The Hungarian National Bank’s New Green Banking Recommendation: ESG Risk Management as a Core Element of Bank Governance
The Hungarian National Bank’s Recommendation No. 2/2026. (III. 6.) represents a substantive shift in supervisory approach compared to the Hungarian National Bank’s former Recommendation No. 10/2022 (2 August). While the 2022 Recommendation primarily focused on the management of climate-related and environmental risks, the new Recommendation expects banks to establish a comprehensive ESG risk management framework: in addition to environmental risks, social and governance risks must also be embedded into the bank’s business strategy, risk appetite, internal control framework, lending and investment processes, ICAAP/ILAAP procedures and management reporting. Accordingly, the Recommendation is not merely a “green” compliance task, but a set of governance and risk management expectations affecting the entirety of prudent banking operations.
Compliance work must be based on a multi-layered regulatory framework. The foundation is provided by the corporate governance, risk management and internal control rules of Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises, in particular Sections 107, 108/A, 109 and 115 of the Credit Institutions and Financial Enterprises Act. At EU level, the ESG risk-related provisions of the CRR and CRD, the Taxonomy Regulation, the SFDR, the CSRD, the CSDDD, as well as the implementing technical standards on prudential disclosures must be taken into account. Among the supervisory instruments, the Hungarian National Bank’s Recommendation No. 12/2022 on internal lines of defence, the Hungarian National Bank’s Recommendation No. 1/2022 on suitability assessment, the Hungarian National Bank’s Recommendation No. 4/2022 on remuneration policy, the Hungarian National Bank’s Recommendation No. 7/2024 on credit risk, the Hungarian National Bank’s Recommendation No. 7/2025 on the minimum ESG questionnaire, and the Hungarian National Bank’s ICAAP-ILAAP-BMA Methodological Manual are of particular relevance. The new Recommendation also implements the EBA Guidelines on the management of ESG risks and the sustainability-related parts of the EBA Guidelines on loan origination and monitoring.
The Hungarian National Bank’s Recommendation clearly aligns the tasks within the bank with the logic of the three lines of defence. The board of directors, or the management body in its management function, is responsible for ensuring that ESG risks are embedded into the strategy, the business plan, the risk appetite and the internal risk management framework. The management body must understand ESG risks, ensure the necessary human and financial resources, approve the plans for the oversight and management of ESG risks, and regularly monitor their implementation. From the perspective of the supervisory function, annual assessments of the control functions are expected to also cover ESG risks, and the body acting in its supervisory capacity must exercise effective oversight over the system established.
The first line of defence — including, in particular, the business, lending, investment and client relationship areas — is responsible for identifying and recording ESG information relating to the client, product or transaction during onboarding, credit and investment decision-making, and monitoring. In the second line of defence, risk management must carry out methodologically sound assessment, monitoring and management on an aggregated basis, including in relation to ESG risk limits, risk appetite and KRIs. The compliance function is responsible for overseeing compliance with ESG legislation, internal policies, sustainability claims and commitments, as well as for participating in the product approval process for products with ESG characteristics. Internal audit, as the third line of defence, provides independent assurance as to whether the bank’s ESG risk management and control system is actually operating effectively.
The role of the controlling and management information functions becomes particularly important under the new framework. The bank must establish an ESG data collection, aggregation and reporting system capable of providing regular information to the management body and senior management. This includes mapping data gaps, developing an ESG data taxonomy, making the necessary adjustments to IT systems, and monitoring ESG metrics at portfolio, sector, client and product level. In the case of large institutions, such metrics may include, for example, financed GHG emissions, the alignment of portfolios with climate pathways, the energy efficiency breakdown of real estate collateral, concentrations of physical and transition risks, ESG-related reputational and litigation risks, and the outcomes of client engagement measures.
On the internal regulatory side, at least six types of documents and processes should be reviewed. First, an ESG risk management or transition plan must be developed, with short-, medium- and at least ten-year long-term time horizons, measurable targets and interim milestones. Second, the business strategy, risk strategy and risk appetite framework must be amended. Third, a separate methodology must be developed for ESG materiality assessment, client- and portfolio-level risk assessment, as well as scenario analysis and stress testing. Fourth, the lending, client rating, collateral valuation, sustainable lending and product approval policies must be updated. Fifth, the ICAAP/ILAAP procedures, as well as the procedures relating to liquidity, market, operational and reputational risks, must be amended. Sixth, the remuneration, training, compliance, disclosure, communication and internal audit policies must be aligned accordingly.
The deadlines are differentiated. As a general rule, the Hungarian National Bank expects the Recommendation to be applied from 1 July 2026, and the Hungarian National Bank’s Recommendation No. 10/2022 will cease to have effect on the same date. In the case of small and non-complex institutions, the general application date is 1 January 2027. As regards the plans for the oversight and management of ESG risks under Section IV.1, large and complex institutions must comply from 1 January 2027, while small and non-complex institutions must comply from 1 July 2027. At the same time, in strategic planning, banks must already take into account a longer time horizon: the plans must also address a time horizon of at least ten years, interim climate targets for 2030 and alignment with the 2050 net-zero objective.
The integration of an ESG organisational unit or responsible person into the bank governance system cannot be achieved merely by establishing a new “ESG office”. According to the Hungarian National Bank’s expectations, either a separate ESG centre, a chief sustainability officer function or a manager responsible for the management and control of ESG risks must be designated; alternatively, in smaller institutions, a member of the management body may also perform this role, subject to appropriate segregation of duties and responsibilities. The key point is that the ESG function should not operate as a parallel organisation, but should be embedded into the existing bank governance structure through regulated points of connection: its powers, role in preparing decisions, cooperation with risk management, compliance, legal, lending, controlling and internal audit functions, and direct reporting obligation to the management body should all be documented. The Hungarian National Bank considers quarterly or semi-annual reporting to be good practice, taking into account the principle of proportionality.
From a practical compliance perspective, the best model is for the ESG centre to have a coordinating and methodological role, without taking over the responsibilities of the individual lines of defence. The business areas remain responsible for the primary identification of ESG information at client and transaction level; risk management is responsible for methodology, rating, limits and aggregated control; compliance oversees legal compliance and greenwashing risks; controlling provides the data and management reporting infrastructure; and internal audit independently assesses the functioning of the entire system. In this way, ESG does not become a standalone compliance project, but an integrated part of the bank’s prudent operation, strategic planning and risk-taking decisions.



