Banks’ instant payment services largely well implemented – shortcomings and development needs especially in customer communication and fraud prevention

The Financial Supervisory Authority (FIN-FSA) has reviewed how banks comply with the EU Instant Payments Regulation that entered into force in 2025¹ and how they have taken into account the recommendations from the FIN-FSA’s previous follow-up review on the security of online and mobile banking conducted last year. The review examined, among other things, the availability and smoothness of instant credit transfer services, management of security limits, the payee verification service and fraud monitoring. The thematic review focused on instant and standard credit transfer services for retail customers and covered nine banks.

In addition, the thematic review separately surveyed banks’ sanctions screening procedures insofar as they relate to the new obligations of the Instant Payments Regulation. These findings will be utilised in separate supervisory actions concerning sanctions monitoring.

Instant credit transfers available in all banks

Based on the banks’ responses, instant credit transfer services are available in almost all euro-denominated payment accounts and in key service channels, such as online and mobile banking. The execution of payments within the 10-second deadline is overall at a good level.

Differences nevertheless exist in the banks’ operating models in situations where the payee’s bank is unable to confirm the execution of the payment to the payer’s bank within the 10-second deadline.

• FIN-FSA's action requirement
  
  The FIN-FSA urges banks to ensure that they follow the procedure required by regulation, according to which the payer’s bank must return the funds to the payer if the payee’s bank does not confirm that the funds have been made available to the payee within 10 seconds. According to regulation, banks must also promptly inform the payer and the payment initiation service provider whether the payment amount has been credited to the payee’s account within 10 seconds of receiving the order.

Security limits largely in line with regulation – however, bank practices vary

All banks offer security limits for instant and regular credit transfers to their customers, but the regulatory requirements are not met uniformly in all respects. Almost all banks have set, or are in the process of setting, default security limits for customers who have not defined their own limits, in line with the FIN-FSA’s recommendation. However, there are significant bank-specific differences in the default level of the security limits, which may affect customer protection.

All banks require strong customer authentication when raising security limits, which supports the security of payments.

• FIN-FSA’s action requirement and recommendations
  
  The FIN-FSA requires banks to ensure that customers have the possibility to set both transaction-specific and daily security limits for instant payments in accordance with regulation.
  
  The FIN-FSA recommends that banks:

• • actively communicate the importance of security limits to their customers across all customer channels,
  • develop services that guide customers to set limits suitable for their own payment behaviour, and
  • ensure that the security limit options are equally comprehensive for both instant and regular credit transfers.

It can be regarded as good practice that several banks require new customers to set security limits before the service is taken into use.

Shortcomings in payee verification service

The verification of payee information is an important reform aimed at preventing incorrect payments and fraud, thus improving payment security. The importance of the payee verification service is emphasised as instant payments become more common.

In the initial phase of implementing the payee verification service, several banks have experienced general disruptions related to service availability and challenges in reliably verifying the match between the payee’s name and account number.

• FIN-FSA's recommendation
  
  The FIN-FSA recommends that banks improve the coverage, accuracy, and reliability of the payee verification service by developing the matching logic and ensuring high service availability to minimise disruptions.
  
  Customer communication in payee verification service
  
  There are differences in the implementation of the payee verification service, particularly in how warnings are presented to customers in situations where the payee’s information does not match or when the service is experiencing disruptions. According to the FIN-FSA’s assessment, customer communication in some banks does not fully meet regulatory requirements and does not always support the customer’s informed decision-making when confirming the payment.
  
  
• FIN-FSA’s action requirement and recommendation
  
  Situations where the payee’s name and account number do not match
  
  The FIN-FSA urges banks to present a clear warning to the customer that accepting the payment may result in funds being transferred to the wrong recipient. In addition, the customer must be informed about the effects on the bank’s liability. The presentation of warnings should be visually clear and support risk awareness.
  
  Service disruptions
  
  The FIN-FSA recommends that customers be clearly informed when the verification service is unavailable and that the risks associated with accepting the payment be highlighted.

Fraud monitoring better, but still room for improvement

Real-time fraud monitoring is a key part of payment security. Most banks utilise analysis methods based on customer payment behaviour and are also able to automatically block suspicious payments.

According to regulation², banks must have payment transaction monitoring mechanisms in place enabling them to detect unauthorised or fraudulent payment transactions in order to implement security measures. These mechanisms must be based on the analysis of payment transactions, taking into account factors that are characteristic of the payment service user in the normal use of personal security credentials.

• FIN-FSA's recommendation
  
  The FIN-FSA recommends that customer behaviour-related factors such as payment history, payment amount, time of payment, payment channel, payment recipient, the payer’s deviating location, as well as device and language information, be comprehensively taken into account in fraud monitoring.
  
  
• FIN-FSA's recommendation
  
  The FIN-FSA recommends that banks:

• • develop monitoring so that:
    • suspicious payments can be blocked in a risk-based and automated manner, and
    • the use of the customer’s credentials can be blocked in real time in critical situations,
  • strengthen controls especially in high-risk situations where the authentication app is activated on a new device, in which case additional safeguards such as delays and active measures by the customer (e.g. a phone call to the bank or remote reading of the passport chip) should be used.

In addition, banks should ensure sufficient human resources for fraud prevention activities and the handling of fraud cases.

The FIN-FSA will monitor the correction of identified shortcomings in future supervision.

The recommendations issued in this supervision release supplement the recommendations issued in a supervision release on 9 October 2025.

For further information, please contact

• Sanna Atrila, Chief Legal Advisor, sanna.atrila(at)fiva.fi
• Kaisa Tukiainen, Senior Supervisor, kaisa.tukiainen(at)fiva.fi

  The corresponding Finnish-language supervision release was published on 26 May 2026 

• ¹Regulation (EU) 2024/886 of the European parliament and of the council amending Regulations (EU) No 260/2012 and (EU) 2021/1230 and Directives 98/26/EC and (EU) 2015/2366 as regards instant credit transfers in euro 
• ²Commission delegated regulation (EU) 2018/389 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication