Recommendation No 13/2025 of the Magyar Nemzeti Bank on the digital transformation of credit institutions

1 Recommendation No 13/2025 (XII. 3.) of the Magyar Nemzeti Bank on the digital transformation of credit institutions I. Purpose and scope of the Recommendation The realisation of the digital transformation of credit institutions is a progressive and desirable development for several reasons. Through the implementation of innovative solutions and state￾of-the-art technologies and the modernisation of the organisational culture and workflows, the quality of services offered to customers can be substantially improved, the institutions’ operating expenses can be reduced, while the risk management mechanisms and work organisation processes can be made more efficient. Cost-efficient and agile operation also improves the stability and resilience of the sector, and in addition, the developments implemented by the credit institutions may also foster the appearance and acceleration of digital developments in other sectors, thus exerting a positive effect on economic development at the macroeconomic level as well. The purpose of this Recommendation is to foster and accelerate the digital transformation of credit institutions in a safe environment. The Recommendation is aligned with the FinTech Strategy of the Magyar Nemzeti Bank (hereinafter: MNB). In accordance with this, the Recommendation’s key objectives include the extension of personalised and customer-focused digital services, the fostering of the financial innovation of domestic credit institutions, the improvement of the banking sector’s competitiveness and stability, and finally the ongoing protection of consumer interests. Further objectives of the Recommendation include contribution to sustainable economic growth and the fostering of the environmentally conscious operation of the banking sector, which is in line with the MNB’s Green Programme. The Recommendation also aims to promote and facilitate the responsible use of artificial intelligence (hereinafter: AI) by credit institutions and to encourage the dissemination of secure artificial intelligence systems (hereinafter: AI system) within the banking sector. The MNB developed its Recommendation for credit institutions based on these directions, the results of the bank digitalisation survey conducted at the end of 2019 and at the beginning of 2020 and the experiences gained from the personal follow-up interviews. The addressees of this Recommendation include the credit institutions falling within the scope of Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (hereinafter: Credit Institutions Act), with the exception of the specialised credit institutions falling within the scope of Act XLII of 1994 on the Hungarian Export-Import Bank Corporation and the Hungarian Export Credit Insurance Corporation and Act XX of 2001 on the Hungarian Development Bank, and KELER Central Depository Private Limited Company (hereinafter: credit institution). When formulating the principles and expectations, this Recommendation makes no full reference to the legislative provisions. Nevertheless, the addressees of the Recommendation are obliged to comply with the relevant legislative requirements.

2 This Recommendation shall be applied jointly with the provisions of the MNB’s other relevant regulatory instruments. 1 This Recommendation does not provide guidance on data processing and data protection issues, further it does not contain any expectations with regard to the processing of personal data, and the requirements set forth herein should not be construed in any way as an authorisation to process personal data. Data processing in the context of the supervisory requirements set out in the Recommendation may only be carried out in compliance with the data protection legislation in force at the time. Credit institutions should apply the supervisory expectations set out in the Recommendation in line with and proportionately to the nature of their applied business model and the special features, including also features resulting from the organisational structure and size of operations, the coverage and complexity of the services activity pursued by the credit institution or the group, their risk profile and role in the financial intermediary system, and the features of their customer base. II. Interpreting provisions

1. Unless otherwise specified, the terms used in this Recommendation should be understood in the context of the Credit Institutions Act and Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (hereinafter: AI Act) and in the guidance developed by the European Commission on the basis thereof. III. Development of the digital transformation strategy
2. The MNB expects the credit institution to develop a comprehensive and detailed local – i.e. Hungarian – group-level digital transformation strategy, within the framework of which the credit institution aligns the implementation of certain objectives and plans with predefined milestones and measurable key performance indicators. The credit institution may satisfy this requirement by supplementing its existing strategic document based on the provisions of this Recommendation (the dedicated digital transformation strategy and any other strategic document supplemented on the basis of this Recommendation shall be jointly referred to as: 1 Including, but not limited to: Recommendation No 6/2025 (VI.16.) of the Magyar Nemzeti Bank on the treatment of clients with disability, Recommendation No 2/2025 (I.13.) of the Magyar Nemzeti Bank on the use of community and public cloud computing services, Recommendation No 1/2025 (I.13.) of the Magyar Nemzeti Bank on the protection of IT systems, Recommendation No 9/2020 (VII.14.) of the Magyar Nemzeti Bank to financial organisations on the application of consumer protection principles, Recommendation No 12/2020 (XI.6.) of the Magyar Nemzeti Bank on IT security requirements for remote working and remote access.

