Online banking code lists as part of strong customer authentication
FIVA 8/01.02/2019
1 Background and regulation
The requirement for strong customer authentication to increase payment security brings changes to the possibility for banks and other payment service providers to use banking code lists in online payment and accessing payment accounts. Regulation on the requirement for strong authentication is based on the Second Payment Services Directive (PSD2) and will enter fully into force on 14 September 2019. The Directive has been transposed into the Payment Services Act in Finland.
Under the Payment Services Act, service providers must use strong authentication if a payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse. Regulation allows for a number of exemptions for which there is no need to comply with the requirement for strong authentication.
Strong authentication refers to the electronic authentication of a payment service user which protects the confidentiality of security credentials and uses a procedure based on at least two of three mutually independent options. These options are:
- knowledge, i.e. something only the user knows,
- possession, i.e. something only the user possesses, and
- inherence, i.e. something only the user is.
Separate security requirements, which must be taken into account when implementing strong authentication, are laid down for each option. Online banking code lists are included in elements categorised as possession, which are subject to a requirement to adopt measures designed to prevent replication of the banking code lists when the payers uses them.
2 Statement by the Financial Supervisory Authority (FIN-FSA)
The printed online banking code lists (one-time password lists) currently used by banks in Finland are easily copied, and therefore they do not, used in their present form, meet the security requirements of the new regulation.
Continuing the use of online banking code lists will require, for strong customer authentication in connection with payment and accessing a payment account, the addition of elements that result in the implementation of two-factor authentication required by regulation in accordance with the requirements.
By this statement the FIN-FSA does not take a position on the continued use of online banking code lists in those usage situations where banking codes are used for customer strong authentication in services other than payment and accessing a payment account, such as in the services of the authorities, for example. In these situations strong electronic authentication is regulated by the Act on Strong Electronic Identification and Electronic Trust Services. The Finnish Communications Regulatory Authority TrafiCom is responsible for interpreting this Act.
3 Factors to note in the change process
The objective of the change is to increase the security of payment and accessing a payment account. In addition to security, banks must pay particular attention to the usability, accessibility and reliability of new methods.
In Finland, online banking codes used as a means of strong electronic authentication are part of basic banking services and they should be provided on an equal and non-discriminatory basis to all customer groups. Prices for basic banking services should be reasonable.
The FIN-FSA requires banks, when providing new authentication methods, to take into account the needs of all of the various customer groups as well as the requirements of equality legislation for reasonable adjustments to be made for specific groups. An easy-to-use method enabling the implementation of strong customer authentication should be available to all customer groups.
Changes to authentication methods should be implemented so that the possibility of all customer groups to use the authentication tools without interruption is secured. Customers should be able to use the current online banking code lists in payment and accessing a payment account until the bank has adequately ensured the usability, accessibility and reliability of new methods.
The FIN-FSA emphasises that banks should provide customers with adequate advice and personal guidance on the introduction of new authentication tools and methods. Customer communications must also provide clear instructions for situations where the authentication tool or part thereof malfunctions or disappears or the mobile device of the customer used in authentication is replaced by a new device.
4 Implementing the change process
The FIN-FSA will request from the banks a plan and confirmed timetable for the adoption of new methods as well as a statement on taking different customer groups into account. The FIN-FSA will closely monitor the implementation of the change process in respect of banks that do not fulfil the requirements of regulation on its effective date.
The fact that the current online banking code lists may be used in payment and accessing payments accounts after 14 September 2019 does not affect a bank’s responsibility under the law.
5 Legal norms
Payment Services Act (290/2010) section 8 (24), section 62, section 85 b
Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, Article 7(2)
Credit Institutions Act (610/2014) chapter 15, sections 6 and 6 a
6 For further information, please contact
Sanna Atrila, Legal Adviser, tel. +358 10 831 5552, sanna.atrila(at)fiva.fi