Supervision release 9 October 2025 - 60/2025

Follow-up assessment of online payment security – Recommendations for credit institutions

The supervision release of October 9, 2025 was supplemented on October 24, 2025 with a background report.

Fraud and scams involving account-based payments have increased substantially and the methods used in criminal activities are also evolving. Fraud is typically carried out by phishing for banking credentials using fraudulent messages or fake websites, and by scam calls and credit transfers via remote access software. Technology solutions for online payment security and for strong customer authentication need to meet the changing security threats. Ensuring the security of account-based payments requires continuous care and attention by service providers and customers alike.

Background to follow-up assessment

In a thematic review conducted in October–November 2023, the Financial Supervisory Authority (FIN-FSA) examined the controls and processes for online and mobile banking security and online payment security that are used by banks operating in Finland to ensure strong customer authentication and payment security against misuse of payment instruments and other scams.

Based on the thematic review, the FIN-FSA in 2024 recommended that banks develop controls for online banking and mobile payments to allow users the option of setting more versatile security limits on their credit transfers. The FIN-FSA also recommended that banks develop their payment monitoring so that they can more precisely block payments that differ significantly from the customer’s previous payment history in regard to, for example, the size of payments or the parties to which the customer has previously sent payments.

Conclusions of follow-up assessment

Credit institutions have taken the FIN-FSA’s recommendations into consideration and improved the security of account-based payments. Most credit institutions reported that they will introduce per transaction and/or daily security limits for credit transfers by the end of 2025. Many credit institutions also offer their customers the option of setting country-specific or region-specific restrictions on these payments.

In line with the FIN-FSA’s recommendation, credit institutions have also improved other control mechanisms to ensure the security of account-based payments. They have, for example, set delays concerning the use of new devices for payments or developed other security measures. Credit institutions have also modified the content of authentication messages and have, among other things, expanded the use of warning messages about possible fraud attempts. 

In line with the FIN-FSA’s recommendations, credit institutions monitor credit transfers as part of their fraud prevention activities. However, credit transfer monitoring should be developed further so that it covers more extensively the various factors related to customer behaviour. In addition, effective real-time measures are needed when unusual account activity is detected in payment monitoring.

Regarding other fraud prevention measures, credit institutions reported that they have increased the provision of information on fraud both to customers and internally. Credit institutions have also invested in staff training and increased staff resources in fraud prevention activities. 

Based on the responses and discussions, the FIN-FSA has identified legislative challenges that could limit the exchange of important fraud prevention information between different actors. The FIN-FSA is examining with various authorities how the barriers to information sharing could be removed.    

In the follow-up assessment, credit institutions expressed concerns about the spread of fraud via social media and websites. They stated that social media and website owners enable scams by, for example, allowing fake advertisements and phishing sites and that non-EU actors, such as search engines and social media platforms, are problematic in terms of supervision and accountability. The FIN-FSA is aware of these challenges and will bring this aspect of the follow-up assessment results to the attention of the European Commission.

FIN-FSA’s updated recommendations for credit institutions

In the follow-up assessment, the FIN-FSA identified good practices used in the sector for improving security and it recommends that these be adopted by all credit institutions. 

Security limits on credit transfers

In accordance with the Instant Payments Regulation (IPR) provisions entering into force on 9 October 2025, credit institutions must offer a service in which customers can themselves set a per transaction or daily euro limit for instant payments. 

The FIN-FSA recommends that credit institutions offer both per transaction and daily security limits on account-based payments and that this should apply to both instant payments and standard credit transfers.

In addition, the FIN-FSA recommends that credit institutions automatically set per transaction and daily euro limits on their retail customers’ credit transfers if the customers have not set the limits themselves. Credit institutions can determine the euro limits for their retail customers using a risk-based approach.

The FIN-FSA considers that any modifications to the security limits require strong authentication in accordance with section 85c, subsection 1, paragraph 3 of the Payment Services Act (290/2010).  

Other payment controls

The FIN-FSA recommends that credit institutions also improve other payment security controls, such as:

  • setting of delays or other similar security controls when the customer installs a new identification application;
  • requests for additional confirmation if the bank’s monitoring suspects a fraudulent payment transaction.

Development of fraud monitoring

The FIN-FSA recommends that credit institutions develop real-time fraud monitoring to incorporate features related to the customer’s behaviour, such as previous payment history, size and time of payment, payment channel, payment recipient and unusual payer location.  

The FIN-FSA monitors the implementation of its recommendations to banks as part of its normal supervisory work.

For further information, please contact

Kaisa Tukiainen, Senior Specialist, kaisa.tukiainen(at)fiva.fi

Links

Background report: Monitoring assessment of online payment security (in Finnish; link added on October 24, 2025)