PSD2 Transposed into Hungarian Law
On 31 October 2017, the Hungarian Parliament passed the legislative package that will implement Directive 2015/2366 on payment services in the internal market (“PSD2”) into Hungarian law. The majority of the relevant provisions of the legislative package (“Amendment Act”) will enter into force on 13 January 2018, in line with the requirements of PSD2.
The Amendment Act modifies as many as ten laws governing payment services. Below we will highlight significant changes to the laws modified by the Amendment Act (such as the act on the pursuit of the business of payment services, the act on payment service providers, and the act on credit institutions and financial enterprises) which are likely to bring about substantial changes primarily for current service providers.
Introduction of the Open Banking
The biggest change proposed by PSD2 affecting the whole banking system is the creation of “open banking” that aims to enable customers to initiate transactions and to access their account information not only by their account servicing bank, but also through fintech companies (new types of third-party service providers or “TPPs”).
According to a late modification of the bill during the parliamentary proceeding, customers will not be granted with statutory rights to the open banking services yet, since the applicable provisions will enter into force only on 1 January 2019. This however does not imply that the services of payment initiation service providers (“PISPs”) and account information service providers (“AISPs”) cannot be used after 13 January 2018; instead, it means that the availability of such services will depend on the given account servicing payment service provider and its preparedness. Until then, such TPPs will be required to proceed with the newly developed authorisation and registration procedures and thereafter they will have the opportunity to step in to the market through the (yet discretionally) opening gates of the banks.
However, discretion may not lead to discrimination: if a bank allows a PISP to send transfer orders through the system, it must make this possibility available to other PISPs as well in an objective, proportionate and anti-discriminatory manner.
Strong Customer Authentication, Complaints Handling and Liability
Although the other comprehensive change, introduced by the PSD2 and affecting all online transactions, is not immediately introduced by the Amendment Act, the application of strong customer authentication will be required more than six months before as it would be according to the EU legislative timeline.
- The detailed rules and technical conditions for strong customer authentication are set out in the relevant regulatory technical standards (“SCA-CSC RTS”) which are currently being finalised. While the minimum requirement set out by PSD2 is that strong customer authentication must be applied 18 months after the SCA-CSC RTS enters into force (in the legal form of a Commission delegated regulation), most likely from August 2019, the timeline for Hungary will be tighter: the service providers affected have slightly more than one year to execute the substantial technical development projects required for ensuring compliance.
- During the one-year transition period from the entry into force of the Amendment Act until strong customer authentication becomes mandatory, service providers should prepare for changes in liability rules. It is important to know that, where the service provider did not require strong customer authentication and transactions without consent took place (e.g. lost credit cards or unauthorised account access), the service provider will be liable for the full amount of the damage occurred.
- One of the most significant immediate changes triggered by the Amendment Act (that is likely to cause serious concern for account servicing banks) will be the immediate liability for transactions without consent. This means that, if an unauthorized payment transaction is executed , the account servicing bank of the payer will be required to refund the amount of the unauthorised payment transaction to the payer no later than the end of the workday following the day when the transaction is reported by the customer, regardless of whether or not such transaction was initiated through a PISP.
- In order to ensure compliance with the requirement, an expedited administration process, separate from the conventional complaints handling procedure, will need to be developed, as well as procedures for managing and monitoring customer complaints. This is not only an additional administrative burden, but also represents an increased liability for incorrectly executed payment transactions.
- In addition, resistance to unfounded claims will also become harder under the Amendment Act as the burden of proof will rest with the account servicing bank. In such a regulatory environment, therefore, applying strong customer authentication would have multiple benefits and could provide sufficient evidence to avoid the intraday payment obligation for damages.
The new act establishes the grounds for free movement of all types of data (including personal information and data which qualify as bank and securities secret, business secret, payment secret and insurance secret) within groups of companies.
- This is intended to improve access to personalised and digital banking services by allowing access to data in respect of various financial, investment and insurance services provided typically to the same clients typically by legally separate entities that are members of complex groups. The transfer and management of such data will not require the customer’s consent, contrary to the general data protection principles, but the customer will be able to expressly restrict or prohibit the transfer of data at any time by issuing a statement to this end.
- There will be two levels of regulation: the financial, investment and insurance service providers that are involved in collective data management will have a relatively extensive access to customer data as part of their business activities, while other entities belonging to the group will have access only for specific purposes.
- The option to transfer data will be available for existing contracts as well, and customers with existing contracts will need to be notified in writing at least 30 days before such data transfers. In addition, relevant publication must also be made on the service provider’s website, and data transfers may commence only after 30 days from such publication on the website.
Changes in Exemptions
In terms of exemptions from payment services, service providers offering services relating to various gift cards, store cards or fuel cards (subject to “limited network exclusion”) and service providers offering music and content downloads, voting and similar services through various telecommunications channels (“telecom exclusion”) should prepare for the changes.
- In respect of the limited network exclusion, from now on service providers will be required to report to the Hungarian National Bank if the total value of their payment transactions exceeded HUF 300 million in the preceding 12 months. Based on the report describing the features of the network, the Hungarian National Bank will decide on whether the given service qualify as a payment service.
- In respect of the telecom exclusion, from now on entities will be required to ensure that the value of individual payment transactions (e.g. a concert ticket purchased against a prepaid phone card) does not exceed HUF 1,500 and their aggregate amount does not exceed HUF 90,000 per calendar month. Telecommunications service providers exercising the exemption will have to submit an annual inspector’s opinion to the Hungarian National Bank before 31 May of each year to prove that the conditions for exemption apply.
- Although PSD2 envisages the abolition of the exemption for intermediaries acting in both buyer-side and seller-side money transfers (various store-within-a-store e-commerce platforms), this is not reflected in the changes to the Hungarian regulations.
Preparing for the Changes
- The Amendment Act requires a significant number of changes to be made to framework agreements. Account servicing banks are required to inform their customers of these changes before the Amendment Act takes effect, i.e. before 13 January 2018, so that they shall have sufficient time to reject the proposed changes and terminate the framework agreement. This will likely be a significant administrative burden for banks despite the fact that the concerned provisions, according to which banks would have been required to be inform customers by 13 November 2017, were finally changed in the Amendment Act by a last-minute modification.
- Although the implementation rules are expected to be published later, as a general rule, current payment service providers may carry on their activities in an unchanged form until 13 July 2018 on the basis of the statutory regulations. If they wish to continue providing payment services after this date, they will need to submit an application for a certification of compliance, supported by a wide range of documents, to the National Bank of Hungary before 28 February 2018.
- It is important to note that the Hungarian legislator adopted the option provided by PSD2, by which the majority of banks will not be required to submit either an application for authorisation or a separate application for a certification of compliance, provided that they meet the capital requirements by 13 January 2020. Nevertheless, they will be required to comply with the new regulatory requirements all the same.