Strong customer authentication – KNF allows transition period after 14th of September 2019
On August 19th 2019, the Polish Financial Supervision Authority (KNF) published a statement referring to the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the Regulation).
According to the Regulation, starting from September 14th, 2019, payment services providers shall apply strong authentication of customers (payers) where the customer:
- accesses her/his payment account online (including e-banking platforms accessible through web browsers or mobile apps),
- initiates an electronic payment transaction (including payment card transactions),
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuse.
Pursuant to the Payment Services Act, strong authentication is one that ensures protection of data confidentiality based on the use of at least two elements belonging to the following categories:
- knowledge of something that only the customer-payer knows (e.g. PIN, multiple-use password),
- possession of something that only the customer-payer has (e.g. payment card, mobile application),
- customer-payer characteristics (e.g. biometrics, including fingerprint).
The abovementioned elements should form an integral part of the authentication process and be independent of each other in such a way that violation of one of the elements does not weaken the credibility of the other. According to the position of the European Banking Authority (EBA), at least two of the elements used for strong authentication should belong to different categories.
Importantly, EBA has allowed national regulators (including the Polish Financial Supervision Authority, hereinafter: KNF) to apply a transitional period (i.e. the period after September 14th, 2019), in which payment service providers will have additional time to adjust their authentication methods and bring them into line with solutions that fully comply with the requirements for strong customer authentication.
KNF allows for such a transitional period in relation to: (i) online payments using payment cards and (ii) contactless payments made at payment terminals. To use the transitional period, a provider must propose a so-called ‘migration plan’ to KNF before September 14th 2019, and the plan must then be approved by KNF. At present, the maximum time limit for the application of the transitional period is unknown. Setting the time limit lies within the competence of EBA and will probably occur after September 14th, 2019.
We invite you to contact our Law Firm, which offers services such as:
- representation before KNF,
- legal design of the systems of strong customer authentication used by payment services providers.