Changes related to the PSD2 Directive
We would like to inform our clients that Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market (PSD2 Directive) entered into force on 13 January 2018 in the first phase, and will enter into force on 14 September 2019 in the second phase.
The primary objective of the PSD2 Directive is to foster competition and innovation in the field of financial services, to improve customer experience and customer (in particular consumer) confidence, and to protect customers' security more effectively. The regulatory technical standards (RTS) and guidelines set out on the basis of the Directive address in detail the set of rules for informing consumers and for using strong customer authentication.
The National Bank of Hungary authorised a 12-month grace period for domestic financial service providers for the introduction of strong customer authentication in the case of online payments with bank cards (point III/3), setting a final deadline of 14 September 2020. As regards the exact date from which to start strong customer authentication for purchases made through the internet we will inform our Clients at a later date. In the transition period, the rules of liability provided for in the payment services act guarantee for customers that their risk in such payments is not increased, that is to say risks arising from the planned introduction of strong customer authentication shall be borne by the Bank.
On the other hand, the changes related to Raiffeisen DirektNet and Raiffeisen Electra detailed in Sections II and III, the changes to transfer limits and the new rules for activating bank cards will take effect. We therefore recommend that you read this information carefully and review the changes in the Bank’s General Terms and Conditions scheduled to enter into effect on 14 September 2019.
I. Strong customer authentication is coming!
Raiffeisen Bank will be required to use so-called strong customer authentication if its client:
- (the paying party) has access to his bank account online
- initiates an electronic payment transaction (electronic remote payment)
- wishes to execute a payment order or to access account information through a so-called payment service provider. (More detailed information is available on these service providers below.)
The essence of strong customer authentication (SCA) is that, before the given transaction or order is executed, the client is identified simultaneously by two independent identification elements of different types, chosen from three identification categories.
Identification categories distinguished by the SCA definition:
- knowledge: information known only to the person initiating the payment (e.g. PIN, password)
- possession: something only the person initiating the payment possesses (e.g. a one-time code sent to a telephone)
- inherence: something the person initiating the payment is (e.g. fingerprint)
The point is that in the event of a breach of one element, an unauthorised third party cannot initiate a payment or use a service.
Some examples where strong customer authentication is not required:
- Paper-based transactions and payment orders initiated through the call centre (Raiffeisen Direkt) are exceptions to the principle.
- Strong customer authentication is not required where card-based payment is initiated by the payee, for example, regular monthly subscription payments previously authorised by the cardholder.
II. Changes from 14 September 2019
1. One-touch bank card payments
For one-touch payments, the POS terminal will ask for PIN identification after every fifth purchase.
2. Changes in the use of our DirektNet online banking system
As of 14 September 2019, our Clients will not be able to access DirektNet without a mobile phone number registered with the Bank or a Mobile Token built into the Raiffeisen Mobile Application. (In other words, the user name-password combination will not be enough for access if neither one of the above is available.)
Accordingly, after 14 September 2019, Customers using telephone banking services (Raiffeisen Direkt or DirektNet) under a contract concluded before 2 November 2010 who do not have a mobile phone number may not request, apply, or use a one-time activation code received on paper. Instead, the activation code will be sent by the Bank in the form of SMS only, so it will be obligatory to register a mobile phone number in order to access the service.
More information about these new entry modes is available at https://www.raiffeisen.hu/-/internetbank-direktnet in the DirektNet user manual.
3. Changes in transfer limits
As of 14 September 2019, the amount limits and the number of individual and standing transfer orders initiated through Raiffeisen DirektNet will change as set forth in the applicable Retail, Premium and Preferred Private Customer Terms and Conditions.
In the case of transfers sent through DirektNet with SMS signature, the limit per transaction for private individuals is reduced to HUF 1 million, and for Premium and Private Customers it is reduced to HUF 2 million, while quantitative limits are abolished and the daily transfer limit is increased to HUF 25 million.
If you require a higher per transaction limit, we recommend that you download our online banking and mobile application service available to retail, Premium and Private Customers, i.e. the Raiffeisen Mobile Application, and sign your transactions with Mobile Token. For account holders and business customers, it is possible to change the transaction limit personally in the branches and through our call centre up to the amount of the daily transfer limit.