3 digital transformation strategy). The MNB also expects the credit institution to review the digital transformation strategy annually and to prepare and submit to the MNB an annual report on the progress and ex-post evaluation of the plans and targets set out in the strategy by 31 December of the year in question. 3. The MNB expects key content elements of the digital transformation strategy to cover at least, but not exclusively, the following objectives: a) the current range of products and services available in digital form and the expansion thereof; b) encouraging the use of various digital channels; c) consumer-centric digitalisation of the branch network; d) transformation of the corporate culture; e) enhancement of digital competency; f) improvement of cooperation and external communication channels in terms of digitalisation; g) improvement of the data asset management strategy in terms of digitalisation; h) enhancement of the risk management strategy in terms of digitalisation; i) transformation of the corporate IT system; j) enhancement of IT security; k) safe and responsible use of AI. 4. The MNB expects the credit institution to elaborate the individual content elements of the strategy considering the expectations, recommendations and good practices set out in the relevant sections hereof. 5. The MNB expects the digital transformation strategy prepared based on this Recommendation and the credit institution’s IT strategy to be harmonised. IV. Expanding the range of products and services available in digital form 6. It is the MNB’s key objective to strengthen the stability of the banking sector, increase its competitiveness and improve its adaptability. To this end, in line with its FinTech Strategy, the MNB encourages the actors of the banking sector to make an increasingly wide range of their products and services available on their digital platforms and online channels. To this end, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy. 6.1. The MNB considers it good practice for the credit institution to make account opening available fully online for all account packages where the legislative environment permits this. The MNB considers it good practice for this to be available both through online platforms and mobile applications. 6.2. The MNB expects the credit institution to offer account packages where the available administration options relevant for the account services – taking into consideration the

4 volume, cost and feasibility (depending on its nature) of using the given type of administration and services – are also available digitally. 6.3. The MNB considers it good practice for the credit institution to send a reminder and notice – via electronic channels, in a separate notification or in a paper-based statement – related to the possibility and process of changing over to digital bank account statements to all clients not yet using digital account statements. 6.4. Taking into consideration and managing the potential risks, the credit institution should identify a customer base to which it recommends sending the informative notification – which is not capable of producing legal effects in its own right – on outstanding credit liabilities in digital form, in cases where the law or the MNB’s recommendation do not provide otherwise. Furthermore, the MNB expects the credit institution to send a reminder and notice – in separate notifications or in a paper-based reminder – related to the possibility and process of changing over to digital notification to all clients not yet using digital notification. If the notification is sent at the client’s request, the credit institution is expected to do so via the channel stipulated in the request. 6.5. With reference to the provisions of sub-point 6.4, the MNB considers it good practice for the credit institution to prepare and present to the MNB a sub-strategy for the digitalisation of the process related to the collection of outstanding credit liabilities, including the development of digital forms of cooperation with natural persons or legal entities acting on behalf of or in lieu of the credit institution. 6.6. Considering and managing the potential risks, the credit institution should identify the customer base to which it proposes to deliver in digital form the informative notification – which is not capable of producing legal effects in its own right – on overdrawing a credit line. Furthermore, the MNB expects the credit institution to send a reminder and notice related to the possibility and process of changeover to this digital notification form to all clients not yet using digital notification. 6.7. The MNB considers it good practice for the credit institution to develop a solution that enables clients to monitor the application and administration processes related to credit products for small and medium-sized enterprises and other corporate clients digitally on a continuous basis in the case of those standard (non-customised) credit products and administration processes where the loan assessment or administration process exceeds 2 working days on average. 6.8. The MNB expects the credit institution to assess the feasibility of developing a solution that enables customers to monitor the application and administration processes of retail credit products – including in particular the process of pre-qualification, administration related to the application (submission of loan application documents), the submission of loan application and its acceptance and assessment by the credit institution – digitally on a continuous basis where the application and administration process exceeds 2 working days on average. 6.9. The credit institution should examine the possibility of sending automatic digital notifications on the changes in the status of product application and administration

5 processes, taking into consideration the volume and cost of administration and the use of the service. 6.10. The MNB considers it good practice for the credit institution to develop customer-friendly personal financial management service suitable for categorising expenditures and revenues, offering time series-based and cross-sectional revenue and expenditure analysis. 6.11. The MNB considers it good practice if upon the development of digital channels the credit institution ensures that those are accessible to customers with disabilities, giving due consideration to the limitations and requirements prescribed by the relevant laws for the legal declarations of the given clientele. 6.12. The MNB considers it good practice if the credit institution – in line with its business policy – ensures the availability of digital channels in English and publishes the contact details of its customer service premises online (hereinafter: bank branch, branch) where administration is possible in English. 6.13. The MNB considers it good practice – where the laws and regulations so permit – if corporate credit product applications can be submitted via a digital interface without the personal presence of the client’s representative, the person authorised to act on behalf of the client or the client’s proxy in the branch. 6.14. In the case of credit institution products and services where the laws permit the performance of the application and administration process fully online, without the client’s personal presence in the bank branch, depending on the credit institution’s risk￾based assessment of the products and services, the MNB considers it good practice for this option to be effectively available both to new and existing clients. 6.15. The MNB considers it good practice for the credit institution to ensure that where administration fully online is restricted by the legislative framework, the online sub￾processes of the administration processes which are permitted by law (e.g. application, attaching documents) can take place without the personal presence of the customer. 6.16. In the case of those sales where the credit institution acts as an intermediary, the MNB considers it good practice for the credit institution, in response to inquiries about the offered products, to initiate the provision of the processes and administration fully online without the personal presence of the customer in the branch. Where the complexity of the product generates other, consulting and information duties, the MNB considers it good practice for the credit institution to provide an online video-banker channel. 6.17. The MNB expects the credit institution to identify within the value chains of the individual products the sub-processes requiring improvement with a view to diverting the entire product process to digital channels. The MNB considers it good practice for the credit institution to develop its plans for the digitalisation of the identified sub-processes.

