SCA is not too far away: switch to open banking
Strong Customer Authentication is coming on 14 September — and now is the time to switch to open banking.
Update: Since publishing this blog post, the Financial Conduct Authority has on SCA implementation, which will provide financial institutions with an extension to the September deadline. Many banks have already migrated to API-based connectivity, and so TrueLayer will be deprecating the bulk of our credential sharing functionality on 14 September, with some exceptions for banks who are still migrating their products to open banking.

There are fewer than 40 days left until Strong Customer Authentication — SCA for short — becomes mandatory by law. SCA will have a wide-ranging effect across financial services in general, but it is the impact on credential sharing that will interest TrueLayer clients. Credential sharing is the former standard authentication method, where users enter their bank credentials using TrueLayer’s secure authentication interface. On 14 September, we are taking the step to deprecate our UK credential sharing authentication method. That means we will no longer be making changes to it or supporting it after that date. This has not been an easy decision, but after consulting with industry bodies, regulators, intra-governmental organisations and the UK banks, we have made the decision to end support for credential sharing. With this change, we are asking our clients to move their users to open banking as soon as possible, but no later than 14 September.
Goodbye to credential sharing

With that out of the way, it is important that we get to the nuts and bolts of SCA’s impact on our service. If you are not already aware, SCA is being introduced as part of the 2nd Payment Services Directive (PSD2) and seeks to increase the security and trust around the access of financial data. Currently, TrueLayer’s credential sharing functionality uses static elements — like a username and password — to authenticate with banks. With SCA, logging in to your bank account requires additional authentication, and introduces new elements which include:
- something the customer knows (eg a password or PIN)
- something the customer has (eg a phone or hardware token)
- something the customer is (eg a fingerprint or face recognition)
Welcome, open banking

My colleague Sean Conley has already spoken in a , but with SCA compliance now being a reality, it is critical that our clients using credential sharing migrate ➡️ to open banking as soon as possible. Open banking has its share of benefits — including better reliability, stability, and security — but its biggest benefit come September will be recurring access to the last 90 days’ worth of financial data, without the need for a user to go through SCA. While Strong Customer Authentication has a big impact on credential sharing, there is negligible impact on open banking (more on this later).

Open banking has come a long way over the past 6 months, with many banks now offering parity with credential sharing for data. For example, Lloyds Banking Group now offers current, savings and credit cards under their open banking system, giving the same level of access as credential sharing. Our Client Care team updates our regularly, so you can check out what is and is not supported there. Needless to say, with all the changes, open banking is a growing and evolving standard that goes from strength to strength.
Managing consent

There are a couple of things that we want to make our clients aware of when it comes to open banking.

Firstly, consent periods. Under open banking, all users submit to a 90-day, revocable consent. This is all part of PSD2 and the 90-day period isn’t negotiable. The good news is that the process of “re-consenting” or “re-authentication” — where a user gives access to their account again after 90 days — is going to become a lot easier, with many banks implementing shorter “re-authentication journeys” to make the process more seamless. We will have more to share on this soon.
The second, and more pressing, element of SCA and open banking relates to data access. With SCA, our customers will be able to obtain as much historical data as they need within the first 45 minutes of consent, and up to 90 days of data after that without an additional SCA requirement for end users.

This is where our first piece of best practice advice comes in: we highly recommend that you obtain and store as much historical data as you require straight after a customer authenticates, and then refresh the delta or the last 90 days of data where required. In practice, this means that users only have to authenticate once during their 90-day consent period, which provides a much more fluid user experience.
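The consent and data-access windows above translate directly into a scheduling rule a client application has to enforce: fetch the full history within 45 minutes of consent, refresh only the delta (bounded by the last 90 days) for the rest of the consent period, and send the user back through re-authentication once the 90-day consent has lapsed. The following is an added example written for this post, not TrueLayer's own SDK or API; the constants, the `AccessDecision` enum and the function names are assumptions, and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

# Windows as described in the post (assumed here as hypothetical constants;
# the authoritative values come from the bank/aggregator, not from this code).
FULL_HISTORY_WINDOW = timedelta(minutes=45)   # unrestricted history right after SCA
CONSENT_PERIOD = timedelta(days=90)           # PSD2 consent lifetime
REFRESH_WINDOW = timedelta(days=90)           # data reachable without a new SCA


class AccessDecision(Enum):
    FULL_HISTORY = "full_history"        # request any range the product needs
    RECENT_ONLY = "recent_only"          # only the last 90 days, no SCA prompt
    REAUTH_REQUIRED = "reauth_required"  # consent expired: user must re-authenticate


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (used for the constructed samples)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def decide_access(consent_granted_at, now):
    """Classify what the client may fetch at time `now` for a consent given at `consent_granted_at`."""
    if consent_granted_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; naive clocks drift across DST")
    elapsed = now - consent_granted_at
    if elapsed < timedelta(0):
        raise ValueError("consent timestamp lies in the future")
    if elapsed >= CONSENT_PERIOD:
        return AccessDecision.REAUTH_REQUIRED   # boundary is inclusive: day 90 needs re-consent
    if elapsed <= FULL_HISTORY_WINDOW:
        return AccessDecision.FULL_HISTORY
    return AccessDecision.RECENT_ONLY


def plan_fetch(consent_granted_at, now, history_needed_days, last_synced_at=None):
    """Return (decision, from_ts, to_ts): the date range to request, or None when re-auth is needed.

    history_needed_days: how far back the product wants data on the initial pull.
    last_synced_at: timestamp of the previous successful sync, to fetch only the delta.
    """
    decision = decide_access(consent_granted_at, now)
    if decision is AccessDecision.REAUTH_REQUIRED:
        return decision, None, None
    if decision is AccessDecision.FULL_HISTORY:
        # Grab everything the product needs while the 45-minute window is open.
        start = now - timedelta(days=history_needed_days)
    else:
        # Outside the window only the last 90 days are reachable; never ask for
        # more than that, and skip what was already stored.
        earliest = now - REFRESH_WINDOW
        start = max(earliest, last_synced_at) if last_synced_at else earliest
    return decision, start, now


if __name__ == "__main__":
    # Constructed walk-through: consent granted on the SCA deadline day.
    granted = utc(2019, 9, 14, 9, 0)
    for label, when in [("10 min later", utc(2019, 9, 14, 9, 10)),
                        ("30 days later", utc(2019, 10, 14, 9, 0)),
                        ("90 days later", utc(2019, 12, 13, 9, 0))]:
        print(label, plan_fetch(granted, when, 365, last_synced_at=utc(2019, 10, 4, 9, 0)))
```

The design point is the asymmetry: the initial pull is sized by what the product needs, while every later refresh is clamped to the 90-day window regardless of how long ago the last sync was, so a dormant user who comes back after weeks is never sent through SCA just to catch up.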