III. Further changes expected after 14 September 2019
1. Activation of bank cards
From a later date to be published by the Bank in the form of public notice, only the cardholder (the individual in whose name the card is made out) will be allowed to activate his newly issued bank card. The cardholder can do this personally at a branch or through Raiffeisen Direkt subject to proper identification. Activation of a bank card sent by post or courier, or received by an authorised representative, is done through Raiffeisen Direkt by entering the Cardholder’s D-PIN, the Activation Code sent to the Cardholder from the date specified by the Bank and the card number, or by entering the Activation Code sent to the Cardholder plus the card number, along with 3 personal details. After the time to be published by the Bank in the form of public notice, the Bank will send the Activation Code required for activating the bank card by SMS to the mobile phone number that the Cardholder has notified to the Bank.
Renewed bank cards sent to the Cardholder by post will be activated at the time of first ATM cash withdrawal made by the Cardholder, or can be activated through Raiffeisen Direkt as described in the previous paragraph.
In the case of a business bank card, activation can be done by the Cardholder through Raiffeisen Electra as well.
2. Online shopping with bank card
In connection with online purchases made with credit or debit cards, from a later date to be published by Raiffeisen Bank in the form of public notice - if the merchant also uses strong customer authentication - the Bank may request additional authentication to finalise the purchase once the card information is entered. Strong customer authentication can be achieved by:
- for clients using the Raiffeisen Mobile application, with a mobile token in the application, or
- by entering a one-time code sent to the mobile phone in an SMS, and/or by applying an additional knowledge-based authentication element.
From a later date to be published by Raiffeisen Bank in the form of public notice, in the case of online bank card purchases, if online identification fails five consecutive times, the Bank will temporarily block online bank card purchases. Temporary blocking will automatically be lifted at midnight on that same day. In the case of a mobile token, blocking is permanent, and the activation of a new mobile token is required.
After the time to be published by the Bank at a later date, customers (cardholders, authorised business card holders or co-holders) who do not have a mobile phone number registered with the Bank will not be able to make online purchases.
We have informed our customers by postal mail or by way of notice sent through DirektNet and Electra on what to do.
3. Changes in the Raiffeisen Electra banking system
From a later date, to be published by the Bank in the form of public notice, Electra may be accessed exclusively by the means of authentication used for the signature of orders, instead of the username and password combination previously used.
The Bank provides detailed information about changes in the use of Electra to the customer concerned.
IV. New payment service providers and services in the financial market governed by PSD2
In recent years, the financial sector has seen the emergence of many new market players (FinTech) as well as more innovative payment products and services, such as account information services or payment initiation services. These new types of payment services and the activities of the providers of such payment services are regulated by the PSD2 Directive, which at the same time ensures that the least amount of legal regulation is imposed upon all persons providing such payment services.
The payment services act distinguishes between "payment account servicing payment service provider", "payment initiation payment service provider" and "account information service provider", as well as "payment service provider issuing card-based cash-substitute payment instruments".
"payment initiation service" means a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
"account information service" means an online service to provide consolidated information on one or more payment accounts held by the payment service user with another payment service provider or with more than one payment service provider.
"payment service provider issuing card-based cash-substitute payment instruments" means where the payment service provider issuing such instrument is entitled to request information, subject to the customer’s authorisation, from the customer’s payment account servicing payment service provider (account bank) in connection with transactions initiated by the customer with such instrument, as to whether sufficient funds are available on the customer’s payment account to cover the payment transaction.
The bank customer shall have the right to decide, at his own discretion, whether or not to use the services of a payment service provider providing payment initiation services, account information services, or the services of a payment service provider issuing card-based cash-substitute payment instruments, provided that:
- the customer’s payment account at the bank is accessible online, and
- the Customer has consented to the provision by the above-specified payment service providers of services with respect to the payment account held with the Bank.
The Bank is obligated to cooperate with the provider of the payment initiation service, the account information service and to accommodate the services of a payment service provider issuing card-based cash-substitute payment instruments, and shall provide them with the data and information required by law.
The Bank shall ensure, in an objective, non-discriminatory and proportionate manner, that providers of payment initiation services and account information service providers have access to the payment accounts of those customers who wish to use the services of such third party service providers.
The Bank is required to provide a secure data link (open API) between the Bank and the above-specified third party service providers starting no later than 14 September 2019.
In the case of a payment transaction initiated by the Customer through a payment initiation service provider, point 1.XIV.14.10 of the General Business Terms and Conditions contains the liability rules applicable in the period following the provision of the secure data transmission connection.
In the case of a transfer initiated through a payment initiation service provider, the applicable charges for the electronic channel used by the customer (Raiffeisen DirektNet, myRaiffeisen, Electra) will be charged to the account of the Customer to whom the service is provided.