Supervision release 21 October 2019 – 54/2019

Financial Supervisory Authority complies with EBA-proposed additional time for strong customer authentication in e-commerce card-based payments – requirements must be implemented by 31 December 2020

On 16 October 2019, the European Banking Authority (EBA) published an opinion on the granting of additional time for implementing the requirements of strong customer authentication (SCA) in e-commerce card-based payments. In its opinion, the EBA expresses the view that national competent authorities (NCAs) may grant additional time, until 31 December 2020, for implementing the requirements of and migration to SCA. Additional time means that, temporarily, NCAs will not impose administrative sanctions on their supervised entities, even if supervised entities neglect their legal obligation to authenticate customers strongly in connection with e-commerce card-based payments.

The EBA opinion includes recommendations on measures by which NCAs should monitor the progress made by the different parties to the card-based payment process in implementing the requirements of SCA. The objective of the measures is to ensure as consistent as possible supervisory practices throughout the European Union.   

In its own supervisory work, the FIN-FSA will comply with the additional time proposed in the EBA opinion and the supervisory measures plan described therein. The FIN-FSA requires all of its supervised entities who are parties to e-commerce card-based payments to have a realistic plan for implementing migration to SCA.

The FIN-FSA will monitor supervised entities’ progress in migrating to SCA according to plan and that the requirements are implemented within the additional time period. The FIN-FSA encourages all parties to e-commerce card-based payments to prioritise migration projects and to strive to ensure that migration to SCA is completed in good time before the end of the additional time granted in the EBA opinion.

The FIN-FSA reminds supervised entities that the regulations on SCA entered into force on 14 September 2019. The entry into force of the regulations will impact, among other things, cases of liability for abuse between consumers and their service providers. The additional time granted for implementing the technical requirements will not weaken consumers’ rights in card-based payments. Consumer communications must provide a true picture of the division of responsibility in cases of abuse.

For further information, please contact  

  • Sanna Atrila, Senior Legal Adviser, tel. +358 9 183 5552 or sanna.atrila(at)fiva.fi (from 21 October 2019)
  • Hanna Heiskanen, Senior Digitalisation Specialist, tel. +358 9 183 5202 or hanna.heiskanen(at)fiva.fi
  • Anu Kettunen, Legal Adviser, tel. +358 9 183 5309 or anu.kettunen(at)fiva.fi
  • Heli Mäkitalo, Risk Specialist, tel. +358 9 183 5369 or heli.makitalo(at)fiva.fi

Attachments

Opinion of the European Banking Authority on the deadline for the migration to SCA for e-commerce card-based payment transactions, published 16 October 2019

FIN-FSA supervision release 5 September 2019

FIN-FSA statement 24 June 2019

Background information on PSD2 regulations

Strong customer authentication (SCA) refers to electronic authentication of payment service users that protects the confidentiality of security credentials and uses a procedure based on at least two of three mutually independent options. These options are knowledge, i.e. something only the payment service user knows (e.g. PIN code, password), possession, i.e. something only the user possesses (e.g. mobile phone, code calculator), and inherence, i.e. something only the payment service user is (e.g. fingerprint, face map).

Service providers must use SCA if a payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse. SCA in accordance with the regulations must therefore be used, as a rule, in all payer-initiated electronic payment transactions, for example in online banking, e-commerce or at a retail payment terminal.

The regulations specify limited situations where SCA need not be implemented. These include, for example, contactless payments up to EUR 50 in a brick and mortar store or online payments up to EUR 30. Even in these situations, SCA is also required when the security limits set for individual purchases or the total amount of purchases are reached.

For more information on PSD2 regulations, visit the FIN-FSA website.

The corresponding Finnish-language supervision release was published on 18 October 2019.