Fintech Regulation – Implementation of the PSD2 Directive

The PSD2 Directive (EU) 2015/2366), an EU directive on the regulation of payment services, was implemented in Hungarian law in October 2017. Law No. 145/2017 entered into force on 13/01/2018 in accordance with the Directive.

Introduction of open banking
The biggest innovation is the introduction of the so-called Opens Banking. As part of open banking, customers will in future be able to carry out transactions not only via their account-managing bank, but also via the FinTech companies as third-party providers (“Third Party Provider”). Using the so-called “PISP” payment triggering service, bank customers can then have payments executed from their own account without having to contact the account-managing institution directly, as well as access the account information of the banks, which was obtained in a standardised manner from the third-party providers (AISP account information services). This enables customers to retrieve information from different accounts fully automated and have it available in real time.

However, open banking without restrictions will not be made available to Hungarian customers until 01/01/2019. In the meantime, the use of third-party providers depends on the willingness of the respective account-holding institutions to enable customers to do so. However, this offer must not be restricted. Therefore, if a bank assures a PISP that it may use its system to send payment orders, the same option must be given to the other PISPs.

Customer authentication and liability
Furthermore, careful customer authentication is a prerequisite. The detailed regulations and technical requirements for customer authentication are determined by the control standards (“SCA-CSC RTS”), which are currently being finalised. The PSD2 Directive stipulates that customer authentication must be applied no later than 18 months after the Directive enters into force, i.e. as of 01/09/2019. In contrast, the Hungarian regulation shortens this period by six months and prescribes such customer authentication from 13/01/2019. In the transition period, however, strict liability regulations will already apply. If financial service providers do not perform customer authentication in the event of an unauthorised transaction (eg loss of a credit card or unauthorised access to the account), they are fully liable for damages. In addition, in the event of an unauthorised transaction, the account-holding bank is obliged to refund the amount of the unauthorised transaction to the paying party by the end of the working day following the registration, irrespective of whether the payment was initiated by means of a PISP or not.

Irrespective of the usual, already existing procedures, new, accelerated procedures are being developed for the handling of complaints.

Author: Richárd Zuberecz