Compliance
Last updated: May 2026
Regulatory Framework
Bankee Technologies OÜ operates within the regulatory framework applicable to payment technology providers in Estonia and the European Union. Our compliance programme is designed to meet the requirements of current and emerging EU payment regulation, with a particular focus on open banking, data protection, and agentic payment standards.
Finantsinspektsioon (Estonian FSA)
Bankee operates in partnership with Yapily Ltd, a payment institution authorised and regulated by relevant financial authorities, which provides the open banking infrastructure underpinning Bankee's payment initiation and account information services.
Estonian financial services regulation is overseen by Finantsinspektsioon (the Estonian Financial Supervision Authority, fi.ee). Bankee's activities as a technology provider to regulated payment institutions are conducted in accordance with applicable requirements under the Estonian Payment Institutions and E-money Institutions Act (Makseasutuste ja e-raha asutuste seadus, MIAS) and relevant EU regulations.
PSD2 and PSD3
The Bankee platform is built in compliance with the EU Payment Services Directive 2 (PSD2) as implemented in Estonian law, and is designed to accommodate the forthcoming Payment Services Regulation (PSD3 / PSR) reforms.
Key PSD2-aligned capabilities include:
• Strong Customer Authentication (SCA): our SDK supports SCA flows compliant with the EBA Regulatory Technical Standards on SCA and Common and Secure Open Standards of Communication.
• Open Banking API connectivity: account-to-account payment initiation via compliant open banking APIs across 2,000+ financial institutions.
• Transaction monitoring: real-time fraud detection and reporting mechanisms consistent with PSD2 Article 96 obligations.
As PSD3 and the Payment Services Regulation (PSR) come into force across the EU, Bankee will update its platform to align with new requirements including enhanced open finance scope, liability frameworks, and API performance standards.
GDPR and Estonian Data Protection
Bankee is fully committed to compliance with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, IKÜS).
Our data protection measures include:
• Data minimisation: we collect only the personal data necessary for the purposes described in our Privacy Policy.
• Privacy by design: data protection considerations are embedded into our product development lifecycle.
• Data Processing Agreements: all third-party processors are bound by contractual obligations meeting the requirements of GDPR Article 28.
• Data Subject Rights: we have established procedures to respond to access, erasure, portability, and other data subject requests within statutory timeframes.
• Breach notification: we maintain incident response procedures to notify the Estonian Data Protection Inspectorate (AKI) and affected individuals of reportable breaches within 72 hours.
For data protection enquiries, contact: privacy@bankee.ai
EMV and Card Network Standards
Bankee's card payment integrations are built on EMV (Europay, Mastercard, Visa) specifications, the global standard for chip-based payment card security.
Our platform supports:
• EMV Contact and Contactless (NFC): chip-and-PIN and tap-to-pay transaction flows across supported devices.
• EMV 3-D Secure (3DS2): for card-not-present authentication in digital payment flows.
• Tokenisation: card credential tokenisation in accordance with the EMV Payment Tokenisation Specification to reduce exposure of sensitive card data.
Card network integrations with Visa and Mastercard are subject to the respective network's operating regulations and data security requirements.
PCI-DSS
Bankee does not store, process, or transmit cardholder data in a manner that would require direct PCI-DSS certification of our core platform. Card data handling is delegated to our regulated payment partners (including Stripe and Visa) who maintain their own PCI-DSS certification.
Where our SDK operates in proximity to payment flows, we follow PCI-DSS scoping guidance to minimise cardholder data environment (CDE) scope for our device manufacturer partners.
Anti-Money Laundering (AML) and Financial Crime
Bankee maintains policies and procedures to prevent the misuse of our platform for financial crime, in accordance with the EU Anti-Money Laundering Directives (AMLD) as implemented in Estonia, including:
• Know Your Business (KYB) checks on commercial partners and device manufacturers onboarding to the Bankee SDK.
• Transaction monitoring capabilities to detect unusual payment patterns.
• Sanctions screening in accordance with EU sanctions regulations and relevant international sanctions lists.
• Staff training on AML obligations and suspicious activity recognition.
Bankee does not provide money transmission services directly. Payment execution is performed by regulated third-party institutions.
Agentic Payment Compliance
As a pioneer in agentic payment infrastructure, Bankee is actively engaged with emerging regulatory guidance on AI-initiated payments.
Our approach includes:
• Human-in-the-loop controls: configurable approval thresholds ensuring appropriate human oversight of AI-initiated transactions.
• Audit trails: immutable logs of all agentic payment actions, accessible to our partners for regulatory reporting.
• Protocol alignment: implementation of FIDO Alliance AP2 specifications, which incorporate privacy-preserving authentication standards for AI agents.
• Responsible AI: use of Claude (Anthropic) models with built-in safety guardrails for all AI components in our payment flows.
We actively monitor EBA, ECB, and European Commission guidance on AI in financial services, as well as the EU AI Act implications for payment systems, and update our platform accordingly.
Compliance Contact
For compliance enquiries, regulatory concerns, or to request our compliance documentation:
Email: compliance@bankee.ai
Bankee Technologies OÜ, Estonia