
Financial Supervisory Authority complies with EBA-proposed additional time for strong customer authentication in e-commerce card-based payments – requirements must be implemented by 31 December 2020



On 16 October 2019, the European Banking Authority (EBA) published an opinion on the granting of additional time for implementing the requirements of strong customer authentication (SCA) in e-commerce card-based payments. In its opinion, the EBA expresses the view that national competent authorities (NCAs) may grant additional time, until 31 December 2020, for implementing the requirements of and migration to SCA. Additional time means that, temporarily, NCAs will not impose administrative sanctions on their supervised entities, even if supervised entities neglect their legal obligation to authenticate customers strongly in connection with e-commerce card-based payments.

The EBA opinion includes recommendations on measures by which NCAs should monitor the progress made by the different parties to the card-based payment process in implementing the requirements of SCA. The objective of the measures is to ensure that supervisory practices are as consistent as possible throughout the European Union.

In its own supervisory work, the FIN-FSA will comply with the additional time proposed in the EBA opinion and the supervisory measures plan described therein. The FIN-FSA requires all of its supervised entities who are parties to e-commerce card-based payments to have a realistic plan for implementing migration to SCA.

The FIN-FSA will monitor that supervised entities’ migration to SCA progresses according to plan and that the requirements are implemented within the additional time period. The FIN-FSA encourages all parties to e-commerce card-based payments to prioritise migration projects and to strive to ensure that migration to SCA is completed in good time before the end of the additional time granted in the EBA opinion.

The FIN-FSA reminds supervised entities that the regulations on SCA entered into force on 14 September 2019. The entry into force of the regulations will impact, among other things, cases of liability for abuse between consumers and their service providers. The additional time granted for implementing the technical requirements will not weaken consumers’ rights in card-based payments. Consumer communications must provide a true picture of the division of responsibility in cases of abuse.

For further information, please contact

  • Sanna Atrila, Senior Legal Adviser, tel. +358 9 183 5552 or sanna.atrila(at) (from 21 October 2019)
  • Hanna Heiskanen, Senior Digitalisation Specialist, tel. +358 9 183 5202 or hanna.heiskanen(at)
  • Anu Kettunen, Legal Adviser, tel. +358 9 183 5309 or anu.kettunen(at)
  • Heli Mäkitalo, Risk Specialist, tel. +358 9 183 5369 or heli.makitalo(at)


Opinion of the European Banking Authority on the deadline for the migration to SCA for e-commerce card-based payment transactions, published 16 October 2019

FIN-FSA supervision release 5 September 2019

FIN-FSA statement 24 June 2019

Background information on PSD2 regulations

Strong customer authentication (SCA) refers to electronic authentication of payment service users that protects the confidentiality of security credentials and uses a procedure based on at least two of three mutually independent options. These options are knowledge, i.e. something only the payment service user knows (e.g. PIN code, password), possession, i.e. something only the user possesses (e.g. mobile phone, code calculator), and inherence, i.e. something only the payment service user is (e.g. fingerprint, face map).

Service providers must use SCA if a payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse. SCA in accordance with the regulations must therefore be used, as a rule, in all payer-initiated electronic payment transactions, for example in online banking, e-commerce or at a retail payment terminal.

The regulations specify limited situations where SCA need not be implemented. These include, for example, contactless payments up to EUR 50 in a brick-and-mortar store or online payments up to EUR 30. Even in these situations, SCA is required when the security limits set for individual purchases or the total amount of purchases are reached.

For more information on PSD2 regulations, visit the FIN-FSA website.

The corresponding Finnish-language supervision release was published on 18 October 2019.


Regulator Information

Abbreviation: FIN-FSA
Jurisdiction: Finland
