Customer Authentication Requirements.

1. Introduction

Customer Authentication refers to verifying the identity of a customer before allowing access to financial services or executing transactions. Strong customer authentication is critical for:

Reducing fraud and unauthorized transactions

Protecting sensitive financial data

Complying with PSD2 (Payment Services Directive 2) in the EU

Enabling secure digital and mobile banking, payment services, and open banking

2. Regulatory Framework

A. PSD2 (EU)

Requires Strong Customer Authentication (SCA) for electronic payments and account access.

SCA requires at least two independent elements drawn from the following categories:

Knowledge – something the user knows (e.g., password, PIN)

Possession – something the user has (e.g., mobile device, token)

Inherence – something the user is (e.g., fingerprint, facial recognition)

B. GDPR

Personal data must be protected during authentication, including biometrics and credentials.

C. National Regulations (Finland)

FIN-FSA (the Finnish Financial Supervisory Authority) oversees SCA implementation, particularly for:

Mobile banking

Payment institutions and electronic money institutions (EMIs)

Third-party providers (account information and payment initiation service providers, AISPs/PISPs)

D. Other Relevant Guidelines

EBA Regulatory Technical Standards (RTS) on SCA and secure communication – specify the requirements for SCA, secure communication between parties, and transaction monitoring.

DORA (Digital Operational Resilience Act) – requires robust operational and cybersecurity measures for authentication systems.

3. Key Requirements for Customer Authentication

A. Strong Customer Authentication (SCA)

Mandatory for online payments and digital banking access.

Multi-factor authentication (MFA) using at least two independent elements.

SCA applies to both consumers and businesses, with exemptions for low-risk transactions.

B. Risk-Based Authentication

SCA can be dynamic, depending on transaction amount, risk level, or location.

Banks must implement transaction monitoring to detect suspicious activity.

C. Technical Requirements

Secure API access for third-party providers (TPPs) in open banking.

Encrypted communication channels.

Fraud detection algorithms and anomaly detection.

D. Exemptions

Low-value transactions under €30 may be exempt.

Recurring payments with the same amount and payee may be exempt.

Trusted beneficiaries may bypass SCA under risk-based rules.
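As an added illustration (not part of the original page), the two rules from section 2 and this section, the requirement for two elements from independent categories and the exemptions listed here, expressed as decision logic. The element-to-category mapping, the risk score and the 0.7 threshold are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "knowledge"      # something the user knows (password, PIN)
    POSSESSION = "possession"    # something the user has (registered device, token)
    INHERENCE = "inherence"      # something the user is (fingerprint, face)

# Constructed mapping of authentication elements to their SCA category.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "registered_device": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

def satisfies_sca(elements: list[str]) -> bool:
    """True if the presented elements span at least two independent categories.
    Password + PIN are both knowledge, so they count as one category and fail."""
    categories = {ELEMENT_CATEGORY[e] for e in elements}
    return len(categories) >= 2

@dataclass
class Transaction:
    amount_eur: float
    payee: str
    recurring_same_amount_payee: bool = False   # standing order with a fixed amount
    trusted_beneficiary: bool = False           # payee on the customer's whitelist
    risk_score: float = 0.0                     # constructed 0..1 output of transaction monitoring

LOW_VALUE_LIMIT_EUR = 30.0

def sca_required(txn: Transaction, high_risk_threshold: float = 0.7) -> tuple[bool, str]:
    """Decide whether SCA must be applied and say why.
    Transaction monitoring runs first: a flagged transaction loses every exemption."""
    if txn.risk_score >= high_risk_threshold:
        return True, "flagged by transaction monitoring; exemptions withdrawn"
    if txn.amount_eur < LOW_VALUE_LIMIT_EUR:
        # The RTS also caps how many low-value payments may run without SCA; not modelled here.
        return False, "low-value exemption"
    if txn.recurring_same_amount_payee:
        return False, "recurring payment, same amount and payee"
    if txn.trusted_beneficiary:
        return False, "trusted beneficiary"
    return True, "no exemption applies"
```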

E. Reporting and Liability

Unauthorized transactions must be reimbursed by providers unless fraud resulted from customer negligence.

Providers must report SCA failures or breaches to FIN-FSA.

4. Benefits of Customer Authentication Requirements

Fraud reduction – unauthorized transactions are minimized.

Data security – ensures personal and financial information is protected.

Consumer trust – increases confidence in digital and mobile banking.

Regulatory compliance – aligns with PSD2, EBA RTS, and national law.

Operational resilience – strengthens the integrity of financial systems.

Cross-border interoperability – harmonized SCA enables EU-wide secure payments.

5. Case Laws / Enforcement Examples

1. Nordea Finland SCA Enforcement (2021)

Issue: Mobile banking and online payments lacked consistent strong customer authentication.

Outcome: FIN-FSA issued a warning; bank upgraded MFA protocols.

Lesson: SCA must be applied consistently across all digital channels.

2. OP Bank Group API Access & SCA (Finland, 2020)

Issue: Delay in implementing SCA for third-party payments through mobile banking APIs.

Outcome: FIN-FSA required immediate compliance.

Lesson: SCA is mandatory for open banking transactions and must be integrated into APIs.

3. Revolut Mobile Banking MFA Verification (EU/Finland, 2020)

Issue: Multi-jurisdiction fintech had inconsistencies in SCA implementation for mobile payments.

Outcome: Regulatory oversight ensured alignment with PSD2 RTS; secure MFA applied EU-wide.

Lesson: Cross-border fintechs must implement SCA uniformly to comply with EU regulations.

4. Wirecard Bank SCA & Fraud Failure (Germany, 2020)

Issue: Failure to authenticate mobile and online transactions led to massive fraud.

Outcome: Bank’s license revoked; operations ceased.

Lesson: SCA and operational controls are critical; lapses can lead to license revocation and insolvency.

5. LocalBitcoins Oy Mobile Payments (Finland, 2025)

Issue: Provided mobile crypto payments without proper customer authentication and PSD2 authorization.

Outcome: FIN-FSA imposed €500,000 fine; corrective compliance required.

Lesson: Mobile payment services must implement robust authentication and licensing.

6. Tink AB API & SCA Dispute (Finland/EU, 2021)

Issue: Banks delayed SCA implementation for TPP-initiated payments via API.

Outcome: FIN-FSA mandated banks comply with SCA rules for all API transactions.

Lesson: SCA is integral to PSD2 open banking obligations; delays or exemptions are not allowed without legal basis.

6. Key Lessons from Enforcement Cases

SCA is mandatory for all digital transactions unless an exemption applies.

Mobile banking and API access must include SCA.

Multi-factor authentication must use at least two independent elements (knowledge, possession, inherence).

Cross-border fintechs must ensure uniform SCA across jurisdictions.

Operational and cybersecurity lapses in authentication can lead to fines, license suspension, or insolvency.

Regulatory oversight is proactive – FIN-FSA enforces SCA rigorously in Finland.

Conclusion

Customer Authentication Requirements under PSD2, the EBA RTS, GDPR, and FIN-FSA supervision are central to securing electronic payments and mobile banking. Enforcement cases such as the Nordea SCA warning, the OP Bank API compliance order, the Revolut MFA verification, the Wirecard fraud, the LocalBitcoins mobile payments penalty, and the Tink API SCA dispute show that robust multi-factor authentication, operational security, and regulatory compliance are essential to protect consumers and maintain the integrity of financial services.