Executive circular on written contracts and written declarations concluded by electronic means

DEPUTY GOVERNOR FOR FINANCIAL INSTITUTIONS SUPERVISION AND CONSUMER PROTECTION Executive circular on written contracts and written declarations concluded by electronic means TRANSLATION In accordance with the provisions of the relevant regulations, the Central Bank of Hungary (MNB) wishes to ensure that the institutions of the financial intermediary system (institution) will perform contracting and unilateral legal declarationsfor which the law prescribes written form in the future – while also taking into account the consumer protection and prudential requirements for concluding contracts and making legal declarations by electronic means, either in person or through remote access – in accordance with the unified criteria set out in this circular. The objective of this executive circular is to define the expectations of the MNB, to increase the predictable application of the law, to promote the uniform application of relevant legislation and to support innovation. The MNB is convinced that the appropriateness and verifiability of the written contracts and legal declarations concluded with the customers is in the common interest of customers, supervised institutions and the MNB. This executive circular does not refer fully to all legislative provisions when defining principles and requirements, and institutions still need to comply with the respective legal provisions. In this executive circular, the MNB considers the legislative intention of technological neutrality regarding the written contracts and written declarations concluded by electronic means. Therefore, this executive circular abstains from mentioning specific technologies and related detailed expectations.

1. Introduction to the regulatory environment 1.1. Legal background of the written contract The rules of legal declarations in written form are regulated by the Book 6 of the Civil Code1 . According to this, if the legal declaration needs to completed in written form, the legal declaration is considered valid only if a substantial part of its content is in writing. The legal declaration is considered written, if it is signed by the declaring party. Furthermore, a declaration also will be considered written, if it can be communicated in a form that enables the retrieval of the content without any change, enablesthe identification of the declaring person and shows the time of the declaration2 . 1 Act V of 2013 on the Civil Code (Ptk.) 2 Ptk. article 6:7

In case of dispute between the language versions, the Hungarian version shall prevail. 2/7 Regarding financial institutions the Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (Hpt.) 3 regulates those cases when the contract must be concluded in writing4 . With certain exceptions, the institution shall contract for financial and auxiliary financial services only in writing. As of 31st March 2019 the Hpt. abolished the legal institution of identified electronic means and subsequently the contracts concluded by electronic means must comply with the Civil Code’s triple conjunctive criteria of written declarations in order to meet the formal requirements. It should be noted in this regard, that the method of contracting by identified electronic means, which fully complies with the legal provisions in force, still fully meets the formal requirements of the Hpt. after 31st March 2019, as it complies with the requirements of the Civil Code for written form. Another important change in the Hpt. is that following 31st March 2019, the financial institution is required to provide the customer with a certified copy of the contract – and not the original of it – as set out in section 3.1. of this circular. In case of insurance, the normal termination of the insurance contract by the contracting party – with the exception5 of the compulsory vehicle liability insurance – is bound to a written form in each case6 .Pursuant to certain provisions of the Civil Code, specific elements of insurance contracts are also bound to written form and furthermore, the customer information rules of Act LXXXVIII of 2014 on the Business of Insurance (Bit.)7 also assume the written form. In case of investment firms, customers’ written consent to the use of their financial instruments are regulated in Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (Bszt.)8 , the rules of the contracts related to securities are laid down in the Act CXX of 2001 on the Capital Market (Tpt.)9 , whereas for payment services they are defined in Act CCXXXV of 2013 on Payment Service Providers (Fsztv)10 . Membership rules of voluntary mutual insurance funds and private pension funds are covered in Act XCVI of 1993 on Voluntary Mutual Insurance Funds (Öpt.)11and Act LXXXII of 1997 on the Private Pension and Private Pension Funds (Mpt.)12 , and regarding the occupational pension provider institutions Act CXVII of 2007 on Occupational Pensions and its Institutions (Fnyt.)13 is the relevant regulation. 1.2. Written contracting and declaration made by electronic means Any declaration bound to written form satisfiesthe legal requirements according to the Civil Code’s provisions only if at least a substantial part of its content is in writing, and it can be communicated in a form that enables both the retrieval of the content without any change, enables the identification of the declaring person, and shows the time of the declaration. The institution must be able to prove that the applied technology fully and unquestionably satisfies the above mentioned triple conjunctive criteria. This requires at least meeting the requirements 3 Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (Hpt.) 4 Hpt. article 279. paragraph (1) 5According to the Act LXII. of 2009 on compulsory vehicle liability insurance article 7 paragraph (1) point b) the contracting registered keeper may terminate the contract in writing or – as agreed by the parties – by electronic means, without assigning any reason. 6 Ptk. articles 6:466. and 6:483. 7 Act LXXXVIII of 2014 on the Business of Insurance (Bit.) 8 Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (Bszt.) 9 Act CXX of 2001 on the Capital Market (Tpt.) 10 Act CCXXXV of 2013 on Payment Service Providers (Fsztv.) 11 Act XCVI of 1993 on Voluntary Mutual Insurance Funds (Öpt.) 12 Act LXXXII of 1997 on the Private Pension and Private Pension Funds (Mpt.) 13 Act CXVII of 2007 on Occupational Pensions and its Institutions (Fnyt.)

