Regulatory
PSD2 compliance, AISP/PISP licensing, Croatia HNB, Serbia NBS, BiH bilateral agreements

Licensing Strategy
Licensing Strategy 
 Unified Platform Model 
 One PI (Payment Institution) licence covers three products under one regulatory umbrella. 
 AISP/PISP Licence
Finanstilsynet (Norwegian FSA)
Entity: ALAI Holding AS (org.nr 932 516 136)
 │
 ├── AISP scope
 │ ├── Tok Platform — Open Banking API (B2B)
 │ └── Bilko — automatic bank feed (AISP consumer)
 │
 └── PISP scope
 ├── Drop Balkan — payment initiation
 └── Bilko — pay-from-app (invoice payment)
 
 Key insight: The PI licence already required for Drop Norway covers Tok and Bilko at zero marginal regulatory cost. Regulatory overhead shared across three revenue streams. 
 
 Licence Types 
 
 
 
 Type 
 Full Name 
 Scope 
 Capital Requirement 
 
 
 
 
 AISP 
 Account Information Service Provider 
 Read bank accounts and transactions 
 €0 (PII insurance only) 
 
 
 PISP 
 Payment Initiation Service Provider 
 Initiate payments on behalf of users 
 €50,000 (Serbia NBS) 
 
 
 
 Tok Phase 1 requires AISP only. PISP follows in Phase 2 (Q3 2026+). 
 
 Professional Indemnity Insurance (PII) 
 PII is mandatory for AISP registration — it replaces capital requirements. 
 Legal basis: PSD2 Article 5(3), EBA/GL/2017/08
 Minimum: €50,000 annual aggregate (EBA floor for new entities without 12 months operating data) 
 Two Policies Required 
 
 
 
 Territory 
 Policy 
 Why 
 Estimated Annual Cost 
 
 
 
 
 Norway + Croatia (EEA) 
 Norwegian policy with explicit EEA scope 
 HNB accepts home-country PII for passported entities 
 €800 – €2,500 
 
 
 Serbia 
 Separate Serbian policy from NBS-licensed insurer 
 Serbia is not EEA — no passporting for insurance 
 €2,000 – €8,000 
 
 
 
 Critical: The Norwegian/EEA policy does NOT cover Serbia. Two separate policies are required. 
 Recommended Providers 
 Norway/EEA: 
 
 Howden Norway (primary) — created the first PSD2 policy, Lloyd's backing 
 Nordic Guarantee (alternative) — faster, PSD2 guarantee specialist 
 Superscript EU / Marsh Norway (backup) 
 
 Serbia: 
 
 Dunav Osiguranje — state-owned, largest in RS 
 DDOR Osiguranje — Unipol group, has professional liability 
 Generali Srbija — international 
 
 No Serbian insurer has a ready-made fintech PII product — policy will be bespoke. 
 
 Countries Covered 
 
 
 
 Country 
 Framework 
 Entity 
 Mechanism 
 
 
 
 
 🇳🇴 Norway 
 Finanstilsynet AISP 
 ALAI Holding AS 
 Direct registration 
 
 
 🇭🇷 Croatia 
 PSD2 / Berlin Group 
 — 
 EEA passporting from Norway 
 
 
 🇷🇸 Serbia 
 NBS bilateral (PSD2-equivalent, Sl. glasnik RS 64/2024) 
 ALAI Tech d.o.o. 
 Direct NBS registration 
 
 
 🇧🇦 BiH 
 No PSD2 mandate 
 — 
 Bilateral bank agreements 
 
 
 
 
 Veza sa Drop 
 Drop Norway (ZTL Payment Solution AS candidacy) requires a PI licence from Finanstilsynet. The AISP/PISP licence is the same instrument — Tok benefits from Drop's regulatory investment at no additional cost. 
 Shared regulatory infrastructure: 
 
 Same Finanstilsynet application 
 Same EEA passporting mechanism 
 Same PII insurance (Norway/EEA policy) 
 Same QWAC/QSEAL certificates (DigiCert or GlobalSign) 
 
 
 Registration Timeline 
 
 
 
 Phase 
 Country 
 Entity 
 Target 
 Capital 
 
 
 
