By passing a new act on the prevention of money laundering and the financing of terrorism, Hungary has implemented the fourth EU directive to combat money laundering. Contrary to the previous law, the scope of the new act does not address activities, but rather defines the types of the obliged entities. The law has extended its application to any merchant of goods that accepts a cash payment in excess of the equivalent of EUR 8,000.

A new business relationship and client will no longer require the physical presence of the client if the service provider employs pre-audited and safe electronic identification processes. In the new law, client data is to be recorded more precisely, and there is no distinction in the types of data between Hungarian and non-Hungarian clients. The new act also amends existing rules on verifying the ultimate owner of a client company.

Service providers may perform a simplified client identification process if pre-audited internal rules allow it. Concerning enhanced client identification, the new act applies more stringent rules than the directive, since a Hungarian service provider may establish a corresponding relationship with a non-Hungarian service provider. Additionally, enhanced client identification should be applied if specified by the internal rules of the service provider, or if a client is from a third country identified as having strategic deficiencies, and involving high risk.

The act also requires that service providers continuously monitor their business relationship with clients to identify whether any transaction by a client is in line with data available to the service provider.

Companies should revise their data protection notices and processing practices to reflect the provisions of the new act, particularly in regard to the legal basis of the data processing for anti-money laundering purposes, the scope of data, data retention obligations, and the process for updating relevant data. The law establishes a new data transfer obligation: the Central Database of Information on Beneficiary/Ultimate Owners. According to this, financial service providers must immediately transfer the data required regarding the beneficiary/ultimate owner of customers to a central database. Companies should also reflect this data flow in their data protection notices and policies.

The regulator will issue an order outlining the specific rules of the internal risk assessment, cases of simplified and enhanced identification, and the auditing of any electronic devices used in the identification process. Service providers must update their internal processes and systems by 30 September 2017, and notify the regulator of this update.