Monday, 5 October 2015

Payment Initiation Services, Account Information Services

Broadening the Scope of Payment Services

The European Parliament’s agenda scheduled the second Payment Services Directive (PSD2) for a vote on 8 October 2015. Although the final text is settled, many questions still lack clear answers and need to be addressed accordingly.

Since the adoption of PSD1 (Directive 2007/64/EC on payment services in the internal market) new types of payment services have emerged, especially in the area of internet payments. According to Recital 18 of PSD2 “these services play a part in e-commerce payments by establishing a software bridge between the website of the merchant and the online banking platform of the payer’s bank in order to initiate internet payments on the basis of a credit transfer. The payment initiation service provider, when providing exclusively payment initiation service, does not in any stage of the payment chain hold user’s funds”.[1]

These new e-commerce payments are made over the internet, usually in one of these three ways[2]:
  1. via a remote payment card transaction through the internet;
  2. in the form of online credit transfers or direct debits by using either the payer’s online banking system directly, or that of a third party’s (e.g. Sofort);
  3. payments through e-payment providers, with which the consumer has set up an individual account that has been funded through “traditional” payment methods, e.g. bank transfers or credit card payments (e.g. PayPal, PayU).
Annex 1 of PSD2 lists the payment services that are within the scope of the directive. Two new services were added to this list with PSD2: payment initiation services and account information services. The first includes those services under point 2 above that are provided by third parties other than banks. The second is only a complementary service providing the user with aggregated online information on one or more payment accounts.

Payment Initiation Services 

The German Sofort, the largest bank-independent TPP in Europe, offers payers the option of paying merchants directly from the payer’s bank account. The payer authorizes the specific payment and personally carries out and completes the steps necessary for executing it, including selecting from which of his or her bank accounts the payment should be made. The payer then signs the transaction using his or her existing online banking credentials. The payer retains full control of the completion of the payment and uses bank-issued security credentials to carry it out. The whole process is carried out using Sofort’s software, but Sofort is not able to initiate a payment without the payer actively participating and going through the same steps as when initiating an online bank payment. This makes this payment one of the safest online methods, and the risk of the payer being exposed to fraud is minimized[3].

Although Sofort has not faced one single case of data fraud affecting the consumer since its launch in 2004, payment initiation services do imply an increased risk for the user. The Study on the Impact of PSD1 also highlighted some security concerns:

“To put it simply, under payment initiation services, the historically basic concept of the payment process “give me EUR X from your wallet” turns into “give me your wallet” (out of which the payee or its provider takes EUR X). This triggers security concerns which are broader than the mere fear of the risk of one-off fraud.”[4]

Figure 2 shows that in the new, five-member process the payer initiates the payment via the TPP, which in turn passes the instruction to the payer’s bank.

PSD2 relation

PSD2 does not use the term bank. Instead it uses the definition: “account servicing payment service provider”. This wording basically covers banks as it means a payment service provider providing and maintaining payment accounts for a payer[5].

The service provided by Sofort and other similar services (e.g. iDeal or Trustly) was not covered by PSD1. PSD1 exempted those technical operators who support PSPs on the ground that they do not come into possession of the payer’s funds[6]. Article 3(j) of PSD2 upholds this exemption but specifically excludes payment initiation services and account information services, thus extending the scope to such TPPs.

It is therefore inevitable that technical operators who relied on the above exemption carry out a careful analysis of whether they now need to become regulated under PSD2. In particular, it must be determined whether a payment service provider that enjoyed the exemption as a support operator under PSD1 now falls within the scope of providing “payment initiation services”.

Under PSD2, payment initiation service providers are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros[7]. Account information service providers are expressly exempt from authorisation, but are subject to a registration requirement[8].

Account Information Services

According to Recital 18(a) of PSD2 “…with technological developments, a range of complementary services have also emerged in recent years, such as account information services. These services provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider, thus enabling the payment service user to have an overall view of his financial situation immediately at a given moment.”

PSD1 was silent on such services, which raise several legal issues such as consumer protection, security and liability, as well as competition and data protection.

This service used to be the monopoly of the consumer’s bank and was limited to a single bank account. Now the user authorizes the TPP to process the information available in the user’s online banking facility, and the TPP then provides financial information and new functionalities not available from the bank (e.g. eWise).

Figure 3 shows how account information service would work under PSD2.

Some argue that PSD2 does not contain clear definitions as to the content of account information services[9]. They claim that PSD2 remains neutral about the technology of such services and refers only to “services requested by the user[10]”, “information requested through an account information service provider[11]” and “access and use the information on the payment services user account[12]”. This argument is, however, not well founded: since PSD2 is a directive, its goal is to set out minimum requirements that each EU member state must achieve, and it is up to national legislation how this goal is achieved. This is somewhat contrary to the above, where emphasis was placed on the imprecise definitions used by PSD2. Nevertheless, it is not this directive’s task to solve technicalities.
In the earlier draft version of PSD2 the wording of account information service included references to a payment service. However, the EPC was of the opinion that such services should not be presented as a “payment service”, as they are not necessarily linked to payment transactions[13]. The EPC reasoned that such services would only comprise historical payment transaction data, or “aggregation services”, but would never lead to a payment initiation. The EPC even questioned whether they should be included in PSD2 at all. The view that these services should not be left without appropriate authorization resulted in their inclusion under the scope of PSD2.

Access to Payment Accounts 

Access to payment accounts is one of the most controversial territories of PSD2. A payment initiation service or an account information service would not work if banks did not grant access to payment accounts. This is a very sensitive territory, touching on banking secrecy, anti-money laundering and data protection issues.

The Study on the Impact of PSD1 highlighted that with payment initiation services the concept of the access to accounts has shifted:

“Existing online access relies on the assumption that the user is the only person to access the account. Indeed, to tackle concerns with payment initiation services, while still preserving the innovative potential of those services, this basic assumption needs to be shifted. Instead, the basic underlying assumption should hold that the user is one of the persons to access the account, but remains the only person to decide on who else may get access to the account. The concept under which the user is one of the persons to access the account and the only one able to decide who gains access removes most obstacles to the sustainable development of payment initiation services. Indeed, this way of conceptualizing access to accounts ensures neutrality with regards to future developments in this area.”

In accordance with Articles 58 and 59 of PSD2 a bank or a credit institution must give TPPs access to customers' account information, provided that the customer has given his explicit consent to that access. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator[14].

Aren’t the above articles contrary to banks’ general terms and conditions? Could a customer raise the concern that the general terms and conditions prohibit the disclosure of confidential login details and the confirmation code to third parties? Would such disclosure imply a breach of contract?

Ross Anderson explained the Sofort case during the Security Protocols 20th International Workshop in 2012: the German banks sued Sofort on the basis that it induced their customers to break the general terms and conditions of their contract. However, the Federal Competition Authority intervened and said that “they actually liked these Sofort chaps because they were bringing some much needed competition into a very, very cartelised payment business”[15]. In 2011 the authority called upon the German banks to enable non-discriminatory access for online payment systems that are independent of banks.

Contrary to the German practice, in 2014 the Polish competent authority for payment service providers explicitly closed the market for service providers with its decision on instructing banks not to allow access to bank accounts to Polish TPPs.[16]

Simultaneously with the Polish approach, the District Court of Midden-Nederland ruled that AFAS Software B.V. acted unlawfully and must desist from asking ING Bank’s customers to enter their banking credentials on the website of AFAS so that it could log on automatically to ING’s secure online banking interface[17].

The Dutch AFAS operates along the same principles as the German Sofort, with the difference that Sofort has been granted access to payers’ bank accounts, while AFAS hasn’t. Interestingly, ING relied on the same reasons as the German banks when they sued Sofort. ING reasoned that its general terms and conditions and the Uniform Safety Standards of the Dutch Banking Association prohibit customers from disclosing their personal internet banking credentials to third parties. Furthermore, AFAS created an immediate online banking security risk by asking ING customers to supply their internet banking credentials. The court ruled in favor of ING and said that, in order to prevent fraud, internet banking credentials should never be provided to third parties.

Most surprisingly, the Dutch court rejected the argument of AFAS that its services, including the offer of an automatic connection between its third party applications and online banking environments, would be regulated by PSD2. The court agreed with ING that PSD2 is not yet in force and that the proposed text of the directive is still under discussion, especially those provisions that AFAS could rely on.

The Dutch court eventually ruled that the final compromise text of a directive waiting for voting cannot be relied on. This is in line with the CJEU’s case law. In Inter-Environment Wallonie the CJEU held that even within the implementation period the Member States are not entitled to take any measures which would seriously compromise the result required by the directive[18]. This was later on strengthened in Mangold[19].

If PSD2 entered into force, AFAS could challenge the Dutch court decision by invoking Inter-Environment Wallonie and Mangold. But first it should be examined whether the relevant Article of PSD2 is capable of direct effect, using the test set out in Francovich.[20]

According to Article 58(1)(b) and (c) of PSD2:

“The account servicing payment service provider shall:

(b) immediately after the receipt of the payment order from a payment initiation service provider provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider; 

(c) treat payment orders transmitted through the services of a payment initiation service provider without any discrimination for other than objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer himself.”

Subsection (b) of the above article seems capable of direct effect. Notwithstanding that the term “all information” is not precise enough, the preceding subsections of this Article give some guidance on what information (personalized security credentials, other information on the service user) banks should give access to. Subsection (b) confers rights on payment initiation service providers. Subsection (c), on the other hand, is not precise enough: while it imposes a clear obligation and identifies the subject of that obligation (the account servicing PSP), it does not appear to confer rights on any party in particular.

Whether direct effect in relation to AFAS would be horizontal or vertical depends on how the Netherlands implements PSD2.

[1] Recital 18 of PSD2
[2] Green Paper of the European Commission…
[3] Sofort has not faced one single case of data fraud affecting the consumer since its launch in 2004, according to EPIF’s Report on Payment Initiation Services, July 2013.
[4] Study on the impact... p. 4
[5] Article 4(10) of PSD2
[6] Article 3(j) of PSD1
[7] Article 68(b) of PSD2
[8] Article 27(a) of PSD2
[9] http://prudentiz.eu/payment-services-directive-ii
[10] Article 59(2)(f) of PSD2
[11] Article 87(1)(c) of PSD2
[12] Recital 51 of PSD2
[13] Gijs Boudewijn, “PSD2: EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services” (2014) EPC Newsletter
[14] Article 29a of PSD2
[15] Ross Anderson: Protocol Governance: The Elite or the Mob? In: Security Protocols XX: 20th International Workshop, Cambridge, UK, April 2012.
[16] http://prudentiz.eu/payment-services-directive-ii
[17] ING Bank N.V. v. AFAS Software B.V. [2014] Rechtbank Midden-Nederland C/16/372291 / KG ZA 14-481
[18] Case C-129/96 Inter-Environment Wallonie ASBL v Région Wallonie [1997] ECR I-7411, para 44
[19] Case C-144/04 Mangold v Helm [2006] 1 CMLR 43, para 28
[20] Case C-60/90 Francovich [1991] ECR I-5357
Picture source: www.tcdc.govt.nz

Thursday, 6 August 2015

Tokenisation: What do EMV, NFC, HCE and MST mean?

Picture source: www.paymentsleader.com
The payments industry is changing at a rapid pace, which is due to new technologies appearing and to financial institutions having to react quickly to security questions. As a result, an enormous number of foreign words and acronyms are seeping into everyday language, and it is easy to get lost in this sea of letters. Below we explain the terminology and acronyms related to mobile and electronic payments, what they mean and what they are used for, and how, together, they make our card and mobile payments easier and more secure.
Tokenisation means protecting the data on the card by replacing the card’s Primary Account Number (PAN) with a unique, randomly generated sequence of numbers. With the appropriate unlocking key, this token can be converted back at any time into the real PAN it corresponds to. There are different kinds of tokens, and they can be created in different ways. A token may be merchant-specific, single-use or multi-use; it may be stored in the cloud or in so-called token vaults; and once the token has been created, it can be assigned to a stored card, to a one-off transaction, or to a payment card or device. The random token sequence acts as a substitute value for the actual PAN, and the data remains within the issuer’s system. Tokenisation avoids sensitive payment card data being stored on the networks of merchants, web shops and mobile wallet providers. Payment tokenisation allows the consumer to register a payment card in a mobile wallet or at a web shop and to replace the card’s real number with a payment token code specific to that merchant or wallet. Tokenisation is not a new phenomenon, but recent data breaches have highlighted that payment account data needs stronger protection.
In summary, tokenisation is really the secure link created between the actual payment card account and a unique identifier. This unique identifier can be a pseudo-number, that is, a number that looks like a real card number, so that it is compatible with existing point-of-sale and processing systems (POS terminals); it therefore conveys model information rather than the real card data. But there are other kinds of token too. Most mobile wallet providers, such as Paydient or LevelUp, use two-dimensional barcodes (so-called QR (quick response) codes) as tokens, which can be read with a smartphone, thus enabling mobile-only transactions. Other providers, such as PayPal, use an e-mail address or a mobile phone number as the token. The code serves a dual purpose: first, it forms a line of defence between the source of payment and an attacker; second, it allows existing payment methods to operate in different contexts.
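The token vault described above, as an added worked example (this is not the post’s own code, nor any real vault product’s): a hypothetical TokenVault class that issues a merchant-specific, multi-use pseudo-number for a PAN and maps it back only for a caller holding the vault key. The token has the same length as the PAN and a valid Luhn check digit, so it passes through systems that validate card numbers, while its digits come from a CSPRNG and are unrelated to the PAN. The class, its method names and the test PAN are all constructed for this illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a digit string (a PAN without its final digit)."""
    total = 0
    # Walk from the digit next to the check digit leftwards, doubling every second one.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the string is all digits and its last digit is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class TokenVault:
    """Hypothetical token vault (constructed for this example).

    It issues a merchant-specific, multi-use token for a PAN and maps the token
    back to the PAN only for a caller holding the vault key. A production vault
    would keep the PAN encrypted under a key held in an HSM; here it is an
    in-memory dict so the example runs offline.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _pan_by_token: dict = field(default_factory=dict)    # token -> PAN
    _token_by_scope: dict = field(default_factory=dict)  # (PAN fingerprint, merchant) -> token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: the lookup index does not hold the PAN in clear text.
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length as the PAN and a valid Luhn digit, so the token passes through
        # POS and acquirer systems that validate card numbers ("looks like a PAN").
        # The digits come from a CSPRNG; nothing is derived from the PAN itself.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str, merchant: str) -> str:
        """Return the token for (PAN, merchant), creating it on first use."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        scope = (self._fingerprint(pan), merchant)
        if scope not in self._token_by_scope:
            token = self._new_token(pan)
            self._pan_by_token[token] = pan
            self._token_by_scope[scope] = token
        return self._token_by_scope[scope]

    def detokenize(self, token: str, key: bytes) -> str:
        """Map a token back to its PAN; only the holder of the vault key may do this."""
        if not hmac.compare_digest(key, self.key):
            raise PermissionError("vault key required for detokenization")
        return self._pan_by_token[token]


def can_detokenize(vault: TokenVault, token: str, key: bytes) -> bool:
    """Helper used to show that a token alone is useless without the key."""
    try:
        vault.detokenize(token, key)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed, Luhn-valid test number, not a real account
    shop_a = vault.tokenize(pan, "webshop-a")
    shop_b = vault.tokenize(pan, "webshop-b")
    print("merchant-specific tokens:", shop_a, shop_b)
    print("token looks like a PAN:", luhn_valid(shop_a), len(shop_a) == len(pan))
    print("without key:", can_detokenize(vault, shop_a, b"\x00" * 32))
    print("with key:", vault.detokenize(shop_a, vault.key) == pan)
```

The point to notice is the scope key: the same card registered at two merchants yields two unrelated tokens, so a token leaked from one merchant’s database cannot be used at another, and no merchant ever stores the PAN.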
EMV (Europay, MasterCard® and Visa®) is a global payment system that places a microprocessor chip on credit, prepaid or debit cards, making them less exposed to fraud in face-to-face transactions. These chip or smart cards generate dynamic data for every transaction, which prevents transaction data from being fraudulently reused. By contrast, a magnetic stripe card stores static, unchanging data. Chip card technology can be used for three main transaction types: contact, contactless and mobile transactions. The EMV chip uses cryptographic keys that generate a unique code for each transaction, making it impossible to clone or steal the data.
In the United States, from 1 October 2015, liability for card fraud where the card is physically present (card-present fraud) will fall on the party that is the least EMV-compliant in the fraudulent transaction. (While almost 100% of cards in the EU are chip cards, a great many magnetic stripe cards are still used in the USA.) The merchant whose point-of-sale terminal (POS) does not comply with the EMV upgrade, or whose terminal does not accept chip cards, bears the cost of the fraud.
NFC, or Near Field Communication, is a standardised wireless communication technology that enables data flow between devices that are only a few centimetres apart. NFC data transfer is short-range and is used for more secure transactions, as opposed to radio frequency or RFID-type transactions, which are long-range and only minimally secure. An NFC-enabled phone is provisioned with a payment application and payment account information. This application and account information is encrypted and stored in the phone’s secure area. Using NFC technology, the phone communicates with the merchant’s contactless-enabled POS system. Payment takes place when the consumer holds the phone a few centimetres from the contactless POS system and the transaction is completed.
In recent days several English newspapers have published articles on how card data can be stolen while the card is still in its owner’s pocket.
The demonstration used precisely the RFID technology mentioned above, which communicates between the card and the reader at 13.56 MHz. The hacker used a low-power Linux computer and an easily obtainable RFID reader. Digital pickpockets can also download an RFID app to their phones, with no need to buy a separate device. If the reader, or the smartphone running the RFID app, gets close enough, it can capture the wireless signals the card emits while it is being used for a purchase. This information then only has to be loaded into a device that can be bought online for as little as 300 dollars, and the card is simply copied.
According to experts, the three-digit code (CVC) on the back of the card is the solution, because it cannot be read with the above method. However, many web shops do not even ask for this three-digit code, and in shops it is possible to pay with a counterfeit card that does not contain the CVC code.
Many also believe that covering the card with foil can offer a solution.
HCE, or Host Card Emulation (cards accessible from the cloud), allows NFC devices to carry out contactless transactions while the payment credentials, the other identifiers and the relevant card applications are not stored where the secure element (SE) is. HCE also gives the NFC controller the option of routing the communication from the contactless reader or the POS terminal to a host card emulation service provider. With HCE, the payment application is installed on the phone’s operating system and communicates directly with the cloud system and the NFC controller. There is no need for the card issuer to use a SIM or another secure element (SE) in order to carry out contactless NFC mobile payments.
MST, or Magnetic Secure Transmission technology. This system generates an alternating current through inductive cycles of a changing magnetic field. The signal detected by the device imitates the same magnetic field change as a magnetic stripe card swiped through the same reader head. MST works within 2.5 to 3 cm of the reader head. MST was patented by the LoopPay mobile wallet solution, which allows consumers to pay with their mobiles; LoopPay was later acquired by Samsung. For the security of the transaction, MST operates only during the transmission process.

How they work together
Technology is working hard to make consumers’ transactions more secure, and many of these technologies show similarities. The two best examples of technologies working together are Apple Pay and Samsung Pay. Both use tokenisation to encrypt card data and NFC to transmit it. Samsung, however, is ahead in also offering MST technology, which allows the consumer to carry out transactions where the merchant only has a magnetic stripe reader. The other difference between the two wallets is that Apple uses the secure element (SE) to store tokens and payment credentials, whereas Samsung uses HCE, so the credentials can be stored outside the secure element (SE), in an operating system or, for example, in the cloud. In a certain sense Apple Pay and Samsung Pay transactions are similar to EMV transactions in that they prevent stolen card data from being used elsewhere. The unique device identifier created during a mobile transaction serves the same purpose as the microchip on the EMV card: it transmits a dynamic cryptogram with every transaction.
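The dynamic per-transaction cryptogram that the EMV paragraph and the paragraph above both rely on, as an added worked example (this is not the post’s own code and not a real EMV implementation): a constructed ChipCard holds a per-card key and an Application Transaction Counter (ATC), and a constructed Issuer checks the cryptogram and rejects any transaction whose counter has already been seen. HMAC-SHA256 stands in for the EMV session-key MAC (real cards derive session keys from the ATC and use 3DES/AES); the test PAN, card key and track-2 string are made up for the demo. A static magnetic stripe check is included for contrast, since it has no freshness to verify.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


def _auth_message(amount: int, currency: str, atc: int, nonce: bytes) -> bytes:
    # Fields covered by the cryptogram: amount, currency, card counter, terminal nonce.
    return f"{amount}|{currency}|{atc}|".encode() + nonce


@dataclass
class ChipCard:
    """Constructed model of an EMV-style chip: a per-card secret key and an
    Application Transaction Counter (ATC) that increases with every transaction."""
    card_key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount: int, currency: str, terminal_nonce: bytes) -> dict:
        # The ATC and the terminal's nonce enter the MAC, so two purchases for the same
        # amount never yield the same cryptogram. (HMAC-SHA256 is a stand-in for the
        # EMV session-key MAC so that the example runs without extra libraries.)
        self.atc += 1
        msg = _auth_message(amount, currency, self.atc, terminal_nonce)
        mac = hmac.new(self.card_key, msg, hashlib.sha256).digest()[:8]
        return {"amount": amount, "currency": currency, "atc": self.atc,
                "nonce": terminal_nonce, "cryptogram": mac}


@dataclass
class Issuer:
    """Issuer host: holds every card's key and the highest ATC accepted so far."""
    card_keys: dict
    last_atc: dict = field(default_factory=dict)

    def authorise(self, pan: str, auth: dict) -> str:
        key = self.card_keys.get(pan)
        if key is None:
            return "DECLINE unknown card"
        msg = _auth_message(auth["amount"], auth["currency"], auth["atc"], auth["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        # A modified amount, or a cryptogram made without the card key, fails here.
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return "DECLINE bad cryptogram"
        # A captured transaction presented again carries an ATC the issuer has already seen.
        if auth["atc"] <= self.last_atc.get(pan, 0):
            return "DECLINE replay"
        self.last_atc[pan] = auth["atc"]
        return "APPROVE"


def magstripe_authorise(known_track2: set, presented_track2: str) -> str:
    """Magnetic stripe contrast: the track data is static, so a copy captured from
    one swipe is indistinguishable from the genuine card on every later swipe."""
    return "APPROVE" if presented_track2 in known_track2 else "DECLINE"


def run_demo() -> list:
    pan = "4111111111111111"                                   # constructed test PAN
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card key
    card = ChipCard(card_key=key)
    issuer = Issuer(card_keys={pan: key})

    genuine = card.generate_cryptogram(1999, "EUR", b"\x1a\x2b\x3c\x4d")
    results = [issuer.authorise(pan, genuine)]          # APPROVE
    results.append(issuer.authorise(pan, genuine))      # DECLINE replay: same ATC again
    tampered = dict(genuine, amount=1)                  # amount changed in transit
    results.append(issuer.authorise(pan, tampered))     # DECLINE bad cryptogram
    fresh = card.generate_cryptogram(500, "EUR", b"\x09\x09\x09\x09")
    results.append(issuer.authorise(pan, fresh))        # APPROVE: counter advanced

    # Static stripe data: the copied track is accepted just like the original.
    track2 = "4111111111111111=25121010000000000000"   # constructed track-2 style string
    copied = str(track2)
    results.append(magstripe_authorise({track2}, copied))  # APPROVE, nothing to distinguish
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The issuer’s two checks map onto the two claims in the text: the MAC binds the transaction data to the card key (so copied data cannot be altered or forged), and the monotonic ATC makes each cryptogram single-use (so captured data cannot be replayed), which is exactly what the static stripe lacks.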

Wednesday, 22 July 2015

Europol takes down the Darkode cybercrime forum

Picture source: Europol

In mid-July 2015 law enforcement agencies and authorities took down Darkode, the most significant English-language forum specialising in cybercrime. In the internationally coordinated operation against the hacker forum and its users, investigators from various parts of the world struck at the cybercriminals who used the Darkode forum to sell and exchange their hacking expertise, including malware (malicious software) and botnet (zombie machine) ideas, and to find partners for their next spam or virus campaign.

The operation was led by the FBI, with the support of Europol’s European Cybercrime Centre (EC3) and the participation of law enforcement agencies from 20 EU and non-EU countries. Alongside the FBI and EC3, the law enforcement agencies of Bosnia and Herzegovina, Cyprus, Denmark, Finland, Germany, Latvia, Macedonia, Romania, Serbia, Sweden and the United Kingdom carried out the actual shutdown of the forum and took measures in the course of which 28 people were arrested, 37 house searches were conducted and numerous computers and other devices were seized.

The end of the cybercrime forum came when it was shut down and a banner was posted announcing that the FBI and EC3, together with their international partners, had taken control of the site. This was the end of Darkode, the most popular English-language hacker forum and one of the five most prolific criminal forums in the world, a ranking otherwise dominated by Russian-language criminal platforms. Darkode’s 250-300 active users formed a closed group. Membership was by invitation only, after the prospective member had been vetted by a trusted member of the forum. Although there were a few scandals and the forum was allegedly compromised during its operation, Darkode remained the place used by English-speaking cybercriminals. This popular cybercrime hub was dedicated to trading products and services, selling malware (malicious software) and zero-day exploit code, and enabling access to hacked servers.

Rob Wainwright, Director of Europol, said: “Today this global action has dismantled this underground economy, sending a strong signal that private forums offer no shelter to criminals and are not out of reach of law enforcement. We will continue to work with our law enforcement partners so that cyberspace becomes free of crime for the citizens of the world.”

With the shutdown of the Darkode forum, a criminal community was dismantled whose activities included hacking, the theft of bank card and banking data, the renting out of botnets and so-called DDoS (distributed denial-of-service) attacks.

Source: Europol EC3

Saturday, 18 July 2015

Collective Redundancies in Hungary

Source of picture: menzieslaw

In Hungary employers must follow a rather strict procedure set forth by the applicable collective agreement and the Labour Code of Hungary.

When do the provisions apply?

The provisions apply where an employer is proposing to dismiss the number of employees specified below within a 30 day period.

No. of employees to be dismissed     Size of the organisation
at least 10                          between 21 and 99 employees
                                     between 100 and 299 employees
at least 30                          300 or more employees

The provisions only apply to dismissals and terminations by mutual consent relating to the employer’s operations. Dismissals connected to the employee’s performance or skills do not count.  The number of terminations by mutual consent, those by ordinary dismissal and terminations without notice during fixed term employment should be added together for the purposes of calculation.  

What are the requirements?

Prior to making collective redundancies, an employer must:
· inform the appropriate representatives and the Government Agency of its intention to make collective redundancies;
· consult with the appropriate representatives;
· inform the appropriate representatives, the employees and the Government Agency of its decision on collective redundancies.
At least seven days before the consultation, the employer must provide oral and written information to the appropriate representatives about its proposed intention to make collective redundancies. The written information shall include at least the reasons for the proposed redundancies, the number of employees to be made redundant divided into categories, the number of employees employed during the last six months, the period over which the redundancies will take place, the criteria to be used to select the employees to be made redundant, and the conditions for eligibility for any redundancy payments other than statutory ones and their calculation.
Who are “appropriate representatives”?
Before the announcement of the collective redundancies, the employer must consult with the employee representatives of the works council.  The Labour Code provides that a works council must be elected at all companies or at all of the employer’s independent sites where the number of employees exceeds 50. If there is no works council, the employer must consult with ad hoc representatives of the employees.
How shall the employer consult?
The employer shall consult with the representatives at least fifteen days before taking the decision on collective redundancies. During such consultation the parties shall discuss possible ways to prevent redundancies, lessen their impact and consequences, and reduce the number of employees involved. If an agreement is reached it must be put down in writing, and one copy shall be sent by the employer to the Government Authority. The employer must notify each employee involved in the collective redundancies in writing 30 days before sending out the notices of dismissal. Collective redundancies will not take effect within 30 days of these employee notifications.
What sanctions apply if the process is not followed? 
Failure to comply with the Labour Code regulations can lead to unlawful employment termination. The consequences of unlawful termination apply only to ordinary dismissals; terminations by mutual consent or terminations without notice are excluded. If the employment is terminated unlawfully, the employer must pay lost wages (no more than 12 months’ average earnings) and compensate any harm suffered.
If the employer fails to notify the representatives of the works council, they can turn to court for remedy.
If the employer fails to notify the Government Authority, or the notification is defective, or the employer provides incorrect data, the Government Authority has the right to levy fines of up to EUR 1,700.
Are certain employees protected from dismissal?
The employer cannot dismiss an employee who is within five years of the minimum statutory retirement age unless a proper justification is given. There are also employees who enjoy special protection against ordinary dismissal as listed by the Labour Code (e.g. employees unable to work due to illness, pregnant women, etc.).
How do I choose which employees to dismiss?
At least seven days before the above-mentioned consultation the employer must provide oral and written information to the appropriate representatives on the criteria to be used to select the employees to be made redundant. The employer must provide clear reasons for the selection of the employees, and the criteria must be submitted to the Government Agency. The employer and the employee representatives may agree on the selection criteria in the above-mentioned separate consultation agreement. Unfortunately, the Hungarian Labour Code does not contain any regulations on such selection criteria, but it often happens that within one family both husband and wife are affected. Therefore, in the consultation agreement the employer and the employee representatives can agree that only one person per family shall be dismissed.
Unfair dismissal
If the employer breaches the relatively strict procedural rules of collective redundancies, this may render the whole procedure unlawful.  If the employment is terminated unlawfully, the employer must pay lost wages (no more than 12 months’ average earnings) and compensate any harm suffered.
What will it cost?
Aside from statutory redundancy payments, there are no direct costs for making redundancies, although the minimum consultation and notice periods can result in significant costs. An employee is entitled to a statutory redundancy payment if his or her employment is terminated by an ordinary dismissal:
- 1 month's pay for at least 3 years of employment
- 2 months' pay for at least 5 years of employment
- 3 months' pay for at least 10 years of employment
- 4 months' pay for at least 15 years of employment
- 5 months' pay for at least 20 years of employment
- 6 months' pay for at least 25 years of employment.

The notice period is 30 days but may not exceed 6 months. Employees may also be entitled to receive enhanced redundancy payments under the terms of their contract or any collective agreement.
Are staff required to work during the consultation process?
The employer must release employees from work for at least half of the notice period. Such release can be allocated in two parts at the employee’s discretion.
Can I ask employees to sign a waiver agreement?
Employers often enter into settlement agreements with individual employees to compromise potential or actual claims. There isn’t a requirement that the employee must be independently advised through his or her own solicitor. Claims for failure to inform and consult can be later compromised through the courts e.g. in cases when the employee was denied the possibility to consult with his or her own solicitor or in cases where the employer’s manner influenced the employee to act in accordance with his or her free will when entering into such a settlement agreement.
Do I need consent from a public authority?


No.  While the employer needs to notify the Government Agency, it does not need to obtain consent for the collective redundancies.
Can disgruntled employees bring claims?
Yes. Employees can bring claims for unfair dismissal before the court. Such claims generally need to be brought within 30 days of the employer’s dismissal.

Employee Business Protection in Hungary - Non-compete clause, protection of the employer's legitimate economic interest

Employee Business Protection in Hungary

During employment an employee shall not conduct himself or herself in a manner which directly or indirectly would be detrimental to the legitimate economic interests of the Company unless permitted by law.  
The employment agreement can stipulate post-termination restrictions, but these are only valid if they last for a maximum of two years following termination of employment and if the employee receives adequate compensation in return.

Restrictions during employment
The Hungarian Labour Code does not define the Company’s legitimate economic interest in detail.  It does not even give a general definition for such interests because these interests are generally dependent on the Company’s business activities, the place of operation and the tasks performed.
Providing confidential information to competitors, or establishing a company with the same business activities as the employer, could be regarded as jeopardizing the Company’s legitimate economic interests.

The Labour Code does not directly require employees to report any further employment to the employer; however, the parties are obliged to notify each other of any facts, data or circumstances that are important regarding the conclusion of the employment contract or their rights and obligations. Therefore, employees shall report any further employment to the employer, and such a report shall include all those facts that could affect the employer’s legitimate economic interests.

Outside working hours an employee shall not conduct himself or herself in a manner which directly or indirectly would be detrimental to the legitimate economic interests of the Company, the Company’s reputation or the aim of the employment. On the basis of case law, if the employee, outside working hours and wearing the Company uniform, behaves anti-socially or causes disorder, this could be regarded as behaviour jeopardizing the Company’s reputation.
Not only the employment agreement but also the so-called code of ethics can include regulations restricting the employees’ behaviour during and outside working hours. Such restrictions are only valid if they are necessary for a reason directly relating to employment and if they are proportionate to achieving the objective. If the employment agreement of directors or executives generally prohibits freedom of expression (e.g. if the employee is generally denied public participation), it could be regarded as a clause against the law if the necessity for a reason directly relating to employment is missing. Such general clauses could only be acceptable in the case of executives of big firms, where political expressions, although not directly relating to the Company’s activity, could influence the Company’s market position.

Employees are required to keep business secrets confidential and they shall not disclose any confidential information to unauthorized persons unless permitted by law.
Restrictions after employment

Post-termination restrictions can be agreed upon in the employment agreement itself or later on when the employment terminates.
Employees are required by law to keep business secrets confidential even after termination of employment, regardless of the way of termination (be it mutual agreement or dismissal), and the parties are not required to stipulate a post-termination restriction for such an obligation. In accordance with Hungarian case law, a post-termination restriction stipulated only for non-disclosure of business secrets in return for an additional fee shall be void.

Where the law does not require the employee to protect the employer’s legitimate economic interests after employment, such an obligation can only be valid if the parties agree on post-termination restrictions. The Labour Code does not regulate the types of such restrictions in detail. Generally, the parties stipulate non-compete clauses that seek to prevent the employee from working for a competitor or setting up in competition. Further, it is relatively common to include a restriction preventing an employee from poaching key colleagues. Under Hungarian law the period for such clauses can be a maximum of 2 years.
Post-termination restrictions are only valid if they are adequately compensated by the employer. Adequacy depends on the level of restriction the employee suffers when trying to find new work. If the employee has special qualifications and can only apply for a very limited number of job offers, the compensation should be higher. The law stipulates the minimum amount of such compensation, which shall be one third of the salary the employee would have been entitled to during the non-compete period had the employment not terminated. The parties can also agree on a penalty in case of breach of the non-compete clause. If, for example, the employee takes up new employment with the Company’s competitor, he must pay the penalty; once the penalty has been paid, the Company can no longer enforce the non-compete clause.

In case of breach of post-termination restrictions, the party in breach cannot claim enforcement. For example, if the employer failed to pay the employee adequate compensation for such a restriction, the employee cannot be compelled to observe the restriction. If the employee is in breach, he cannot claim compensation and the employer can claim repayment of any parts already paid. Further, either party can claim damages for breach of contract.

Wednesday, 24 June 2015

Simplified Employment in Hungary 2015 - Simplified Employment 2015

(Simplified employment in Hungary, 2015)


What is "Simplified" Employment and what are the benefits for employers?

In the case of simplified employment, the parties can conclude an employment agreement for a short period, even a single day, with less administration, lower payroll tax and more flexible employment rules.

If the conditions of simplified employment are met, the amount of payroll tax the employer has to pay for each day of employment per employee is
- HUF 500 (EUR 1,6) for seasonal work,
- HUF 1000 (EUR 3,2) for casual work,
- HUF 3000 (EUR 9,6) for cinema walk-on roles.

The above fees replace the payroll taxes the employer generally has to pay in case of normal employment. By paying the above charges the employer is exempted from paying social, workforce development, healthcare and rehabilitation contributions and is further exempted from deducting personal income tax. The employee does not have to pay pension, healthcare, workforce development and medical contributions and is exempted from payment of personal income tax advance.

It is not necessary to conclude such an employment agreement in writing. The parties can, however, fill out the sample employment contract stipulated by law, which excludes any possible error of law. This sample employment contract contains the minimum requirements and replaces the recording of working hours and the written wage settlement. The parties cannot, however, supplement this sample with any further sections; for example, they cannot stipulate a probation period.

What Types of Employment are covered?

Simplified employment covers four types of employment:

-         agricultural seasonal work,
-         touristic seasonal work,
-         cinema walk-on roles and
-         casual work.

Conditions of Simplified Employment

Length of employment

The aggregate length of simplified employment is bound by law. Employment for agricultural seasonal work or touristic seasonal work cannot exceed 120 days per calendar year. In case of casual work this time limit is 90 days.

The law sets further requirements for casual work. The fixed-term employment for casual work cannot exceed
-         5 consecutive calendar days, and
-         15 calendar days within one calendar month, and
-         90 days per calendar year.

By contrast, seasonal work can be performed continuously. If the employee works both as a seasonal worker and a temporary worker for the same employer, the maximum length of employment cannot exceed 120 days.

Number of Employees Employed

The law does not set limits for seasonal work. However, in the case of casual work there is a daily limit depending on the number of employees employed full time. It is worth noting that the employer can spread this limit unevenly over a given year.
If the employer has no full-time employees at all, it can employ only one employee per day on the basis of a simplified employment contract, which amounts to 365 employee-days per year. In this case the company can either employ one individual for 365 days or employ 365 individuals for one day each. If the company employs 365 individuals for one day each, the employer cannot employ further employees under simplified employment for the rest of the year.
This limit does not apply in case of cinema walk-on roles.

If the employer employs between 1 and 5 full-time employees, it can employ a maximum of 2 employees under simplified contracts per day. If the employer employs between 6 and 20 full-time employees, it can employ a maximum of 4 employees under simplified contracts per day. In the case of more than 20 full-time employees, the daily number of individuals under simplified contracts cannot exceed 20% of the staff.

The Employment Relationship Starts with Notification

As mentioned above, the parties can enter into the sample employment contract stipulated by law. This contract can be downloaded from

The legal relationship between the parties starts with the employer’s notification to the Tax Authority. The employer has to submit the so-called ’T1042E’ tax form via the internet. If the work is not performed for unforeseen reasons, the notification can be cancelled within two hours in the case of one-day employment. If the employment is longer than one day, or it starts on the day following the notification, the notification can be cancelled until 8 a.m. on the day it was made. If the cancellation is submitted after these deadlines, the employer shall pay its liabilities for the cancelled day.
How much is the Minimum Wage in case of Simplified Employment in 2015?

In the case of simplified employment the employee is entitled to 85% of the statutory minimum wage. If the employee has a secondary school certificate, this amount is 87%.

It is recommended to agree on payment by the hour when concluding simplified contracts. The minimum hourly wages are as follows:
- 85% of HUF 604/hour, that is HUF 513/hour (EUR 1,6/hour)
- for employees with a secondary school certificate, 87% of HUF 702/hour, that is HUF 611/hour (EUR 1,9/hour)

dr. Andrea Egertz