6 6.18. The MNB considers it good practice for the credit institution to facilitate the submission of complaints via electronic interface for all transaction types and their answering via the same (digital) channel. 2 V. Encouraging the use of digital channels 7. In addition to expanding the offering of digital products and services, the MNB deems it important to apply incentives that support the steering of customers towards digital channels. To this end, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy. 7.1. The MNB considers it good practice for the credit institution, in order to foster the use of digital channels, to apply more favourable pricing – compared to application and administration in person – for the products and services available digitally. 7.2. The MNB considers it good practice for the credit institution to make efforts to foster the gradual spread of online customer information channels. 7.3. The credit institution should elaborate its plans related to the development of the process of reporting and managing customer complaints digitally, including the processes from the receipt of the complaint until the closing of the case. 7.4. The MNB expects the credit institution to develop its plans both for retail and corporate customers with regard to creating the possibility of concluding contracts electronically and making electronic legal declarations in the case of legal declarations to be made in written form. 7.5. The credit institution should prepare brief informative and educational contents (e.g. educational videos) presenting the advantages of its digital financial services and distribute them among the customers. 7.6. The credit institution should outline its plans to explore the opportunities stemming from the active use of digital marketing activities and within the framework of this it should assess the risk of data phishing connected to the more intensive online presence. 7.7. The MNB considers it good practice for a UX (user experience) strategy to also form an integral part of the digital transformation strategy of the credit institution. This also takes into consideration, in addition to formulating the business and IT strategy, the requirements, typical activities and expectations of existing and prospective customers with regard to the digital services of the credit institution. Furthermore, the MNB considers it good practice for the credit institution to use appropriate UX resources in proportion to the business and IT resources from the very beginning of the projects, in accordance with the international standards. 2 In accordance with Section 3(3)-(5) of MNB Decree 66/2021 (XII.20.) on the Detailed Rules of Forms and Methods of Complaint Processing Procedures of Financial Organisations.

7 VI. Consumer-centric digitalisation of the branch network 8. The banking sector has an extremely wide branch network throughout the country. The MNB continues to deem it important to ensure the accessibility of branches, digital solutions expand, make administrative proceedings at branches more convenient and flexible. Due to this, the MNB deems it justified to improve the digitalisation of the branch network, while maintaining fair cash supply for retail customers. To this end, the MNB makes the following recommendations to be presented in the credit institutions’ digital transformation strategy. 8.1. The MNB expects the credit institution to assess the possibility of digital administration in the branches, in addition to the personal assistance available by default, specifying the range of potential digital administration types. 8.2. The MNB considers it good practice for the credit institution to provide the opportunity for virtual queuing. 8.3. The MNB considers it good practice for the credit institution to provide the opportunity for administration methods in the branches that significantly reduce direct physical contact. 8.4. The credit institution should ensure that appointments can be made in advance online for the planned administration in the branch. The MNB considers it good practice to allocate the clerk in advance or, where possible, to collect the relevant documentation in advance through safe channels and complete it with data stored by the credit institution. 8.5. The credit institution should elaborate its plans related to the development of digital applications that improve customer experience for small and medium-sized enterprises (e.g. feedback and evaluation through digital platform). VII. Transformation of corporate culture 9. For the successful implementation of digital transformation, it is of key importance that the corporate culture within the credit institution is aligned with the current and future challenges. To this end, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy. 9.1. The credit institution should have dedicated manager(s) in charge of financial digitalisation and digital transformation with sufficient powers and competence to carry out this duty, being the member(s) of the credit institution’s Board of Directors. 9.2. The credit institution should outline measures aimed at the development of corporate culture that supports digital transformation. 9.3. The credit institution should present the project management tools used by it and its plans related to the methods used for efficient project management. 9.4. The MNB expects the credit institution to examine in its digital transformation strategy the way to represent the goals outlined in this Recommendation and in the credit institution’s digital objectives in the performance assessment and incentive systems.

8 9.5. The credit institution should outline its plans related to the development of an internal framework which fosters the digital communication of employees. 9.6. The credit institution should establish the current home office framework and its plans for the future, the constraints related to home office arrangements and the plans to reduce such constraints, in accordance with MNB Recommendation 12/2020 (XI.6.) on the information security requirements of teleworking and remote access. 9.7. The MNB considers it good practice for the credit institution to develop a framework for the testing of new external and internal communication solutions and for the related trainings of employees. VIII. Enhancement of digital competency 10. The ongoing enhancement of the knowledge and skills of the labour force, the expansion thereof with new types of information, as well as the recruitment of employees with relevant IT and digital professional competencies are essential for the efficient implementation of digital transformation. To this end, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy. 10.1. The credit institution should conduct job-specific internal surveys on a regular basis, at least every two years of its employees’ relevant digital competencies and define, based on the results of such internal surveys, the employees’ competence development plans. 10.2. The credit institution should organise relevant, job-specific academic and practical courses on financial innovations influencing the operation of the credit institution at least annually. 10.3. The credit institution should provide job-specific internal knowledge transfer forums for all current and new employees. 10.4. The credit institution should organise job-specific practical trainings on software usage for all current and new employees. 10.5. The MNB considers it good practice for the credit institution to examine the kind of tools it can and intends to use for the recruitment of potential new labour force with digital and IT competencies. IX. Improvement of co-operations and external communication channels in terms of digitalisation 11. In terms of digitalisation, it is important that both the existing and future communication methods and communication channels are enhanced and that credit institutions strive for cooperation with FinTech firms emerging in the sector which are capable of adequate value creation. To this end, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy. 11.1. The MNB considers it good practice for the credit institution to be actively present on various digital channels and social media platforms by displaying content and messages

