Due to changes in the Prevention and Combating of Money Laundering and Terrorist Financing Act earlier this year, the policy templates and guidelines have changed

The National Bank of Hungary (MNB) updated its Money Laundering and Terrorist Financing Prevention Policy Templates and its Guidelines, designed to assist companies under the effect of the Act on Money Laundering (primarily those operating in the money and capital markets) with legal compliance.

Major amendments to the Act on Money Laundering (Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing) entered into force on the 10^th of January 2020. Most notably, they extend the scope of the Act to new services and providers of services:

• a provider of exchange services between virtual and legal currencies and virtual currency exchange services;
• depositary wallet providers;
• a service provider dealing in or selling cultural goods (art, antiques) in respect of transactions or series of transactions the value of which is equal to or greater than HUF 3,000,000;
• service providers engaged in the storage or trading of cultural goods (art, antiques) in free ports or those acting as intermediaries in free ports for transactions or series of transactions the value of which is equal to or greater than HUF 3,000,000; and
• registered office service providers.

The Act also applies to a service provider – irrespective of where its headquarter is registered – which offers its services through a permanent business establishment in Hungary – which includes a branch – directly with the services specified in the Act on Money Laundering.

With respect to services, in case of the commercial leasing of real estate, only rental fees exceeding HUF 500,000 per transaction are subject to the law. Similarly, in the case of a brokerage service provided by a real estate agent, the extension applies only to the commercial mediation of the transfer of ownership of real property. The obligations of investment fund managers to prevent money laundering are extended with regards to their activities as defined in the Investment Services Act (Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities). The law imposes provisions on the amount of money exchanged in foreign exchange offices: transactions with a value of HUF 100,000 or more for one client within one week, are now subject to the law.

The rules on customer due diligence changed significantly. New regulations demand service providers to classify customers based on risk assessment, expand the line of customers subject to more stringent due diligence procedures with politically exposed persons and tighten the rules of procedure. Service providers with high risk, third-country clients with strategic deficiencies must comply with new standards in terms of customer identification (the most important of which is the establishment of business relationships, the execution of a transaction order subject to management approval under internal regulations). A new chapter – Special Customer Due Diligence – was added to the legislation, primarily concerning credit institutions, financial service providers and electronic money issuers. The limits of transaction orders set by laws changed. Service providers are required to perform due diligence when executing a transaction order in excess of HUF 4,500,000, the merchant must perform due diligence when a transaction exceeding HUF 3,000,000 is performed using cash, and due diligence must be conducted on any currency exchange amounting to at least HUF 300,000. The scope of the documents which may certify the source of money or property has been defined in the regulations.

Further changes to the law will take effect on October 1 and December 1, 2020, including the so-called provisions on changes in the level of risk, new reporting obligations on beneficial owners (to be filed in a central registry), and reporting obligations on bank accounts and safes.

Policy Templates

In line with its previous practices, MNB prepared sample model policies for trust service providers, and supports the compliance of service providers subject to the Act on Money Laundering with the help of the internal regulations. The most recent policy templates were published on the website on the 30^th of March 2020: https://www.mnb.hu/felugyelet/szabalyozas/penzmosas-ellen/szabalyzatok-segedletek

Internal policies are required to comply with the new requirements by April 9, 2020, in line with the Act on Money Laundering, regardless of the date of publishing of regulatory samples.

Assignment of a Legal Adviser

For service providers who only recently became affected by new laws, or who do not have sufficient resources to ensure compliance with the law, it is strongly recommended that they consider utilising the services of legal advisers.

• Kapolyi Law Firm, the preeminent Hungarian capital markets law firm, with over two decades of expertise, fully supports the development of internal policies and the adaptation of existing policies the to new requirements.
• Kapolyi Law Firm has extensive experience in drafting internal policies to comply with laws on the prevention of money laundering and terrorist financing.

If you have further questions about money laundering and terrorist financing prevention, please do not hesitate to contact one of our experts.

In our previous newsletter, we examined the most important labour law provisions, which became especially relevant due to the spread of the coronavirus. We would like to remind you, that in today’s extraordinary circumstances, employers must not only consider labour laws, but also comply with data protection regulations. This newsletter summarises the most imperative risks, and proposes measures to be taken, which are approved by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

1. Risks and Challenges

The European General Data Protection Regulation (GDPR) set strict conditions for data processing, and equipped national authorities with effective tools to enforce its provisions. As a result, enterprises must invest a significant amount of resources in order to ensure compliance with data protection provisions. The world of business perceives the strictness of the GDPR as an unnecessary burden. This is especially true for SMEs and those enterprises whose main area of activity bears no relationship with processing personal data, or those who only conduct data processing peripherally. Therefore, one may believe that the new data protection regulations needlessly hinder the implementation of the employer’s health and safety measures.

Luckily, this is not the case. During the drafting of the GDPR, European lawmakers considered risks such as an epidemic, which means that the GDPR does not hinder or prevent epidemic measures from being implemented (Section 46 of the Preamble of the Regulation explicitly describes this). However, this does not mean that by referring to extraordinary circumstances employers are allowed to collect and process any kind of data. The Regulation continues to severely sanction data processing which may not be considered as purposeful or justifiable, and also prohibits the employer from going beyond its role, utilising tools which only national authorities are permitted use.

A situation such as this requires the employer to process a wider range of data on employees than it usually does. In order to ensure uninterrupted communication and the upkeeping of regular operation, it becomes inevitable for the employer to collect and process personal phone numbers, e-mail addresses and other online contact details. Furthermore, depending on a given economic activity, it may become necessary to process several other kinds of personal data.

