Finnish regulator also grants exemptions for strong customer authentication implementation
The additional time granted by the FIN-FSA for the implementation of requirements and change processes is temporary.
Finland’s Financial Supervisory Authority (FSA) has become the latest regulator to permit temporary exemptions for implementation of strong customer authentication (SCA) in online card payments.
The Finnish regulator has announced that it does not intend to impose administrative sanctions on its supervised entities, even if supervised entities neglect their legal obligation to authenticate customers strongly in connection with online card payments. The purpose of this is to ensure the seamless continuity of online card payments and to avoid unreasonable inconvenience to consumers.
The additional time granted by the FIN-FSA for the implementation of requirements and change processes is temporary. The FIN-FSA will decide on the length of the transitional period this year after consulting the European Banking Authority and the supervisors of other Member States on the issue. Later this year, the FIN-FSA will require all of its supervised entities that are parties to online card payments to have a plan for implementing the change process.
The transitional period aims to promote the smooth adoption of solutions that meet the regulatory requirements. The FIN-FSA’s policy is in line with the statement issued on June 21, 2019 by the European Banking Authority which allows national supervisors the opportunity to grant additional time to various parties in the sector to implement the change processes required for strong customer authentication.
The regulatory framework on strong customer authentication enters into force on September 14, 2019. The FIN-FSA cannot change the date of entry into force of the regulations. The entry into force of the regulations will impact, among other things, liability for cases of abuse between consumers and their service providers, and thus this policy will not impair the consumer’s rights in card payments. The FIN-FSA reminds supervised entities that consumer communications must provide a true picture of division of responsibility in cases of abuse.
On June 24, 2019, the FIN-FSA issued a separate statement on online banking code lists as part of strong customer authentication. According to the statement, customers should be able to use the current online banking code lists in payments and accessing payment accounts until the bank has adequately ensured the usability, accessibility and reliability of new methods.
Strong customer authentication refers to electronic authentication of payment service users that protects the confidentiality of security credentials and uses a procedure based on at least two of three mutually independent options. These options are knowledge, i.e. something only the payment service user knows (e.g. PIN code, password), possession, i.e. something only the user possesses (e.g. mobile phone, code calculator), and inherence, i.e. something only the payment service user is (e.g. fingerprint, face map).
Similar exemptions and extensions of the implementation of the SCA have been granted by the UK Financial Conduct Authority (FCA) and Denmark’s FSA.