FinTech – Guidance from the Hungarian regulator

The Hungarian National Bank published on its website guidance regarding PSD2. The regulator provided interpretation in the following areas:

• All payment account qualifies as online accessible if the client is able to give payment orders through any IT device. The term shall cover e.g. a computer, a mobile phone, or an application on a mobile phone.
• The payment service provider is obliged to require strong customer authentication in three cases: a) if the client accesses his/her own account (i.e. the client uses its NetBank or mobile bank application), b) the client gives payment order irrespective of the form of such order (e.g. the client uses its card at a POS terminal or gives payment order via NetBank), c) any other situation, which does not fall under points a) or b), but which could lead to fraud (e.g. the amendment of limits or changing the mobile phone number used to notify the client).
• TPPs may acquire information only if such information is necessary for the provision of the given service. If the service requires the analysis of the narrative, the TPP may acquire such information upon consent from the client, however, the requirements of GDPR should also be fulfilled.
• The regulator identified those provisions of the Hungarian implementing rules, which in line with EBA’s Opinion (EBA/Op/2017/16.) should not apply before 2019.
• The Account Servicing Payment Service Providers are not obliged to develop a dedicated interface, it is enough if the ASPSP provide access to account e.g. via NetBank.
• If the ASPSs develop a dedicated interface, they are, with certain exceptions, obliged to develop fallback mechanisms. The regulator’s position is that the client interface could function as a fallback mechanism.

Back to news