 
 1 
 Norway 
 ALAI Holding AS 
 Q2 2026 
 €0 
 
 
 1b 
 Croatia 
 — (via passporting) 
 Q2–Q3 2026 
 €0 
 
 
 2 
 Serbia 
 ALAI Tech d.o.o. 
 Q3–Q4 2026 
 €0 
 
 
 3 
 BiH 
 — (bilateral) 
 Q1 2027 
 €0 
 
 
 4 
 Serbia PISP 
 ALAI Tech d.o.o. 
 Q2 2027+ 
 €50,000 
 
 
 
 
 Key Regulatory Contacts 
 
 
 
 Institution 
 Contact 
 Status 
 
 
 
 
 Finanstilsynet (NO) 
 fintech@finanstilsynet.no 
 Email sent 24.02.2026 ✓ 
 
 
 HNB (HR) 
 moneterra@hnb.hr 
 Pending 
 
 
 NBS (RS) 
 platni.sistem@nbs.rs 
 Pending 
 
 
 
 
 QWAC Certificates 
 Required for PSD2 mTLS (Croatia, and Serbia if Berlin Group adopted). 
 
 Provider: DigiCert (via QuoVadis) or GlobalSign 
 Note: Buypass AS discontinued PSD2 certificates from 01.10.2025 — do NOT use 
 Cost: ~€200–800/year 
 Lead time: 5–15 business days after receiving NCA authorisation number 
 Storage: GCP Cloud KMS HSM (private key never leaves HSM) 
 
 Reference: eIDAS Trusted List Dashboard for full list of qualified TSPs.

Per-Country Guide
Per-Country Regulatory Guide 
 Country-by-country breakdown of Tok's AISP registration approach. 
 
 🇳🇴 Norway — Base Registration 
 Regulator: Finanstilsynet (Norwegian FSA)
 Licence type: AISP (opplysningsfullmektig)
 Entity: ALAI Holding AS (org.nr 932 516 136)
 Capital required: €0 (PII insurance only)
 Contact: fintech@finanstilsynet.no 
 Process 
 
 Submit AISP application to Finanstilsynet
 
 Programme of operations 
 Business plan 
 Fit & proper declarations 
 PII insurance certificate (Nordic Guarantee or Howden Norway) 
 IT security documentation 
 AML/KYC procedures 
 
 
 Application fee: NOK 5,000–30,000 
 Timeline: 2–3 months 
 
 Status 
 Email sent 24.02.2026. Pre-application guidance meeting to be scheduled. 
 
 🇭🇷 Croatia — EEA Passporting from Norway 
 Regulator: HNB (Hrvatska Narodna Banka)
 Mechanism: EEA passporting — Norway (EEA) → Croatia
 Capital required: €0
 Contact: moneterra@hnb.hr, +385 1 4702 181 
 Process 
 
 ALAI Holding AS obtains Norwegian AISP registration (Finanstilsynet) 
 Finanstilsynet notifies HNB (PSD2 Article 28 — home regulator has 1 month) 
 Service can begin 30–60 days after notification 
 QWAC/QSEAL certificate obtained (DigiCert or GlobalSign) 
 Register on Croatian bank developer portals 
 
 Passporting scope: Norway → ALL EEA countries (not just Croatia). One Norwegian licence = access to entire EEA. 
 API Standard 
 Berlin Group NextGenPSD2 — all Croatian HUB-registered banks implement minimum v1.3.8. 
 Croatian Bank Portals 
 
 
 
 Bank 
 Sandbox Portal 
 Status 
 
 
 
 
 Addiko Bank 
 oapideveloper.addiko.hr 
 Available 
 
 
 Erste & Steiermärkische 
 developers.erstegroup.com 
 Available 
 
 
 HPB 
 openbanking.hpb.hr 
 Available 
 
 
 OTP Banka 
 apiportal.sandbox.otpbanka.hr 
 Available 
 
 
 PBZ (Intesa) 
 apiportal.pbz.hr 
 Available 
 
 
 Raiffeisenbank 
 sandbox.rba.hr 
 Available 
 
 
 Zagrebačka banka (UniCredit) 
 developer.unicredit.eu 
 Available 
 
 
 
 Sandbox access available before AISP approval — testing can begin immediately. 
 Verification 
 After approval, verify registration in EBA EUCLID register: euclid.eba.europa.eu/register/pir/search 
 
 🇷🇸 Serbia — Direct NBS Registration 
 Regulator: NBS (Narodna Banka Srbije)
 Licence type: AISP registracija
 Entity: ALAI Tech d.o.o. (Serbian subsidiary, 100% ALAI Holding AS)
 Capital required: €0 for AISP; €50,000 for PISP
 Contact: platni.sistem@nbs.rs, +381 11 3338-051 
 Legal Basis 
 
