Financial Supervisory Authority permits temporary exemptions for implementation of strong customer authentication in online card payments

On a temporary basis, the FIN-FSA does not intend to impose administrative sanctions on its supervised entities, even if supervised entities neglect their legal obligation to authenticate customers strongly in connection with online card payments. The objective of this is to ensure the seamless continuity of online card payments and to avoid unreasonable inconvenience to consumers.

The additional time granted by the FIN-FSA for the implementation of requirements and change processes is temporary. The FIN-FSA will decide on the length of the transitional period this year after consulting the European Banking Authority and the supervisors of other Member States on the issue. Later this year, the FIN-FSA will require all of its supervised entities who are parties to online card payments to have a plan for implementing the change process.

The transitional period aims to promote the smooth adoption of solutions that meet the regulatory requirements. The FIN-FSA’s policy is in line with the statement issued on 21 June 2019 by the European Banking Authority which allows national supervisors the opportunity to grant additional time to various parties in the sector to implement the change processes required for strong customer authentication.

The regulatory framework on strong customer authentication enters into force on 14 September 2019. The FIN-FSA cannot change the date of entry into force of the regulations. The entry into force of the regulations will impact, among other things, liability for cases of abuse between consumers and their service providers, and thus this policy will not impair the consumer’s rights in card payments. The FIN-FSA reminds supervised entities that consumer communications must provide a true picture of division of responsibility in cases of abuse.

On 24 June 2019, the FIN-FSA issued a separate statement on online banking code lists as part of strong customer authentication. According to the statement, customers should be able to use the current online banking code lists in payments and accessing payment accounts until the bank has adequately ensured the usability, accessibility and reliability of new methods.

Strong customer authentication refers to electronic authentication of payment service users that protects the confidentiality of security credentials and uses a procedure based on at least two of three mutually independent options. These options are knowledge, i.e. something only the payment service user knows (e.g. PIN code, password), possession, i.e. something only the user possesses (e.g. mobile phone, code calculator), and inherence, i.e. something only the payment service user is (e.g. fingerprint, face map).

For further information, please contact:

Sanna Atrila, Senior Legal Adviser. Requests for interviews are coordinated by FIN-FSA Communications, tel. +358 9 183 5030, weekdays 9.00–16.00.

See also:

• Supervision release 5 September 2019 – 47/2019
• FIN-FSA statement 24 June 2019 Online banking code lists as part of strong customer authentication
• Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2