9 related to the management of personal finances differentiated and relevant for different age and target groups. 11.2. The credit institution should assess in which cases customers can be provided with the opportunity of live video calls. 11.3. The MNB expects the credit institution to assess in its digital transformation strategy where – beyond the cases prescribed by law on a mandatory basis – it is possible to divert communication to digital platforms and survey the obstacles to digital communication and take initiatives to minimise these. 11.4. The MNB considers it good practice for the credit institution, during communication and liaison with external counterparties, to give priority – complying with the data security requirements – to digital solutions. 11.5. The MNB considers it good practice for the credit institution to automate regular communication processes, both in respect of business partners and customers. 11.6. The MNB considers it good practice for the credit institution to regularly evaluate its existing supplier and other business relations, including the examination of opportunities for digital improvement. 11.7. The MNB considers it good practice if, above and beyond the expectations based on the laws transposing Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation 1093/2010/EU, and repealing Directive 2007/64/EC (hereinafter: PSD2) into Hungarian legislation [e.g. Act LXXXV of 2009 on the Pursuit of the Business of Payment Services, Act CCXXXV of 2013 on Payment Service Providers, MNB Decree 35/2017 (XII.14.) on Payment Services Activities], the credit institution surveys cooperation opportunities with other new, innovative actors. 11.8. The MNB considers it good practice if, above and beyond the expectations of the laws transposing PSD2 into Hungarian legislation, the credit institution creates a standard framework (e.g. dedicated organisational unit, working group or incubator lab), to explore and develop communication and cooperation with innovative market participants. X. Improvement of the data asset management strategy in terms of digitalisation 12. Customer data bear utmost importance for all service providers, and thus the conscious processing and targeted use of the available data assets are extremely important. Through these processes the institutions of the banking sector are able to implement customer experience-improving developments efficiently, and they can materially strengthen their competitiveness relative to internationally active innovative, digital service providers. To this end, the MNB makes the following recommendations regarding data asset management to be presented in the credit institution’s digital transformation strategy.

10 12.1. In line with the data protection regulations, and within the limits permitted thereby, the credit institution should regularly analyse transaction data on all platforms in order to elaborate and develop personalised offers. 12.2. The credit institution should outline its plans related to the development of a data asset management system and to the more efficient and comprehensive use of data assets. 12.3. The credit institution should outline its plan related to the enhancement of conscious use of data assets. In this context, the credit institution should present how it uses the available customer data for analysis, for the development of product schemes personalised or tailored to a specific range of customers, and how it plans to enhance, deepen and accelerate this. 12.4. The credit institution should outline its plans aimed at the automatic and ongoing update of customer databases, in compliance with the data protection rules. 12.5. The credit institution should outline its plan to create a data warehouse or, where the credit institution already has a dedicated data warehouse, increase the automation related to the use thereof. XI. Enhancement of the risk management strategy in terms of digitalisation 13. In addition to the revised customer profile developed from more data, the MNB also deems it important to develop the related risk management strategy by assessing the possibilities of enhancing and automating the related processes and defining the relevant plans. The modernisation of risk management also supports the more efficient realisation of customer product and service developments. In order to enforce these criteria, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy. 13.1. The MNB expects the credit institution to use the extra information stemming from the personalised and more active use of the data assets also in its risk management methods. 13.2. The credit institution should prepare its plans related to the automation of risk management controls and calculations in the following areas: treasury, back-office, customer data management, customer identification and customer due diligence. 13.3. In connection with surveying, evaluating and managing the risks of fraud, in addition to complying with the relevant laws, the MNB expects the credit institution to integrate into its risk management methods the potential fraud cases appearing anew in connection with increasing digitalisation; furthermore, it considers it good practice to develop cooperation among credit institutions. XII. Transformation of corporate IT systems 14. The MNB deems it necessary to perform a comprehensive review of the credit institution’s IT systems and survey the possibility of modernising them, which may ensure the more efficient operation of the credit institution’s IT systems. To this end, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy.

11 14.1. The credit institution’s digital transformation strategy should be aligned with Recommendation No 1/2025 (I.13.) of the Magyar Nemzeti Bank on the protection of IT systems regarding the transformation of corporate IT systems and – where applicable – with the relevant provisions of the DORA Regulation. 3 14.2. For all new projects impacting internal operations, the credit institution should assess – where applicable – the possibility of realising the respective project objective fully digitally. 14.3. The MNB expects the credit institution to provide – even under increased data traffic – fast and stable data transmission capacities with proper ICT security and redundancy in the head office’s internal network, between the head office and the branches, for the data connections used to reach critical services or counterparties, and for remote work. 14.4. The credit institution should survey the possibilities of using cloud-based services and examine and evaluate the options of efficient use thereof in accordance with Recommendation No 2/2025 (I.13.) of the Magyar Nemzeti Bank on the use of community and public cloud computing services system and – where applicable – with the relevant provisions of the DORA Regulation. 14.5. The credit institution should develop a plan for measures to support paperless operation. 14.6. The MNB considers it good practice for the assessment of the experiences gained from enterprise software implementation to be part of the general practice of the credit institution. 14.7. The credit institution should outline its plans developed for the minimisation of the manual data transformation necessary for the management reports in the course of regular and ad-hoc analyses. 14.8. The MNB considers it good practice for the credit institution to prepare a plan for the development of a digitalised management approval framework, also taking into consideration risk management criteria. 14.9. The credit institution should present its plans related to improving its existing redundant systems and developing additional ones. In this plan, the credit institution should present its approach and practice related to the use of redundant systems and the justification for its relevant decisions, with a special view to areas where no redundant system is available and is also not planned. XIII. Enhancement of IT security 15. In addition to their advantages, the increasing availability and use of digital interfaces and the spread of automation may also increase the risk of attacks against institutions’ IT systems. To foster the improvement of IT security, the MNB makes the following recommendations to be presented in the credit institution’s digital transformation strategy. 3 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