 Zakon o platnim uslugama: Sl. glasnik RS 64/2024 (adopted 31.07.2024, applicable from 06.05.2025) 
 Odluka o tehničkim standardima: Sl. glasnik RS 102/2024 (published 23.12.2024) 
 Bank API deadline: 01.01.2026 
 
 Process 
 
 Register ALAI Tech d.o.o. with APR (Serbian Business Registry)
 
 ALAI Holding AS = 100% owner 
 Minimum capital: 100 RSD (symbolic per Serbian law) 
 Activity: account information service provision 
 
 
 Submit AISP registration to NBS
 
 Programme of operations 
 Business plan 
 AML/KYC procedures 
 IT security documentation 
 Organisational structure 
 PII insurance from NBS-licensed insurer (Dunav or DDOR) 
 
 
 Timeline: 3 months statutory, 6 months realistic 
 NBS sandbox available for pre-registration testing 
 
 Important: No Central API Standard 
 Serbia does NOT have a centralised API standard like Croatia's HUB. Each bank must be connected bilaterally. 
 
 
 
 Bank type 
 API standard 
 Adapter 
 
 
 
 
 EU bank groups (UniCredit, Raiffeisen, NLB) 
 Berlin Group (likely) 
 BerlinGroupAdapter 
 
 
 Domestic banks (AIK, OTP Serbia, Banca Intesa Serbia) 
 Bank-specific 
 BilateralAdapter 
 
 
 
 Serbian Bank Portals 
 
 
 
 Bank 
 Portal 
 API Standard 
 
 
 
 
 NLB Komercijalna 
 developer.nlbkb.rs 
 Berlin Group (NLB group) 
 
 
 UniCredit Srbija 
 developer.unicredit.eu 
 Berlin Group (UniCredit group) 
 
 
 Raiffeisen Srbija 
 api.rbinternational.com 
 Berlin Group (RBI group) 
 
 
 AIK Banka 
 TBD — bilateral 
 Unknown 
 
 
 OTP Srbija 
 TBD — bilateral 
 Unknown 
 
 
 Banca Intesa Srbija 
 TBD — bilateral 
 Likely Berlin Group 
 
 
 
 PII for Serbia 
 Must be from an NBS-licensed insurer — foreign/EEA policy is not accepted. 
 
 Dunav Osiguranje: dunav.com 
 DDOR Osiguranje: ddor.rs 
 Policy will be bespoke (no off-the-shelf fintech PII product in Serbia) 
 
 
 🇧🇦 BiH — Bilateral Agreements 
 Regulators: CBBH (central bank), FBA (FBiH banking agency), ABRS (RS entity banking agency)
 Mechanism: No PSD2 mandate — direct bilateral contracts with banks
 Capital required: €0 
 Process 
 
 Contact EU bank groups with existing API infrastructure:
 
 UniCredit BiH (UniCredit group — developer portal exists) 
 Raiffeisen BiH (RBI group — API marketplace exists) 
 NLB BiH (NLB group — developer portal exists) 
 
 
 Negotiate bilateral data access agreements 
 Implement per-bank BilateralAdapter 
 Note: May require notification/approval from FBA or ABRS — investigate during Phase 3 
 
 Local contact: Asmir Merdžanović (SnowIT partner) — local contacts and market knowledge. 
 Status 
 Phase 3 — begin after Croatia and Serbia are operational (Q1 2027). 
 
 Comparison Table 
 
 
 
 Aspect 
 Croatia 
 Serbia 
 BiH 
 
 
 
 
 PSD2 
 Full (since 2019) 
 Equivalent law (2024) 
 None 
 
 
 API standard 
 Berlin Group v1.3.8+ 
 No central standard 
 None 
 
 
 Registration path 
 EEA passporting from NO 
 Direct NBS registration 
 Bilateral only 
 
 
 Entity 
 ALAI Holding AS 
 ALAI Tech d.o.o. 
 — 
 
 
 Capital for AISP 
 €0 
 €0 
 €0 
 
 
 PII 
 EEA policy (NO) 
 Serbian NBS-licensed insurer 
 N/A 
 
 
 Timeline 
 Q3 2026 
 Q4 2026 
 Q1 2027 
 
 
 QWAC required 
 Yes 
 If Berlin Group adopted 
 No 
 
 
 Sandbox available 
 Yes (all major banks) 
 Yes (NBS sandbox) 
 No