Explaining changes to the 90 day rule for open banking access
Open banking got started back in 2018 thanks to groundbreaking regulations (PSD2), that gave consumers the right to access their bank account data using third parties called account information services providers (AISPs).
But these same rules created a significant pain point for consumers: they needed to confirm access for every open banking service and with each of their connected banks, every 90 days, using strong customer authentication (providing two or more different security credentials).
The requirement has led many consumers, even those highly engaged, to stop using open banking. Many businesses report average ‘drop-off’ rates (the percentage of customers who abandon the open banking service when prompted to re-authenticate) of above 50%.
What is changing?
Thankfully in November 2021, the UK regulator, the FCA, stepped in to address the issue by changing the rules. Now, instead of a consumer having to provide their bank with credentials every 90 days (re-authentication), they only need to provide their AISP with reconfirmation that they consent to having their data accessed.
The change will remove significant friction in open banking journeys, encouraging consumers to adopt and stick with services ranging from credit score tools and affordability checks, to financial management and loyalty schemes.
In this blog, we discuss:
The status quo – what consumers have experienced to date.
The regulatory changes – what consumers in the UK should experience in the future once the new rules are implemented.
The implementation process and challenges – where we are with implementation of the new rules and the challenges facing AISPs.
1. Status quo
To date, when a consumer uses an account information service provider (AISP) to access their account data, the following happens:
The consumer consents to the AISP to allow them to access or share their data.
The consumer is redirected to their bank and strongly authenticates with their bank by providing credentials.
The AISP then has access to that data for 90-days.
There is then a legal requirement for the consumer’s bank to ‘re-authenticate’ the account access after 90 days. The process for this is:
The AISP lets the consumer know that access to the account data has expired.
The AISP redirects the consumer to their bank to re-authenticate.
Access to the data for the AISP is renewed by the bank.
Example: what does this look like in the real world?
A consumer connects their different bank accounts to a loyalty points scheme. The service has access to their transactions to spot when they shop at retailers that earn the consumer points, regardless of which bank account they pay from.
Before day 90, the consumer reconnects their accounts, redirecting to their bank’s app to authenticate. This is repeated once for every bank the consumer has connected to the loyalty points scheme. This takes 10 minutes of their time and reduces the convenience of using the service in the first place. If the consumer doesn’t provide credentials to their bank(s) at this point, the service is no longer connected to their data.
How does the status quo work technically?
When an AISP has obtained consent from a consumer, the AISP makes a call to the bank’s API and generates an access token and refresh token. Once issued by the bank, these tokens allows the AISP to request data from the bank without the consumer having to input credentials each time. These tokens are set to expire after 90 days. After 90 days, the consumer must input credentials with their bank in order for the AISP to obtain new access and refresh tokens.
2. Regulatory changes
From 26 March 2022, banks are strongly encouraged by the FCA to apply an exemption allowing them to authenticate only the first time a customer gives an AISP access to their account data.
The reason banks are only ‘strongly encouraged to apply an exemption’, rather than being required to, has to do with how the rules relating to authentication are written. As with the previous rules, which allowed re-authentication to be a requirement every 90 days rather than for every access request, the new rules are written as an exemption (Article 10) from authentication for the bank. In practice the UK banks previously chose to use this exemption across the board. The hope is they will also implement changes to use the new exemption (Article 10A), given the benefits for consumers.
What do the changes mean in practice?
Instead of banks re-authenticating, AISPs will be required to re-confirm consent with their customers. AISPs will need to have obtained the first re-confirmation by 26 July 2022, in order to be allowed to access account data after that date.
So, following the changes, when a consumer uses an account information service provider (AISP) to access their account data, the following will happen:
The consumer consents to the AISP to allow them to access/ share their data.
They are redirected to their bank and complete authentication with their bank by providing credentials.
The AISP then has access to that data for as long as the consumer wishes data access to continue.
After 90 days, the AISP must obtain re-confirmation of consent from the consumer:
If the re-confirmation is obtained, the AISP can continue to access data.
If the consumer asks for the data sharing to stop, the AISP must not access data (and access is revoked).
If the consumer doesn’t respond, the AISP must not access the data but can send prompts and upon reconfirmation of consent can continue accessing data.
Example: what will this look like in the real world?
A consumer connects their different bank accounts to a loyalty points scheme. The scheme has access to their transactions to spot when they shop at retailers that earn the consumer points, regardless which bank account they pay from.
Before day 90 the consumer is simply asked by the AISP whether they are happy to continue sharing data with the loyalty scheme. Consumers who have linked accounts from multiple banks will be able to reconfirm as many of these as they choose in a single screen. This takes less than 1 minute of their time and keeps the convenience of using the service in the first place. If the consumer doesn’t provide the ‘re-confirmation’ at this point, the service is no longer connected to their data.
How do the changes work technically?
(Note: the exact technical solutions for these changes are still being developed by banks and AISPs. This is our view on the likely technical approach).
When an AISP has obtained consent from a consumer, the AISP makes a call to the bank’s API and generates an access token and refresh token. Once issued by the bank, these tokens allow the AISP to request data from the bank without the consumer having to input credentials each time. These tokens do not have an expiry date. While the AISP is using these ‘long-lived’ tokens, they are responsible for obtaining re-confirmation of consent from the consumer, but they are not required to notify the bank whether or not they have received consent.
3. The implementation process and challenges
TrueLayer is taking part in cross-industry discussions about the implementation of the rule changes. We’re part of a weekly meeting between banks and AISPs organised by the Open Banking Implementation Entity (OBIE), which began on 13 January.
These meetings are helping to shape a new version of the UK open banking standard – version 3.1.10 – which will help banks to implement the 90 day rule changes. The draft standard and guidance is likely to be published for consultation in February.
The OBIE discussions are covering:
Timing of the changes – when banks will start to make the changes to enable them to apply the exemption (bearing mind they are encouraged to do so by the FCA ‘as soon as possible after 26 March’).
Communication – messaging that banks and AISPs should provide to consumers about the upcoming changes.
Technical details – will banks be able to ‘swap-out’ existing 90 day tokens for long lived tokens, in the background, or will this require consumers to re-authenticate?
Consent screens – what should AISPs display to their consumers in order to obtain re-confirmation of consent?
Access dashboards – how will the dashboards that banks maintain regarding account access, interact with these changes?
The need for coordination
Because of the nature of the rule changes, there is no a hard deadline for each bank to implement the changes: only a start date – 26 March 2022.
But, AISPs appear to be under a stricter requirement to ensure that they are reconfirming consent with consumers from 26 July.
This could result in a dual process, where consumers are asked to re-confirm consent, and re-authenticate access at the same time.
This is clearly an undesirable outcome and it’s why we are calling on the FCA to convene the major UK banks and TPPs to agree a coordinated implementation approach.
In the meantime, TrueLayer will continue to provide customers with updates of key developments.