Fintech firms will no longer need to re-authenticate customers every ninety days for continued access to bank account data, but they will need to prove customer consent, under modifications to Open Banking rules spelled out by the Financial Conduct Authority.
Currently, customers who access account information through a Third-Party Provider (TPP) must authenticate via Strong Customer Authentication (SCA) when they access their data for the first time.
Under the current rules, reauthentication is required every 90 days thereafter, a process which results in confusion for customers and high drop-out rates.
The FCA says that one trade association reported that TPPs are experiencing customer attrition rates of around 20-40% at the 90-day mark when SCA is required.
The abolition of the 90-day rule will be a relief to TPPs, although they will still need to obtain customer consent every three months in order to continue supplying services.
States the FCA: "We consider that these measures are proportionate, taking into account the level of risk. They balance the need to protect consumers from TPP access without explicit consent, and unwittingly sharing data, with reducing friction for customers."
The move has been welcomed by Open Banking proponents. Jack Wilson, head of public policy at TrueLayer, says: "While the ‘90-day’ rule was introduced with good intentions it was causing some significant issues for open banking-based services. Now there will be no need for customers to jump through the credential sharing hoops with each of their connected banks every 90 days. Instead, it will be for the AISP, such as TrueLayer, to manage the customer’s data sharing, by asking the customer at 90-day intervals whether they wish for data sharing to continue. This strikes a balance between continued access with the important right for consumers to withdraw their consent at any point in time."
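The consent lifecycle described above (an AISP keeps access only while the customer has reconfirmed consent within the last 90 days, the customer can withdraw at any moment, and the TPP must be able to prove consent was given) is the kind of check a TPP's data-access layer has to enforce. The following is an added illustration, not code from the FCA, TrueLayer or any Open Banking implementation; the class and function names, the 7-day reminder window and the sample timestamps are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# The 90-day reconfirmation interval comes from the rules discussed above.
CONSENT_VALIDITY = timedelta(days=90)
# How long before expiry the AISP should start asking the customer to reconfirm
# (an assumed operational choice, not a regulatory figure).
REMINDER_WINDOW = timedelta(days=7)


@dataclass
class ConsentRecord:
    """One customer's consent for an AISP to read one account provider's data."""
    customer_id: str
    account_provider: str
    granted_at: datetime
    last_confirmed_at: datetime
    withdrawn_at: Optional[datetime] = None
    # Append-only audit trail: this is the evidence that consent was obtained,
    # reconfirmed or withdrawn, and when.
    events: list = field(default_factory=list)

    def _log(self, kind: str, at: datetime) -> None:
        self.events.append({"event": kind, "at": at.isoformat()})

    def reconfirm(self, at: datetime) -> None:
        """Customer answered 'yes' to the periodic 'keep sharing?' prompt."""
        if self.withdrawn_at is not None:
            # A withdrawn consent cannot be silently revived; a fresh grant is needed.
            raise ValueError("consent was withdrawn; a new grant is required")
        self.last_confirmed_at = at
        self._log("reconfirmed", at)

    def withdraw(self, at: datetime) -> None:
        """Customer exercised the right to stop sharing at any time."""
        self.withdrawn_at = at
        self._log("withdrawn", at)

    def expires_at(self) -> datetime:
        return self.last_confirmed_at + CONSENT_VALIDITY

    def access_permitted(self, now: datetime) -> bool:
        """True only while consent is unwithdrawn and reconfirmed within 90 days.

        Access stops at exactly 90 days after the last confirmation (strict <).
        """
        if self.withdrawn_at is not None and now >= self.withdrawn_at:
            return False
        return now < self.expires_at()

    def reconfirmation_due(self, now: datetime) -> bool:
        """Should the AISP prompt the customer now? (within the reminder window)"""
        if self.withdrawn_at is not None:
            return False
        return now >= self.expires_at() - REMINDER_WINDOW


def grant_consent(customer_id: str, account_provider: str, at: datetime) -> ConsentRecord:
    """Create a consent record at the moment the customer first authorises access."""
    record = ConsentRecord(customer_id, account_provider, granted_at=at, last_confirmed_at=at)
    record._log("granted", at)
    return record


def fetch_account_data(record: ConsentRecord, now: datetime) -> dict:
    """Gate every data pull on the consent check; refuse rather than fetch stale access."""
    if not record.access_permitted(now):
        raise PermissionError(
            f"no valid consent for {record.customer_id}@{record.account_provider} at {now.isoformat()}"
        )
    # Constructed placeholder for the account information an AISP would retrieve.
    return {"customer_id": record.customer_id, "provider": record.account_provider, "balance": "<redacted>"}


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample timestamp
    consent = grant_consent("cust-1", "examplebank", t0)
    print(fetch_account_data(consent, t0 + timedelta(days=30)))
    print("reminder due at day 85:", consent.reconfirmation_due(t0 + timedelta(days=85)))
    try:
        fetch_account_data(consent, t0 + timedelta(days=90))
    except PermissionError as exc:
        print("blocked:", exc)
```

The key design point is that data access is gated on the consent record rather than on whether a bank session still works: the AISP, not the bank's SCA challenge, is now what stops stale access, so the expiry check and the audit trail are the controls a reviewer would look for.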
Another barrier to Open Banking growth identified in the review entails the use of existing customer interfaces (or modified customer interfaces, MCIs), like online banking platforms, that are not specifically designed for TPPs to access customer account information.
Many TPPs have claimed operational difficulty when accessing customers’ payment accounts via MCIs, discouraging them from serving customers whose account providers enable access through MCIs.
The FCA has proposed mandating the use of dedicated interfaces for TPP access to certain consumer and SME customers’ payment accounts and given firms an 18-month runway to make the necessary changes.
Says the watchdog: "We wouldn’t consider an interface that requires a TPP to access the information through a screen (known as ‘screen scraping’) to be a dedicated interface. In setting the scope of this requirement, we have taken into account where we believe there is a reasonable prospect of TPP demand. This includes personal payment accounts within the scope of the Payment Account Regulations 2015 (PARs), equivalent payment accounts held by SMEs, and consumers’ and SMEs’ credit card accounts."