Regulatory
PSD2 compliance, AISP/PISP licensing, Croatia HNB, Serbia NBS, BiH bilateral agreements
Licensing Strategy
Licensing Strategy
Unified Platform Model
One PI (Payment Institution) licence covers three products under one regulatory umbrella.
AISP/PISP Licence
Finanstilsynet (Norwegian FSA)
Entity: ALAI Holding AS (org.nr 932 516 136)
│
├── AISP scope
│ ├── Tok Platform — Open Banking API (B2B)
│ └── Bilko — automatic bank feed (AISP consumer)
│
└── PISP scope
├── Drop Balkan — payment initiation
└── Bilko — pay-from-app (invoice payment)
Key insight: The PI licence already required for Drop Norway covers Tok and Bilko at zero marginal regulatory cost. Regulatory overhead shared across three revenue streams.
Licence Types
| Type | Full Name | Scope | Capital Requirement |
|---|---|---|---|
| AISP | Account Information Service Provider | Read bank accounts and transactions | €0 (PII insurance only) |
| PISP | Payment Initiation Service Provider | Initiate payments on behalf of users | €50,000 (Serbia NBS) |
Tok Phase 1 requires AISP only. PISP follows in Phase 2 (Q3 2026+).
Professional Indemnity Insurance (PII)
PII is mandatory for AISP registration — it replaces capital requirements.
Legal basis: PSD2 Article 5(3), EBA/GL/2017/08 Minimum: €50,000 annual aggregate (EBA floor for new entities without 12 months operating data)
Two Policies Required
| Territory | Policy | Why | Estimated Annual Cost |
|---|---|---|---|
| Norway + Croatia (EEA) | Norwegian policy with explicit EEA scope | HNB accepts home-country PII for passported entities | €800 – €2,500 |
| Serbia | Separate Serbian policy from NBS-licensed insurer | Serbia is not EEA — no passporting for insurance | €2,000 – €8,000 |
Critical: The Norwegian/EEA policy does NOT cover Serbia. Two separate policies are required.
Recommended Providers
Norway/EEA:
- Howden Norway (primary) — created the first PSD2 policy, Lloyd's backing
- Nordic Guarantee (alternative) — faster, PSD2 guarantee specialist
- Superscript EU / Marsh Norway (backup)
Serbia:
No Serbian insurer has a ready-made fintech PII product — policy will be bespoke.
Countries Covered
| Country | Framework | Entity | Mechanism |
|---|---|---|---|
| 🇳🇴 Norway | Finanstilsynet AISP | ALAI Holding AS | Direct registration |
| 🇭🇷 Croatia | PSD2 / Berlin Group | — | EEA passporting from Norway |
| 🇷🇸 Serbia | NBS bilateral (PSD2-equivalent, Sl. glasnik RS 64/2024) | ALAI Tech d.o.o. | Direct NBS registration |
| 🇧🇦 BiH | No PSD2 mandate | — | Bilateral bank agreements |
Veza sa Drop
Drop Norway (ZTL Payment Solution AS candidacy) requires a PI licence from Finanstilsynet. The AISP/PISP licence is the same instrument — Tok benefits from Drop's regulatory investment at no additional cost.
- Same Finanstilsynet application
- Same EEA passporting mechanism
- Same PII insurance (Norway/EEA policy)
- Same QWAC/QSEAL certificates (DigiCert or GlobalSign)
Registration Timeline
| Phase | Country | Entity | Target | Capital |
|---|---|---|---|---|
| 1 | Norway | ALAI Holding AS | Q2 2026 | €0 |
| 1b | Croatia | — (via passporting) | Q2–Q3 2026 | €0 |
| 2 | Serbia | ALAI Tech d.o.o. | Q3–Q4 2026 | €0 |
| 3 | BiH | — (bilateral) | Q1 2027 | €0 |
| 4 | Serbia PISP | ALAI Tech d.o.o. | Q2 2027+ | €50,000 |
Key Regulatory Contacts
| Institution | Contact | Status |
|---|---|---|
| Finanstilsynet (NO) | fintech@finanstilsynet.no | Email sent 24.02.2026 ✓ |
| HNB (HR) | moneterra@hnb.hr | Pending |
| NBS (RS) | platni.sistem@nbs.rs | Pending |
QWAC Certificates
Required for PSD2 mTLS (Croatia, and Serbia if Berlin Group adopted).
- Provider: DigiCert (via QuoVadis) or GlobalSign
- Note: Buypass AS discontinued PSD2 certificates from 01.10.2025 — do NOT use
- Cost: ~€200–800/year
- Lead time: 5–15 business days after receiving NCA authorisation number
- Storage: GCP Cloud KMS HSM (private key never leaves HSM)
Reference: eIDAS Trusted List Dashboard for full list of qualified TSPs.
Per-Country Guide
Per-Country Regulatory Guide
Country-by-country breakdown of Tok's AISP registration approach.
🇳🇴 Norway — Base Registration
Regulator: Finanstilsynet (Norwegian FSA) Licence type: AISP (opplysningsfullmektig) Entity: ALAI Holding AS (org.nr 932 516 136) Capital required: €0 (PII insurance only) Contact: fintech@finanstilsynet.no
Process
- Submit AISP application to Finanstilsynet
- Programme of operations
- Business plan
- Fit & proper declarations
- PII insurance certificate (Nordic Guarantee or Howden Norway)
- IT security documentation
- AML/KYC procedures
- Application fee: NOK 5,000–30,000
- Timeline: 2–3 months
Status
Email sent 24.02.2026. Pre-application guidance meeting to be scheduled.