12 The MNB expects the development of the credit institution’s IT security to be aligned with Government Decree No 42/2015. (III.12.) on protecting the information system of financial institutions, insurance undertakings, reinsurance undertakings, investment firms and commodity dealers, Recommendation No 1/2025 (I.13.) of the Magyar Nemzeti Bank on the protection of IT systems and Recommendation No 12/2020 (XI.6.) of the Magyar Nemzeti Bank on IT security requirements for remote working and remote access and with DORA Regulation. XIV. Safe and responsible use of AI 16. The MNB expects that a credit institution providing or using an AI system, or planning the introduction thereof (hereinafter collectively referred to as: ‘credit institution’ for the purposes of Chapter XIV) shall complement its digital transformation strategy with a sub-strategy for the responsible use of AI (hereinafter: AI sub-strategy), which sets out the credit institution’s objectives, plans and implementation milestones for the use of AI. 17. Improving organisational governance from an AI perspective For the responsible and secure use of AI systems, it is also crucial that credit institutions are prepared for the development, implementation and operation of AI systems by establishing a regulated internal framework, processes and procedures for AI. A prerequisite for this is the review and development of the existing organisational governance system from an AI perspective, and to facilitate this, the MNB makes the following recommendations for inclusion in the AI sub-strategy of credit institutions. 17.1. The MNB expects credit institutions to have an effective, sound governance system for the institutional application of AI, including a well-defined organisational structure with transparent, clear lines of responsibility and effective internal policies, processes and control mechanisms, taking into account both the AI systems already in place and those planned to be implemented. 17.2. Credit institutions should establish, maintain and implement internal policies and procedures tailored to the credit institution’s use of AI, which span the entire lifecycle of the AI system and cover in particular the research, design and development, training, documentation, validation, third-party procurement, implementation, use, operation, review, evaluation, impact assessment, monitoring and control, maintenance, error handling and decommissioning of AI systems, and the related processes and decision￾making, as well as the roles and responsibilities of the professional areas and departments involved in these processes. 17.3. The MNB expects the credit institutions to ensure that the definitions and use of AI￾related terms relevant to the institution’s operations are consistent and clear throughout the organisation. In the case of a concept defined in legislation or in an EU act, credit institutions may also comply with this requirement by referring to the relevant legislation or EU act in their internal rules. In the absence of such a definition, the MNB considers it

13 good practice for credit institutions to take into account the definitions developed by international organisations and bodies. 17.4. The MNB expects the credit institutions to assess and review the effectiveness and completeness of their internal policies, processes and procedures under sub-point 17.2 at regular intervals, but at least annually, in line with the pace of technological development, and to take appropriate measures to address any deficiencies. 17.5. The MNB expects credit institutions to have a designated manager responsible for the implementation of the AI sub-strategy, vested with the authority and clearly defined responsibilities, and possessing an appropriate level of AI literacy. 17.6. The MNB considers it good practice for tasks related to AI systems to be implemented at the institutional level through close coordination, with the involvement of all relevant expert areas, under the direction of the manager referred to in sub-point 17.5. 17.7. The MNB considers it good practice for credit institutions to give high priority to the up￾to-date monitoring of the development of AI-related technologies and solutions and analysing the opportunities for their implementation, and, within this framework, to continuously assess the optimal use of AI in improving internal operations and processes or products and services, with a particular focus on the aspects of increasing efficiency, promoting competitiveness, reducing costs, and improving accuracy, completeness and customer experience. The MNB considers it good practice for credit institutions to consider the possibility of using or introducing AI as a decision option in such cases. 17.8. The MNB considers it good practice for credit institutions to periodically assess the efficiency and business relevance of their automated internal processes from a technological perspective, including through the use of an AI system, and to revise such processes if necessary. 17.9. The MNB expects credit institutions to continuously monitor legislative and regulatory developments related to AI, and to assess the measures needed for preparation and compliance in a timely manner in relation to their own organisation and the AI systems in place or planned to be implemented. The MNB considers it good practice for credit institutions to prepare a preparedness strategy in this area. 17.10.The MNB expects credit institutions to strive, throughout the entire lifecycle of the AI systems applied by them, to ensure enforcement of the principles of transparency, safety, explainability, fairness, non-discrimination, equity and accountability. In this context, the MNB considers it good practice for credit institutions to take into account the guidelines, recommendations and standards of the European Union, international and domestic organisations and bodies (in particular: the OECD, the G7, and UNESCO), as well as those of international standard-setting institutions. 17.11.The MNB expects credit institutions to apply the institution’s ethical principles in the development and implementation of AI systems. 17.12.The MNB considers it good practice to establish a separate institutional code of ethics applicable to AI systems or to add ethical principles for AI systems to an existing code of ethics or an institutional document with equivalent functions.

