FIN-FSA recommends measures for banks to take to improve online payment security – EU’s Instant Payments Regulation speeds up payments but also increases risks
The Financial Supervisory Authority (FIN-FSA) recommends to banks operating in Finland several measures for improving the security of online payments, covering matters such as security limits and fraud monitoring. The recommendations are based on the results of a FIN-FSA follow-up assessment conducted in spring 2025, in which it examined, among other things, the controls and processes for online payment security in credit institutions. The EU’s Instant Payments Regulation (IPR) enters into force today, 9 October 2025, speeding up payment transactions in the euro area and improving security through payee verification.
The FIN-FSA has published new recommendations aimed at improving the security of online and mobile banking and online payments in Finland. The recommendations focus especially on the security limits for credit transfers, the improvement of payment controls and the further development of fraud monitoring.
“In the spring we looked at the controls and processes for online payment security. Based on this follow-up assessment, the FIN-FSA decided to recommend that banks take a number of further steps. Financial sector entities have done a lot to prevent fraud, but the race against those involved in criminal activity shows no signs of slowing down,” says Samu Kurri, Head of the FIN-FSA’s Digitalisation and Analysis Department.
The FIN-FSA recommends that banks develop security controls that allow users to set more versatile security limits than at present on their credit transfers. In accordance with the IPR provisions that enter into force today, credit institutions must offer a service where the customer can set a per transaction or daily euro limit for instant payments, but it would also be preferable if credit institutions were to offer both per transaction and daily security limits, and not only for instant payments but also for standard credit transfers. The FIN-FSA also recommends that credit institutions automatically set per transaction and daily euro limits for credit transfers if the customer has not set such a limit.
The FIN-FSA urges all banks to improve other payment security controls too, such as delay settings or other security controls in connection with the customer installing a new identification application, and requests for additional confirmation if the bank’s monitoring suspects a fraudulent payment transaction.
“The FIN-FSA also recommends that in real-time fraud monitoring, banks make more effective use of features concerning the customer’s behaviour, such as previous payment history, unusual time of payment or payer’s location. This analysis would help identify irregular payment transactions and respond to them swiftly before any damage is done,” says Jussi Terho, Head of the FIN-FSA’s Payment Services and IT Supervision Division.
Ten financial sector entities were involved in the FIN-FSA’s follow-up assessment, and the practices and processes of these entities varied somewhat. Most of the respondents reported that fraud prevention is one of their key priorities at present, and all noted that they had increased communications, training and resources in fraud prevention. All the respondents considered it important that the legislation be amended to enable easier sharing of information between different entities. The respondents also hoped that online services, social media platforms and operators would have more robust responsibilities in regard to fraud prevention.
Instant Payments Regulation speeds up payments but also increases risks
Some elements of the IPR have already entered into force in stages during 2025, but as of 9 October, all euro area banks must be able to send instant credit transfers and apply other IPR requirements. The most significant change is that euro-denominated instant credit transfers must be executed within ten seconds across the euro area, around the clock and every day of the year. At the same time, a requirement to match the payee name and account number enters into force, applicable to all account-based payments.
“The objective of payee verification is to prevent payments from ending up in the wrong accounts and to decrease scams in which customers are misled into making a payment to the wrong payee. The matching of the account number and the payee name increases security and may prevent errors and fraudulent transactions. At the same time, faster payments hamper the identification and prevention of fraud, as funds are transferred more swiftly. The industry must be ready to monitor and develop the ways in which responses are made to the changing threats, also in this new payment environment,” says Jussi Terho.
The FIN-FSA monitors the implementation of its recommendations to banks as part of its normal supervisory work.
FIN-FSA’s recommendations for credit institutions
The Financial Supervisory Authority (FIN-FSA), in its follow-up assessment, identified good practices used in the sector for improving security and it recommends that these be adopted by all credit institutions.
Security limits on credit transfers
In accordance with the Instant Payments Regulation (IPR) provisions entering into force on 9 October 2025, credit institutions must offer a service in which customers can themselves set a per transaction or daily euro limit for instant payments. The FIN-FSA recommends that credit institutions offer both per transaction and daily security limits on account-based payments and that this should apply to both instant payments and standard credit transfers. In addition, the FIN-FSA recommends that credit institutions automatically set per transaction and daily euro limits on their retail customers’ credit transfers if customers have not set the limits themselves. Credit institutions can determine the euro limits for their retail customers on a risk-based basis.
Other payment controls
The FIN-FSA recommends that credit institutions also improve other payment security controls, such as:
- setting of delays or other similar security controls when the customer installs a new identification application;
- requests for additional confirmation if the bank’s monitoring suspects a fraudulent payment transaction.
Development of fraud monitoring
The FIN-FSA recommends that credit institutions develop real-time fraud monitoring to incorporate features related to the customer’s behaviour, such as previous payment history, size and time of payment, payment channel, payment recipient and unusual payer location.
Contact information:
For further information, please contact Head of Department Samu Kurri or Head of Division Jussi Terho in the Digitalisation and Analysis Department. Requests for interviews are coordinated by FIN-FSA Communications, tel. +358 9 183 5030, Mon–Fri 9:00–16:00.
Finanssivalvonta, or the Financial Supervisory Authority (FIN-FSA), is the authority for supervision of Finland’s financial and insurance sectors. The entities supervised by the authority include banks, insurance and pension companies as well as other companies operating in the insurance sector, investment firms, fund management companies and the Helsinki Stock Exchange. We foster financial stability and confidence in the financial markets and enhance protection for customers, investors and the insured.