Obligations and practical application for employers subject to the Anti-Money Laundering Act
Pursuant to the “Complaints Act” adopted by the Hungarian Parliament on 23 May 2023 (Act on Complaints and Public Interest Disclosures), all service providers (e.g. credit institutions, audit and accounting firms, trusts, law firms) and oil and gas/civil aviation operators/floating facility operators, regardless of the number of employees, subject to the Anti-Money Laundering Act must have a whistleblowing system in place within 60 days of the Act’s entry into force (until 24 July 2023). (In addition, all businesses with at least 50 employees, regardless of their activity, are also required to implement the law: with 50-249 employees until 17 December 2023 at the latest, with over 250 employees also until 24 July 2023.)
Basis, background and purpose of the legislation
The law is based on a European Union Directive (2019/1937 – Whistleblower Directive), which all Member States were obliged to incorporate into their national legislation. The law regulates the so-called internal whistleblowing system, through which public and private sector employees can report any wrongdoing they have experienced (mainly economic/corruption offences, but also information about harassment at work). Contrary to previous plans, however, it does not cover activities which are (considered) illegal and which affect private life („related to the protection of the Hungarian way of life”)! The aim of the whistleblowing system is to provide an efficient, confidential and secure channel for investigating detected breaches, while protecting whistleblowers from possible retaliation.
The EU has encouraged Member States to set up a three-step reporting system:
1. the first step is the so-called internal abuse reporting channel, which means reporting the infringement within the entity,
2. the second step is the so-called external abuse reporting channel, where the whistleblower communicates the infringement to the competent national authority designated by the Member State,
3. the third step is public disclosure of the infringement.
The legislation provides for a so-called common abuse reporting system for employers with 50-249 employees. However, the details are not yet known. (It is possible that for accountants, auditors, lawyers, the relevant chambers will set up such a system.)
|Number of employees||Employers not covered by Subsection (1) of Section 1 of the Anti-Money Laundering Act||Employers covered by Subsection (1) of Section 1 of the Anti-Money Laundering Act|
|under 50||Optional||Mandatory||from 24 July 2023- a common system can also be set up|
|50 – 249||Mandatory||from 17 December 2023 – a common system can also be set up||Mandatory||from 24 July 2023- a common system can also be set up|
|above 249||Mandatory||from 24 July 2023, only in a stand-alone system||Mandatory||from 24 July 2023, only in a stand-alone system|
What to do in practice
- Establishing an internal procedure
Preparation of rules, internal procedures: where complaints can be lodged, how they are dealt with, sanction policy/sanction system, mandatory actions in case of detected violation (criminal offences, infringements in terms of labor law, etc.), information to be provided to data subjects on the process of complaint investigation/rejection, data processing rules, data storage, etc. Optional: drafting a code of ethics.
The establishment of a procedure is also important because if the company does not investigate the case in time, the whistleblower can go public.
Data protection: The system must be designed in such a way that the personal data of the whistleblower who discloses his/her identity cannot be known to persons other than those investigating the report. Personal data must be kept confidential and not shared with any other department or employee of the employer. Personal data of data subjects which are indispensable for the investigation of a report may only be processed for the purposes of investigating the report and remedying or stopping the conduct which is the subject of the report.
a) Designation of the person or organization responsible for running the system (who records the complaint and starts investigating it). Criteria: impartiality, independence, and conflict of interest. The designation of this person or organization can be done internally (e.g., an HR employee or a compliance team) or outsourced to an external service provider (whistleblower protection lawyer or other independent company).
b) Informing employees about the legislation, continuous training.
- The complaint investigation process
a) A complaint may be made regarding information about an unlawful act or omission of an economic nature or alleged unlawful act or omission, or other abuse.
b) Complainants: whistleblowers can be former, current or prospective employees (if the process of establishing an employment relationship has started), trainees, job applicants or volunteers, or contracting parties (e.g. suppliers, contractors, subcontractors, sole traders) at any stage of the relationship (at the time of contracting, during the contract and after termination), given that any of these may have information or evidence. In addition, the (co-)owners, managing directors, members of the supervisory board, etc. of the employer can also report. As a general rule, the whistleblower should not suffer any negative consequences as a result of his/her whistleblowing.
c) How to report: there are no specific rules, it can be done orally, in writing, by phone, in person (e.g. by setting up a dedicated email account, complaint box, telephone line, other dedicated platform).
d) Substantiated complaint: the employer must investigate all complaints and inform the complainant of the receipt of the complaint (acknowledgement to be sent within 7 days) and the course of the procedure, in particular if there are issues to be clarified, the data management and, at the end of the procedure, the decision taken. The complaint must be investigated within a maximum of 30 days from the date of receipt of the report, which may be extended to 90 days only in justified cases.
On the basis of the report, it is necessary to ensure that:
- the lawful situation or the situation in the public interest is restored or that otherwise necessary measures are taken,
- the causes of the defects discovered are remedied,
- the damage caused is rectified and
- where appropriate, initiate proceedings for prosecution.
e) Unfounded (bad faith) complaints: in the case of manifestly unfounded complaints (e.g. anonymous reports every 2 days on the same case), the complaint may not be investigated. Reports may be made anonymously or non-anonymously, but anonymous reports may also be disregarded unless they indicate a serious breach of rights or interests. The person against whom the report is made may also be aware of the investigation but cannot know the identity of the person making the report.
Those who do not comply with the conditions for the introduction of the system by the deadline may be subject to the following sanctions:
- the employment supervisory authority has the power to check compliance with the law and to impose sanctions in the events of an infringement (although it cannot impose fines or prohibition of professional activity)
- non-compliance with data processing rules may be grounds for a data protection fine
- a person who obstructs whistleblowing or takes unfavorable action against the whistleblower gives rise to liability for an offence.