14 18. Improving data governance and data asset management from an AI perspective Ensuring the quality, proper management and protection of the data used for the development and operation of these systems is a prerequisite for the safe and responsible use and efficient and accurate functioning of AI systems. In order to facilitate this, the MNB makes the following recommendations on how to reflect this in the AI sub-strategy of credit institutions. 18.1. In the case of AI systems classified as high-risk, including those classified as high-risk on the basis of the credit institution’s own risk assessment (hereinafter collectively referred to as: high-risk), the MNB expects credit institutions to establish a group-wide data governance system, which – in a manner aligned with whether the AI system applied is developed in-house or provided by a third-party provider – defines in particular the internal rules, requirements and procedures for the acquisition, source, collection, preparation, cleansing, labelling, verification, replenishment, handling, storage, access and deletion or destruction of the data necessary for the development, application and operation of the AI systems, as well as the documentation of such processes. The MNB considers it good practice for these requirements to be also implemented in respect of AI systems that are not classified as high-risk. 18.2. The MNB expects credit institutions to ensure that the acquisition, collection, use of training, validation and test data necessary for the development of their own in-house developed AI systems complies with the legislation in force. 18.3. Where a credit institution uses an AI system that uses personal data, it should continuously assess, monitor and ensure compliance of the operation of the AI system with data protection legislation. 18.4. In the case of AI systems which are developed in-house, credit institutions should ensure the adequate, high-quality verification and suitability of the training, validation and test data. In this context, the MNB expects the data to be accurate, free from error, bias and discrimination, and further expects that, taking into account the function of the AI system and the principle of proportionality to risk, the data should be representative of the population concerned by the intended application. The MNB further expects the data to be relevant to the intended scope of application, and coherently and appropriately structured. The MNB considers it good practice for credit institutions to regularly review the adequacy of the data used in this area. 18.5. In the case of AI systems which are developed in-house, credit institutions should ensure that the preparation, filtering, cleaning, data substitution and other similar operations carried out on the raw, unprocessed data to ensure adequate data quality are fully documented, so that it is possible to know what operations have been carried out in the production of the training data used to train the model underlying the AI system (for the purposes of this chapter XIV: AI model). The MNB considers it good practice for raw data – within the limits permitted by data protection rules – to be accessible and retrievable independently of the processed data.

15 18.6. In the case of the use of the supervised learning method, the MNB considers it good practice for credit institutions, when labelling the training data of AI systems which are developed in-house,to ensure validation by multiple labellers and to set out in the related documentation, in particular, the consensus rates and the manner in which statistical adequacy is ensured. 18.7. Credit institutions should use synthetic data, i.e. artificially generated data, that appropriately represents the statistical characteristics and structure of the original data underlying the data generation process, only after a comprehensive assessment of the quality, suitability for the intended purpose and overall compliance of such data, including an examination of the data generation process, and following validation of the data. 18.8. The MNB expects that when using data from external sources in an AI system, in particular in real-time, credit institutions should have policies and procedures in place to define the framework for accessing, filtering and using such data. 19. Development and procurement of AI systems To promote the development and procurement of responsible, secure AI systems, the MNB makes the following recommendations for inclusion in the AI sub-strategy of credit institutions, as well as in the internal policies established for its implementation. 19.1. The MNB expects credit institutions to define the AI systems and AI models to be used and their complexity in a way that is appropriate to the application objectives and the available data and competences, and – in the case of AI systems developed in-house – to apply appropriate techniques (in particular: hold-out data, cross-validation, regularisation techniques, reduction of AI model complexity, dropout and early stopping), in order to avoid underfitting and overfitting of AI models. 19.2. In the case of AI systems which are developed in-house, the MNB considers it good practice for credit institutions to determine the periodicity and events or conditions under which the applied AI model needs to be reviewed, updated or re-trained, and to implement these measures. 19.3. The MNB expects credit institutions, in a manner proportionate to the technological characteristics of the AI system and the underlying AI model, and at least as regards their essential content, to ensure the reproducibility of the results and outputs of AI systems which are developed in-house, and to also enforce this requirement with regard to AI systems and AI models procured from third parties. 19.4. By applying technical and technological measures consistent with the state of the art, credit institutions should ensure the protection of their models developed in-house against catastrophic forgetting. 19.5. The MNB considers it good practice for credit institutions to monitor and assess the compliance of AI systems with ethical tests, including at the extremes, to screen for potentially biased or discriminatory decisions.

