Disruptions affecting online and mobile banks

Financial sector entities are obliged to prepare for IT and cybersecurity events and to ensure the continuity of their operations even in the event of severe disruptions.

In recent years, escalation of the international security situation has heightened the possibility of cyber-attacks also targeting financial sector entities and service providers. The FIN-FSA has urged its supervised entities to practice enhanced monitoring of cybersecurity and required them to ensure that their safeguards against various cyber threats are up to date.

The financial industry is well prepared for short-term disruptions in particular, and the level of preparedness for cyber threats and attacks is reasonably solid. Nevertheless, disruptions do occur from time to time, and citizens are also well advised to prepare for them.

Below are answers to frequently asked questions about IT and cyber-attacks on banks.

Will denial-of-service attacks put my money at risk?

Money at Finnish banks is safe. Even where the account or its balance is not displayed correctly to the customer, the money is safe in the bank's systems.

Denial-of-service attacks consist of network attacks and disruption of data communications that seek to prevent the use of an online service. Their intent is not to break into the online bank.

What should I do if a disruption hits my bank?

The bank communicates about the disruption on its website and various customer channels. Follow the communications and guidelines issued by your bank. Even if the account or its balance is not displayed correctly, the money is safe in the bank's systems. In problem situations, contact your bank in the first instance.

Is the FIN-FSA aware of IT and cyber disruptions affecting a bank?

The bank will submit an initial notification to the FIN-FSA without delay when there are substantial disruptions and faults in services provided to customers or in payment and IT systems.

What will the FIN-FSA do when a bank faces a disruption?

The FIN-FSA will receive a report from the bank and check it. If the disruptions last longer or recur, the bank will be in regular contact with the supervisory authority. We want to give our supervised entities a chance to rectify the problems in peace, and therefore only intervene after the disruption has passed.

Banking Supervision will take disruptions, and in particular recurring ones, into account in its supervision efforts. It will examine whether the bank’s preparedness and procedures have been up to par and whether the bank has processes in place to recover from the disruption.

Why does the FIN-FSA not communicate about disruptions?

In the event of a disruption, responsibility for communications belongs to the entity affected. If the disruption is extensive and prolonged, the media will often contact the FIN-FSA, in which case the FIN-FSA may comment on the disruption at a general level.

How does the FIN-FSA ensure that banks are not facing disruptions?

A bank is itself always responsible for its activities. However, many instructions and rules require banks to be prepared for IT and cyber risks, and the FIN-FSA supervises compliance with these provisions. By doing so, it can ensure that banks are prepared for disruptions. However, the sources of cyber disruptions change all the time, and therefore they cannot be completely avoided.

Is citizens’ right to banking services affected when banks are experiencing disruptions?

The functioning of banking services is very important, among other things, because banking these days is almost exclusively electronic, and authentication for many other services also takes place using means of identification issued by banks. Basic banking services in general must be operationally robust, and any technical disruptions must be rectified as soon as possible.

Is the bank liable to compensate for damage caused to its customer by a cyber disruption?

The bank may be liable to compensate for financial losses incurred by a customer directly as a result of a disruption. There is no liability to compensate, for example, for the mere existence of a disruption or for discontent resulting from it. If you have incurred direct financial losses due to a disruption, contact your bank.

You will find more information and advice for problems in banking services at Fine, the Finnish Financial Ombudsman Bureau.

How can I make sure my money is safe?

Everyone must also take care of themselves, and not give fraudsters access to their online bank. Bear in mind that banks or authorities will never ask for your online banking codes on the phone or in a message or email. Your online banking codes are meant for your personal use only, so do not give them to anyone.

Do not open a suspicious link at all. Never enter an online bank using a link from a message or search engine because it may lead to a scam site that could even look authentic. You should access an online bank either through the bank's own application or by typing the bank's address into the browser.

If you are unsure about the authenticity of a message, contact the sender via another channel rather than responding to the message or using the contact details provided in it. For example, call the bank's switchboard or the number provided on its website, not the contact details given in the message.

For more information about avoiding scams, see the FIN-FSA website Scams and the Finance Finland website Huijaamaton (unscammable).