Monday September 16 2019

News Source: Global Exchanges

Focus: Trading Systems and Technology

Type: General

Country: Sweden

Link: https://bit.ly/2kLnVaV




On 14th August 2019, Finansinspektionen published a Q&A on new rules concerning strong customer authentication that will be introduced within the EU. The rules will be effective from 14th September 2019.

In brief, the rules require authentication through secure methods when payers access their payment account online, initiate an electronic payment transaction, or carry out any type of payment account action through a remote channel which may imply a risk of payment fraud or other abuses.

The rules regarding strong customer authentication are set out in Chapter 5b, section 4 of the Payment Services Act (2010:751) and the European Commission’s technical standards on strong customer authentication and common and secure communication, RTS (EU) 2018/389. These technical standards are part of the implementation of the second Payment Services Directive, Directive (EU) 2015/2366 of the European Parliament and of the Council.

What effect will the new rules have on consumers?

The rules on strong customer authentication protect consumers and other parties that use payment services. The benefits of the rules include stronger protection against card payment fraud.

The strong customer authentication must be based on at least two elements from the following categories:

  • Knowledge (something only the user knows, e.g. a PIN code),
  • Possession (something only the user possesses, e.g. a personalized mobile telephone application), and
  • Inherence (something the user is, e.g. a fingerprint).

In Sweden, this means in practice that payers as a rule will need to have access to e.g. a PIN code for a debit/credit card or Bank ID when conducting payment transactions, for example in a physical store, via an e-merchant’s website or via a mobile telephone-based payment service app. However, there are a number of exemptions to the requirement on strong customer authentication, for example given certain conditions for low-value transactions and contactless payments in physical stores.

How are consumers affected if the payment service providers do not provide strong customer authentication after 14 September?

There are a number of signs indicating that some actors in the EU are not fully ready to implement requirements on strong customer authentication on 14 September 2019. There are cases of purchases carried out via e-merchants’ websites that are based on payment card information where no additional authentication is required from the payer.

Finansinspektionen makes the assessment that these problems are not widespread when it comes to the websites of Swedish e-merchants since, for example, Bank ID is widely accessible.

Consumers conducting card-based transactions within e-commerce should not be negatively affected by some payment service providers not complying with the strong customer authentication requirements after 14 September 2019.

The fact that a payment service provider needs to prepare a migration plan in order to transition to approved methods for authentication over a limited period of time does not affect the application of the law that applies to the relationship between payment service providers and payment service users. For example, the provisions regarding the distribution of responsibility in the event of unauthorised transactions will not change (Chapter 5a of the Payment Services Act (2010:751)).

Click on the above link for further information.