New rules on strong customer authentication

2019-09-13 | PSD 2 EBA News Consumer Bank

FI is publishing a Q&A on new rules that will go into effect on 14 September.


Information to firms under supervision


What are the new rules that will be introduced?

On 14 September 2019, new rules on strong customer authentication will be introduced within the EU. In brief, the rules require authentication through secure methods when payers access their payment account online, initiate an electronic payment transaction, or carry out any type of payment account action through a remote channel which may imply a risk of payment fraud or other abuses.

The rules regarding strong customer authentication are set out in Chapter 5b, section 4 of the Payment Services Act (2010:751) and the European Commission's technical standards on strong customer authentication and common and secure communication, RTS (EU) 2018/389. These technical standards are part of the implementation of the second Payment Services Directive, Directive (EU) 2015/2366 of the European Parliament and of the Council.

Are there any transitional provisions or a transitional period?

There is no transitional period. The rules go into effect when they are introduced on 14 September 2019.

However, the European Banking Authority (EBA) has taken the position that under certain conditions it is possible to accept a limited implementation period for card transactions within e-commerce. This entails that payment service providers who do not comply with the rules on strong customer authentication on 14 September 2019 must present time-restricted migration plans that show supervisory authorities when and how compliance with the requirements in the rules will be achieved. This position is specified in an opinion published by the EBA on 21 June 2019, Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2.

Is it possible to apply the time-restricted implementation period in Sweden?

Finansinspektionen is committed to ensuring that the implementation of the Payment Services Directive proceeds smoothly and in harmonisation with the EU and does not create undesirable disruptions for consumers or businesses. Finansinspektionen makes the assessment that there are already enough solutions on the Swedish market for the greater share of card transactions within e-commerce to be able to comply with the requirements on strong customer authentication. However, firms subject to Finansinspektionen's supervision that determine they need more time to apply strong customer authentication for transactions conducted via card payments within e-commerce have the possibility of submitting to Finansinspektionen a detailed implementation plan that must be in line with the timetable the EBA will specify later this year. The plan must contain, for example, the firm's planned communication activities to inform e-merchants and payment service users about the new requirements. Finansinspektionen will review the content of the plan and respond to each firm.

Notification of a plan for an extended implementation period can be emailed to finansinspektionen@fi.se. Specify Ref. No.: 19-19162.


Information to consumers


What effect will the new rules have on consumers?

The rules on strong customer authentication protect consumers and other parties that use payment services. The benefits of the rules include stronger protection against card payment fraud.

The strong customer authentication must be based on at least two elements from the following categories:

  • knowledge (something only the user knows, e.g. a PIN code),
  • possession (something only the user possesses, e.g. a personalized mobile telephone application), and
  • inherence (something the user is, e.g. a fingerprint).

In Sweden, this means in practice that payers as a rule will need to have access to e.g. a PIN code for a debit/credit card or Bank ID when conducting payment transactions, for example in a physical store, via an e-merchant's website or via a mobile telephone-based payment service app. However, there are a number of exemptions to the requirement on strong customer authentication, for example under certain conditions for low-value transactions and contactless payments in physical stores.

How are consumers affected if the payment service providers do not provide strong customer authentication after 14 September?

There are a number of signs indicating that some actors in the EU are not fully ready to implement the requirements on strong customer authentication on 14 September 2019. There have been instances of purchases completed via e-merchants' websites using payment card information where no additional authentication was required from the payer. Finansinspektionen makes the assessment that these problems are not widespread when it comes to the websites of Swedish e-merchants since, for example, Bank ID is widely accessible.

Consumers conducting card-based transactions within e-commerce should not be negatively affected by some payment service providers not complying with the strong customer authentication requirements after 14 September 2019. The fact that a payment service provider needs to prepare a migration plan in order to transition to approved methods for authentication over a limited period of time does not affect the application of the law that governs the relationship between payment service providers and payment service users. For example, the provisions regarding the distribution of responsibility in the event of unauthorised transactions will not change (Chapter 5a of the Payment Services Act (2010:751)).
