Everything you need to know about 90-day reauthentication changes

Written by Yapily · September 21st, 2022

Since PSD2 was introduced in 2018, if users wanted to access their data via open banking, they had to provide their consent to every service provider, for each of their connected bank accounts, every 90 days through Strong Customer Authentication (SCA).

While great for security, this requirement to repeatedly provide 2+ security credentials created friction between users and service providers and, as a result, has stunted adoption of open banking services.

But, in November 2021, the UK Financial Conduct Authority (FCA) amended the 90-day rule.

What exactly is changing?

Instead of forcing users to provide 2+ security credentials to every service provider, for every connected bank account, every 90 days, they only need to authenticate via SCA the very first time. After that, they just need to re-confirm their consent every 90 days. A simple “yes” or “no” is all that’s required.

How does this affect Account Information Service Providers?

For all of this to work, banks have to issue long-lived tokens without an expiry date. This enables Account Information Service Providers (AISPs) to request data from banks without the need for re-authentication.

The FCA’s deadline for implementing these changes is fast-approaching, with UK banks being encouraged to offer users the option to re-confirm their consent (and, in doing so, issue long-lived tokens) by September 30, 2022. From there, the responsibility of renewing confirmation sits with UK AISPs.

Things for AISPs to consider:

  • Coordination: The Open Banking Implementation Entity (OBIE) has been urging banks to update their transparency calendar, detailing their progress on implementation to allow AISPs to prepare themselves accordingly. Technical teams especially should be paying close attention to this calendar to ensure they can effectively roll out new processes on a per-bank basis. From there, TPPs can make use of the “lastConfirmedAt” and “reconfirmBy” fields to identify customers who need to reconfirm, and trigger the appropriate notification and workflow.
  • Technical complexity: The devil’s in the detail, as they say. At a high-level, we know banks need to issue long lived tokens to facilitate these changes. But AISPs will need to dig a bit deeper and understand whether or not they can swap out existing 90-day tokens without requiring their customers to reauthenticate. User experience, and how AISPs will actually display the request for consent, should also be top of mind for product teams.
  • Communicating with customers: It’s essential AISPs clearly communicate how these changes will impact user experience for their customers, and what could happen if the user doesn’t re-confirm consent. The earlier AISPs make customers aware, the better. Note: it’s essential all customer comms are written in plain English, and are consistently reiterated to drive awareness and understanding.
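As an added example (not Yapily’s or the OBIE’s code), a small Python scheduler that uses the lastConfirmedAt and reconfirmBy fields above to sort consents into those still active, those due for a yes/no reconfirmation prompt, and those that have lapsed and need a fresh SCA journey at the bank; the 7-day lead time, the fallback used when a bank has not yet supplied reconfirmBy, and the record shape are assumptions.

```python
"""Identify open-banking consents due for 90-day reconfirmation.
Constructed example, not Yapily's code. Assumes consent records carry the
"lastConfirmedAt" and "reconfirmBy" fields from the post as ISO-8601 UTC
strings; the 7-day notification lead time is an assumption.
"""
from datetime import datetime, timedelta

RECONFIRM_PERIOD = timedelta(days=90)   # the FCA 90-day period
NOTIFY_BEFORE = timedelta(days=7)       # assumed lead time for prompting the user


def _parse(ts):
    # Accept the trailing-'Z' form that fromisoformat() rejects before Python 3.11
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def consent_status(record, as_of):
    """Classify one consent relative to the ISO timestamp `as_of`.
    "active" - reconfirmation not yet due
    "due"    - inside the notification window: prompt the user for yes/no
    "lapsed" - reconfirmBy has passed: access is lost and a fresh SCA journey
               at the bank is needed before data can be fetched again
    """
    now = _parse(as_of)
    last = _parse(record["lastConfirmedAt"])
    # Assumption: if the bank has not supplied reconfirmBy, fall back to
    # lastConfirmedAt + 90 days rather than silently treating it as active.
    deadline = _parse(record["reconfirmBy"]) if record.get("reconfirmBy") else last + RECONFIRM_PERIOD
    if now > deadline:
        return "lapsed"
    if now >= deadline - NOTIFY_BEFORE:
        return "due"
    return "active"


def reconfirmation_worklist(records, as_of):
    """Group consent ids by the action the AISP has to take."""
    work = {"active": [], "due": [], "lapsed": []}
    for rec in records:
        work[consent_status(rec, as_of)].append(rec["consentId"])
    return work


# Constructed sample consents, not real customer data
SAMPLE_CONSENTS = [
    {"consentId": "c-001", "lastConfirmedAt": "2022-07-01T10:00:00Z", "reconfirmBy": "2022-09-29T10:00:00Z"},
    {"consentId": "c-002", "lastConfirmedAt": "2022-09-01T10:00:00Z", "reconfirmBy": "2022-11-30T10:00:00Z"},
    {"consentId": "c-003", "lastConfirmedAt": "2022-05-15T10:00:00Z", "reconfirmBy": "2022-08-13T10:00:00Z"},
    {"consentId": "c-004", "lastConfirmedAt": "2022-07-10T10:00:00Z"},  # bank has not sent reconfirmBy yet
]

if __name__ == "__main__":
    for status, ids in reconfirmation_worklist(SAMPLE_CONSENTS, "2022-09-25T00:00:00Z").items():
        print(f"{status}: {ids}")
```

Run as a daily job, the "due" list feeds the yes/no prompt and the "lapsed" list feeds the customer communication described above.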

Yapily has been actively engaging with the OBIE and continues to share updates and offer support to our customers to help them prepare for these changes and, in doing so, enhance their product offering and product adoption.

How does this affect consumers?

Great news! Because the amendment was introduced after the FCA acknowledged that “the requirement to re-apply SCA every 90 days has proven burdensome for customers, creating friction in the user experience, and hindering uptake of open banking services,” consumers should expect a more seamless user experience that will save them considerable time and effort, without compromising when it comes to security.

This will be particularly useful when using apps you engage with day-to-day, like wealth tech and accounting apps.

Here’s a breakdown of the process today, and how it will evolve starting at the end of September.

The process today:

  1. To start using a personal finance app like Emma, a consumer will first have to give their consent, allowing Emma to access and share their data
  2. The user is redirected to their bank, and authenticates using SCA
  3. This allows Emma to securely access the user’s data for 90 days
  4. After 90 days, Emma notifies the user that they need to re-authenticate
  5. The user is once again redirected to their bank and must, again, provide 2+ security credentials in line with SCA
  6. Access is renewed for another 90 days
  7. Rinse, Repeat

It’s important to remember that this process has to be repeated every 90 days, for every service provider. This compounds time like interest.

The new process:

  1. To start using a personal finance app like Emma, a consumer will first have to give their consent, allowing Emma to access and share their data
  2. The user is redirected to their bank, and authenticates using SCA
  3. This allows Emma to securely access the user’s data for 90 days
  4. After 90 days, Emma notifies the user that they need to give consent for continued access to their data
  5. Instead of being redirected to their bank, they’re simply prompted to confirm access by selecting “yes” or “no”
  6. Access is renewed for another 90 days
  7. Rinse, Repeat

While the change is overwhelmingly positive from a user experience perspective, especially for apps you use frequently, it’s important consumers keep an eye on apps they don’t engage with as often. Why? The service provider could lose access without you knowing.

This could be particularly problematic for apps that help you boost your credit score, for example. Without access to your data, the app can’t make recommendations or apply changes. This underscores the importance of communication between AISPs and their consumers, especially in the immediate wake of these changes.

To recap…

  • September 30, 2022 is the deadline for UK banks to offer users the option to reconfirm their consent instead of re-authenticating it every 90 days. From there, the responsibility of renewing confirmation sits with UK AISPs.
  • Instead of providing 2+ security credentials to every service provider, for every connected bank account, every 90 days, users will only need to authenticate via SCA the very first time. After that, they just need to re-confirm their consent every 90 days to the AISP. A simple “yes” or “no” is all that’s required.
  • This will create a more seamless user experience and, as a result, prevent drop-off and boost conversions for service providers.
  • Service providers need to pay close attention to the OBIE’s transparency calendar to ensure they can effectively roll out new processes on a per-bank basis, and need to clearly communicate the changes to their users.
  • Yapily has been actively engaging with the OBIE and continues to share updates and offer support to our customers to help them prepare for these changes and enhance their product offering and product adoption.

What are you going to build today?