Body
FinTechs belonging to this area offer traditional banking services in a modern way, usually through online services or mobile applications as well as ancillary services – e.g. enabling customers to manage their giro- or custody-accounts online and in real time or offering e-wallet services. Keywords in this context are also API-Banking or Banking as a Service (BaaS)/ Bank as a Platform (BaaP).
API-Banking:
API stands for application programming interface and is offered to access data banks and to extract and insert information. API-Banking consequently means the access to data banks of banks to offer new and innovative banking applications.
Through these services FinTechs offer services with new functions, e.g. enabling customers to manage their accounts online and in real time.
BaaS – Bank as a Service/BaaP – Bank as a Platform:
The API-based Bank as a Service platform has a full banking licence, but merely serves as the back end for standalone independent FinTechs, which “use” the licence and the back end of the bank to offer new financial services, launch additional financial products or expand into additional markets.
Introduction
Attitude of the country towards online-banking services
The social and political climate towards online-banking services is positive in North Macedonia. The banks offer online-banking services that cover functions such as daily transactions, foreign currency payments, the ability to check the balance of the accounts, credit cards, deposits, and loans, change of credit and debit card limits for payment at POS terminals, ATMs, and E-commerce. Overall, it is expected for the banks in North Macedonia to follow and adapt to the latest trends and developments of online-banking services.
Legal affairs
Obligations and requirements to provide online-banking services described above
The banks can provide online-banking services by obtaining an approval by the governor of the National Bank. The online banking services are further regulated with the Decision for the Banking Information Security Methodology (Methodology). The Methodology requires from the banks to (i) conduct a risk assessment of potential digital space attacks; (ii) to implement security controls; (iii) to test the reliability of the system’s resistance to attacks; (iv) constant monitoring; and (v) upgrade of the system and diversion of competencies of the bank’s bodies from the aspect of management with the security of the information system.
The bank is also required to adopt a framework for planning and developing an appropriate information technology management strategy in accordance with the Methodology. The information technology management strategy needs to be harmonised with the business policy of the bank. The Methodology also obliges the bank to develop and implement a plan for continuity of the bank operations which needs to be based on several scenarios which will enable operability and minimise losses in the event of a severe outage of business processes. For the systems of modern channels that include remote access to the bank with the possibility of execution of payment transactions through means of remote communication, information system security should provide user authentication and monitoring payment transactions. Also, in modern channels, monitoring mechanisms should be implemented to the client's activities and the received payment transactions that are intended for preventing, detecting, and further investigating potential fraud. These mechanisms should be activated prior to any acceptance and approval of payments. The banks are required to inform the National Bank in cases when it will identify that the highest level of security incident has occurred i