February 25, 2021
Misconceptions of authentication and authorisation: why 90-day reauthentication does not work
Kat Cloud
Under PSD2, the concepts of access and consent are legally captured by authorisation and authentication; however, they only work as intended when the consumer first connects their payment account to a Third Party Provider (TPP) such as Plaid.
When a consumer first initiates a connection with a TPP, they are authorising the TPP to access, use and store their data. To do this, the consumer gives their explicit consent and then authenticates their identity with their chosen financial institution, which in turn grants the TPP access to their payment account. The TPP is then able to securely share that account information with the consumer’s chosen fintech provider.
One key issue with PSD2 is that it conflates authorisation and authentication in a way that interferes with the policy objectives and development of open banking. An example of this is the 90-day “reauthentication” requirement. The purpose of 90-day reauthentication is to ensure that consumers actively re-engage with the TPP and continue to consent to their data being shared by the TPP.
Reauthorisation takes place between the consumer and TPP, while reauthentication happens between the financial institution and the TPP, see the diagrams below. The way the 90-day reauthentication requirement is currently drafted means that financial institutions are involved to the detriment of consumers and the ecosystem.
However, all of this is about to change. The FCA’s latest consultation is proposing to remove the 90-day reauthentication requirement and replace it with 90-day reauthorisation.
This is a monumental win for TPPs: the industry accurately identified the misconceptions and challenges caused by 90-day reauthentication, and regulators have listened and reacted. We believe that everyone operating within the open banking ecosystem should read and respond to this consultation. Now is our chance to get our voices heard and contribute towards the final stages of open banking within the UK.
Plaid addresses these issues in detail within this report. If you would like to coordinate your response with Plaid, please contact our UK Policy Lead, Kat Cloud, at kcloud@plaid.com.