Update: Since publishing this blog post, the Financial Conduct Authority has provided additional guidance on SCA implementation, which will provide financial institutions with an extension to the September deadline. Many banks have already migrated to API based connectivity, and so TrueLayer will be deprecating the bulk of our credential sharing functionality on 14 September, with some exceptions for banks who are still migrating their products to open banking.
There are less than 40 days left until Strong Customer Authentication — SCA for short — becomes mandatory by law. SCA will have a wide-ranging effect across financial services in general, but it is the impact on credential sharing that will interest TrueLayer clients.
Credential sharing is the former standard authentication method where users enter their bank credentials using TrueLayer’s secure authentication interface.
On 14 September, we are taking the step to deprecate our UK credential sharing authentication method. That means we will no longer be making changes to it or supporting it after that date.
This has not been an easy decision, but after consulting with industry bodies, regulators, intra-governmental organisations and the UK Banks, we have made the decision to end support for credential sharing. With this change, we are asking our clients to move their users to open banking as soon as possible, but no later than 14 September.
Goodbye to credential sharing
With that out of the way, it is important that we get to the nuts and bolts of SCA’s impact on our service. If you are not already aware, SCA is a new regulatory requirement that will be introduced as part of the 2nd Payment Services Directive (PSD2) and seeks to increase the security and trust around the access of financial data.
Currently, TrueLayer’s credential sharing functionality uses static elements — like a username and password — to authenticate with banks. With SCA, logging in to your bank account requires additional authentication, and introduces new elements which include:
something the customer knows (eg a password or PIN)
something the customer has (eg a phone or hardware token)
something the customer is (eg a fingerprint or face recognition)
Customers across a wide range of services — like online banking — will be required to use 2 out of 3 of these elements when they log in from 14 September, providing a safer and more secure experience.
However, we anticipate this will result in a poor user experience for credential sharing: businesses will not be able to refresh data on a frequent basis without the end-user being present (known as “offline” access). Previously, this was possible because TrueLayer could authenticate the user with static elements; with SCA, user intervention is required each time data is refreshed.
We expect to see a significant drop in the conversion of users authenticating using SCA-enabled credential sharing, and for those who do successfully authenticate, the lack of recurring access to data will provide a poor user experience.
Welcome, open banking
My colleague Sean Conley has already spoken in a previous post about the switch to open banking, but with SCA compliance now being a reality, it is critical that our clients using credential sharing migrate to open banking as soon as possible.
Open banking has its share of benefits — including better reliability, stability, and security — but its biggest benefit come September will be recurring access to the last 90 days’ worth of financial data, without the need for a user to go through SCA. While Strong Customer Authentication has a big impact on credential sharing, there is negligible impact on open banking (more on this later).
Open banking has come a long way over the past 6 months, with many banks now offering parity with credential sharing for data. For example, Lloyds Banking Group now offers current, savings and credit cards under their open banking system, giving the same level of access as credential sharing. Our Client Care team updates our banks and endpoints list regularly, so you can check out what is and is not supported there. Needless to say, with all the changes, open banking is a growing and evolving standard that goes from strength to strength.
There are a couple of things that we want to make our clients aware of when it comes to open banking.
Firstly, consent periods. Under open banking, all users submit to a 90-day, revokable consent. This is all part of PSD2 and this 90 day period isn’t negotiable. The good news is that the process of “re-consenting” or “re-authentication” — where a user gives access to their account again after 90 days — is going to become a lot easier, with many banks implementing shorter “re-authentication journeys” to make the process more seamless. We will have more to share on this soon.
The second, and the more pressing element of SCA and open banking, relates to data access. With SCA, our customers will be able to obtain as much historical data as they need within the first 45 minutes of consent, and up to 90 days of data after that without an additional SCA requirement for end-users.
This is where our first piece of best practice advice comes in: we highly recommend that you obtain and store as much historical data as you require straight after a customer authenticates, and then refresh the delta or last 90 days of data where required. In practice, this means that users only have to authenticate once during their 90 day consent period, and provides a much more fluid user experience.
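The consent and data-access rules described above translate into a fairly simple scheduling decision for a data-refresh job: fetch full history inside the 45-minute window after consent, fetch only the rolling 90-day delta for the rest of the consent period, and stop and ask the user to re-authenticate once the 90-day consent has lapsed or been revoked. The following is an added illustration of that logic, not TrueLayer code and not a model of TrueLayer’s API; the bank client, the transaction records and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Periods taken from the post: 90-day revokable consent, unrestricted history
# for the first 45 minutes, and a rolling 90 days of data afterwards.
CONSENT_PERIOD = timedelta(days=90)
FULL_HISTORY_WINDOW = timedelta(minutes=45)
ROLLING_WINDOW = timedelta(days=90)


class Action(Enum):
    FULL_HISTORY = "fetch as much history as the business needs"
    REFRESH_DELTA = "fetch only the delta within the last 90 days"
    REAUTHENTICATE = "consent lapsed or revoked: user must re-consent"


@dataclass
class Consent:
    user_id: str
    granted_at: datetime
    revoked: bool = False

    def expires_at(self) -> datetime:
        return self.granted_at + CONSENT_PERIOD


def plan_refresh(consent: Consent, now: datetime,
                 last_synced: Optional[datetime] = None) -> Tuple[Action, Optional[datetime]]:
    """Decide what a scheduled refresh may request under the SCA/consent rules.

    Returns the action and the lower time bound to request (None = no bound)."""
    if consent.revoked or now >= consent.expires_at():
        return Action.REAUTHENTICATE, None
    if now - consent.granted_at <= FULL_HISTORY_WINDOW:
        return Action.FULL_HISTORY, None
    # Outside the 45-minute window only the rolling 90 days are reachable;
    # never ask for anything older than that, and skip what we already hold.
    floor = now - ROLLING_WINDOW
    since = max(floor, last_synced) if last_synced else floor
    return Action.REFRESH_DELTA, since


@dataclass
class Transaction:
    transaction_id: str
    timestamp: datetime
    amount: float
    description: str


class FakeBank:
    """Constructed stand-in for a bank data endpoint (hypothetical, not a real API)."""

    def __init__(self, transactions: List[Transaction]):
        self.transactions = transactions

    def fetch(self, since: Optional[datetime], until: datetime) -> List[Transaction]:
        # 'until' simulates that only transactions posted by 'now' exist yet.
        return [t for t in self.transactions
                if (since is None or t.timestamp >= since) and t.timestamp <= until]


@dataclass
class LocalStore:
    transactions: Dict[str, Transaction] = field(default_factory=dict)
    last_synced: Optional[datetime] = None


def sync(consent: Consent, store: LocalStore, bank: FakeBank, now: datetime) -> Tuple[Action, int]:
    """Run one refresh; returns the action taken and how many new records were stored."""
    action, since = plan_refresh(consent, now, store.last_synced)
    if action is Action.REAUTHENTICATE:
        return action, 0  # nothing may be fetched; surface a re-consent prompt instead
    added = 0
    for t in bank.fetch(since, now):
        if t.transaction_id not in store.transactions:  # dedupe overlapping windows
            store.transactions[t.transaction_id] = t
            added += 1
    store.last_synced = now
    return action, added


def run_demo() -> List[Tuple[Action, int]]:
    """Three refreshes against constructed data: right after consent, a month in, and after expiry."""
    granted = datetime(2019, 8, 1, 9, 0, tzinfo=timezone.utc)  # constructed consent time
    bank = FakeBank([
        Transaction("tx-001", datetime(2018, 12, 15, tzinfo=timezone.utc), -42.10, "old history"),
        Transaction("tx-002", datetime(2019, 7, 20, tzinfo=timezone.utc), -9.99, "recent"),
        Transaction("tx-003", datetime(2019, 8, 10, tzinfo=timezone.utc), 1500.00, "posted later"),
    ])
    consent, store = Consent("user-1", granted), LocalStore()
    return [
        sync(consent, store, bank, granted + timedelta(minutes=10)),  # full history: 2 records
        sync(consent, store, bank, granted + timedelta(days=30)),     # delta: 1 new record
        sync(consent, store, bank, granted + timedelta(days=91)),     # consent lapsed: 0
    ]


if __name__ == "__main__":
    for action, added in run_demo():
        print(f"{action.name}: {added} new transaction(s)")
```

The point of `plan_refresh` is that the 45-minute window is the only chance to pull history older than 90 days, so the first sync should request everything the business case needs; every later sync is bounded below by the rolling window and by what is already stored, and the deduplication on `transaction_id` makes it safe to overlap windows slightly to catch late-posted items.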
The great migration
For many of our customers, all this information will be nothing new, and you may already have spoken to one of our teams regarding migration to open banking. But switching has never been more pressing than right now — with less than 40 days until the SCA deadline, clients that do not switch their users to open banking will not be able to refresh data with the same frequency (or at all) come 14 September.
We are happy to assist with this transition, so please reach out to one of our team if you need more information.
How to migrate users
These are our recommendations for how to effectively migrate your users, causing minimal disruption to them and to your connectivity.
It is possible for a user to have access to both open banking and credential sharing at the same time, so we would recommend asking your users to connect their accounts to open banking first. You can disconnect their credential sharing access after they have made the switch.
We recommend taking a “batch” approach: splitting your users into small groups, either chosen at random or per bank, for example moving only your Lloyds or Barclays customers at any one time. You can stagger this approach across the next 30 days, which will minimise the impact to users.
Welcome to the revolution
For the past 6 months, many of my colleagues have blogged and spoken about how the financial services industry has been undergoing significant change, with open banking creating a fairer and more efficient way for consumers and companies to harness the power of financial data.
We are working closely with policymakers, regulators, industry working groups and the wider financial industry to make the SCA transition as seamless as possible.
We expect there will be differences in how SCA will play out for national regulators and even individual banks. As ever, we will continue to build our products with this in mind, abstracting away complexity and creating exceptional user experiences.
Part of this has been our collaboration with the banks, where we have been providing feedback and guidance on how they can improve their open banking products and deliver a better experience for users.
In a little over a month, the switch to an open banking economy will finally be complete, and TrueLayer has been leading — and will continue to lead — every step of the way.
Oh, and by the way — if you want to help power this revolution, why not join us? We are hiring after all.