The Financial Conduct Authority (FCA), the independent financial market regulator in the United Kingdom, has proposed that customers who have linked their bank account to a licensed third-party service provider should no longer need to re-authenticate every 90 days. At fino, we strongly welcome this initiative, because the FCA's reasoning captures the essence of the issue.
In its “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual”, the agency argues that the payments business has grown and evolved in recent years. Open Banking has grown steadily, it says, with the coronavirus pandemic acting as a catalyst. However, the FCA has identified the current requirement to perform Strong Customer Authentication (SCA) every 90 days for security reasons as a barrier to the future success and adoption of Open Banking. The requirement has proven cumbersome and causes friction in the user experience, especially when customers manage multiple accounts with different account providers. Third-party providers have reported a significant loss of customers at the point where re-authentication is required – as much as 40 percent. In addition, the disruption of ongoing access after a failed re-authentication could lead to customers making decisions based on outdated data. As a result, companies have refrained from launching new products and services, and the potential of Open Banking is not being fully realized. That is why changes to the regulatory technical standards are now being proposed.
Security even without re-authorization
According to the FCA, the risk is low when a third-party provider accesses account information on behalf of a customer. The risk is largely mitigated by other requirements, such as the provider presenting a valid eIDAS certificate. For this reason, the agency proposes an exemption that would relieve account-holding institutions of the requirement to re-authenticate customers every 90 days: a one-time strong customer authentication would suffice, the FCA says. To protect consumers, new requirements are to be introduced at the same time for cases where the provider accesses account information without the customer actively requesting it. In such cases, the FCA recommends that the provider obtain the customer's explicit consent for this access every 90 days.
From our point of view, this proposal makes sense. As fino, we would very much welcome it if the EU also considered this approach, in cooperation with third-party service providers and national supervisory authorities. After all, in this country, too, the re-authentication required every 90 days has a detrimental effect on the customer experience, with the same negative consequences as in the UK. Moreover, security can be implemented here in just as user-friendly a manner as in the FCA’s proposal.
Yours, Manuel Gutmann
Technical Lead and Product Owner at fino