In case of dispute between the language versions, the Hungarian version shall prevail. 3/7 stated in point 2. of this circular. It is important to note, that in case the IT system and procedure applied by the institution fully comply with the requirements for audited electronic communication equipment, electronic customer identification systems, as prescribed by the Pmt.14 and the MNB decree15 issued for its implementation, then – according to the MNB – they are also suitable to satisfy the Civil Code’s triple conjunctive criteria of declarations considered to be in writing, as explained in detail above. In this case, the legal declaration related to the actual business purpose must be made voluntarily, explicitly and clearly. 1.2.1. The usage of advanced or qualified electronic signature The usage of qualified and advanced electronic signature is appropriate during electronic contracting, however the utilized trusted service must be reported to the authority (NMHH) as required by the eIDAS regulation and the Act on the general rules of electronic administration and fiduciary services (Eüsztv.)16 . Although it is not strictly the subject of this circular, it is important to note that the sole usage of advanced or qualified electronic signature is not sufficient for the customer due diligence required by the Pmt. and the MNB decree issued for its implementation. The electronic signature issued in closed systems – as defined in point 1.2.2. – cannot be considered as advanced electronic signature as prescribed by the eIDAS regulation, as it does not fall under the scope of the eIDAS regulation, and consequently this signature was not issued by a trusted service provider, the review and registration of which falls within the competence of the NMHH. 1.2.2. The usage of closed systems The eIDAS17 regulation mentions the so-called trust services provided in closed systems18 , under which electronic signature may be used. According to the MNB the requirements of the closed systems are met when the physical and logical boundaries of the system and the range of the subjects involved are possible to define. When using electronic signature issued in closed system, the company must demonstrate in an appropriate manner its compliance to the triple conjunctive criteria of written form of the Civil Code. 1.2.3. The use of the central administration electronic identification service The MNB recommends that the authentication of the customer’s declaration is performed by 14 Act LII of 2017 on Prevention and Interdiction of Money Laundering and Terrorist Financing 15MNB Decree 45/2018 (XII. 17.) on the implementation of the Act on the Prevention and Interdiction of Money Laundering and Terrorist Financing that must be applied to service providers supervised by the MNB, furthermore on detailed rules for the development and operation of a minimum set of requirements of a screening system according to the legislation on the prevention and prevention of money laundering and terrorist financing by the European Union and the United Nations Security Council 16 Act CCXXII of 2015 on the General Rules for Electronic Administration and Trust Services 17 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC 18 Article 2 paragraph (2) of the eIDAS Regulation excludes the trusted services used between a defined set of participants from the scope of the regulation, therefore, according to the literal, systematic and logical interpretation of the regulation, the definitions and requirements of the eIDAS Regulation cannot be applied to the services excluded from its scope, at most analogy can be made.

In case of dispute between the language versions, the Hungarian version shall prevail. 4/7 using one of the certification services issued by central administration (for example, but not limited to the eID, SZEÜSZ, KAÜ, KEÜSZ or the AVDH19 etc.) based on a prior agreement made with the relevant administrative bodies, as in such cases it is advisable to clarify terms in the contract, for example the terms of availability, terms of liability (e.g. transaction limit) or the control requirements prescribed in the money laundering act, etc. 1.2.4. Legal declaration based on biometric identification The MNB recommends that in case the institution intends to use the biometric data of the customer that enables unique identification, it shall consider whether the applied solution is proportionate to the intended purpose, and does not disproportionately infringe the customers’ fundamental right related to their (biometric) personal data. Biometric data can be a characteristic personal feature of the customer, such as fingerprint, face, retina, vein recognition, even the combination or profiling of several personal features, evaluation of behavioural data, or the recording of the customer’s self-signed signature including biometric data. It should be also considered in case of other identification methods (for example advanced and qualified electronic signature), the device or feature used for identification may be suspended or revoked in case of compromise, but biometric data is not revocable, it’s further use cannot be prevented. Therefore, special attention should be paid to the use and protection of biometric data. When applying mass-produced devices that use biometric technology (such as mobile phones, IoT devices), it should be treated as an additional risk that the built-in biometric identification system – which is typically used to unlock the device – does not necessarily individually identify the user of the device. For example, several persons’ fingerprints can be recorded in the mobile devices that use fingerprint recognition, without the device differentiating the users. 1.2.5. Other solutions In case of other technologies, business models, products and services not described above, which constitute an innovation to the respective sector of the financial intermediary system, and which are beneficial to the customers (for example services that are faster or cheaper) the MNB provides the opportunity to test these technologies with different rules – according to the MNB decree No. 47/20108 (XII.17.) on different rules for complying with the obligations of certain MNB decrees – in the frame of the Innovation Financial Test Environment (Regulatory Sandbox). 2. Procedures, documents relating to written contracts concluded by electronic means 2.1. For the system utilized the institution must have at least: 2.1.1. detailed legal and technical analysis on how the applied technology complies fully and without any doubt with the conditions laid down in sectoral legislation (Eüsztv; eIDAS regulation and Civil Code), 19 Regulated Electronic Administration Services (SZEÜSZ); Central Identification Agent (KAÜ); Central Electronic Administration Service (KEÜSZ); Document Authentication led to Identification (AVDH)

