PSD2 changes payments

The much-discussed PSD2 – What is it?

The PSD2, i.e. the Second Payment Services Directive issued by the EU, has also changed legislation in Finland with regard to payments. The new legislation entered into force in January 2018, but is proceeding in stages and the new statutes on payments will come fully into effect on 14 September 2019. The PSD2 will have the following impact:

Third-party service providers (TPPs) can enter the market. Banks are required to allow TPPs access to customers’ payment accounts. Access to a customer’s payment account is only possible, however, with the explicit consent of the customer. This ends, for example, the exclusive right of a bank to allow its customers to view their account information only through the bank’s online service.
Use of online banking codes and other strong authentication methods will become more common. In principle, online payments will always require strong customer authentication, i.e. in practice often the confirmation of payment transactions with online banking codes. Providing payment card information alone will no longer be sufficient to pay online, except in exceptional circumstances.
The goal of the new online payment security requirements is to improve payment security. The aim is reduce the level of abuse using new security requirements for online payments. Customers will become aware of this, as it will no longer be possible, for example, to use online banking code lists as before in connection with payments, unless their use is supplemented by other methods.
Consumer protection will improve in cases of abuse. The bank will fully reimburse the customer for unauthorised payment transactions, i.e. payment transactions made without the customer’s consent. A prerequisite for the bank’s liability is that the customer has acted with due care in keeping and using the payment instrument and has reported the loss or misappropriation of the payment instrument immediately upon becoming aware of this.

In cases where the customer has acted negligently, the customer’s personal liability has been reduced from the previous EUR 150 to EUR 50. This will not apply in cases where the customer has acted with gross negligence or intent. In that case, the customer is fully liable for the financial loss resulting from the abuse.

In addition to the situations mentioned above, the customer shall not be liable for abuses in cases where the service provider did not require strong customer authentication.

In cases of payment instrument abuse, the bank must refund the money to the customer more quickly, within 24 hours of a claim being made.

What does strong authentication mean in connection with payments?

Strong authentication means the method by which customers are identified, for example in connection with payment transactions or when logging in to payment accounts. Authentication is accomplished by combining at least two of the following three options:

knowledge, i.e. something only the user knows (such as a password, PIN code)
possession, i.e. something only the user of the payment service possesses (such as a mobile phone, code calculator, a card when paying at a store payment terminal)
inherence, i.e. something only the user is (such as a fingerprint, face map)

In addition to making payments, the means of identification provided by banks are also used in services where strong electronic customer authentication is required. Such services include electronic services provided by public authorities (e.g. Kela, Police, tax authorities) and electronic services provided by insurance companies. In addition to the means of identification provided by banks, mobile certificates provided by telecom operators and the Population Register Centre’s citizen certificate are generally used as means of identification in these services.

What is a Third Party Provider?

The term Third Party Provider (TPP) is often heard in connection with the PSD2. This refers to new service providers whose activities are within the scope of the new regulations. The new providers of services are:

Payment Initiation Service Providers (a service through which one can pay directly from an account)
Account Information Service Providers (a service though which one can view one’s own payment account information)
Card-based Payment Instrument Issuers (new service providers can provide customers with payment cards that are linked to an account in the customer’s bank)

With the PSD2, banks are required to allow TPPs access to customer accounts with the explicit consent of the customer, thereby enabling the creation of new services. A TPP could, for example, develop a service enabling customers to view the balances and transactions of their accounts in different banks simultaneously. An authentication solution provided by the customer’s account bank is used in the services of TPPs.

Is anyone supervising the activities of new service providers?

All payment service providers (PSPs) are supervised in Finland by the Financial Supervisory Authority (FIN-FSA). TPPs must apply to the FIN-FSA for authorisation or registration before commencing operations. The FIN-FSA maintains a list of supervised service providers and a list of foreign service providers that have submitted a notification on the provision of services in Finland. The listed can be used to check whether an operator is appropriately authorised to provide financial sector services in Finland.

Do I have to use these new services?

In the future, customers will continue to choose which services they want to use. On the other hand, traders will continue to choose the payment methods they offer to customers to purchase goods.

Who will see my account information?

Although the PSD2 requires banks to allow TPPs to access customers’ accounts, actual access to information always and only takes place with the explicit consent of the customers’ themselves. No non-bank entities will otherwise gain the right to access customers’ account information as a result of the new regulations. The express right to use account information services applies to customers themselves and not to other parties.

Will it become more difficult to make payments?

The PSD2 aims to increase the security of payments. In order to increase security, there is also a need to change the methods of payment, and the regulations will result in some changes to daily payments as a result of the stricter security requirements of strong customer authentication. On the other hand, the regulations allow payments to be made without strong customer authentication in the case of certain low-risk payments.

Can I still pay online using payment card information?

Previously, in many online stores it has been possible to pay by entering into the service your payment card information. As of 14 September 2019, you will no longer be able to pay at an online store simply by entering your payment card information; customers must also be strongly authenticated in connection with payments.¹ In certain exceptional cases, such as in small purchases less than EUR 30, strong customer authentication is not necessarily required. Even in small online payments, strong customer authentication is required, however, when the security limits set for individual purchases or the total amount of purchases are reached.

Can I still use an online banking code list?

The PSD2 will impact the use of online banking code lists. The current paper-based online banking code lists provided by banks are easy to copy and therefore they no longer meet, in their present form, the requirements for increasing payment security. The banks are creating alternative methods, which fulfil the requirements of the new regulations, to replace or supplement the use of online banking code lists. The FIN-FSA has issued a statement on the use of online banking code lists.

When online banking codes are used for strong customer authentication in services other than in relation to payments and accessing payment accounts, such as in public authority services (Kela, Police, tax authorities), then identification service regulations, supervised the Finnish Communications Regulatory Authority TrafiCom, will be applied instead of payment service regulations. The PSD2 will not affect the use of online banking codes in these other services. The bank can decide whether it will continue to provide its customers with code lists in these services or some other means of identification.

How will I make payments in the future if I don't own a smartphone?

The FIN-FSA requires banks, when providing new authentication methods, to take into account the needs of all of the various customer groups. An easy-to-use method enabling the implementation of strong customer authentication should be available to all customer groups. A requirement for a new method therefore cannot simply be that a customer owns a smartphone; other means must also be provided. The FIN-FSA emphasises that banks should provide customers, where necessary, with adequate guidance and personal advice on the introduction of new means and methods of authentication.

How do I recognise a scam?

A risk of abuse is always associated with payments. It is important to be aware of the possibility of scams and to be alert, for example, to various contacts made by telephone or email. It is very important to keep in mind that your bank, the Police or other authority will never ask for your payment card details or banking codes by telephone, email or social media.

Further information on scams is available from the services of other authorities:

https://www.kyberturvallisuuskeskus.fi/en/
https://www.poliisi.fi/kyberrikokset (in Finnish)
https://www.kuluttajaliitto.fi/kampanjat/huijausinfo (in Finnish)

What should I do if I suspect I have been scammed?

If your card details or online banking code information have been entered into a suspicious website or have been accessed by another person, you must immediately block them by calling your bank’s card and banking code blocking service. Do not delay in reporting a scam, and it is advisable to contact the blocking service even if you just suspect a scam. The banks’ blocking service is open 24 hours a day and every day of the week. Check the telephone number of your bank’s blocking service.

In addition, report the scam to the service provider, the bank’s customer service and, if necessary, the Police or other authorities. Further information on reporting scams is available on the website of the Finnish Competition and Consumer Authority, Report a scam.