To support the prevention of money laundering and terrorist financing, on 26 June 2024, the Hungarian National Bank issued two new regulations, incorporating changes in domestic legislation, guidelines of the European Banking Authority and lessons learned from supervisory experience.
The legislation includes new provisions on the identification of the beneficial owner, requirements of the external audit function, establishment of the nature of business relationship, and electronic customer due diligence. The new legislation, depending on the subjects covered, enters into force from July 2024, January 2025 and/or March 2025 and covers service providers within the meaning of the Hungarian AML Act.
The regulation on the identification of the beneficial owner introduces a new provision that, in order to establish the ownership and control structure of legal persons or entities without legal personality, a declaration by the customer is sufficient for low-risk customers. In all other cases, the ownership and control structure must be verified by other risk-based measures. Additionally, to avoid the ‘strawman risk’, financial service providers must verify the identity of the beneficial owner. Where appropriate, they must conduct a due diligence interview with the customer and beneficial owner, and complete a questionnaire to determine the risk level. Providers must then assess the customer's risk. Additionally, electronic customer due diligence can be outsourced, but the provider cannot delegate the decision to establish a business relationship.
A new requirement for the internal control and information system is that the service filtering system must ensure real-time monitoring of transactions. The intensity and conditions of the filtering - based on the characteristics and risks of the customer and the indications of the Hungarian National Bank - will be set by the service provider, with a maximum time limit for the analysis and evaluation of the filters.
The other regulation of the Hungarian National Bank contains detailed rules on the minimum requirements for audited electronic communication devices and their operation, internal regulations, the method of auditing, and the implementation of online customer due diligence through such devices. As a new feature, service providers must consider and assess in a demonstrable manner the justification for introducing a new type of electronic communication tool for customer due diligence and its feasibility in light of the risks involved. Service providers must establish an electronic customer due diligence policy and continuously monitor, on a regular and ad hoc basis, and modify the functioning of their digital communication equipment as necessary in accordance with the law and their internal rules. The regulation also introduces the possibility to use biometric data in online customer due diligence. Finally, it should be highlighted that the regulation also contains a number of other provisions relating to the timeliness, secure storage and data protection of data obtained through audited electronic communications.
By Gabriella Galik, Founding Partner, KCG Partners Law Firm