With regards to the above, our general advice is to ask for the assistance of a data protection expert when designing new workflows to be implemented. We recommend this in order to satisfy the principle of privacy by design, and through this to ensure compliance with further data protection principles. It is not recommended to appoint administrative staff or middle management to implement measures. It is a better choice to construct uniform, regulated workflows with the aid of an expert.

With regards to data protection, a further challenge stems from the recently popular decision of employers directing employees to work remotely. It is often the case that employees are forced to use their own devices for work – to a certain extent – instead of relying on the employer’s IT infrastructure. Such measures may pose severe data protection risks. In several processes, a greater data protection risk is one which may have an effect on the data processing’s legality. For instance, in case of data processing based on legitimate interest, the test for balancing interests may bear different results under a lower data protection level.

2. Healthcare and Travel-related Data Processing

Recently, employers widely began to implement measures, which involve the processing of personal data concerning health. We would like to emphasise that personal data concerning health is classified as a special category under the GDPR. The processing of such data has strict conditions and boundaries. The data protection risk in this case is significantly greater, than when processing different categories of data.

It is not lawful for employers to conduct medical checks by themselves, or to request healthcare documentation from their employees. Conducting mandatory body-temperature tests, issuing compulsory health-related questionnaires, demanding data on medical history in any way, and other similar measures all count as an unlawful data processing, which the employers may not conduct. According to NAIH, an exception to this rule may only be granted on an individual basis for certain jobs that are considered to be highly susceptible to illness. Even in this case, several data protection provisions are to be complied with, and a healthcare expert must also be involved.

The processing of health-related data is not forbidden. The GDPR prescribes several legal grounds, based upon which the processing of special categories of data is permitted. It is important to mention that prior to beginning the processing of such data, it is essential to examine the necessary conditions for it. It is common practice that an employer orders an employee to fill out a declaration of consent and believes that the data processing is therefore legitimate. This will most likely result in an invalid declaration and illegitimate data processing, even if the data in question does not fall under a special category of data. We therefore recommend this practice to avoided.

A significant proportion of employers with larger workforces have recently ordered their employees to compulsorily fill out questionnaires with regards to whether the employee or any other person entering the premises of the workplace has recently visited a country affected by COVID-19 or whether they have symptoms of the coronavirus. These questionnaires may only be legitimate, if prior to their introduction, the employer has conducted the test for balancing interests, and is satisfied that the measure is necessary and is proportionately beneficial when considering the measure’s negative effects on the employees’ rights. As discussed above, questions may not inquire about medical history, and the processing of data collected through the questionnaire must be regulated.

A further question arises with regards to the legality of an employee’s ‘whistleblowing’ concerning another employee’s symptoms. Accepting these reports is not illegal. Based on the principles of Labour Law (duty of cooperation, good faith, fairness), employees are entitled to and obliged to submit a report to the employer regarding health risks they are aware of in the workplace. However, we believe that the process of submitting a report should be regulated in a way which complies with data protection principles, and does not result in the stigmatization and/or discrimination of employees who are perceived to be ill.

3. Recommended Measures

Generally, we recommend that personal data should only be processed, if it is absolutely necessary. If there is an alternative, then that should be the preferred choice. Furthermore, when processing sensitive data, it is recommended to strive for a high level of compliance with the principle of transparency, and to and to provide clear information on all measures taken.

Recently, European data protection authorities began to publish their recommendations with regards to data protection questions related to the coronavirus epidemic. The interpretation of regulations varies greatly between different authorities. It is often the case that certain legal bases are legitimate in one Member State, but are not applicable in another and a number of Member States’ authorities declared that employers have limited means to conduct data processing. Concurrently, multiple authorities explicitly stated that the GDPR does not restrict entities in such situations. As such, we recommend multinational enterprises not to rely on the guidance and/or internal regulations issued by their corporate group or parent company. Hungarian corporations must comply with NAIH’s guidelines.

On a final note, we would like to direct your attention to NAIH’s recommendations for the measures to be taken by employers, which we summarised below:

NAIH recommends the development of a so-called pandemic or business continuity action plan. This plan this does not exclusively concern itself with data protection issues, but are drafted with consideration of the relevant data protection risks. Detailed informative prospectuses created for employees as a part of the plan don’t limit themselves to data protection issues only. Instead, they are to provide information regarding the coronavirus and guidance on how to deal with the risk of infection. In similar situations, NAIH considers it necessary for the plan to include provisions on the reorganisation of business and business travel, including the regulation of remote working. Additionally, NAIH considers it important that the action plan includes a notice for employees to immediately report any suspected infection and to consult the occupational physician or a general practitioner.

Just like with preparing the necessary labour law documentations, responding to our clients’ data protection inquiries is a top priority for us. We will do everything in our power to help you comply with regulations as soon as possible!

If we may be of assistance to you with regards to any of the above, please don’t hesitate to contact us!

We organized a client breakfast inviting the representatives of listed companies, institutional investors and securities account managers, under the name of Kapolyi INSIGHT. At the event experts of Budapest Stock Exchange and Kapolyi Law Firm presented and summarized the key tasks and obligations of the relevant actors and stakeholders subject to the new act on long-term shareholder engagement.

The act on encouragement of long-term shareholder engagement adopted in July 2019 imposes new obligations on issuers, fund managers and insurance companies. During our Business Breakfast event, Kapolyi INSIGHT – hosted at the Bank Center – our speakers raised awareness about the implications of new duties and responsibilities for those affected. You can read more about the event on portfolio.hu.

Sorry, this entry is only available in Hungarian.