Insights | October 22, 2019

The Finnish Financial Supervisory Authority’s notice on migration to strong customer authentication in e-commerce

The Finnish Financial Supervisory Authority FSA has published its supervision release 54/2019 on the deadline for the migration to strong customer authentication (SCA) for e-commerce card-based payments in Finnish on 18 October 2019 and in English on 21 October 2019. The guidance is a follow-up to the European Banking Authority's EBA opinion of 16 October 2019. Electronic SCA involves the use of means of electronic identification that provide a substantial or high level of confidence in the claimed or asserted identity of a person and fulfill certain technical specifications and standards.

In its opinion, the EBA set a deadline for the adoption of SCA of 31 December 2020 and recommended that national competent authorities (NCAs) adopt a consistent approach. The EBA further recommended that the NCAs communicate that such guidance on the deadline does not mean a postponement of the applicability of SCA requirements under the so-called second payment services directive (PSD2).

According to the EBA, the postponement should be considered rather as an indication that the supervisory authorities will focus on monitoring migration plans and their implementation instead of imposing sanctions on payment service providers that are not yet in compliance with the SCA requirements. The opinion further stressed that the additional time for implementing SCA for e-commerce card-based payments does not affect the payment service providers’ liability and consumer protection pursuant to Article 74 of the PSD2. Therefore, issuing and acquiring payment service providers will continue to be liable for unauthorized payment transactions where they do not require SCA.

According to supervision release 54/2019, the FSA has decided to apply the migration period and monitoring plan as outlined in the EBA opinion. The FSA requires that all of its supervised entities that are party to card-based payments in e-commerce have a realistic migration plan. The FSA will also monitor the progress of the migration and require that all of its supervised entities comply with the SCA requirements by the end of the migration period, i.e. by 31 December 2020.

In the Finnish context, it is good to note that the national TUPAS protocol that was previously widely used for strong customer authentication does not fulfill the current SCA requirements. Thus, the Finnish Transport and Communications Agency’s Regulation on Electronic Identification and Trust Services required Finnish market players to migrate to other protocols for SCA by 1 October 2019. This deadline was also postponed as the original deadline was a year earlier.

Read the Finnish Financial Supervisory Authority’s supervision release in Finnish and in English. Read the European Banking Authority’s opinion here.