In case of dispute between the language versions, the Hungarian version shall prevail. 5/7 2.1.2. business, legal, IT and information security risk analysis and -management document and action plan in relation to the system utilized, that fully covers all security features (for example verified adequacy of biometrics20 , graphologist expert opinion, key and certificate management, etc.) applicable to the technology used. 2.1.3. IT and IT security audit report or certificate issued by an independent expert on the adequacy of the system used, and on the specific requirements21 specified in the relevant government decree22 for closed systems; 2.1.4. vulnerability test and penetration test for the final system (and the connected environments, for example mobile application) carried out by independent expert, 2.1.5. detailed business and system specification, system documentation23; 2.1.6. a code of conduct that supports the prudent operation of the Institution and the applied system, and regulation on adequately informing customers, as detailed in point 3. of this circular; 2.2. Reporting the applied solution The solution that the institution is willing to use shall be reported to the MNB according to point 4. of this circular, within 5 days following the go-live. The institution must attach the documents that verify the procedures and documents defined in point 2.1. 3. Informing customers 3.1. The customer’s copy of the contract In every case the customer shall be provided with an original or certified copy of the contract that was concluded in writing, or access shall be granted to it all times– with the necessary security measures and access rights. 3.2. Informing the customer The MNB considers it to be inevitable that the institution informs the customer electronically in writing about the following, before concluding any contract or declaration by electronic means in writing: 3.2.1. about the technical steps of contracting, 3.2.2. about the legal consequences of contracting, the code of conduct and the accessibility of the customer’s copy of the contract (the method of handover or granting access); 3.2.3. about those tools that provide for the identification and correction of errors during the 20 As the biometric data is not revocable in case it is compromised, it is not possible to prevent its further usage. Therefore, special attention should be paid to the use and protection of biometric data during the risk assessment and -evaluation also. 21 Regarding the content of the current circular the independent audit report on the provisions of closed systems as defined in the Gov. Decree article 5/B., may be carried out by any independent party who justifiably hasthe necessary expertise. Certification should be made by an accredited certification body defined in Gov. Decree article 5/A. if it is already mandatory by law for the institution. 22 Government Decree 42/2015 (III. 12.) on the Protection of the Information Systems of Financial Institutions, Insurance and Reinsurance Companies, as well as Investment Companies and Commodity Exchange Service Providers. 23 Detailed system documentation (functional and nonfunctional – including IT and IT security requirements – requirement specification, system design, implementation and operating documents) of the entire system, all of its component and connections, including architecture description that promotes the external and internal audit

In case of dispute between the language versions, the Hungarian version shall prevail. 6/7 electronic recording of data, before concluding the contractual statement; 3.2.4. about the language of the contract; 3.2.5. about data management and the possible legal remedies, 3.2.6. in case of contracting by electronic means with a customer who is classified as a consumer, the provisions on the information requirements in the Act XXV. of 2005 on the financial sector service contracts concluded as distance contracts. 3.3. General terms and conditions The institution shall make available the general terms and conditions in a way that allows for the customer to store and retrieve them. 4. Provisions for the fulfilment of reporting obligations According to the provisions of the Eüsztv. and article 58. paragraph (2) of the Act on the MNB, after 1st January 2018, the MNB – as a body providing electronic administration – is obliged to ensure electronic administration in matters that fall within its mandate and competence, consequently the institutions are also obliged to electronic administration. Detailed information on the electronic administration can be found on the link below [in Hungarian]: https://www.mnb.hu/sajtoszoba/sajtokozlemenyek/2017-evi-sajtokozlemenyek/altalanos-tajekoztato￾elektronikus-ugyintezes-a-magyar-nemzeti-bank-hatosagi-eljarasaiban

• – o – - The executive circular is a regulatory tool with no legal binding force for the supervised institutions. The content of the executive circular issued by the MNB represents the requirements imposed by law, as well as the principles, methods, market standards and rules proposed for application based on the law enforcement practice of the MNB. The MNB expects compliance with the provisions of the executive circular by the supervised entities beginning on 3 rd June 2019. The MNB monitors and evaluates the application of the provisions.

In case of dispute between the language versions, the Hungarian version shall prevail. 7/7 MNB makes constantly available all relevant legal provisions and obligations on the website24 and on the Financial Innovation Platform (MNB Innovation Hub)25 so that anyone may acquaint themselves with the respective legal environment and with the practice of MNB regarding this topic. Thank you for your kind cooperation! Budapest, 9 th May 2019 dr. László Windisch The Deputy Governor of the Magyar Nemzeti Bank 24 https://www.mnb.hu/en/supervision/regulation/legislation 25 https://www.mnb.hu/en/innovation-hub/