16 19.6. The MNB considers it good practice for credit institutions to apply technical solutions and tools (guardrails) which – in particular through the monitoring, filtering and modification of the inputs to and outputs from the AI system – are suitable to ensure that the AI system operates within the technical, ethical and legal frameworks expected by credit institution. 19.7. The MNB expects that the credit institutions’ design, development, training, validation, testing and review of their AI models and AI systems developed in-house are fully documented in a clear and transparent manner. 19.8. The MNB expects credit institutions to ensure that human oversight and intervention are available through all lifecycle stages of its high-risk AI systems. The MNB considers it good practice for credit institutions to apply this requirement also in the case of AI systems not classified as high-risk. 19.9. In the case of AI systems or AI models procured from third parties and in compliance with applicable legal provisions, credit institutions should, prior to implementation, obtain information on how the third party ensures compliance with the requirements set out in this point 19. The MNB further considers it good practice for credit institutions to establish internal competences and procedures to assess the technological-technical and ethical-legal compliance of their third-party AI systems that are not developed in￾house. 19.10. The MNB considers it good practice for credit institutions to have their in-house developed and third-party AI systems audited by an independent service provider. 19.11. The MNB considers it good practice for credit institutions to continuously assess the performance of their AI systems, as well as their adequacy in relation to expected business and customer needs and their suitability, to document the experience gained from the evaluation and the related development needs, and to take these into account in their investments in IT infrastructure development. 19.12. The MNB expects credit institutions to have appropriate technological and technical arrangements in place in the event of a malfunction or any unintended function of an AI system at a credit institution (hereinafter collectively referred to as: malfunction), and to have in place appropriate procedures and measures to restore the service affected by the malfunction to its intended function and to review decisions taken with the assistance of the relevant AI system during the period of malfunction. 20. Developing risk management from an AI perspective The application of AI in credit institutions may entail specific risks, in view of which the MNB considers it necessary to review and supplement existing risk management strategies and procedures from an AI perspective. In order to facilitate this, the MNB makes the following recommendations on how to reflect this in the credit institutions’ AI sub-strategy and in the organisations’ core risk management documents. 20.1. Credit institutions should assess and define their own risk profile for AI systems. 20.2. The MNB expects credit institutions to determine the acceptable risk levels of the AI systems already in operation or planned to be implemented, according to their risk

17 profile. The MNB also expects that only AI systems, where the identified risks have been adequately managed and mitigated to an acceptable level prior to implementation will be implemented and used. 20.3. The MNB expects credit institutions to establish and maintain comprehensive, fully documented risk management systems and procedures throughout the entire lifecycle of the AI systems they have implemented or plan to implement. 20.4. The MNB expects credit institutions, throughout the entire lifecycle of the AI systems, to assess, identify and monitor the known and foreseeable risks of the AI systems used or planned to be implemented, in relation to the state of the art, taking into account the unintended or malicious use cases, in particular covering the following aspects and risks: a) data processing and data protection risks, b) compliance risks, c) legal risks, d) liability risks, e) reputational risks, f) financial risks, g) risk related to the breach or infringement of fundamental rights and ethical principles referred to in the AI Act and this Recommendation, h) customer-related risks, i) model risks, j) operational risks, in particular technology, IT, cybersecurity and human resources risks, k) third-party provider risks, and l) the risks entailed in generative AI systems. 20.5. The credit institution should elaborate the risk classification of AI systems and review such classification on a regular basis, at least once annually. In accordance with the risk classification of the AI system, the MNB expects credit institutions to establish risk￾proportionate, effective and state-of-the-art risk management measures and procedures to manage and mitigate the identified risks. 20.6. The MNB considers it good practice to introduce AI systems in phases prior to full roll￾out, with continuous backtesting and evaluation of implementation experience and related business needs. 21. AI-specific development of IT security In addition to its benefits, the introduction of AI systems may also increase the risk of attacks against the IT systems of institutions and may also introduce new types of IT security risks. To help improve IT security and increase the resilience of AI systems to cyber-attack attempts, the MNB makes the following recommendations for inclusion in the AI sub-strategy of credit institutions, in line with the provisions of the DORA Regulation relating to ICT risks and with Recommendation No 1/2025 (I. 13.) of the Magyar Nemzeti Bank on the protection of IT systems.

18 21.1. Through appropriate technological and technical solutions and security measures, credit institutions should ensure that: a) the teaching data used to teach the AI models applied cannot be manipulated or extracted without authorisation; b) the learning algorithm, structure, parameters, non-public inputs or system prompts of the applied AI models cannot be extracted, reconstructed or manipulated in an unauthorised manner; c) the input data sent by users and customers of the AI systems used are checked and filtered to ensure that they cannot be manipulated and produce an output other than intended. 21.2. The MNB considers it good practice for the AI models used to have capabilities that ensure the detection and prevention of manipulations and attacks, and to handle them at the model level. 21.3. The MNB considers it good practice for credit institutions to use technical solutions which, by pre-filtering the inputs of the AI system and filtering out inputs not intended for proper use, while performing a protective function, are able to reduce the load of the applied AI system through their pre-filtering mechanisms, thereby optimising its energy use and reducing its environmental impact. 21.4. The MNB expects credit institutions using externally sourced training data to establish appropriate technical solutions and processes to detect and filter unauthorised data manipulation. 21.5. The MNB expects credit institutions to develop and operate a monitoring solution to detect and counter attacks directed against AI systems. 21.6. In the case of an AI system or AI model procured from a third party, the credit institution should, prior to implementation, obtain information on the technical solutions and protective measures by which the third party ensures compliance with the requirements set out in point 21 of this Recommendation. 22. Development of organisational AI expertise To ensure the safe, responsible use of AI systems, it is essential to continuously develop the knowledge and skills of managers and employees, and to keep them up to date with the pace of technological developments. In order to facilitate this, the MNB makes the following recommendations on how to reflect this in the AI sub-strategy of credit institutions. 22.1. Credit institutions should ensure that their employees have an appropriate level of competency in AI, i.e. skills and knowledge, which is appropriate to their professional knowledge, qualification, experience, responsibilities and the circumstances in which they will use or come into contact with the AI systems, to develop, operate and use the AI systems in a responsible and secure manner, including knowledge of the operational logic and mechanisms, capabilities, interpretation of outputs, ethical use, risks and potential harm of AI in general and of the AI systems used by the credit institution in particular.

