90-Day Re-Authentication Rule

What does the FCA’s 90-day re-authentication rule announcement mean for open banking?

| Article by: Antonis KazoulisProfile Image Antonis Kazoulis 4 min

When PSD2 was introduced in 2018, data security was at the top of the European Commission’s agenda. Every 90 days, people had to undergo a Strong Customer Authentication (SCA) check to reinstate their consent to service providers. While that evoked a heightened sense of protection, it also created friction for the broader adoption of Open Banking. Things changed last March. 

The Financial Conduct Authority (FCA) released a statement introducing changes in the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication. In the words of the FCA:

... customers would not need to reauthenticate with their ASPSP every 90 days when accessing account information via a TPP. Instead, TPPs would need to reconfirm customers’ consent every 90 days, which will be less burdensome for customers.” 

What does that practically mean? Users only need to authenticate via SCA the very first time. After the commencement of 90 days, they simply need to update their consent through a simple “yes” or “no” answer. To make it even more precise, let’s go through the step-by-step process.

The process before the announcement:

  • To start using a personal finance app, users needed to give their consent, allowing the app to access and share their data
  • They were then redirected to their bank to give their consent using SCA
  • This allows the app to access user data for 90 days
  • Following the 90 days, users receive a notification to re-authenticate from scratch 
  • Users had to go through the same process of redirection to their bank and the provision of 2+ security credentials
  • The exact process would then be repeated every 90 days

Once you break down the steps, it’s easier to see the reasoning behind the change. 

Why did the FCA propose the re-authentication rule?

Strong Customer Authentication was never intended to slow the use and adoption of open banking technology. Inadvertently, this is precisely what happened. Realising that along the way, the governing body saw several reasons to proceed to meaningful changes: 

  • remove barriers to continued growth, innovation, and competition
  • make the industry more resilient and protect consumers if firms fail
  • provide further clarity for market players

Now that we have the thinking and reasoning behind it, let’s see what the new process consists of:

The process following the announcement:

  • To start using a financial super app, users need to give their consent, allowing the app to access and share their data
  • They are then redirected to their bank to give their consent using SCA
  • This allows the app to access user data for 90 days
  • Following the 90 days, users receive a notification to re-authenticate 
  • Instead of going through the entire process, users simply have to confirm access by selecting “yes” or “no”
  • Every 90 days, users repeat the same “yes” or “no” blueprint 

How does the new 90-day re-authentication rule affect users?

In the words of the FCA, “the requirement to re-apply SCA every 90 days has proven burdensome for customers, creating friction in the user experience and hindering the uptake of open banking services.” 

The exemption comes to the rescue of users creating a seamless user experience. We’ve discussed the importance of Customer Experience Guidelines  ad nauseam, but there’s a good reason for that - UX is the foundational piece in open banking’s mass adoption and overall success. 

The new 90-day re-authentication rule makes things simpler, easier, and effortless. It removes friction and barriers to use without compromising security. 

AISPs challenges

As you would expect, changes bring more solutions, but also challenges. Account Information Service Providers, also known as AISPs, need to adjust in terms of planning and execution. Here are some of the challenges faced by AISPs as a result of the amended rule: 

  • AISP and TTP harmonization: AISPs need to check in the banks’ transparency calendars in order to seamlessly prepare themselves accordingly. That will have a domino effect as TPPs can use “lastConfirmedAt” and “reconfirmBy” fields to set up the right workflow. 
  • Technical changes: We’ve referenced the importance of user experience earlier in the article and this falls right in line. AISPs will need to consider how they will display the request for consent aiming to find the balance between enhancing and obstructing the user experience. 
  • Clear and concise communication: AISPs need to put a lot of effort into  communicating these changes to their customers. They need to urge them to consent and inform them on what could happen if they don’t re-authenticate. 

What does this mean for open banking? 

The rule change is a clear step towards open banking mass-adoption. FCA is ironing out the speed bumps in user experience, helping individuals and businesses alike to handle consent in the best way possible. This is one piece of the puzzle in the evolution of security within the open banking space. 

The European Commission recently ordered a targeted consultation on the open finance framework and data sharing in the financial sector. Couple that with the targeted consultation on the review of the revised payment services Directive (PSD2) and what you have are clear signs of the PSD3 coming sooner rather than later. 

Recommended articles