Hungary targets online fraudsters with new Cyberfraud Act

Hungary

On 1 August 2024, Hungary enacted Act XVIII of 2024 on the amendment of certain acts and other criminal legislation to prevent cyberfraud activities, which introduced obligations for the performance of specific actions that will affect the operations of Hungarian credit institutions and other businesses that actively use bank accounts.

The Cyberfraud Act was passed to do the following:

  • facilitate the detection and suspension of fraudulent payment transactions; and
  • prevent damage caused by defrauding customers in various forms (e.g. SMSs, fake links, misleading bank account numbers, obtaining data from the customer without consent, etc.).

To achieve these aims, the Act on the Prevention and Combating of Money Laundering and Terrorist Financing has also been amended, and the amendment imposes obligations on payment service providers.

According to the Money Laundering Act, if a customer or an investigative authority notifies the payment service provider of a payment transaction that is suspected to be fraudulent, the payment service provider must initiate a procedure to trace the defrauded money and prevent these funds from ending up in the hands of fraudsters.

In the framework of this procedure, if the payment service provider receives a notification within 24 hours following the fraudulent transaction, the payment service provider must notify the payee’s payment service provider (i.e. the other payment service provider, which holds the account to which the fraudulent transaction has been made).

Based on the new legislation, the payee’s payment service provider must further notify the next payment service provider in the chain if further transactions are carried out in relation to the fraudulent transaction. This exchange of information must continue until every element of defrauded funds in the fraudulent transaction is identified and the fraudsters can be blocked from carrying out further transactions.

Besides the further-notification process, new provisions in the act expand the payment service provider's reporting obligation to the Financial Intelligence Unit of the Hungarian Tax Authority. They explicitly state that as of 1 August, the financial service provider's obligation to inform the Financial Intelligence Unit is no longer applicable solely in cases where there are signs of money laundering or terrorist financing, or where the specific asset is believed to have derived from criminal activity, but also includes the notification obligation described above. Namely, if a notification is received by the payment service provider, not only is there an obligation to provide further notification in the payment chain, but the Financial Intelligence Unit must also be notified in accordance with the provisions of the Anti-Money Laundering Act.

The amended Anti-Money Laundering Act also allows payment service providers to suspend the execution of the identified fraudulent transaction at any point in the transaction chain, which enables criminal authorities to seize the defrauded money (within the framework of criminal proceedings) and to start the process of recovery and identifying the fraudsters as quickly as possible.

The new legislation also impacts the Criminal Procedure Code, which aims to ensure that fraudulent transactions are combated in due course. To speed up the collection of data and expedite the blocking of fraudulent transactions, several further amendments became effective on 1 August, such as enabling investigative authorities to request data from payment service providers without seeking prior approval from the acting prosecutor.

Notably, the recent amendment is relevant not only from the perspective of AML compliance and criminal investigations. Recent civil court case-law shows that where credit institutions fail to exercise due care in terms of payment transactions suspected to be fraudulent (i.e. if fraudsters are able to transfer the client’s money without being blocked), this omission may qualify as damaging conduct, and the credit institutions may be sued and held liable for the damages sustained as a result of these omissions.

In view of this, financial institutions may face a rising number of civil litigations initiated by the victims of cyberfraud. Hence, financial institutions must be extra vigilant when exercising anti-money laundering obligations.

The article was co-authored by Martin Kócsó.
