90 Day Consent Changes

The FCA is making a change to Article 10 of the UK-RTS concerning access to account data by Account Information Service Providers (AISPs).

Today, a customer must perform Strong Customer Authentication (SCA) at their bank every 90 days in order to allow Third Party Payment Service Providers (TPPs) to gain continued access to their account data. If the customer does not complete the SCA step, the consent expires and the TPP can no longer access data.

The RTS change means that customers will no longer need to re-authenticate with an SCA step at their bank every 90 days; instead, they can reconfirm their consent directly with their AISP.

As now, customers will continue to be able to determine the expiration date of their consent, and that will be honoured by the Account Servicing Payment Service Provider (ASPSP). This behaviour is unchanged by this new regulation.

We know that TPPs registered as Account Information Service Providers (AISPs) will want to adopt this practice and will need to implement changes to their customer experience. Instead of directing customers to perform SCA at their bank every 90 days, they can ask customers to "reconfirm" their permission with the TPP within the same time frame.

This reconfirmation step could simply be a case of the TPP presenting the customer with appropriate wording and a check box; if the customer ticks the check box, their reconfirmation is recorded. If a TPP does not gather the customer's reconfirmation of consent on or before the day the 90 days are up, it must refrain from accessing the customer's account data.

Warning: The consent will remain active regardless of whether a TPP performs this reconfirmation step.

The TPP can commence data access again as soon as the customer reconfirms their consent, and the reconfirmation lasts for another 90 days from the date on which the customer gave it.

There are two rules relating to "90 days" that are quite separate.

  • Accessing 90 days' worth of historical data: the TPP's reconfirmation is enough
  • Accessing more than 90 days' worth of historical data: reauthorisation (SCA) is required at the ASPSP

TPPs may decide to gather reconfirmation in an opportunistic way earlier than 90 days, and may prefer to synchronise the reconfirmation across multiple accounts to improve the customer experience.

The OBIE standard is issued on the 25th of March. However, it is likely that ASPSPs will not implement this change immediately when the standard comes into effect on the 26th of March. They are encouraged to adopt it promptly, but adoption is not mandatory, so TPPs may need to cope with the scenario where some ASPSPs have adopted the changes ahead of others.
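The reconfirmation window and the mixed-adoption scenario described above can be enforced with a TPP-side gate that runs before every account-data call; this is an added example, not code from the original page or from any standard. The record fields, the decision names and the per-ASPSP `aspsp_adopted_change` flag are assumptions, and the separate rule for more than 90 days' worth of historical data is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

WINDOW = timedelta(days=90)


class Decision(Enum):
    ALLOW = "allow"
    RECONFIRM_WITH_CUSTOMER = "reconfirm_with_customer"  # TPP-side wording + check box
    SCA_AT_ASPSP = "sca_at_aspsp"                        # redirect the customer to the bank
    CONSENT_EXPIRED = "consent_expired"                  # customer-chosen expiry reached


@dataclass(frozen=True)
class ConsentRecord:
    # Hypothetical TPP-side record; field names are assumptions.
    last_sca_at: datetime                    # last SCA completed at the ASPSP
    last_reconfirmed_at: Optional[datetime]  # last reconfirmation captured by the TPP
    expires_at: Optional[datetime]           # expiry chosen by the customer, if any
    aspsp_adopted_change: bool               # False: ASPSP still enforces 90-day SCA


def access_decision(consent: ConsentRecord, now: datetime) -> Decision:
    """Decide whether the TPP may call the account-data APIs at `now`."""
    # The customer-chosen expiry is honoured by the ASPSP and is unchanged.
    if consent.expires_at is not None and now >= consent.expires_at:
        return Decision.CONSENT_EXPIRED

    if not consent.aspsp_adopted_change:
        # Pre-change behaviour: only SCA at the bank restarts the 90 days,
        # so a TPP-side reconfirmation is ignored for this ASPSP.
        if now - consent.last_sca_at <= WINDOW:
            return Decision.ALLOW
        return Decision.SCA_AT_ASPSP

    # Post-change: the 90 days run from the latest SCA or reconfirmation.
    anchor = consent.last_sca_at
    if consent.last_reconfirmed_at and consent.last_reconfirmed_at > anchor:
        anchor = consent.last_reconfirmed_at
    if now - anchor <= WINDOW:
        return Decision.ALLOW
    # The consent is still active at the ASPSP, but the TPP must refrain
    # from access until the customer reconfirms.
    return Decision.RECONFIRM_WITH_CUSTOMER
```

Recording `RECONFIRM_WITH_CUSTOMER` outcomes alongside any data calls made for the same consent gives an audit trail showing that access stopped once the window lapsed.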