19 22.2. Credit institutions should carry out an assessment of their employees’ competencies in AI as part of the assessment under sub-point 10.1. 22.3. Credit institutions should regularly provide all their employees with relevant theoretical and practical courses, refresher training, practical software use training, experiential learning opportunities and internal knowledge transfer forums on AI, based on continuously updated and up-to-date curricula, adapted to their job function and the AI systems used by the credit institutions. 22.4. The MNB considers it good practice for credit institutions, in the course of the trainings referred to in sub-point 22.3, to place particular emphasis on, and to develop and enforce, clear internal rules for their employees on the framework and limits for the use of third￾party AI systems, in particular third-party generative AI systems in work processes. In this context, the MNB considers it good practice for a person with the appropriate expertise and authority to decide on the case-by-case admissibility of the application in cases of controversial, ambiguous or disputed use. 22.5. The MNB considers it good practice to require periodic assessment of the AI competencies of employees in key positions in AI-related processes and decision-making or in the operation and management of AI systems, as well as of employees who come into contact with customers in an administrative capacity in the context of AI systems. 22.6. The MNB considers it good practice for credit institutions to examine what tools they can and will use to attract potential new employees with appropriate AI skills. 22.7. The MNB considers it good practice for credit institutions to establish human resources policies and measures to ensure the continued existence and continuity of internal AI expertise and AI competencies within the institution. 23. Improving communication related to AI Clear, unambiguous, proactive internal and external communication about AI helps to develop a corporate culture that supports digital transformation, to use AI systems responsibly, to increase employees’ and customers’ knowledge of AI and thus to strengthen employee and customer confidence in AI. To this end, the MNB makes the following recommendations on the presentation in the AI sub-strategy of credit institutions. 23.1. In order to strengthen the organisational culture and ensure a consistent internal understanding of the credit institutions’ position, strategy and plans for AI, credit institutions should initiate proactive communication about AI and their strategy for AI throughout the organisation. 23.2. The MNB considers it good practice for credit institutions to develop a strategy for communication on AI or to supplement their strategic communication document with strategic provisions on internal and external communication on AI. 23.3. Credit institutions should operate an internal reporting system that allows for the reporting, effective investigation and prompt resolution of errors, deficiencies and ethical breaches relating to the functioning of the implemented AI systems.

20 23.4. The MNB expects credit institutions to inform customers clearly and understandably about the impact on customers of identified errors, deficiencies and ethical breaches, and about the elimination of such issue. 23.5. The MNB considers it good practice to display educational content and messages on the credit institutions’ digital channels and social media platforms, differentiated and relevant for different age groups and target groups, related to AI and the application of AI in banking, as well as effective communication with AI systems and the development of AI-related security awareness. 23.6. The MNB considers it good practice for credit institutions using generative AI systems in their communication channels to enable customers to regularly provide feedback on the quality and accuracy of AI-generated responses. 23.7. The MNB expects credit institutions to provide information to customers in a clear, understandable and unambiguous manner: a) on certain AI-supported products, services and customer-related processes; b) where the customer views or perceives content created by an AI system; c) where the customer is in direct interaction with an AI system. The information should cover the basic operation of the AI system concerned, as well as the benefits, limitations and risks of the relevant AI system. 23.8. The MNB expects credit institutions to operate a prioritised channel with appropriate competencies and AI literacy for customer contact related to AI systems, ensuring that customers: a) may request information as to whether the product, service or customer-related credit institution process used or intended to be used by them is supported by an AI system, as well as on alternative products, services and processes that provide for human intervention and administration; b) may initiate a review of decisions directly affecting them that involve an AI system; c) may report and initiate investigations into errors and deficiencies related to AI systems in an efficient and timely manner. XV. Closing provisions 24. Recommendation is a regulatory instrument issued in accordance with Article 13 (2) i) of the Act CXXXIX of 2013 on the Magyar Nemzeti Bank, with no binding force on the supervised financial organisations. The content of the recommendations issued by the MNB expresses the statutory requirements, the principles proposed to be applied based on the MNB’s supervisory and regulatory practice as well as the methods, market standards and practices. 25. During its audit and monitoring activity, the MNB monitors and assesses compliance with the Recommendation by the credit institutions supervised by it in line with the general European supervisory practices.

21 26. The MNB highlights that the credit institution may make the contents of this Recommendation part of its policies. In such case, the credit institution is entitled to indicate that the provisions of its policies comply with the relevant Recommendation issued by the MNB. If the credit institution wishes to incorporate only certain parts of the Recommendation in its policies, it should not make reference to the Recommendation as a whole or should only do so in respect of the parts taken from the Recommendation. 27. The MNB expects the respective credit institutions to apply this Recommendation – with the exception of point 28 – from 1 April 2026. 28. The MNB expects the respective credit institutions to develop the AI sub-strategy in accordance with the recommendation and to submit it to the MNB for the first time by 30 June 2026. 29. Recommendation No 4/2021. (III.30.) of the Magyar Nemzeti Bank on the digital transformation of credit institutions is superseded on 1 April 2026. Mihály Varga Governor of the Magyar Nemzeti Bank