KNF admonishes the banking sector in the context of strong authentication: “security first”!

The KNF points out in the letter that despite intensive information campaigns, there is a noticeable „growing tendency in the number of frauds targeting consumers, often losing their life savings.” This applies to both expert users of modern technologies and the elderly who do not have regular contact with them. First of all, the KNF expects the exemption from the use of the strong authentication mechanism provided for in the Commission Delegated Regulation (EU) 2018/389 (RTS).

The element preceding the decision by banking customers to resign from strong authentication for transactions should be the acceptance by these customers of information about the potential risk of losing funds, in this case related to the exclusion of strong authorization for low-value transactions.

Additionally, taking into account the application of the „security first” principle, the Polish Financial Supervision Authority expects the implementation of a functionality in the transaction system that allows the customer to set up confirmation with strong authentication of each payment.

In the same letter, the KNF, pointing to the growing problem of phishing, strongly opposes the practice of sending active links to websites to customers in e-mail messages (including embedding such links in graphics) and SMS messages addressed to customers. Instead, the KNF recommends changing the mode in favor of static information that does not generate the above-mentioned fraud risk or in favor of providing customers with information via mobile applications and electronic banking portals.

The KNF also condemned an excessively simplified encryption of attachments sent in e-mail correspondence with simple passwords that could be broken using standard IT tools. The risk analysis carried out by suppliers should take into account the specificity of a given communication channel and User eXperience. The KNF will control the fulfillment of these standards by suppliers regarding the security of clients’ funds.