Finland may encounter a gigantic authentication mess after the summer holidays

In the fall, new requirements will change strong customer authentication in all Finnish services in which money changes hands, including services with financial or payment transactions. The change will apply to both consumers and service providers, but the implementation is still all over the place.

Finland lacks a widespread strong customer authentication solution that would meet the criteria of the EU’s new payment services directive. The paper login code cards offered by banks will not be good for confirming online payments any more after September, as they are not compliant with the new requirements: cards are much too easy to copy. But their replacement, its implementation, or even the precise statutory requirements for authentication have not been decided yet.

This topic has recently been covered widely by the Finnish media, including Yle, Helsingin Sanomatand Kauppalehti.

“The legislators did not have a realistic idea of the time it takes to implement such changes. Never mind how to specify the requirements before work can even begin”, says Qvik’s CEO Lari Tuominen. “The Act applies to all online monetary transactions, on the part of consumers and service providers alike, and the scale of the necessary changes is such that the work should have already started.”

From September, the EU’s PSD2 payment services directive will require service providers to identify users with two-factor authentication.

Two-factor authentication involves a two-stage login process. Authentication can be based on something only the user knows (e.g. a username and password), something only the user can access, like a phone or e-mail account, or on a biometric attribute, such as a fingerprint.

In Finland, Tupas authentication service provided by banks, that is basically the paper login code cards offered by banks, have been the most common way to identify users when they make payments. Not all banks offer an authentication application that is compliant with the new requirements, however. And it’s not even clear whether authentication will be handled by the banks or the state in Finland.

“The new authentication functions should be up in eight months, counting the summer holiday season that will inevitably slow things down”, Tuominen says. “There is a big risk that many people returning from their summer vacations will have to make massive updates in a lot of hurry.”

The urgency caused by the legislator can make services discriminatory

At the moment we are waiting for Finland’s Financial Supervisory Authority to publish it’s interpretation of the payment service directive and guide payment service providers on what they must and must not do with regard to authentication. But the authority will not go into details and tell the service providers what they coulddo. The industry has been saddled with the practical implementation.

“The Act has been so poorly prepared that it puts Finland in a very tight spot”, Tuominen says.

In Estonia, for example, the state handles strong authentication with electronic identity cards, while the Bank ID system offered by banks is used in Sweden.

While the division of responsibilities remains unclear in Finland and authorities have to make major policy decisions at a short notice, the risk of discriminatory services increases: there simply isn’t time to take everything into consideration.

Will the customers of different banks be treated unequally? Who is responsible for training the aging population in the use of the new electronic services after the old authentication methods are discontinued?

“These types of universal changes are always the most difficult for those who aren’t maybe as young as they used to be.”

Illustration: Aija Malmioja