June 29, 2022
90-day reauthentication in the UK and Europe - are you ready?
The Financial Conduct Authority (FCA) has changed the 90-day reauthentication rules. Here, we break down what this rule change means, what its impact will be, and how Plaid is supporting its customers to use the rule change to improve their experience without creating additional work.
What are the changes?
Today, when connecting a new Account Information Service Provider (AISP) to their account, a consumer must provide their explicit consent and complete Strong Customer Authentication (SCA) with their bank. That explicit consent lasts for 90 days. On day 90, the consumer must reauthenticate with their bank if they want to continue benefiting from open banking.
Starting in September, consumers will still need to provide their explicit consent and complete SCA with their bank when they connect a new AISP. However, on day 90, rather than re-authenticating with the bank, they will only need to re-consent with the Third Party Provider (TPP). The FCA’s proposed reform to this process will see AISPs, like Plaid, made responsible for consumer data sharing, removing the need for a cumbersome process between the consumer, the AISP, and the bank. This means consumers will experience less friction while retaining control over how they share data with multiple apps and services.
Which countries are impacted by these changes?
The changes only apply to AISPs and banks in the UK, regulated by the FCA. There is an upcoming change (Nov 2022) in Europe, where the current 90-day consent period is being extended to 180 days, but consumers will still need to re-authenticate directly with their bank.
When are the changes effective?
30th September 2022 is the FCA deadline to implement these changes for both banks and AISPs. While some banks have started implementing how they will handle these changes, others are still discussing it. At a high level, banks are encouraged by the FCA to only authenticate consumers for the first time when they give an AISP access to their account data. The renewal of a consumer’s consent every 90 days should be done by AISPs like Plaid, and re-authentication should only be done in case of exceptions (like fraud prevention).
What is Plaid doing?
Plaid is actively engaged with the Open Banking Implementation Entity (OBIE) and working alongside various UK banks to design and build a solution that works best for our clients and their users. While we are working to ensure no additional work for our new and existing customers, we are still awaiting bank updates to finalise our designs and API changes. We plan to roll out the changes in Q3, allowing sufficient time before the FCA September deadline.
Plaid will continue to update customers on key developments. To learn more, please download our OAuth whitepaper.