90 days AIS consent changes
These changes apply to the UK only.
In the UK, regulations have changed for how users provide consent to Account Information Service Providers (AISPs) in order to access their data.
The FCA announced in November 2021 that users are no longer required to re-authenticate every 90 days via Strong Customer Authentication (SCA) with their bank when sharing their account data with AISPs. Instead, the user needs to reconfirm their consent to have their data accessed with the AISP.
Authentication is still required when providing access to a user’s data for the first time.
What is the impact of this change?
All regulated AISPs are now responsible for obtaining reconfirmation of consent from their customers every 90 days for continued access to their data.
If you are a regulated AISP (you are operating under your own licence), the reconfirmation of your users' consent needs to be captured as part of your user management. The consent doesn't need to be provided via SCA but it does need to be explicit. For example, a user selects a checkbox to confirm consent. You may want to use Yapily's consent object fields to manage user consents.
If you are a Yapily Connect customer, Yapily is required to confirm and record the reconfirmation of consent from your users before granting you access to their data. Yapily has implemented a new ‘Reconfirmation of Consent’ API endpoint to allow for this requirement.
What actions do you need to take?
User reconfirms consent
When the reconfirmation from the user has been received, you must call the extend consent endpoint to reconfirm the consent with Yapily. Yapily will capture the date and time of the reconfirmation and you will be able to access the user data for a further 90 days.
User retracts consent
If the user explicitly opt-outs of the consent at reconfirmation, we strongly recommend you call the delete consent endpoint to delete the user's consent. Any access the user's data in the future, will then require the user to submit consent again.
User takes no action
If the user doesn't reconfirm or decline the consent, then after 90 days Yapily will prevent further access to their data until the user takes an action. If you try to access user data, you will receive an error prompting you to get reconfirmation or re-authentication from the user.
If you later receive reconfirmation from the user, access to the user's data can be resumed from this date after you have confirmed to Yapily via the extend consent endpoint.
If the user later declines the consent, you should call the delete consent endpoint to delete the user's consent.
When is re-authentication required?
UK banks will likely release these changes at different times. If the reconfirmation change has not been implemented yet, re-authentication from the user is still required every 90 days.
There may also be circumstances where the bank requires re-authentication to take place, which is at the discretion of the bank, even if they have implemented the reconfirmation change.
The target for widespread adoption of this change is September 30th 2022. However, banks will likely implement it at different times and so where a bank does not support the new change, re-authentication will still be required every 90 days. Yapily is working with the banks to understand their readiness and thereby ensuring that the customer end-to-end experience is as seamless as possible whether they are going through the reconfirmation or re-authentication journey.
If you have any questions or require more information please contact your Customer Success Manager.