How to make re-authentication better: our response to the FCA’s consultation

In the UK, the requirement for 90-day reauthentication has been controversial and debated since it was first introduced in 2018. The current 90-day re-authentication requirement creates an unnecessary barrier to improving competition between traditional banking products and those offered through the open banking ecosystem. Since then, the open banking ecosystem has advocated for a bigger role for third party providers (TPPs).

After our extensive engagement with the FCA on this issue, the FCA recognised the harm caused by 90-day reauthentication and is now proposing entrusting TPPs with this responsibility. With this consultation the FCA recognises that reauthentication is in fact the consumer re-consenting with the TPP to continue using their services, rather than re-authenticating their identity with the ASPSP. For more on this critical distinction see our earlier blog Misconceptions of authentication and authorisation.

Under the new exemption, TPPs would be responsible for collecting consumers' re-consent every 90 days and Account Servicing Payment Service Providers (ASPSPs) will no longer have a role in the TPPs ongoing customer relationship.

In our response to the FCA, we proposed two models for making reconsent work for TPPs and the consumers they serve. We also brought together a group of fintech companies to submit a coalition letter highlighting the importance of giving TPPs the responsibility of owning re-consent.

Why This Matters

Plaid is committed to providing the best open banking consumer experience and this change is essential to achieving that goal. The quality of that consumer experience is often one of the key selling points that a fintech uses to distinguish themselves from their competition and bring on new customers. So why allow a company--one that doesn’t have the same consumer experience principles,or even quality, and may even be a competitor--to be in charge of whether the consumer agrees to keep using your service? A consistent and reliable experience in authorizing data access means more people are equipped with access to their financial data for the long term. This in turn incentivises ecosystem participants to compete to develop innovative data-driven, consumer-centric services that help people and businesses better manage their financial lives. However, those long, stable, and trust-based relationships require the recognition that obtaining re-consent is a relationship strictly between the consumer and the TPP - and should therefore be owned by the TPP.

What’s next

We cannot leave it at just that– the industry needs more guidance on how to collect consumers’ re-consent. Current regulations make it impossible for consumers to reauthenticate with all of their ASPSPs and TPPs in one smooth journey. Instead, the regulations are based on an assumption that consumers have one bank account connected to one TPP and that the relationship is linear and separate. In practice, this means that people have to reauthenticate with every single ASPSP every 90 days in order to continue to benefit from open banking which ultimately leads to consumer attrition.

As the open banking ecosystem continues to grow and consumers increasingly rely on TPPs for their everyday banking needs, this linear approach will only cause more undue friction.

Instead we need to take a network approach, where consumers manage their consents across the ecosystem in one place. Cue our two models. Both would meet regulatory requirements. However, one supports direct linear relationships while the other supports network relationships - check out Annex 3 of our response for the user experience. Given the current challenges, we are advocating for the FCA to provide guidance that states for a direct (linear) relationship, a solution like Plaid Link is acceptable while if the relationship relies on a network, a solution like Plaid Portal is acceptable.

Both of these models roll up into our broader view of what the future of financial services looks like: consumers at the centre, free to take their data with them to any provider that meets their needs. In order to achieve this view, the FCA and TPPs should work together to ensure the re-consent journey meets the security and convenience needs of consumers, and supports the wider development and promotion of the open banking ecosystem.