The KBC-owned Hungarian bank has been hit with a financial penalty from the Magyar Nemzeti Bank (MNB), the country's central bank, over its lack of compliance with the EU’s revised Payment Services Directive (PSD2) requirements for data access.
In this most rare of enforcement actions, Hungary’s central bank imposed the fine on K&H Bank, one of the country’s largest retail banking institutions, over its lack of adherence to PSD2’s open banking rules.
“The MNB is committed to ensuring the spread of open banking as required by the EU Payments Directive, and in its decision, the MNB found that the Credit Institution had violated one of the requirements of the Commission Delegated Regulation on strong customer authentication and secure communication in relation to open banking,” the regulator said in a press statement.
The HUF19m ($49,549) fine was imposed for breaching the rules on access for account information service providers (AISPs) and the customers using them: the bank required users to enter their payment transaction reference number manually.
In other words, the bank did not ensure that customers could easily select account numbers with a single click, rendering the process clunky and non-compliant with open banking rules.
When determining the fine, the MNB considered K&H Bank’s significant role in the national payment system, as well as the fact that the breach was embedded in its IT system for an extended period, after the regulator had already granted the bank an additional 14 months to rectify the issue.
However, the MNB acknowledged the bank’s cooperation during the investigation and the fact that it did not attempt to conceal the breach.
The MNB summarised that it “considers the monitoring of compliance with payment rules to be particularly important, condemns all violations of the law and will accordingly continue to act with sufficient rigor in the monitoring of institutions providing payment services”.
A rare enforcement action
PSD2 enforcement in the EU has been noticeably limited since the regulation was introduced.
What enforcement action does take place is not well publicised, and it often seems that where regulators are taking steps, they are doing so behind closed doors.
Fintechs have long complained about this lack of enforcement action against banks for non-compliance.
For example, a complaint filed in December last year with the Norway Competition Authority saw the fintech Neonomics allege that Norwegian banks and their affiliates have stifled innovation and restricted competition in the country's payments market.
Specifically, Neonomics claimed that retail banks in Norway have deliberately contravened the requirements of the PSD2.
In 2021, the European Banking Authority (EBA) took a similar view, and called for national competent authorities to take supervisory actions to ensure the removal of obstacles to account access under PSD2.
This sparked some verbal warnings to firms, including a caution from Sweden’s financial watchdog to Swedbank in 2022.
In October 2024, meanwhile, the Netherlands’ Rabobank agreed to lift access restrictions for payment institutions following discussions with the Netherlands Authority for Consumers and Markets (ACM).
Coming change
The updated iteration of the EU’s payment services regime, the Payment Services Regulation (PSR), may bring some change in this area, given that it sets new expectations for banks.
Article 43, for example, states that banks must securely communicate with payment initiation service providers (PISPs) and AISPs, treating their requests as if made directly by users.
Real-time dashboards must allow users to manage data access permissions and, if agreed by the EU’s political institutions, banks will be able to deny access on fraud grounds but will have to justify and report any such denial.
Barriers to data access are explicitly prohibited by the PSR, and banks will not be able to impose unnecessary authentication steps, restrict payment initiation to certain payees or limit transactions based on domestic identifiers.
They must also not require additional registration for third-party providers, prevent credential use or impose redirection that complicates user authentication, and dedicated interfaces need to support all authentication methods available to direct users.
The PSR also sets much higher expectations in terms of what national competent authorities need to do.
Article 48 expands on PSD2 by imposing stricter oversight on competent authorities, stating that regulators need to scrutinise banks’ compliance with interface requirements, remove obstacles and maintain access rights for third-party providers (TPPs).
They must enforce compliance without delay, have sufficient resources and cooperate with data protection authorities. In addition, they will need to collect and share market data with the EBA.
However, the regulation could also open up the opportunity for better dialogue. For example, it emphasises the need for regular meetings between banks and TPPs to resolve data access issues.