June 29, 2022
A more seamless way to reauthenticate in the UK is coming
Ishan Vaid
Updated on September 09, 2022
The Financial Conduct Authority (FCA) has changed the 90-day reauthentication rules in the UK to improve the experience for end users. Here, we break down what this rule change means, what its impact will be, and how Plaid is supporting its customers to use the rule change. Plaid will automatically apply the changes by 30th September and customers will not be required to make any changes to their integration.
What are the changes?
When connecting a new bank account to a fintech app/service via open banking, end users must provide their explicit consent and complete Strong Customer Authentication (SCA) in their banking app/portal. That consent lasts for 90 days, after which an end user must reauthenticate (with their bank) if they want to continue benefiting from open banking.
With the new re-authentication changes, end users will still need to provide their explicit consent and complete SCA with their bank when they connect a bank account for the first time. Now, however, rather than re-authenticating with the bank, end users will only need to re-consent with the Third Party Provider (TPP), e.g. Plaid. The FCA’s reform to this process makes TPPs, like Plaid, responsible for user data sharing, removing the need for a cumbersome process between the end user, the TPP, and the bank. This means users will experience less friction while retaining control over how they share data with multiple apps and services. Below is a mock-up of the new re-authentication journey within the Plaid experience.
When are the changes effective?
30th September 2022 is the FCA deadline to implement these changes. At a high level, banks are encouraged by the FCA to authenticate end users only when a bank account is first connected. The renewal of an end user’s consent every 90 days should be handled by TPPs like Plaid.
Which countries are impacted by these changes?
The changes only apply to TPPs and banks in the UK, regulated by the FCA. There is an upcoming change in Europe, where the current 90-day consent period is being extended to 180 days, but there will be no change to the end user experience, as users will continue re-authenticating directly with their bank. The deadline for the changes in Europe is yet to be announced.
What is Plaid doing?
Plaid is on track to implement the UK re-authentication changes allowing sufficient time before the FCA’s September 30th deadline. We have been actively engaged with the Open Banking Implementation Entity (OBIE) and worked alongside various UK banks to design and build the best experience for our customers and their users.
To learn more about how Plaid authenticates users, you can read our OAuth whitepaper.
Additional FAQs:
1. Will Plaid customers in the UK be required to make any changes to their Plaid integration?
No, Plaid customers will not be required to make any updates to implement the new 90-day re-authentication changes.
2. Do these changes impact Plaid customers outside the UK?
No, they don’t. The above changes only apply to AISPs and banks in the UK, regulated by the FCA.
3. Will there be a similar change in Europe?
There is an upcoming change in Europe, where the current 90-day consent period is being extended to 180 days, but consumers will still need to re-authenticate directly with their bank. The deadline for this change is yet to be announced.
4. What does the new re-authentication experience look like?
The only difference from the existing experience is that users are not required to authenticate with their bank to renew access to their accounts; instead, they will simply re-confirm with Plaid.
5. Technically, how does this work under the hood?
Banks will generate long-lived tokens without any expiry date the first time the customer connects their accounts via Plaid. However, Plaid will continue to track the 90-day expiration of the consent and, 7 days before the expiration, send a notification to the customer asking them to re-confirm their consent by starting Plaid Link in Update Mode. Once started, Plaid Link will ask the user to re-confirm the list of accounts that Plaid wants to continue having access to. After confirmation, the expiration date will be extended by another 90 days. If the consent expires, Plaid will send another notification to the customer but will also stop accessing user data until they reconfirm consent.
6. Can the tokens generated prior to the 30th September be considered long-lived tokens, or only those generated after the 30th September?
This depends on the bank. For example, NatWest will apply it retroactively, so yes, all tokens created before Sep 30th will continue working. On the other hand, Nationwide will require a final reauthentication, after which tokens will remain valid.
7. What if Plaid rolled out the changes but some banks still provide existing tokens that continue to expire in 90 days?
Plaid looks for instructions within the bank token. An expired bank token would mean the user gets the existing experience of re-authenticating with their bank to renew consent and continue sharing data with clients. However, Plaid will roll out the changes on a per-bank basis, so the new reconfirmation flow will only be used with banks that have explicitly stated they are ready.
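The consent lifecycle described in questions 5 and 7, as an added illustration that is not Plaid's own code: the TPP tracks a 90-day consent clock independently of the bank token, prompts 7 days before expiry, renews on re-confirmation in Update Mode, and falls back to bank re-authentication when the token is a legacy expiring one or the bank is not yet enabled. The bank names, the rollout set and the choice that the renewed 90 days run from the confirmation time are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

CONSENT_PERIOD = timedelta(days=90)  # consent clock the TPP keeps tracking
NOTIFY_BEFORE = timedelta(days=7)    # customer is notified this long before expiry

# Constructed, hypothetical rollout flag: banks for which the TPP has enabled
# the new reconfirmation flow (illustrative names, not a real bank list).
RECONFIRM_ENABLED = {"example-bank-a"}

# Constructed reference time used by the demo scenario below.
T0 = datetime(2022, 10, 1, tzinfo=timezone.utc)


def days(n: int) -> timedelta:
    return timedelta(days=n)


@dataclass(frozen=True)
class Consent:
    bank: str
    token_expires_at: Optional[datetime]  # None = long-lived bank token, no expiry
    consent_expires_at: datetime          # 90-day consent expiry tracked by the TPP


def new_consent(bank: str, token_expires_at: Optional[datetime], now: datetime) -> Consent:
    """First connection: SCA happens at the bank; the 90-day consent clock starts."""
    return Consent(bank, token_expires_at, now + CONSENT_PERIOD)


def next_action(c: Consent, now: datetime) -> str:
    """Classify the consent state at `now`; an expired bank token wins over everything."""
    if c.token_expires_at is not None and c.token_expires_at <= now:
        return "bank_reauth"         # legacy token expired: existing journey via the bank
    if c.consent_expires_at <= now:
        return "consent_expired"     # notify again and stop accessing user data
    if c.consent_expires_at - now <= NOTIFY_BEFORE:
        return "notify_reconfirm"    # within 7 days: prompt Link in Update Mode
    return "access_ok"


def data_access_allowed(c: Consent, now: datetime) -> bool:
    return next_action(c, now) in ("access_ok", "notify_reconfirm")


def reconfirm(c: Consent, now: datetime, confirmed: bool):
    """User re-confirms the account list in Link Update Mode (no bank SCA).
    Only valid for a long-lived token at an enabled bank; otherwise the user
    must re-authenticate with the bank as before."""
    if not confirmed:
        return c, "declined"
    if c.bank not in RECONFIRM_ENABLED or c.token_expires_at is not None:
        return c, "bank_reauth"
    # Assumption: the renewed 90 days run from the confirmation time.
    return replace(c, consent_expires_at=now + CONSENT_PERIOD), "renewed"
```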
8. Have any of the UK banks rolled out the changes yet? What’s the impact to users if Plaid is yet to roll out the changes?
Plaid tracks notifications from banks, and different banks have different rollout dates, taking into account the FCA’s deadline of September 30th. For banks that have already rolled out long-lived tokens but for which Plaid has not yet enabled the new flow, the existing re-authentication experience remains. Approximate launch dates (subject to change):
2022-07-23 Santander
2022-08-22 NatWest International, Ulster Bank
2022-09-01 Starling
2022-09-07 Royal Bank of Scotland
2022-09-08 NatWest
2022-09-22 HSBC Personal, HSBC Business, HSBC Kinetic, First Direct, M&S Bank
2022-09-20 Nationwide
2022-09-27 Barclays
2022-09-30 Lloyds
9. Are there any exceptions?
Generally, there are no exceptions to the new consent re-confirmation process. However, purely based on a bank’s internal criteria, users may be required to re-authenticate their consent with the bank at certain times.