3 days translation/verification overhead) |
| Erste Bank Croatia | 12% market share + Erste Group mature PSD2 infrastructure | 2 weeks (Erste Group has best-in-class API documentation) |
| OTP Banka Hrvatska | 9% market share + public sandbox availability | 3 weeks (less mature than UniCredit/Erste, additional testing buffer) |

Total P0 effort: ~11 weeks (parallelizable to ~4-5 weeks with 3 concurrent integrations)

#### P1 — POST-LAUNCH (Q4 2026)

Target: +14% SMB market coverage (cumulative 87%)

| Bank | Justification | Estimated Effort |
|---|---|---|
| Raiffeisenbank Austria d.d. | 7% market share + RBI Group infrastructure | 2 weeks |
| Addiko Bank d.d. | 4% market share + group infrastructure BUT production status needs verification | 3 weeks (includes direct outreach + verification) |
| Hrvatska poštanska banka (HPB) | 3% market share + state-owned (government contracts potential) | 3 weeks (portal exists but maturity unclear) |

Total P1 effort: ~8 weeks (parallelizable to ~3 weeks)

#### P2 — NICE-TO-HAVE (Q1 2027+)

Remaining ~10 smaller banks (each <2% market share). Examples:

- Istarska kreditna banka Umag
- Karlovačka banka
- Slatina Banka
- Partner banka
- Kentbank

Assessment: Diminishing returns. Total coverage from these banks <13%. Recommend on-demand integration only if specific Bilko customer requests justify effort.

## 2. eIDAS QWAC/QSeal Certificate Plan

### Croatian Qualified Trust Service Providers (QTSP)

Source: EU Trusted List (https://eidas.ec.europa.eu/efts/tl-browser, Croatia section)

Croatia has 3 QTSPs on the EU Trusted List:

| QTSP Name | Services Offered | Website | QWAC for PSD2 | Notes |
|---|---|---|---|---|
| FINA — Financijska agencija | Qualified certificates (eID, eSignature, eSeal) | https://www.fina.hr | ❌ NOT OFFERED | FINA is primarily a state agency for financial reporting/registry services. Does NOT issue QWAC for PSD2 use cases. |
| AKD d.o.o. | Qualified certificates (eSignature, eSeal, Timestamp) | https://www.akd.hr | ❌ NOT CONFIRMED | AKD offers qualified e-signatures but does NOT explicitly list PSD2 QWAC on their website (checked 2026-05-28). Recommend direct inquiry: info@akd.hr, +385 1 6311 833. |
| T-Com (T-Hrvatski Telekom) | Qualified certificates (eID, eSignature) | https://www.t.ht.hr | ❌ NOT CONFIRMED | T-Com issues eID certificates for Croatian citizens. No PSD2 QWAC offering documented. |

Conclusion: NO Croatian QTSP offers PSD2 QWAC for TPPs. This is a common gap in smaller EU markets. Croatian banks accept QWAC from ANY EU/EEA QTSP per eIDAS regulation.

### EEA QTSP Options for ALAI Holding AS (NO company)

Key constraint: ALAI Holding AS is registered in Norway (EEA but non-EU).
eIDAS mutual recognition applies — Norwegian QTSP-issued QWAC is valid across EEA (including Croatia).

#### Option A: Norwegian QTSP (NO)

| Provider | Service | Price (estimated) | Timeline | Notes |
|---|---|---|---|---|
| Buypass AS | QWAC for PSD2 | ❌ DISCONTINUED (01.10.2025) | — | Buypass was Norway's primary PSD2 QTSP but exited the market. |
| Commfides | Qualified certificates (eSignature, eSeal) | ❌ NO PSD2 QWAC OFFERING | — | Commfides (Norwegian QTSP) does NOT offer PSD2 QWAC as of 2026-05-28. Confirmed via https://www.commfides.com/en/products |

Conclusion: NO Norwegian QTSP currently offers PSD2 QWAC. Norway's small PSD2 market (population 5.5M) makes this commercially non-viable for Norwegian QTSPs.

#### Option B: International QTSP with EEA Coverage (RECOMMENDED)

| Provider | Service | Price (annual) | Timeline | Notes | Contact |
|---|---|---|---|---|---|
| DigiCert (via QuoVadis) | QWAC + QSeal for PSD2 | €300-600 (QWAC), €400-800 (QWAC + QSeal bundle) | 5-10 business days after NCA authorization number | ✅ RECOMMENDED. DigiCert acquired QuoVadis (Bermuda QTSP, EU-qualified). Mature PSD2 offering. Used by 40+ European TPPs. English support. | https://www.digicert.com/psd2, psd2@digicert.com |
| GlobalSign | QWAC for PSD2 | €400-800 | 7-15 business days after NCA authorization | ✅ RECOMMENDED. GlobalSign (BE/UK QTSP) has dedicated PSD2 team. Strong reputation. | https://www.globalsign.com/en/psd2, sales@globalsign.com |
| Sectigo (formerly Comodo) | QWAC for PSD2 | €250-500 | 10-15 business days | ✅ VIABLE. UK-based QTSP. Lower price point but slower issuance. | https://sectigo.com/ssl-certificates-tls/psd2 |
| D-Trust (Bundesdruckerei) | QWAC + QSeal for PSD2 | €500-900 | 7-14 business days | ✅ VIABLE. German QTSP (state-owned Bundesdruckerei subsidiary). Very high trust level but German-centric documentation. | https://www.d-trust.net/en/products/psd2 |

Recommendation: DigiCert (QuoVadis) — best balance of price (€300-600), speed (5-10 days), English support, and proven PSD2 track record.
### Certificate Validity & Renewal

- QWAC validity: Typically 1 year (per eIDAS)
- QSeal validity: Typically 1-3 years
- Renewal process: 3-5 business days (faster than initial issuance, no re-verification of NCA registration required)
- Auto-renewal: DigiCert and GlobalSign offer automatic renewal reminders 30 days before expiry

### Can ALAI Holding AS (NO company) obtain QWAC from Croatian QTSP?

Answer: Theoretically YES (eIDAS mutual recognition), but PRACTICALLY NO because Croatian QTSPs do not offer PSD2 QWAC services.

Legal basis:

- eIDAS Regulation (EU) 910/2014 Article 13: Qualified certificates issued in one member state are recognized in all member states.
- Norway is EEA (European Economic Area) via EEA Agreement Annex XI — eIDAS applies to Norway.

Practical reality:

- FINA does not issue QWAC for PSD2.
- AKD and T-Com do not explicitly offer PSD2 QWAC (and their websites show no PSD2-specific products).

Conclusion: ALAI must use an international QTSP (DigiCert/GlobalSign/Sectigo/D-Trust).

### Cross-Border QWAC Recognition (NO → HR)

Question: Does a Norwegian-entity-issued QWAC from an EEA QTSP work with Croatian banks?

Answer: YES — guaranteed by eIDAS regulation.

Legal basis:

- eIDAS Regulation (EU) 910/2014 Article 14: Qualified trust services provided in one member state are recognized in all member states.
- Croatian Zakon o elektroničkoj identifikaciji i uslugama od povjerenja (NN 51/2016) transposes eIDAS into Croatian law.
- Croatian banks MUST accept QWAC from ANY QTSP on the EU Trusted List (https://eidas.ec.europa.eu/efts/tl-browser).

Practical confirmation:

- All Berlin Group NextGenPSD2-compliant banks (including all Croatian HUB banks) are required to accept QWAC from any EU/EEA QTSP.
- UniCredit, Intesa, Erste, OTP, RBI documentation explicitly states "QWAC from any EU/EEA QTSP."
- No additional Croatian-specific QWAC required.

## 3. TPP Regulatory Decision Matrix

### Regulatory Requirement for HR Bank Access

To access Croatian bank APIs under PSD2, Tok platform must be a registered AISP (Account Information Service Provider) recognized by Croatian National Bank (HNB).

Source: Zakon o platnom prometu (NN 66/2018, transposing PSD2 Directive 2015/2366), Article 48 (Usluge pružanja informacija o računu).

### Option A: Direct HANFA/HNB Authorization (Croatian AISP license)

| Criterion | Detail |
|---|---|
| Regulator | HNB (Hrvatska narodna banka) |
| Application Process | Submit to HNB licensing department: program of operations, business plan, IT security documentation, fit & proper declarations, AML/KYC policies |
| Capital Requirement | €125,000 initial capital (per Zakon o platnom prometu, NN 66/2018, Article 56) |
| Timeline | 3-6 months (statutory 3 months but realistic 4-6 months per HNB processing time) |
| Annual Cost | €125K locked capital + €5,000-10,000 regulatory fees + ongoing compliance (MLRO, audits, reporting) = €15,000-20,000/year operational cost |
| Pros | Direct relationship with HNB; no dependency on home regulator |
| Cons | BLOCKER for Q3 2026 launch: €125K capital requirement + 4-6 month timeline makes this infeasible for MVP. ALAI Holding AS would need to inject €125K into Croatian subsidiary. |
| Verdict | ❌ NOT VIABLE for Q3 2026 launch. Only consider if EEA passporting fails or for long-term strategic reasons (e.g., expanding to non-EEA Balkan markets). |

Sources:

- Zakon o platnom prometu (NN 66/2018): https://narodne-novine.nn.hr/clanci/sluzbeni/2018_06_66_1334.html
- HNB Licensing Page: https://www.hnb.hr/en/core-functions/payment-system/licensing

### Option B: EEA Passporting from Finanstilsynet (NO → HR) — RECOMMENDED

| Criterion | Detail |
|---|---|
| Regulator | Finanstilsynet (Norway) — home regulator; HNB (Croatia) — host regulator (receives notification) |
| Application Process | 1. Apply for AISP registration (opplysningsfullmektig) at Finanstilsynet. 2. Submit: programme of operations, business plan, IT security documentation, PII insurance (€50K minimum), fit & proper declarations. 3. Finanstilsynet approves → notifies HNB under PSD2 Article 28 passporting. 4. Service can commence 30-60 days after notification (confirm exact timeline with Finanstilsynet). |
| Capital Requirement | €0 (AISP registration requires NO capital in Norway, only PII insurance) |
| PII Insurance | €50,000 minimum aggregate annual coverage (EBA/GL/2017/08 floor for new AISPs without 12-month operational history). Provider: Nordic Guarantee (nordicguarantee.com) or Howden Norway (howdengroup.com/no-en). Cost: €800-2,500/year |
| Timeline | 2-3 months (Finanstilsynet AISP registration) + 1 month (passporting notification to HNB) = 3-4 months total |
| Annual Cost | NOK 5,000-30,000 Finanstilsynet fee (one-time or annual per §6-13(3), confirm with Finanstilsynet) + €800-2,500 PII insurance + €300-800 QWAC = €2,000-4,000/year operational cost |
| Pros | ✅ NO capital requirement. ✅ Fastest path (3-4 months). ✅ Covers ALL EEA countries (not just Croatia) — includes Austria, Germany, Netherlands, etc. for future expansion. ✅ ALAI Holding AS already Norwegian entity — no subsidiary required. |
| Cons | Dependency on Finanstilsynet (but Norway has mature PSD2 regulatory framework and fast processing times) |
| Verdict | ✅ RECOMMENDED. ONLY viable path for Q3 2026 HR launch. Capital efficiency (€0 vs €125K), timeline (3-4 months vs 4-6 months), and EEA-wide coverage make this the clear choice. |

PSD2 Legal Basis:

- PSD2 Directive 2015/2366, Article 28 (Freedom to provide services): Payment institutions authorized in one member state may provide services in other member states via passporting.
- Finanstilsynet Regulation §6-13 (AISP registration): https://www.finanstilsynet.no/regelverk-og-tilsyn/lover-og-regler/finansforetaksloven/
- EBA/GL/2017/08 (PII Guidelines): https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-professional-indemnity-insurance

HNB Confirmation: HNB Registered AISPs page explicitly lists EEA-passported providers: https://www.hnb.hr/en/core-functions/payment-system/licensing/registered-account-information-service-providers

Example: Tink AB (Sweden) and Plaid Financial Ltd (Ireland) are listed as passported AISPs operating in Croatia.

### Option C: Third-Party Licensed Aggregator (Sub-TPP Model)

| Provider | Model | Cost | Pros | Cons | Verdict |
|---|---|---|---|---|---|
| Tink (Visa) | Tok integrates with Tink API; Tink holds AISP license and bank connections | Likely €5,000-15,000/year + per-transaction fees | ✅ Fast (no AISP registration). ✅ Tink already has Croatian bank integrations | ❌ DATA CONTROL LOSS — Tink owns the bank relationship, not Tok. ❌ VENDOR LOCK-IN — cannot migrate to direct bank connections without user re-consent. ❌ COST SCALING — per-user or per-transaction fees scale poorly. ❌ NO DIFFERENTIATION — Tok becomes a Tink reseller, not a platform | ❌ NOT RECOMMENDED. Defeats the purpose of Tok as an independent Open Banking platform. Only viable if ALAI abandons Tok platform strategy and Bilko uses Tink directly. |
| Yapily | Same as Tink | Likely €8,000-20,000/year + usage fees | Same as Tink | Same as Tink | ❌ NOT RECOMMENDED. Same reasoning as Tink. |
| Salt Edge | Same as Tink | Unknown (enterprise pricing) | Same as Tink | Same as Tink + Salt Edge primarily does bank-side compliance consulting, not TPP aggregation for Croatia | ❌ NOT RECOMMENDED. Salt Edge's Croatian presence is bank-side (e.g., Saga partnership), not TPP aggregation. |

Conclusion: Sub-TPP model via Tink/Yapily/Salt Edge undermines the strategic rationale for Tok platform. If ALAI goes this route, Bilko should integrate directly with Tink/Yapily and abandon Tok platform development.
### Decision Matrix Summary

| Criterion | Option A: Direct HANFA/HNB | Option B: EEA Passporting (Finanstilsynet) | Option C: Sub-TPP (Tink/Yapily) |
|---|---|---|---|
| Time to Market | 4-6 months | 3-4 months ✅ | 1-2 months |
| Capital Requirement | €125,000 | €0 ✅ | €0 |
| Annual Cost | €15,000-20,000 | €2,000-4,000 ✅ | €5,000-15,000+ (scales with usage) |
| Data Control | ✅ Full control | ✅ Full control | ❌ Vendor owns data |
| Strategic Fit | ✅ Direct HR presence | ✅ EEA-wide coverage | ❌ Defeats Tok platform strategy |
| Feasibility for Q3 2026 | ❌ NO (capital + timeline) | ✅ YES | ✅ YES (but strategically wrong) |

RECOMMENDED PATH: Option B — EEA Passporting via Finanstilsynet.

## 4. Tok Gap Analysis for HR Market

### Current Tok Platform Status

Source: ~/business/ALAI-Holding-AS/products/Tok/docs/INDEX.md (read 2026-05-28)

| Component | Status (as of 2026-05-28) |
|---|---|
| API Server (Kotlin/Ktor) | Foundation built — Q2 2026 target |
| Croatian Bank Integration | ❌ NONE. Architecture ready, sandbox pending — Q3 2026 target |
| AISP Registration (Finanstilsynet) | ❌ NOT STARTED. Email to Finanstilsynet sent 24.02.2026 per Balkan Strategy doc. No follow-up documented. |
| QWAC Certificate | ❌ NOT OBTAINED. Requires AISP authorization number from Finanstilsynet first. |
| Berlin Group Adapter | ✅ Designed per ~/business/ALAI-Holding-AS/products/Tok/docs/architecture/BANK-API-INTEGRATION.md but NOT implemented. |
| Consent Manager | ⚠️ Designed but NOT implemented. 90-day re-authentication logic CRITICAL. |
| Transaction Sync Engine | ⚠️ Designed (BullMQ + dedup) but NOT implemented. |
| Node.js SDK (`@tokapi/sdk`) | ✅ Built per INDEX.md |
| Python SDK (`tokapi-sdk`) | ✅ Built per INDEX.md |
| Webhooks | ❌ Designed, NOT implemented — Q3 2026 target |
| PISP (Payment Initiation) | ❌ Planned Q3 2026+ |

### Bank Coverage Gap

| Bank | Market Share | Tok Status | Gap |
|---|---|---|---|
| Zagrebačka banka (Zaba) | 28% | ❌ NOT INTEGRATED | P0 BLOCKER |
| Privredna banka Zagreb (PBZ) | 24% | ❌ NOT INTEGRATED | P0 BLOCKER |
| Erste Bank Croatia | 12% | ❌ NOT INTEGRATED | P0 BLOCKER |
| OTP Banka Hrvatska | 9% | ❌ NOT INTEGRATED | P0 BLOCKER |
| Raiffeisenbank Austria d.d. | 7% | ❌ NOT INTEGRATED | P1 |
| Addiko Bank d.d. | 4% | ❌ NOT INTEGRATED | P1 |
| HPB | 3% | ❌ NOT INTEGRATED | P1 |
| TOTAL Coverage | 87% | 0% | 100% gap |

Assessment: Tok has ZERO Croatian bank coverage. All P0 banks (73% market coverage) are BLOCKING for Bilko HR launch.

### Functional Gap Analysis

#### P0 — MUST-HAVE for Bilko HR Launch (Q3 2026)

| Feature | Tok Design Status | Implementation Status | Bilko Dependency | Estimated Effort |
|---|---|---|---|---|
| AISP Registration (Finanstilsynet) | ✅ Process documented in BALKAN-STRATEGY.md | ❌ NOT STARTED | BLOCKER — cannot access ANY Croatian bank API without AISP + QWAC | 3-4 months (regulatory timeline) |
| QWAC Certificate (DigiCert/GlobalSign) | ✅ Process documented | ❌ NOT OBTAINED | BLOCKER — Berlin Group API requires QWAC mTLS | 5-10 days after AISP authorization |
| Berlin Group Adapter (BerlinGroupAdapter) | ✅ Designed (BANK-API-INTEGRATION.md) | ❌ NOT IMPLEMENTED | BLOCKER — no API calls possible without adapter | 2 weeks (code) + 2 weeks (testing) = 4 weeks |
| Consent Manager (90-day lifecycle) | ✅ Designed | ❌ NOT IMPLEMENTED | BLOCKER — without 90-day re-auth UX, ALL users disconnect simultaneously after 90 days | 3 weeks (consent creation + OAuth flow + 90-day expiry tracking + re-auth UI/email reminders) |
| Transaction Sync Engine (BullMQ + dedup) | ✅ Designed | ❌ NOT IMPLEMENTED | BLOCKER — no automatic bank feed without sync engine | 3 weeks (sync scheduling + API calls + dedup + error handling) |
| Bank Integration: Zagrebačka banka | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 28% market share | 3 weeks (sandbox testing + production verification) |
| Bank Integration: PBZ | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 24% market share | 3 weeks |
| Bank Integration: Erste Bank HR | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 12% market share | 2 weeks (Erste has best docs) |
| Bank Integration: OTP Banka HR | ⚠️ Sandbox account NOT created | ❌ NOT INTEGRATED | P0 — 9% market share | 3 weeks |
| Database Schema (BankConnection, BankTransaction extensions) | ✅ Designed (BALKAN-STRATEGY.md) | ❌ NOT IMPLEMENTED | BLOCKER — no data model to store consent + tokens + transactions | 1 week (Prisma schema + migration) |
| Token Encryption (AES-256-GCM + GCP Cloud KMS) | ✅ Specified | ❌ NOT IMPLEMENTED | P0 — PSD2 compliance requirement + GDPR | 2 weeks (KMS integration + encryption/decryption helpers) |

Total P0 Effort (excluding regulatory timeline):

- Core engine: 4 weeks (adapter) + 3 weeks (consent mgr) + 3 weeks (sync engine) + 1 week (DB schema) + 2 weeks (encryption) = 13 weeks
- Bank integrations: 3+3+2+3 = 11 weeks (parallelizable to 3-4 weeks with concurrent integration work)
- Critical path: ~16-17 weeks (assuming parallel work)
- Plus regulatory: +12-16 weeks (AISP registration 3-4 months)
- TOTAL: ~28-33 weeks (7-8 months) from start to Bilko HR launch-ready Tok

Realistic Q3 2026 Launch Assessment:

- If AISP application starts THIS WEEK (late May 2026), AISP approval = August/September 2026.
- If Tok core engine + bank integration work starts in parallel with AISP application, technical readiness = August/September 2026.
- Q3 2026 launch is THEORETICALLY FEASIBLE but HIGH RISK. Any regulatory delay → Q4 2026 slip.

#### P1 — POST-LAUNCH Enhancement (Q4 2026)

| Feature | Bilko Benefit | Estimated Effort |
|---|---|---|
| Bank Integration: Raiffeisenbank | +7% market coverage | 2 weeks |
| Bank Integration: Addiko Bank | +4% market coverage | 3 weeks (includes production verification outreach) |
| Bank Integration: HPB | +3% market coverage + government contract potential | 3 weeks |
| Auto-Match Engine (invoice ↔ transaction matching) | Reduces manual reconciliation time for Bilko users by 60-80% (estimated) | 4 weeks (PIB/OIB extraction + amount/date/reference fuzzy matching + confidence scoring) |
| Webhooks (transaction notifications) | Enables real-time bank feed updates (vs. polling every 4 hours) | 3 weeks (webhook design already documented) |
| Reconciliation Module (UI for manual review) | Handles low-confidence auto-matches | 3 weeks (frontend + backend endpoints) |

Total P1 Effort: ~18 weeks (parallelizable to ~6-8 weeks)

#### P2 — NICE-TO-HAVE (Q1 2027+)

| Feature | Bilko Benefit | Estimated Effort |
|---|---|---|
| PISP (Payment Initiation) | Pay invoices directly from Bilko (no manual bank login) | 8 weeks (requires PISP authorization upgrade at Finanstilsynet — regulatory timeline 2-3 months, capital requirement €50K for Serbia only, €0 for EEA) |
| Smaller banks (P2 bank list) | +13% market coverage (but diminishing returns) | 2-3 weeks per bank × 10 banks = 20-30 weeks |
| Serbian bank integration | Opens Serbian market for Bilko | Per BALKAN-STRATEGY.md, requires ALAI Tech d.o.o. NBS registration — Q4 2026 earliest |
| BiH bank integration | Opens BiH market for Bilko | Bilateral agreements — Q1 2027 earliest |

### Slice Plan — Recommended Delivery Sequence

#### Slice 0: Regulatory Foundation (PARALLEL with Slice 1)

Timeline: Start immediately (late May 2026) → Complete August/September 2026

| Task | Owner | Effort | Blocking? |
|---|---|---|---|
| Submit AISP application to Finanstilsynet | John (orchestrator) | 2 weeks (document prep + submission) | ✅ BLOCKER for all bank API access |
| Procure PII insurance (Nordic Guarantee/Howden) | John → Finverge | 1 week (quote + contract) | ✅ Required for AISP application |
| Await Finanstilsynet AISP approval | — | 12-16 weeks (regulatory timeline) | ✅ BLOCKER for QWAC |
| Obtain QWAC from DigiCert | John → Finverge | 1 week (after AISP approval) | ✅ BLOCKER for production bank API |

#### Slice 1: Tok Core Engine MVP (PARALLEL with Slice 0)

Timeline: Start immediately (late May 2026) → Complete August 2026 (12-13 weeks)

| Task | Owner | Effort |
|---|---|---|
| Database schema: BankConnection + BankSyncLog + BankTransaction extensions | CodeCraft (Kotlin/backend) | 1 week |
| Token encryption: AES-256-GCM + GCP Cloud KMS integration | Securion (security) + CodeCraft | 2 weeks |
| Berlin Group Adapter: Abstract BankAdapter + BerlinGroupAdapter implementation | CodeCraft | 4 weeks |
| Consent Manager: Consent creation + OAuth flow + token storage | CodeCraft | 3 weeks |
| Transaction Sync Engine: BullMQ job queue + dedup + sync scheduling | CodeCraft | 3 weeks |
| 90-day re-authentication UX: Email reminders + UI banner + one-click re-connect | Vizu (frontend) + CodeCraft (backend) | 2 weeks |
| SLICE 1 TOTAL | — | 13 weeks |

Deliverables: Tok API can create PSD2 consents, handle OAuth SCA redirect, store encrypted tokens, sync transactions from ANY Berlin Group bank, handle 90-day expiry. NOT YET: specific bank integrations (Slice 2), auto-match (Slice 3).

#### Slice 2: P0 Bank Integrations (AFTER Slice 1 core + QWAC obtained)

Timeline: September 2026 → Complete mid-October 2026 (4-5 weeks, parallelized)

| Bank | Effort | Dependencies |
|---|---|---|
| Zagrebačka banka (Zaba) | 3 weeks | Slice 1 core + QWAC |
| Privredna banka Zagreb (PBZ) | 3 weeks | Slice 1 core + QWAC |
| Erste Bank Croatia | 2 weeks | Slice 1 core + QWAC |
| OTP Banka Hrvatska | 3 weeks | Slice 1 core + QWAC |

Parallel execution: Assign 2-3 developers → complete all 4 banks in 4-5 weeks.

Deliverables: Tok Platform supports 73% of Croatian SMB market. Bilko can offer "Connect bank" feature for top 4 Croatian banks.

#### Slice 3: Bilko Integration + Launch (AFTER Slice 2)

Timeline: Mid-October 2026 → Complete late October 2026 (2 weeks)

| Task | Owner | Effort |
|---|---|---|
| Bilko integration with Tok API (via `@tokapi/sdk`) | CodeCraft (Bilko team) | 1 week |
| Bilko UI: "Connect bank" flow + bank feed display + manual reconciliation UI | Vizu | 1 week |
| End-to-end testing: Bilko → Tok → Croatian banks (sandbox + production) | Proveo | 3 days |
| HR market launch announcement | Skybound (BA) | 2 days |

Deliverables: Bilko HR users can connect top 4 Croatian banks and automatically sync transactions. BILKO HR LAUNCH READY.

#### Slice 4: P1 Features (Q4 2026)

| Task | Effort | Timeline |
|---|---|---|
| Bank integrations: Raiffeisenbank, Addiko, HPB | 8 weeks (parallelizable to 3 weeks) | October-November 2026 |
| Auto-Match Engine (invoice ↔ transaction) | 4 weeks | November 2026 |
| Webhooks for real-time notifications | 3 weeks | December 2026 |
| Reconciliation Module (manual review UI) | 3 weeks | December 2026 |

Cumulative market coverage after Slice 4: 87%

## 5. ISO 20022 + SEPA Instant Practical Specifications

### ISO 20022 in Croatian Banking

Source: Croatian Banking Association ISO 20022 Migration Report 2024 (https://www.hub.hr/en/sepa-croatia)

Croatia is a full SEPA member (since 2023, post-Euro adoption Jan 2024). All Croatian banks use ISO 20022 messaging for:

- SEPA Credit Transfer (SCT) — pain.001.001.09
- SEPA Instant Credit Transfer (SCT Inst) — pain.001.001.09 (same schema, instant processing via TIPS)
- Account Statement — camt.053.001.08

### CAMT.053 (Account Statement) — Transaction Data Format

Which Croatian banks provide native CAMT.053?

| Bank | CAMT.053 Native Format | Proprietary Format | Notes |
|---|---|---|---|
| Zagrebačka banka (Zaba) | ✅ YES (via UniCredit corporate banking portal) | ⚠️ Also supports CSV, MT940 (legacy SWIFT) | For PSD2 API: Berlin Group JSON (NOT CAMT.053 XML). CAMT.053 is available via corporate e-banking portal for bulk export. |
| Privredna banka Zagreb (PBZ) | ✅ YES (via Intesa corporate banking) | ⚠️ Also supports CSV, MT940 | Same as Zaba: Berlin Group JSON for PSD2 API, CAMT.053 for e-banking bulk export. |
| Erste Bank Croatia | ✅ YES (Erste Group standard) | ⚠️ Also supports CSV, MT940 | Berlin Group JSON for PSD2. CAMT.053 for corporate customers. |
| OTP Banka Hrvatska | ⚠️ LIMITED — available for corporate clients only | CSV primary for SMB e-banking | Berlin Group JSON for PSD2. CAMT.053 not widely used for SMBs. |
| Raiffeisenbank Austria d.d. | ✅ YES (RBI Group standard) | ⚠️ Also supports CSV, MT940 | Berlin Group JSON for PSD2. |
| Addiko Bank d.d. | ⚠️ UNKNOWN | CSV likely primary | Berlin Group JSON for PSD2. CAMT.053 status unclear. |
| HPB | ⚠️ UNKNOWN | Likely CSV | Berlin Group JSON for PSD2. |

Key Insight: CAMT.053 is available for corporate e-banking bulk exports but NOT used by PSD2 APIs. All Croatian banks use Berlin Group NextGenPSD2 JSON response format for AISP transaction data.

Implication for Tok Platform: Tok does NOT need CAMT.053 XML parsing. Berlin Group JSON → Tok internal format mapping (already designed in BANK-API-INTEGRATION.md) is sufficient.

### pain.001 (Payment Initiation) — PISP Future Scope

SEPA Instant (SCT Inst) Coverage in Croatia:

| Bank | SEPA Instant Support | Max Instant Amount | Processing Time |
|---|---|---|---|
| Zagrebačka banka | ✅ YES | €100,000 | < 10 seconds |
| Privredna banka Zagreb | ✅ YES | €100,000 | < 10 seconds |
| Erste Bank Croatia | ✅ YES | €100,000 | < 10 seconds |
| OTP Banka Hrvatska | ✅ YES | €100,000 | < 10 seconds |
| Raiffeisenbank Austria d.d. | ✅ YES | €100,000 | < 10 seconds |
| Addiko Bank d.d. | ⚠️ LIKELY (Addiko Group supports SCT Inst in AT/SI) | €100,000 (estimated) | < 10 seconds |
| HPB | ⚠️ UNKNOWN — verify with HPB | — | — |

Source: European Payments Council SCT Inst Reachability Report Q4 2025 (https://www.europeanpaymentscouncil.eu/what-we-do/sepa-instant-credit-transfer)

All major Croatian banks support SEPA Instant. This is CRITICAL for Bilko PISP future scope (pay invoices instantly from Bilko).
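The "Berlin Group JSON → Tok internal format" mapping and the sync engine's dedup step described in the CAMT.053 section above, as an added example (not Tok's own adapter code). The NextGenPSD2 v1.3 transaction field names and the Croatian OIB check-digit rule (ISO 7064 MOD 11,10) are real; the sample response, the internal record shape and the FNV-1a fallback key are constructed here.

```javascript
// Constructed sample of a NextGenPSD2 /accounts/{id}/transactions response.
// The same booked entry appears twice, as a bank can return it on an
// overlapping date-range sync; the pending entry has no transactionId.
const SAMPLE_BG_RESPONSE = {
  account: { iban: "HR1210010051863000160" }, // constructed IBAN
  transactions: {
    booked: [
      {
        transactionId: "ZB-2026-000417",
        endToEndId: "INV-2026-0042",
        bookingDate: "2026-06-02",
        valueDate: "2026-06-02",
        transactionAmount: { currency: "EUR", amount: "1250.00" },
        debtorName: "Primjer d.o.o.",
        debtorAccount: { iban: "HR0623400091110000003" },
        remittanceInformationUnstructured: "Racun INV-2026-0042 OIB 12345678903",
        bankTransactionCode: "PMNT-RCDT-ESCT",
      },
      {
        transactionId: "ZB-2026-000417", // duplicate of the entry above
        endToEndId: "INV-2026-0042",
        bookingDate: "2026-06-02",
        valueDate: "2026-06-02",
        transactionAmount: { currency: "EUR", amount: "1250.00" },
        debtorName: "Primjer d.o.o.",
        debtorAccount: { iban: "HR0623400091110000003" },
        remittanceInformationUnstructured: "Racun INV-2026-0042 OIB 12345678903",
      },
    ],
    pending: [
      {
        bookingDate: "2026-06-03",
        transactionAmount: { currency: "EUR", amount: "-89.90" },
        creditorName: "HEP Opskrba",
        remittanceInformationUnstructured: "Elektricna energija 05/2026",
      },
    ],
  },
};

// Croatian OIB: 11 digits, last one is an ISO 7064 MOD 11,10 check digit.
function isValidOib(oib) {
  if (!/^\d{11}$/.test(oib)) return false;
  let a = 10;
  for (const ch of oib.slice(0, 10)) {
    a = (a + Number(ch)) % 10;
    if (a === 0) a = 10;
    a = (a * 2) % 11;
  }
  let check = 11 - a;
  if (check === 10) check = 0;
  return check === Number(oib[10]);
}

// First valid OIB found in free-text remittance info (for the auto-match
// engine's counterparty keying); null when none passes the check digit.
function extractOib(text) {
  const candidates = (text || "").match(/\b\d{11}\b/g) || [];
  return candidates.find(isValidOib) || null;
}

// 32-bit FNV-1a, used only to build a stable fallback dedup key for entries
// the bank returns without a transactionId.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Map one NextGenPSD2 transaction object to the (constructed) internal record.
// Credits carry the counterparty in debtor* fields, debits in creditor*.
function mapTransaction(accountIban, tx, status) {
  const amount = Number(tx.transactionAmount.amount);
  const counterparty = amount < 0
    ? { name: tx.creditorName || null, iban: (tx.creditorAccount || {}).iban || null }
    : { name: tx.debtorName || null, iban: (tx.debtorAccount || {}).iban || null };
  const remittance = tx.remittanceInformationUnstructured || "";
  const dedupKey = tx.transactionId
    ? `${accountIban}:${tx.transactionId}`
    : `${accountIban}:h:${fnv1a([status, tx.bookingDate, tx.transactionAmount.currency,
                                 tx.transactionAmount.amount, remittance].join("|"))}`;
  return {
    dedupKey, accountIban, status,
    bookingDate: tx.bookingDate || null,
    valueDate: tx.valueDate || null,
    amountMinor: Math.round(amount * 100), // store cents, never floats
    currency: tx.transactionAmount.currency,
    counterparty,
    endToEndId: tx.endToEndId || null,
    remittance,
    counterpartyOib: extractOib(remittance),
  };
}

// Apply one response against the set of dedup keys already persisted.
// Booked entries are de-duplicated; pending entries are returned for
// wholesale replacement, since banks re-issue them (usually without a
// stable id) on every sync until they book.
function syncResponse(response, storedKeys) {
  const iban = response.account.iban;
  const booked = (response.transactions.booked || []).map((t) => mapTransaction(iban, t, "booked"));
  const pending = (response.transactions.pending || []).map((t) => mapTransaction(iban, t, "pending"));
  const inserted = [];
  let skipped = 0;
  for (const rec of booked) {
    if (storedKeys.has(rec.dedupKey)) { skipped += 1; continue; }
    storedKeys.add(rec.dedupKey);
    inserted.push(rec);
  }
  return { inserted, skipped, pending };
}
```

Running `syncResponse` twice with the same key set models an overlapping re-sync: the second pass inserts nothing and skips both booked entries.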
### Croatian CIUS (Country-Specific Extensions) for ISO 20022

CIUS = Country Implementation User Specification — national extensions/restrictions on top of ISO 20022 standard.

Croatia ISO 20022 CIUS Status:

| Standard | Croatian CIUS Exists? | Impact on Tok/Bilko |
|---|---|---|
| CAMT.053 | ❌ NO — Croatia uses standard EPC SEPA CAMT.053.001.08 without national extensions | No special handling required. |
| pain.001 | ❌ NO — Croatia uses standard EPC SEPA pain.001.001.09 | No special handling required (when PISP is implemented). |

Source: HUB (Croatian API Hub) technical documentation (https://hub.hr/en/technical-documentation) — confirms standard EPC SEPA schemas with no Croatian-specific CIUS.

Implication: Tok can use standard ISO 20022 parsers/generators. No Croatian-specific XML schema extensions required.

### Practical Data Flow: Croatian Bank → Tok → Bilko

```text
┌─────────────────────────────────────────────────────────────────┐
│ Croatian Bank (e.g., Zagrebačka banka)                          │
│ ├─ Internal system: ISO 20022 CAMT.053 XML (account statements) │
│ ├─ E-banking portal: CAMT.053 export (corporate bulk)           │
│ └─ PSD2 API: Berlin Group NextGenPSD2 JSON                      │
└───────────────────────────┬─────────────────────────────────────┘
                            │ HTTPS + QWAC mTLS
                            ▼
┌─────────────────────────────────────────────────────────────────┐
│ Tok Platform (AISP)                                             │
│ ├─ Berlin Group Adapter: Parses BG JSON → Tok internal format   │
│ ├─ Transaction Sync Engine: Dedup + store in PostgreSQL         │
│ └─ Tok REST API: Returns transactions in Tok JSON format        │
└───────────────────────────┬─────────────────────────────────────┘
                            │ HTTPS + API key
                            ▼
┌─────────────────────────────────────────────────────────────────┐
│ Bilko (Kotlin/Ktor backend + Next.js frontend)                  │
│ ├─ Calls Tok API via @tokapi/sdk (Node.js SDK)                  │
│ ├─ Auto-Match Engine: Matches transactions to invoices          │
│ └─ Bilko UI: Displays matched transactions + reconciliation     │
└─────────────────────────────────────────────────────────────────┘
```

NO CAMT.053 XML parsing required in Tok.
Berlin Group JSON is the data format.

## 6. Risk Flags & Open Questions

### Risk Flags

| # | Risk | Impact | Mitigation |
|---|---|---|---|
| R1 | 90-day consent re-authentication UX failure | If users do not re-authenticate after 90 days, bank feed stops for ALL users simultaneously. Bilko becomes "broken" for HR market. | CRITICAL UX: 14-day advance email reminder + prominent UI banner + one-click re-connect (no full setup). Test with beta users before full launch. Monitor consent expiry dates daily. |
| R2 | Finanstilsynet AISP application delay | If AISP approval takes >4 months, Q3 2026 launch slips to Q4 2026 or Q1 2027. | Start AISP application THIS WEEK (late May 2026). Engage Finanstilsynet early with pre-application meeting. Have PII insurance quote ready before application. |
| R3 | QWAC certificate delay | If DigiCert/GlobalSign takes >15 days, production bank testing delayed. | Order QWAC immediately after AISP authorization number received. Use DigiCert (5-10 day turnaround) over Sectigo (10-15 day). |
| R4 | PBZ Croatian-only documentation | PBZ API portal has no English version. Increases integration overhead. | Allocate 2-3 extra days for translation/verification. PBZ API responses are standard Berlin Group (English), only portal docs are Croatian. |
| R5 | Addiko/HPB production status unclear | Addiko and HPB developer portals exist but production readiness is undocumented. | Treat as P1 (post-launch) to reduce launch risk. Direct outreach to openbanking@hpb.hr and Addiko digital team AFTER P0 banks are live. |
| R6 | Bank API downtime | If a major bank's PSD2 API has extended outage, Bilko users complain "bank feed broken." | Implement circuit breaker per BANK-API-INTEGRATION.md design. Show clear status in Bilko UI: "Last sync: 3 days ago (bank API unavailable)." Monitor bank status pages. |
| R7 | Serbian market dependency on Tok | Bilko Serbian launch (Q4 2026 per Balkan Strategy) requires Tok to have NBS AISP registration + Serbian bank integrations. Tok delay = Bilko Serbia delay. | Start NBS AISP application in parallel with Finanstilsynet (target: September 2026 submission). Serbian market is separate from Croatian launch — decouple timelines. |

### Open Questions (Require Follow-Up)

| # | Question | Who to Contact | Priority |
|---|---|---|---|
| Q1 | Exact Finanstilsynet processing time for AISP registration — is 2-3 months realistic or optimistic? | Finanstilsynet (finanstilsynet.no, +47 22 93 98 00, post@finanstilsynet.no) — request pre-application guidance meeting | H (blocks timeline certainty) |
| Q2 | Does Finanstilsynet require physical presence in Norway for AISP application, or can Alem (CEO) submit remotely from BiH/RS? | Same as Q1 | H |
| Q3 | Addiko Bank d.d. production API status — is oapideveloper.addiko.hr production-ready or sandbox-only? | Addiko digital team (openbanking@addiko.hr — email inferred from Addiko Group pattern, verify via website contact form at https://www.addiko.hr/kontakt/) | M (P1 bank, not launch-critical) |
| Q4 | HPB production API status — is openbanking.hpb.hr production-ready? | HPB Open Banking team (openbanking@hpb.hr — documented on HPB portal) | M (P1 bank, not launch-critical) |
| Q5 | PII insurance quote for ALAI Holding AS (NO entity, AISP-only, €50K coverage, EEA scope) — exact annual premium? | Nordic Guarantee (info@nordg.se, +46 8-34 06 60) OR Howden Norway (via website contact form at https://www.howdengroup.com/no-en/contact) | H (required for AISP application) |
| Q6 | DigiCert QWAC issuance timeline after NCA authorization number provided — is 5-10 days guaranteed or best-case? | DigiCert PSD2 team (psd2@digicert.com) | M (impacts production testing timeline) |
| Q7 | Croatian bank PSD2 API rate limits — what is the practical max sync frequency per user? (Berlin Group spec allows up to `frequencyPerDay: 4`, but do banks enforce lower limits?) | Test in sandbox for each P0 bank during integration | M (impacts sync engine design) |
| Q8 | HNB passporting notification timeline — PSD2 Article 28 says "1 month" but does HNB publish passported AISPs immediately or with delay? | HNB Open Banking team (moneterra@hnb.hr, +385 1 4702 181) | L (nice to know, doesn't block) |

## 7. Next Steps for John (Orchestrator)

### Immediate (This Week — Late May 2026)

- AISP Application Prep:
  - Schedule pre-application meeting with Finanstilsynet (email post@finanstilsynet.no).
  - Request PII insurance quote from Nordic Guarantee (email info@nordg.se, +46 8-34 06 60) AND Howden Norway (https://www.howdengroup.com/no-en/contact).
  - Draft "Programme of Operations" document for AISP application (template: Finanstilsynet skjema for opplysningsfullmektig, available at https://www.finanstilsynet.no/konsesjon/opplysningsfullmektig/).
- Tok Core Engine Kickoff:
  - Dispatch to CodeCraft (Petter Graff or Martin Kleppmann): "Tok Core Engine MVP — Slice 1" (13-week effort per gap analysis above).
  - Pre-requisite: Verify GCP Cloud KMS is provisioned for Tok project (required for token encryption).
- Croatian Bank Sandbox Accounts:
  - Register developer accounts on:
    - https://developer.unicredit.eu (Zagrebačka banka)
    - https://apiportal.pbz.hr (PBZ)
    - https://developers.erstegroup.com (Erste Bank)
    - https://apiportal.sandbox.otpbanka.hr (OTP)
  - Document sandbox PSU credentials for testing.

### Short-Term (June-July 2026)

- Submit AISP Application:
  - After pre-application meeting + PII insurance contract signed → submit full AISP application to Finanstilsynet.
  - Target: Early June 2026 submission → August/September 2026 approval.
- Parallel Tok Development:
  - Monitor Slice 1 progress weekly (CodeCraft standups).
  - Ensure 90-day re-authentication UX is user-tested BEFORE production (critical per Risk R1).

### Mid-Term (August-September 2026)

- QWAC Procurement:
  - Immediately after Finanstilsynet AISP authorization number received → order QWAC from DigiCert (email psd2@digicert.com).
  - Timeline: 5-10 days.
- P0 Bank Integrations (Slice 2):
  - Dispatch to CodeCraft: "Tok P0 Croatian Banks — Slice 2" (4-5 weeks parallelized).
  - Pre-requisite: Slice 1 core engine complete + QWAC obtained.
- Bilko Integration (Slice 3):
  - Dispatch to CodeCraft (Bilko team): "Bilko ↔ Tok Integration" (2 weeks).
  - Dispatch to Vizu (Brad Frost): "Bilko 'Connect Bank' UI" (1 week).

### Launch Readiness (Late September / Early October 2026)

- End-to-End Testing:
  - Dispatch to Proveo (Angie Jones): "Bilko HR Bank Feed E2E Test — 4 Banks × 10 Test Scenarios" (3 days).
  - Test scenarios: consent creation, SCA redirect, token refresh, transaction sync, 90-day expiry UX, circuit breaker on bank API failure.
- HR Market Launch:
  - Dispatch to Skybound (sentinel-ba): "Bilko HR Market Launch Announcement" (2 days).
  - Coordinate with Bilko marketing plan (if exists; otherwise create minimal launch page + email to waitlist).

## 8. Evidence & Source Summary

Total Sources Cited: 31

### Regulatory Sources (9)

- Zakon o platnom prometu (NN 66/2018) — Croatian PSD2 transposition: https://narodne-novine.nn.hr/clanci/sluzbeni/2018_06_66_1334.html
- HNB Banking Sector Report 2024: https://www.hnb.hr/en/statistics/statistical-data/credit-institutions
- HNB Licensing Page (AISP registration): https://www.hnb.hr/en/core-functions/payment-system/licensing
- HNB Registered AISPs (passported providers): https://www.hnb.hr/en/core-functions/payment-system/licensing/registered-account-information-service-providers
- Croatian API HUB (PSD2 technical specs): https://hub.hr/en/psd2-open-api
- PSD2 Directive 2015/2366 (Article 28 — passporting): Official Journal of the EU
- EBA/GL/2017/08 (PII Guidelines): https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-professional-indemnity-insurance
- Finanstilsynet AISP Regulation (§6-13): https://www.finanstilsynet.no/konsesjon/opplysningsfullmektig/
- eIDAS Regulation (EU) 910/2014: Official Journal of the EU

### eIDAS / QWAC Sources (5)

- EU Trusted List (eIDAS): https://eidas.ec.europa.eu/efts/tl-browser
- DigiCert PSD2 QWAC: https://www.digicert.com/psd2
- GlobalSign PSD2 QWAC: https://www.globalsign.com/en/psd2
- Sectigo PSD2: https://sectigo.com/ssl-certificates-tls/psd2
- D-Trust (Bundesdruckerei): https://www.d-trust.net/en/products/psd2

### Bank Developer Portal Sources (7)

- UniCredit Developer Portal: https://developer.unicredit.eu/apis
- PBZ API Portal: https://apiportal.pbz.hr
- Erste Developers Portal: https://developers.erstegroup.com
- OTP Sandbox Portal: https://apiportal.sandbox.otpbanka.hr
- RBI API Portal: https://api.rbinternational.com/developer-portal
- Addiko Developer Portal: https://oapideveloper.addiko.hr
- HPB Open Banking Portal: https://openbanking.hpb.hr

### Technical Standards Sources (4)

- Berlin Group NextGenPSD2: https://www.berlin-group.org/nextgenpsd2-downloads
- European Payments Council (EPC) SEPA Schemes: https://www.europeanpaymentscouncil.eu/what-we-do/sepa-credit-transfer
- European Payments Council SCT Inst Reachability Report Q4 2025: https://www.europeanpaymentscouncil.eu/what-we-do/sepa-instant-credit-transfer
- HUB Technical Documentation (ISO 20022 CIUS confirmation): https://hub.hr/en/technical-documentation

### Internal ALAI Sources (6)

- ~/business/ALAI-Holding-AS/products/Tok/docs/INDEX.md (Tok platform status)
- ~/business/ALAI-Holding-AS/products/Tok/docs/architecture/BANK-API-INTEGRATION.md (Berlin Group adapter design)
- ~/business/ALAI-Holding-AS/products/Tok/docs/regulatory/BALKAN-STRATEGY.md (AISP registration plan)
- ~/business/ALAI-Holding-AS/products/Bilko/docs/INTEGRATION-WITH-TOK.md (Bilko-Tok integration spec)
- ~/business/ALAI-Holding-AS/products/Bilko/docs/regulatory/HR/README.md (Croatian regulatory requirements)
- MC Task #102423 (this task)

## FINVERGE REPORT

Status: COMPLETE

Task: Croatia (HR) Bank Integration Plan for Bilko via Tok Platform

Financial Domain: Open Banking (PSD2 AISP), Bank Integration, Regulatory Compliance, Payment Infrastructure

Deliverables:

- /Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/integrations/hr-bank-integration-plan.md (this document, 12,500+ words)
- Per-bank PSD2 readiness matrix (7 banks, 87% SMB market coverage)
- TPP regulatory decision matrix (3 options analyzed, EEA passporting recommended)
- QWAC/QSeal certificate plan (DigiCert recommended, €300-800/year)
- Tok gap analysis (0% Croatian bank coverage, 28-33 week critical path to launch)
- Slice plan (P0: 4 banks = 73% coverage, P1: +3 banks = 87% coverage)
- ISO 20022 practical specifications (Berlin Group JSON, NOT CAMT.053 XML)
- 7 risk flags + 8 open questions
- 31 sources cited (regulatory, technical, bank portals, internal ALAI docs)

Compliance Notes:

- PSD2 Directive 2015/2366 Article 28 (EEA passporting) — legal basis for recommended path
- EBA/GL/2017/08 (PII insurance) — €50K minimum aggregate for AISP-only
- eIDAS Regulation (EU) 910/2014 — QWAC cross-border recognition guaranteed
- Croatian Zakon o platnom prometu (NN 66/2018) — AISP registration requirement
- Berlin Group NextGenPSD2 v1.3.8 minimum (Croatian HUB mandate)
- GDPR/PDPL compliance required for bank transaction data processing

Security:

- QWAC certificate required (DigiCert/GlobalSign, €300-800/year)
- PII insurance required (€50K minimum, Nordic Guarantee/Howden Norway, €800-2,500/year)
- AES-256-GCM + GCP Cloud KMS for OAuth token encryption (per Tok design)
- 90-day consent re-authentication UX is CRITICAL risk flag

Next:

- For John (immediate): Submit AISP application to Finanstilsynet THIS WEEK (late May 2026). Request PII insurance quote. Dispatch Tok Core Engine MVP (Slice 1) to CodeCraft.
- For Securion (parallel): Review token encryption design (AES-256-GCM + GCP Cloud KMS) for PSD2 compliance.
- For Lexicon (post-launch): Croatian language UI/legal docs for Bilko HR market (separate MC task).
- For Proveo (pre-launch): End-to-end testing plan for Bilko ↔ Tok ↔ 4 Croatian banks (3 days, late September 2026).

Evidence Path: /Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/integrations/hr-bank-integration-plan.md

Sources Cited: 31 (9 regulatory, 5 eIDAS/QWAC, 7 bank portals, 4 technical standards, 6 internal ALAI)
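The daily consent check that risk R1 ("monitor consent expiry dates daily", 14-day reminder) and open question Q7 (the `frequencyPerDay` ceiling) call for, as an added Python sketch. It is not Tok's code: the Consent record, the reminder window constant and the sample cohort are assumptions constructed for the example. It generalizes slightly beyond the text by also producing the expiry "wave" per day, which is how the all-users-disconnect-at-once scenario becomes visible weeks ahead.

```python
"""Daily consent check for the 90-day re-authentication risk (R1) and the
frequencyPerDay limit (Q7). Added example: the Consent record, REMINDER_DAYS and
the sample cohort are constructed assumptions, not Tok's design."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

REMINDER_DAYS = 14  # R1 mitigation: email + UI banner two weeks before expiry


@dataclass
class Consent:
    """What Tok would persist from the Berlin Group consent resource: consentStatus,
    validUntil (at most 90 days for recurring access) and frequencyPerDay, plus
    Tok's own counter of unattended calls already made today."""
    id: str
    user_id: str
    bank: str
    status: str         # Berlin Group consentStatus: valid, expired, revokedByPsu, ...
    valid_until: date   # last day the consent may be used
    frequency_per_day: int
    syncs_today: int = 0


@dataclass
class Decision:
    consent_id: str
    sync: bool = False       # call the bank now
    remind: bool = False     # send reminder email + show re-authentication banner
    reconnect: bool = False  # consent unusable: stop syncing, offer one-click re-connect
    reason: str = ""


def decide(c: Consent, today: date) -> Decision:
    """Evaluate one consent for today's scheduler run."""
    d = Decision(consent_id=c.id)
    days_left = (c.valid_until - today).days
    if c.status != "valid":
        d.reconnect, d.reason = True, f"consentStatus={c.status}"
    elif days_left < 0:
        d.reconnect, d.reason = True, "validUntil passed"
    else:
        d.remind = days_left <= REMINDER_DAYS
        if c.syncs_today < c.frequency_per_day:
            d.sync = True
            d.reason = f"{days_left} days left, {c.syncs_today}/{c.frequency_per_day} calls used"
        else:
            d.reason = f"frequencyPerDay {c.frequency_per_day} reached, retry tomorrow"
    return d


def expiry_wave(consents: list) -> list:
    """Count still-valid consents per expiry day, oldest first. A cohort that all
    connected on launch day shows up as one spike: the simultaneous disconnect
    R1 warns about, visible weeks before it happens."""
    counts = Counter(c.valid_until for c in consents if c.status == "valid")
    return sorted(counts.items())


def run_daily_check(consents: list, today: date) -> list:
    return [decide(c, today) for c in consents]


# Constructed sample cohort: three users connected on 2026-07-03 (validUntil =
# 2026-10-01, 90 days later), one later connection, one lapsed, one revoked.
SAMPLE_CONSENTS = [
    Consent("c-001", "u1", "ZABA", "valid", date(2026, 10, 1), 4, syncs_today=1),
    Consent("c-002", "u2", "ZABA", "valid", date(2026, 10, 1), 4, syncs_today=4),
    Consent("c-003", "u3", "PBZ", "valid", date(2026, 10, 1), 4),
    Consent("c-004", "u4", "ERSTE", "valid", date(2026, 12, 15), 4, syncs_today=2),
    Consent("c-005", "u5", "OTP", "valid", date(2026, 9, 18), 4),
    Consent("c-006", "u6", "OTP", "revokedByPsu", date(2026, 11, 30), 4),
]
DEMO_TODAY = date(2026, 9, 20)  # constructed "today" for the run below


if __name__ == "__main__":
    for d in run_daily_check(SAMPLE_CONSENTS, DEMO_TODAY):
        print(d)
    for day, n in expiry_wave(SAMPLE_CONSENTS):
        print(f"{day}: {n} consent(s) expire")
```

On the sample day the three launch-cohort consents are inside the reminder window (one of them has already spent its four calls, so it is reminded but not synced), the lapsed and revoked consents are routed to re-connect rather than retried against the bank, and the wave shows the 2026-10-01 spike eleven days out.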
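The per-bank circuit breaker named in the R6 mitigation and in the E2E scenario list ("circuit breaker on bank API failure"), as an added Python example. It is not the design from BANK-API-INTEGRATION.md: the failure threshold, the cooldown, the scripted outage and the exact status text are assumptions constructed for the example; the status string format itself follows the one quoted in R6.

```python
"""Per-bank circuit breaker for the R6 mitigation: stop hammering a bank whose
PSD2 API is down, probe it again after a cooldown, and give Bilko an honest
"Last sync" status. Added example; thresholds, cooldown and the scripted outage
are assumptions, not the design in BANK-API-INTEGRATION.md."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


class BankUnavailable(Exception):
    """Raised instead of calling the bank while the breaker is open."""


@dataclass
class BankCircuitBreaker:
    bank: str
    failure_threshold: int = 3                 # consecutive failures before opening
    cooldown: timedelta = timedelta(hours=12)  # how long to stay open before a probe
    failures: int = 0
    state: str = "closed"                      # closed | open | half-open
    opened_at: Optional[datetime] = None
    last_success: Optional[datetime] = None

    def call(self, bank_call: Callable[[], dict], now: datetime) -> dict:
        """Run one PSD2 request through the breaker."""
        if self.state == "open":
            if now - self.opened_at < self.cooldown:
                raise BankUnavailable(f"{self.bank}: breaker open, not calling bank")
            self.state = "half-open"  # cooldown over: let exactly one probe through
        try:
            result = bank_call()
        except Exception:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self.state, self.opened_at = "open", now
            raise
        self.failures, self.state, self.last_success = 0, "closed", now
        return result

    def ui_status(self, now: datetime) -> str:
        """Text for the Bilko feed header, in the form R6 asks for."""
        if self.last_success is None:
            return "Never synced"
        days = (now - self.last_success).days
        when = "today" if days == 0 else f"{days} day{'s' if days > 1 else ''} ago"
        suffix = " (bank API unavailable)" if self.state == "open" else ""
        return f"Last sync: {when}{suffix}"


def simulate(outcomes: list, start: datetime, step: timedelta = timedelta(hours=6)):
    """Replay scripted bank outcomes ('ok'/'fail'), one sync slot apart (4 per day,
    the Berlin Group frequencyPerDay ceiling). Returns the breaker and, per slot,
    (state after the slot, whether the bank was actually called)."""
    breaker = BankCircuitBreaker("ZABA")
    trace = []
    for i, outcome in enumerate(outcomes):
        now = start + i * step
        called = False

        def bank_call() -> dict:
            nonlocal called
            called = True
            if outcome == "fail":
                raise ConnectionError("HTTP 503 from bank")  # constructed failure
            return {"transactions": {"booked": [], "pending": []}}

        try:
            breaker.call(bank_call, now)
        except (ConnectionError, BankUnavailable):
            pass
        trace.append((breaker.state, called))
    return breaker, trace


# Constructed scenario: one good sync, six failed slots (1.5 days), then recovery.
DEMO_START = datetime(2026, 10, 5, 6, 0)
DEMO_OUTCOMES = ["ok", "fail", "fail", "fail", "fail", "fail", "fail", "ok"]


def stale_status() -> str:
    """Status shown while a breaker has been open for three days."""
    breaker = BankCircuitBreaker("OTP", state="open", opened_at=DEMO_START, last_success=DEMO_START)
    return breaker.ui_status(DEMO_START + timedelta(days=3))


if __name__ == "__main__":
    breaker, trace = simulate(DEMO_OUTCOMES, DEMO_START)
    for i, (state, called) in enumerate(trace):
        print(f"slot {i}: {DEMO_OUTCOMES[i]:4} -> {state:9} called={called}")
    print(breaker.ui_status(DEMO_START + timedelta(hours=42)))
    print(stale_status())
```

In the scripted outage the third consecutive failure opens the breaker; the next slot is skipped without touching the bank, the slot after the 12-hour cooldown is a single half-open probe that fails and re-opens it, and the first successful probe closes it again. While open, the status shown to the user names the bank outage rather than letting the feed look silently stale, which is the complaint R6 is trying to avoid.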