
Strong customer authentication – KNF allows transition period after 14th of September 2019

On August 19th 2019, the Polish Financial Supervision Authority (KNF) published a statement referring to the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the Regulation).

According to the Regulation, starting from September 14th, 2019, payment service providers shall apply strong authentication of customers (payers) whenever the customer:

  1. accesses her/his payment account online (including e-banking platforms accessible through web browsers or mobile apps),
  2. initiates an electronic payment transaction (including payment card transactions),
  3. carries out any action through a remote channel which may imply a risk of payment fraud or other abuse.

Pursuant to the Payment Services Act, strong authentication is authentication that ensures protection of data confidentiality and is based on the use of at least two elements belonging to the following categories:

  1. knowledge of something that only the customer-payer knows (e.g. PIN, multiple-use password),
  2. possession of something that only the customer-payer has (e.g. payment card, mobile application),
  3. customer-payer characteristics (e.g. biometrics, including fingerprint).

The abovementioned elements should form an integral part of the authentication process and be independent of each other in such a way that violation of one of the elements does not weaken the credibility of the other. According to the position of the European Banking Authority (EBA), at least two of the used elements of strong authentication should belong to different categories.

Importantly, EBA has allowed national regulators (including the Polish Financial Supervision Authority, hereinafter: KNF) to apply a transitional period (i.e. the period after September 14th, 2019), in which payment service providers will have additional time to adjust their authentication methods and bring them into full compliance with the requirements for strong customer authentication.

KNF allows for such a transitional period in relation to: (i) online payments using payment cards and (ii) contactless payments made at payment terminals. To use the transitional period, a provider must submit a so-called ‘migration plan’ to KNF before September 14th, 2019, which must then be approved by KNF. At present, the maximum time limit for the transitional period is unknown. Setting the time limit lies within the competence of EBA and will probably occur after September 14th, 2019.

We invite you to contact our Law Firm, which offers services such as:

  1. representation before KNF,
  2. legal design of the systems of strong customer authentication used by payment services providers.

Author: Piotr Putyra, team leader, DKP Legal