The Financial Conduct Authority (FCA), the independent financial market regulator in the United Kingdom, has proposed that customers who have linked their bank account to a licensed third-party service provider should no longer need to be re-authorized every 90 days. At fino, we strongly welcome this initiative. In its explanatory memorandum, the FCA captures the essence of the issue.
In its “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual”, the authority argues that payments as a business have grown and evolved in recent years. Open banking has grown steadily, it says, with the coronavirus pandemic acting as a catalyst. However, the current requirement to perform Strong Customer Authentication (SCA) every 90 days for security reasons is seen as a barrier to the future success and adoption of open banking. It has proven cumbersome and causes friction in the user experience, especially for customers who manage multiple accounts with different account providers. Third-party providers have reported a significant loss of customers at the point where re-authentication is required – as much as 40 percent. In addition, the interruption of ongoing access after a failed re-authentication could lead to customers making decisions based on outdated data. This has led customers to refrain from launching new products and services, so the potential of open banking is not being fully realized. As a result, changes to the regulatory technical standards are now being proposed.
Security even without re-authorization
According to the FCA, the risk posed by a third-party provider accessing account information on behalf of a customer is low. The risks are largely mitigated by other requirements, such as the provider presenting a valid eIDAS certificate. For this reason, the authority is proposing an exemption that would release account servicing payment service providers from the requirement to re-authorize a customer every 90 days. A one-time strong customer authentication would suffice, the FCA said. To protect consumers, new requirements would be introduced at the same time for cases where the provider accesses account information without the customer actively requesting it; in such cases the provider would be expected to obtain the customer’s explicit consent every 90 days.
From our point of view, this proposal makes sense. As fino, we would very much welcome it if the EU also considered this approach, in cooperation with other third-party service providers and national supervisory authorities. After all, the re-authentication required every 90 days has a detrimental effect on the customer experience in the EU too, with the same negative consequences as in the UK. Moreover, security can be implemented here in just as user-friendly a manner as in the FCA’s proposal.
Technical Lead and Product Owner at fino