Supervision release 5 September 2019 – 47/2019

Financial Supervisory Authority permits temporary exemptions for implementation of strong customer authentication in online card payments

The requirement for strong customer authentication will enter into force on 14 September 2019. The regulatory framework is based on the Second Payment Services Directive and it will enter into force throughout Europe. The aim is to improve the security of payments and to reduce cases of abuse. Consumer protection will also improve. In online card payments, the change means that consumers will no longer, as a rule, be able to pay for online purchases merely using the numerical information printed on a payment card. In the future, the service provider must also identify customers using strong authentication in connection with payments made with payment cards.

Situation of strong customer authentication in Finland

Strong customer authentication has already been used in Finland in verifying some online purchases, although this has not been mandatory. Through the new regulations, strong customer authentication will become the general rule, unless the payment transaction is covered by regulatory exceptions. At the same time, methods of strong customer authentication will also change when new security requirements enter into force.

The Financial Supervisory Authority (FIN-FSA) has reviewed the readiness of various parties involved in online card payments to comply with the new regulations. Based on the responses received, the assessment of the FIN-FSA is that there are to some extent significant deficiencies in the readiness of online businesses in Finland to implement the strong customer authentication required by card-issuing banks from 14 September 2019.

Statement by the FIN-FSA

On a temporary basis, the FIN-FSA does not intend to impose administrative sanctions on its supervised entities, even if supervised entities neglect their legal obligation to authenticate customers strongly in connection with online card payments. The objective of this is to ensure the seamless continuity of online card payments and to avoid unreasonable inconvenience to consumers. The transitional period also aims to promote the smooth adoption of solutions that meet the regulatory requirements. The FIN-FSA’s policy is in line with the statement issued on 21 June 2019 by the European Banking Authority which allows national supervisors the opportunity to grant additional time to various parties in the sector to implement the change processes required for strong customer authentication.

The additional time granted by the FIN-FSA for the implementation of requirements and change processes is temporary. The FIN-FSA will decide on the length of the transitional period this year after consulting the European Banking Authority and the supervisors of other Member States on the issue. Later this year, the FIN-FSA will require all of its supervised entities who are parties to online card payments to have a plan for implementing the change process.

Impact of entry into force of strong customer authentication

The regulatory framework on strong customer authentication enters into force on 14 September 2019. The FIN-FSA cannot change the date of entry into force of the regulations. The entry into force of the regulations will impact, among other things, cases of liability for abuse between consumers and their service providers, and thus this policy will not weaken consumers’ rights in card payments. The FIN-FSA reminds supervised entities that consumer communications must provide a true picture of the division of responsibility in cases of abuse.

FIN-FSA’s position on status of online banking code lists

On 24 June 2019, the FIN-FSA issued a separate statement on online banking code lists as part of strong customer authentication. According to the statement, customers should be able to use the current online banking code lists in payments and accessing payment accounts until the bank has adequately ensured the usability, accessibility and reliability of new methods.

For further information, please contact

Sanna Atrila, Senior Legal Adviser, tel. +358 9 183 5552 or sanna.atrila(at)



Background information on PSD2 regulations

Strong customer authentication refers to electronic authentication of payment service users that protects the confidentiality of security credentials and uses a procedure based on at least two of three mutually independent options. These options are knowledge, i.e. something only the payment service user knows (e.g. PIN code, password), possession, i.e. something only the user possesses (e.g. mobile phone, code calculator), and inherence, i.e. something only the payment service user is (e.g. fingerprint, face map).

Service providers must use strong customer authentication if a payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse. Strong customer authentication in accordance with the regulations must therefore be used, as a rule, in all payer-initiated electronic payment transactions, for example in online banking, online shopping or at a retail payment terminal.

The regulations specify limited situations where strong customer authentication need not be implemented. These include, for example, contactless payments up to EUR 50 in a brick and mortar store or online payments up to EUR 30. Even in these situations, strong customer authentication is also required when the security limits set for individual purchases or the total amount of purchases are reached.

For more information on PSD2 regulations, visit the FIN-FSA’s website.