(a) Internet (e-commerce)
Internet banking solutions are offered by all major banks in Hungary. Other e-commerce solutions – such as prepaid cards, Apple Pay, Revolut and Transferwise – are also present on the market. Financial service providers must ensure that services are provided in a secure manner, irrespective of the communication medium or device. A detailed recommendation (Guideline 15/2015) including recommended practices and solutions issued by the National Bank of Hungary (NBH) helps market players to meet these obligations.
In line with the Second Payment Services Directive, if a client has online access to a bank account or initiates an electronic payment transaction, the payment service provider must apply strong customer authentication (SCA). Requirements relating to SCA entered into force in September 2019. However, further to negotiations with market players, the NBH – in line with the opinion of the European Banking Authority – allowed an additional 12 months for payment service providers to adopt the necessary IT measures. It is thus presumed that SCA will be obligatory from September 2020.
Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union was implemented into Hungarian law through Act CVIII of 2001 on certain matters concerning electronic commercial services and information society services (the Act on Electronic Commercial Services). The act applies to online marketplaces, online search engines and cloud computing services. Service providers with more than 50 employees or a turnover or total balance sheet of more than HUF 10 million must inform the Special Service for National Security of any incidents in the IT security system that may have a substantial impact.
(b) Mobile (m-commerce)
Mobile applications are widely used in payment services. All major Hungarian banks offer e-banking mobile applications. Furthermore, several third-party service providers provide mobile solutions, such as account information. Many EU-based mobile payment firms also provide their services in Hungary. In terms of security and data protection, the same rules apply as in the case of payments made via the Internet.
(c) Big data (mining)
The use of big data in the provision of financial services is not yet subject to regulation. However, as a data-driven approach develops in the industry, the regulatory authorities have started to monitor the associated challenges and risks. A final report published by the European Banking Authority (EBA) (https://eba.europa.eu/file/609786/download?token=Mwkt_BzI), and referred to by the NBH, highlights that the use of big data raises questions relating to data protection, among other things. The rules of the General Data Protection Regulation apply in relation to data protection. Big data solutions are used, for example, to improve accuracy in the forecasting of ATM and branch cash supply.
(d) Cloud computing
Financial institutions, investment service providers and insurance companies are free to use cloud computing services; however, they must comply with all regulatory requirements relating to IT security, data protection and other rules regarding the necessary technical equipment. If personal data, bank secrets, securities secrets or insurance secrets are affected, the rules on outsourcing shall apply. In the case of outsourcing, the financial service provider remains liable for compliance with the data protection and confidentiality rules.
As cloud computing services are widely used in the financial sector, the NBH has issued detailed guidelines on the risk assessments that financial institutions should conduct before availing of such services, and the minimum requirements relating to the contract between the financial institution and the cloud computing service provider. These include the following:
- The financial institution should maintain a day-to-day list of activities in relation to which cloud computing services are used.
- Client data and bank secrets should be handled, processed and stored by the handler or processor only to the extent and for such time as is necessary to achieve the purpose of handling the data.
- The financial institution should have a plan in place in case it becomes necessary to end the agreement with the cloud computing service provider.
The outsourcing contract should include provisions on certain key issues, including:
- the cancellation of data;
- the rights of control of the financial institution;
- how force majeure cases will be handled;
- data handling and data processing; and
- responsibilities for data protection and IT security tasks.
(e) Artificial intelligence
In order to foster the widespread use of artificial intelligence (AI), the AI Coalition was established. The coalition consists of companies, universities, IT firms and law firms. Its objective is to determine jointly the directions and framework for AI development in Hungary and to serve as a forum for cooperation.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
The National Tax Authority has published an opinion which states that mining activity is subject to tax, and that tax may also be payable on profits earned from cryptocurrencies. The scope of the regulations on anti-money laundering and terrorist financing has further been extended to service providers that exchange virtual currencies for fiat currencies and vice versa. Apart from this, however, cryptocurrencies are not regulated in Hungary and as such, their legal status is uncertain.
In its publications, the NBH has repeatedly highlighted the risks that may arise from cryptocurrencies and investments in initial coin offerings (ICOs) and security token offerings (STOs), as these instruments and their providers do not fall under the scope of financial regulation, including customer protection. In an opinion, the Ministry of Finance has also highlighted that cryptocurrencies do not qualify as electronic money, financial instruments or non-cash means of payment. A joint working group, comprising members of the NBH, the Ministry of Finance and the National Tax Authority, has been established to assess the legal and economic aspects of cryptocurrencies. However, ICOs and STOs may also fall under the scope of financial instruments as defined under the Second Markets in Financial Instruments Directive (MiFID 2). Consequently, where such instruments are offered to the public, the Prospectus Regulation and the corresponding rules on public offerings set under the Capital Markets Act may apply.
Although blockchain technology is not regulated in Hungary, it is already being used in fintech innovations (eg, Aegon’s ski-slope insurance, discussed in question 2.2). Hungary has joined the European Blockchain Partnership, which aims to develop a European blockchain services industry that meets the highest standards in relation to privacy, cybersecurity, interoperability and energy efficiency.