Hungary’s national bank changes risk-management system for determining the quality of public officials

The National Bank of Hungary (MNB) issued a new decree (14/2025. (VI. 16.)), which sets down detailed rules for implementing the obligations of service providers subject to MNB supervision under the AML Act and the minimum requirements for the development and operation of a screening system for service providers to enforce financial and asset restriction measures adopted by the EU and the Security Council of the UN.

In addition to the verification obligation under paragraph (1) to (2a) of Article 12 of the AML Act, service providers must regularly verify the quality of the politically exposed person (PEP), individuals entrusted with public functions, of the customer and beneficial owner. In order to determine the quality of a PEP, service providers can use electronic tools, documents, a combination of these, and innovative solutions when determining the status of PEP of the customer or the beneficial owner. The service provider, however, must not rely on a solution that solely requires the customer or beneficial owner to be regularly and repeatedly declared. The service provider must specify in its internal policies the frequency with which it will carry out the verification of PEP quality. This must be done at least annually for low-risk customers, and quarterly for all other risk groups of customers.

The above provisions, intended to prevent money laundering by people entrusted with public functions, will be applicable from 31 December 2025.

The service provider must, at the request of MNB as the supervisory authority, prepare an impact assessment (except in the case of public registers) on the applicability of the registers it uses for assessment, which must include the following:

• information and communication technology and security risks, in particular the risk that the innovative solution may be inappropriate, unreliable or manipulable;
• quality risks, in particular the risk that the information sources used for verification purposes may not meet the applicable legal requirements in terms of independence and reliability and the risk that the scope of the identity verification provided by the applied innovative solution is not proportionate to the level of risk of money laundering and terrorist financing associated with the business relationship;
• legal risks, in particular the risk that the third-party provider of the technological solution does not comply with the applicable data protection legislation; and
• the relationship between the service provider and the third-party provider of the innovative solution and the legal relationship between the service provider and the third-party provider.

For more information, contact your CMS client partner or these CMS experts.

The article was co-authored by Emilia Viven Martits.