New European Union rules on strong customer authentication (“SCA”) will apply across the EU from 14 September 2019 onwards. Based on the revised EU Payment Services Directive, the new rules are intended to enhance the security of payments, reduce fraud in the authentication process and improve consumer protection. For the e-commerce industry, this means that online payments can no longer be carried out by solely using the information printed on the card used in the transaction. In future, service providers must also verify their customer’s identity with SCA in connection with card payments.
In Finland, some operators in the e-commerce industry already use SCA for card payments even though it is not mandatory. Given the new rules, SCA will now become the new standard, unless the payment falls within one of the exemptions. At the same time, the execution of SCA will change as new security requirements will also enter into force apply.
The Finnish Financial Supervisory Authority (FIN-FSA) has announced that it will not take enforcement action against companies if they do not meet the relevant requirements for SCA even after the new EU rules come into force.
Background for the FIN-FSA’s decision
After conducting an industry study, the FIN-FSA discovered that there are significant shortcomings in the readiness of the Finnish e-commerce industry to execute SCA required by the card issuers from 14 September onwards. As such, the FIN-FSA will now temporarily refrain from undertaking administrative action against its supervised entities even if the supervised entities have neglected their legal obligation to verify their customer’s identity with SCA in connection with an e-commerce card payment. The aim of the decision is to secure the uninterrupted use of card payments and to ensure that the new rules will not cause material disruption to consumers. In addition, the transition period will facilitate the implementation of the new rules within the industry.
The FIN-FSA’s decision corresponds to the opinion of the European Banking Authority, which stated on 21 June 2019 that the industry may need more time to implement the changes required to enforce SCA. The transition period granted by the FIN-FSA is temporary, and the FIN-FSA will decide on a final deadline later this year. In addition, the FIN-FSA will require a plan for the implementation of SCA from all of its supervised entities involved in e-commerce card payments later this year.
It should be noted that the FIN-FSA’s decision only applies to card payments used in e-commerce. As such, entities offering any other payment instruments must ensure that they are in compliance with SCA requirements from 14 September 2019 onwards, unless any of the exemptions apply.
On 24 June 2019, the FIN-FSA gave a separate opinion on the use of PIN number lists as part of SCA. According to the opinion, customers must be allowed to use PIN number lists to make payments and access their bank accounts until the bank has sufficiently validated the usability, accessibility and reliability of the new methods.
Borenius’ lawyers are available to assist in addressing any questions you may have regarding this legal alert. Please feel free to contact any of the Borenius’ attorneys listed in this alert or those with whom you usually work.