🇭🇷 Croatia — EEA Passporting from Norway
Regulator: HNB (Hrvatska Narodna Banka) Mechanism: EEA passporting — Norway (EEA) → Croatia Capital required: €0 Contact: moneterra@hnb.hr, +385 1 4702 181
Process
- ALAI Holding AS obtains Norwegian AISP registration (Finanstilsynet)
- Finanstilsynet notifies HNB (PSD2 Article 28 — home regulator has 1 month)
- Service can begin 30–60 days after notification
- QWAC/QSEAL certificate obtained (DigiCert or GlobalSign)
- Register on Croatian bank developer portals
Passporting scope: Norway → ALL EEA countries (not just Croatia). One Norwegian licence = access to entire EEA.
API Standard
Berlin Group NextGenPSD2 — all Croatian HUB-registered banks implement minimum v1.3.8.
Croatian Bank Portals
| Bank | Sandbox Portal | Status |
|---|---|---|
| Addiko Bank | oapideveloper.addiko.hr | Available |
| Erste & Steiermärkische | developers.erstegroup.com | Available |
| HPB | openbanking.hpb.hr | Available |
| OTP Banka | apiportal.sandbox.otpbanka.hr | Available |
| PBZ (Intesa) | apiportal.pbz.hr | Available |
| Raiffeisenbank | sandbox.rba.hr | Available |
| Zagrebačka banka (UniCredit) | developer.unicredit.eu | Available |
Sandbox access available before AISP approval — testing can begin immediately.
Verification
After approval, verify registration in EBA EUCLID register: euclid.eba.europa.eu/register/pir/search
🇷🇸 Serbia — Direct NBS Registration
Regulator: NBS (Narodna Banka Srbije) Licence type: AISP registracija Entity: ALAI Tech d.o.o. (Serbian subsidiary, 100% ALAI Holding AS) Capital required: €0 for AISP; €50,000 for PISP Contact: platni.sistem@nbs.rs, +381 11 3338-051
Legal Basis
- Zakon o platnim uslugama: Sl. glasnik RS 64/2024 (adopted 31.07.2024, applicable from 06.05.2025)
- Odluka o tehničkim standardima: Sl. glasnik RS 102/2024 (published 23.12.2024)
- Bank API deadline: 01.01.2026
Process
- Register ALAI Tech d.o.o. with APR (Serbian Business Registry)
- ALAI Holding AS = 100% owner
- Minimum capital: 100 RSD (symbolic per Serbian law)
- Activity: account information service provision
- Submit AISP registration to NBS
- Programme of operations
- Business plan
- AML/KYC procedures
- IT security documentation
- Organisational structure
- PII insurance from NBS-licensed insurer (Dunav or DDOR)
- Timeline: 3 months statutory, 6 months realistic
- NBS sandbox available for pre-registration testing
Important: No Central API Standard
Serbia does NOT have a centralised API standard like Croatia's HUB. Each bank must be connected bilaterally.
| Bank type | API standard | Adapter |
|---|---|---|
| EU bank groups (UniCredit, Raiffeisen, NLB) | Berlin Group (likely) | BerlinGroupAdapter |
| Domestic banks (AIK, OTP Serbia, Banca Intesa Serbia) | Bank-specific | BilateralAdapter |
Serbian Bank Portals
| Bank | Portal | API Standard |
|---|---|---|
| NLB Komercijalna | developer.nlbkb.rs | Berlin Group (NLB group) |
| UniCredit Srbija | developer.unicredit.eu | Berlin Group (UniCredit group) |
| Raiffeisen Srbija | api.rbinternational.com | Berlin Group (RBI group) |
| AIK Banka | TBD — bilateral | Unknown |
| OTP Srbija | TBD — bilateral | Unknown |
| Banca Intesa Srbija | TBD — bilateral | Likely Berlin Group |
PII for Serbia
Must be from an NBS-licensed insurer — foreign/EEA policy is not accepted.
🇧🇦 BiH — Bilateral Agreements
Regulators: CBBH (central bank), FBA (FBiH banking agency), ABRS (RS entity banking agency) Mechanism: No PSD2 mandate — direct bilateral contracts with banks Capital required: €0
Process
- Contact EU bank groups with existing API infrastructure:
- UniCredit BiH (UniCredit group — developer portal exists)
- Raiffeisen BiH (RBI group — API marketplace exists)
- NLB BiH (NLB group — developer portal exists)
- Negotiate bilateral data access agreements
- Implement per-bank
BilateralAdapter - Note: May require notification/approval from FBA or ABRS — investigate during Phase 3
Local contact: Asmir Merdžanović (SnowIT partner) — local contacts and market knowledge.
Status
Phase 3 — begin after Croatia and Serbia are operational (Q1 2027).
Comparison Table
| Aspect | Croatia | Serbia | BiH |
|---|---|---|---|
| PSD2 | Full (since 2019) | Equivalent law (2024) | None |
| API standard | Berlin Group v1.3.8+ | No central standard | None |
| Registration path | EEA passporting from NO | Direct NBS registration | Bilateral only |
| Entity | ALAI Holding AS | ALAI Tech d.o.o. | — |
| Capital for AISP | €0 | €0 | €0 |
| PII | EEA policy (NO) | Serbian NBS-licensed insurer | N/A |
| Timeline | Q3 2026 | Q4 2026 | Q1 2027 |
| QWAC required | Yes | If Berlin Group adopted | No |
| Sandbox available | Yes (all major banks) | Yes (NBS sandbox) | No |