From March 26, 2022, UK banks will be encouraged to only use strong customer authentication for the first access request from an account information service provider, the Financial Conduct Authority (FCA) has said.
From the end of March next year, responsibilities will shift, with the onus now being on account information service providers (AISPs) to manage customer data sharing.
AISPs will be required to start sending consent confirmations out no later than July 26, 2022, subsequently asking the customer at 90-day intervals whether they wish for data sharing to continue.
Rather than a bank, it will instead now be the fintech that will reconfirm the consumer's consent to continue to access account data.
Although this will be carried out at least every 90 days, strong customer authentication (SCA) is not a requirement.
The FCA has also announced the following changes:
- It will require certain account servicing payment service providers (ASPSPs) to provide dedicated interfaces to enable third-party providers (TPP) access to customer account information for retail and small and medium-sized enterprise payment accounts.
- Requirements will be amended on providing interface technical specifications, testing interfaces and fallback interfaces by ASPSPs intended to let ASPSPs innovate and launch products and services more quickly.
- ASPSPs authorised under the post-Brexit Temporary Permissions Regime (TPR) will be allowed to rely in the UK on an exemption from setting up a fallback interface that was granted by a competent authority located in the EU.
The news from the FCA is welcome, said Jack Wilson, head of policy at TrueLayer.
“While the 90-day rule was introduced with good intentions, it was causing some significant issues for open banking-based services,” he continued.
But now, there will be no need for customers to jump through the credential sharing hoops with each of their connected banks every 90 days, Wilson pointed out.
“This strikes a balance between continued access with the important right for consumers to withdraw their consent at any point in time,” he said.
For Jens Olsson, payments expert at Trustly, the change is important for the UK’s uptake of open banking.
“The requirement to re-authenticate has been called out by the fintech community as one of the biggest problems, specifically by AISPs that experience losses and dropouts for each and every re-authentication as it entails friction for the consumer,” Olsson complained.
Introducing this change, which is in the consumer’s best interest, reduces friction and complexity for the fintech, he said.
There is now renewed optimism in the UK about the state of open banking. “Hopefully, this will improve the situation for TPPs,” said Jan Van Vonno, research director at Tink.
Yet, not everyone will be pleased, he suggested. “I can imagine some smaller banks being disappointed, especially by the mandatory requirement for dedicated interfaces.”
“All major UK banks apply the exemption to allow TPPs to retrieve account information four times per day when the payment service user is not present,” said Van Vonno.
“Hopefully, the 90-day re-consent does not create any new problems and improves the situation for TPPs significantly.”
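The access rules described in this article (bank-side SCA only on the first AISP access, AISP-managed reconfirmation of consent at 90-day intervals without SCA, the consumer's right to withdraw at any time, and the exemption quoted above that lets a TPP retrieve account information four times per day when the user is not present) can be encoded as a small policy check. The following is an added illustration written for this page, not code from the FCA, TrueLayer, Trustly or Tink; the `Consent` record, the function names and the sample dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy constants taken from the article: reconfirmation at 90-day intervals,
# and the exemption allowing four unattended retrievals per day.
RECONFIRM_INTERVAL = timedelta(days=90)
UNATTENDED_DAILY_LIMIT = 4


@dataclass
class Consent:
    """Hypothetical per-customer consent record held by an AISP."""
    customer_id: str
    sca_completed_at: Optional[datetime] = None   # set when the bank ran SCA on first access
    last_confirmed_at: Optional[datetime] = None  # first SCA, then each AISP reconfirmation
    withdrawn: bool = False
    unattended_log: List[datetime] = field(default_factory=list)


def authorise_first_access(consent: Consent, sca_at: datetime) -> None:
    """Record that the bank performed SCA on the customer's first access."""
    consent.sca_completed_at = sca_at
    consent.last_confirmed_at = sca_at


def reconfirm(consent: Consent, at: datetime) -> None:
    """AISP-side reconfirmation: the customer says yes again; no SCA is required."""
    if consent.withdrawn:
        raise ValueError("cannot reconfirm a withdrawn consent")
    consent.last_confirmed_at = at


def withdraw(consent: Consent) -> None:
    """Customer withdraws consent; all further access is refused."""
    consent.withdrawn = True


def reconfirmation_due(consent: Consent, now: datetime) -> bool:
    """True once 90 days have passed since the last confirmation."""
    if consent.last_confirmed_at is None:
        return True
    return now - consent.last_confirmed_at > RECONFIRM_INTERVAL


def check_access(consent: Consent, now: datetime, user_present: bool) -> Tuple[bool, str]:
    """Decide whether one account-information retrieval may proceed.

    Returns (allowed, reason). Unattended calls are counted against the
    per-day limit only when they are actually allowed.
    """
    if consent.withdrawn:
        return False, "consent withdrawn"
    if consent.sca_completed_at is None:
        return False, "first access requires SCA at the bank"
    if reconfirmation_due(consent, now):
        return False, "90-day reconfirmation overdue"
    if not user_present:
        used_today = sum(1 for t in consent.unattended_log if t.date() == now.date())
        if used_today >= UNATTENDED_DAILY_LIMIT:
            return False, "unattended daily limit reached"
        consent.unattended_log.append(now)
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through with assumed dates.
    c = Consent("customer-1")
    print(check_access(c, datetime(2022, 4, 1), True))   # denied: no SCA yet
    authorise_first_access(c, datetime(2022, 4, 1))
    print(check_access(c, datetime(2022, 4, 11), True))  # allowed
    print(check_access(c, datetime(2022, 7, 1), True))   # denied: day 91
    reconfirm(c, datetime(2022, 6, 28))
    print(check_access(c, datetime(2022, 7, 1), True))   # allowed again
```

The check deliberately separates the bank's one-off SCA from the AISP's rolling reconfirmation, which is the shift the article describes: after March 2022 the fintech, not the bank, owns the 90-day cycle.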
EU takes similar path
The UK is not alone in trying to smooth the edges when it comes to SCA.
The European Banking Authority (EBA) recently proposed a mandatory exemption to the regulatory technical standards Article 10 when access happens through an AISP, and is looking to extend the 90-day re-authentication requirement to 180 days.
However, the response to this has been lukewarm, according to EBA payments chief Dirk Haubrich, who even suggested that maybe the industry would be happier if the status quo was maintained.
“Much points to the fact that the EU will still have re-authentication, but the time limit is likely to be extended from the current 90 days,” cautioned Olsson.