For regulated organizations

Compliance starts
where MFA ends.

Strong Customer Authentication (SCA) proves a credential was presented. It does not prove that the voice on the call is the person who holds it. Hongi closes that gap, for banks, insurers, and any organization where impersonation carries a real cost.

Talk to the team Read the regulatory map →
  • $3B
    annual BEC and CEO-fraud losses
    FBI IC3 2024
  • €40M
    Belgian phishing and vishing losses
    Febelfin 2024
  • Dec 2027
    EUDI Wallet acceptance deadline
    Regulation (EU) 2024/1183
  • 80%+
    AI-augmented social engineering
    ENISA Threat Landscape 2025

The compliance gap.

SCA covers the two ends of a customer interaction: the login and the transaction signing. Everything between them, the phone call, the video session, the email exchange, has no live identity proof. That middle is where vishing, deepfake video, and CEO fraud all sit.

covered by SCA
gap that Hongi closes

The regulatory map.

Eight frameworks that touch identity assurance in the channels Hongi defends. For each: scope, where Hongi sits, and the primary source.

  1. 2019 PSD2 RTS-SCA in force
  2. 2024 EBA fraud reporting updated guidelines
  3. Oct 2024 NIS2 transposed
  4. Jan 2025 DORA in force
  5. Dec 2027 EUDI Wallet acceptance mandatory
Foundational regulations 3
EU in force since 2019
PSD2 · RTS on SCA
Commission Delegated Regulation (EU) 2018/389
Scope

Strong customer authentication: at least two of knowledge, possession, inherence; transaction binding.

Where Hongi fits

A complementary out-of-band possession factor for the conversation around payment authorisation. Does not replace SCA. Defends against social engineering that drives a customer through an otherwise valid SCA flow (fraud-induced transactions, advisor impersonation).

Primary source →
EU in force since Jan 2025
DORA
Regulation (EU) 2022/2554
Scope

Digital operational resilience for the financial sector. Art. 9 (protection and prevention), Art. 17 to 19 (ICT incident reporting). In force since 17 Jan 2025.

Where Hongi fits

Reduces the social-engineering surface that triggers ICT-related incidents. Optional audit log (Merkle tree of pairing hashes, no identities) supports post-incident reconstruction without retaining personal data.

Primary source →
EU mandatory Dec 2027
eIDAS-2 · EUDI Wallet
Regulation (EU) 2024/1183
Scope

Mandatory EU Digital Identity Wallet acceptance by relying parties from December 2027 (Art. 5f). Strong cryptographic identity proofs.

Where Hongi fits

The live human-channel verifier alongside EUDI. EUDI proves a credential was presented. Hongi proves the voice on the call belongs to the credential holder. Two orthogonal problems, one architecture.

Primary source →
Supporting frameworks 5
EBA Guidelines · fraud reporting
EBA/GL/2018/05 (updated 2024)
EU

A failed Hongi cross-check during a bank-to-customer call is a clean machine-readable signal that can feed fraud reporting on CEO fraud and vishing, where the existing card-fraud schema underreports.

updated 2024 Primary source →
NBB · ICT-veiligheid
Belgian National Bank prudential guidance and DORA implementation
BE

An operational identity-assurance layer for remote bank-customer and bank-internal interactions, consistent with the NBB framing of governance over ICT-supported services.

active Primary source →
GDPR · privacy by design
Regulation (EU) 2016/679, Art. 25
EU

No name, no phone number, no email, no contact list, no codeword history, no analytics. The shared key lives on the two paired devices. The server forwards an opaque cipher. Almost nothing to leak in a breach.

in force since 2018 Primary source →
NIS2
Directive (EU) 2022/2555
EU

Adds an identity-assurance layer to access control for the high-risk remote interactions (transaction approval, breach response, vendor onboarding) that text-channel MFA does not cover.

transposed 2024 Primary source →
NIST SP 800-63-4 and ENISA TL 2025
NIST Digital Identity Guidelines, July 2025 · ENISA Threat Landscape 2025
GLOBAL

Targets the threat ENISA ranks first. Complements NIST authentication assurance levels with a session-level human-channel attestation that is mechanism-agnostic (phone, video, in person).

industry standard Primary source →

Where it shows up in operations.

On the B2B roadmap see roadmap →

Six operational scenarios across customer-facing and internal flows. The organizational pairing and audit-log mechanics described below are on the B2B roadmap, not yet shipped. First pilots with banks are scheduled for Q4 2026. A single missed verification in any of these has a known six-figure tail.

01
€40M
Belgian phishing and vishing · Febelfin 2024

Outbound bank-to-customer calls

PSD2 RTS-SCAEBA fraud reporting
Without Hongi

Customers cannot distinguish a real advisor from a vishing fraudster with the right context.

With Hongi

The customer's codeword must match the advisor's. No match, no conversation.

02
$25.6M
one deepfake video call · Arup 2024

Customer onboarding video sessions

eIDAS-2GDPRKYC/AML
Without Hongi

Deepfake face swaps hit remote KYC. The face on screen may not match the uploaded ID.

With Hongi

Both sides read matching codewords on camera before KYC review. Attested in the session recording.

03
$3B
annual BEC losses · FBI IC3 2024

Internal verification (BEC / CEO fraud)

DORANIS2
Without Hongi

Urgent wire request from the CEO. Signature matches, voice sounds right. Money leaves.

With Hongi

Live codeword check before any unusual payment. One pairing closes the gap.

04
4h+
DORA incident reporting window

Breach response

DORA Art. 17 to 19NIS2
Without Hongi

Attackers exploit incident chaos: fake IT, fake support, fake IR vendors.

With Hongi

Every internal call gated by a codeword check. No match, no instruction acted on.

05
€100k+
typical high-value wire threshold

High-value transaction confirmation

PSD2 RTS-SCAEBA fraud reporting
Without Hongi

Phone-authorised EUR 100k+ transfer with no out-of-band proof that the customer on the line is genuine.

With Hongi

Customer reads their current codeword aloud. Advisor confirms the match. Payment proceeds, attested.

06
avg €40k
per vendor-invoice fraud incident

Vendor / supplier KYB

DORA supply-chainNIS2
Without Hongi

Vendor calls have weak identity. Invoice fraud sits on top of that gap.

With Hongi

Pair at KYB. From then on, every vendor call carries a codeword check. No guessing.

Architecture, under DPO scrutiny.

A Hongi deployment is auditable by your DPO in a single afternoon. Below is everything held on a server when an organization deploys Hongi for its staff and customers.

  • Per-device push tokens. Opaque identifiers issued by APNs and FCM. No mapping to a human name. Used only for the silent-ping notification path. Routine codeword verification is fully offline.
  • Optional pairing-hash audit log. For B2B deployments that need traceability under DORA Art. 17 or NBB guidance, Hongi can append a Merkle-tree log of pairing hashes. No identities, no codewords, verifiable by Merkle proof. No public chain.
  • Tip-jar payment metadata. Consumer product only, not B2B. Routed through Stripe. Hongi sees that a tip was paid and the amount. Nothing ties it back to a user.

What we do not store: names, phone numbers, emails, contact lists, codeword history, call logs, location, transcripts, biometrics, advertising identifiers. The verification key between two paired devices lives only on those two devices, derived locally.

Next step

Book a 30-minute pilot conversation.

The Hongi team sits down with your compliance, fraud, and IT leads and walks through your highest-impact use case. If there is a fit, we run a free six-month pilot with up to 500 customers or employees. No procurement, no licence, no exposure.

Email the founders Read the FAQ first →

Hongi (Lovit BV) · Vlaanderen, Belgium · info@hongi.io