Rules requiring users to 're-authenticate' permissions every three months are needlessly hurting open banking adoption, writes Jack Wilson, Head of Policy & Regulatory Affairs at TrueLayer.
If you use apps powered by open banking you’ve probably opened them to find a message asking you to reconnect your bank account. At first it can seem like something has gone wrong. It soon becomes annoying when you realise this is a regular chore: you’ll be sent to your bank providers to reconfirm your details every 90 days, a process known as ‘re-authentication’.
If you are multi-banked and use a service to view all of your accounts with different providers in one place, 90-day re-authentication almost negates any convenience derived from using the app in the first place.
So why does it exist? When the rules underpinning open banking were being developed, authorities rightly wanted to make sure customers were always aware that their bank data was being shared. UK and EU authorities wanted a way to address the risk that consumers might continue to share data past the point that they stopped using an open banking service.
But instead of asking open banking providers to prompt customers to confirm that data sharing was still OK, they tasked banks with breaking connections unless the customer provided their banking credentials again. A little like using a sledgehammer to crack a nut.
The ‘90-day’ rule, as it was soon called, started to impact open banking providers as soon as it came into force in 2018. Aggregator apps that previously provided customers with a seamless way of viewing all their banks in one app suddenly had to send their customers to re-authenticate with each bank every 90 days. This undermined the convenience factor that these apps had previously provided.
Drop-off rates (where customers decided to stop using open banking) were above 50 per cent. Rather than protecting customers who were no longer using a service, re-authentication appears to have caused a drop-off even among highly engaged consumers.
The UK Financial Conduct Authority has listened to feedback on the unintended consequences of the 90-day rule. In January 2021, they issued a consultation which acknowledged that: “The requirement to re-apply SCA every 90 days has proven burdensome for customers, creating friction in the user experience, and hindering uptake of open banking services.”
It went even further when addressing the unintended consequences of the rule and its impact on consumers, SMEs, TPPs and the overall market:
“The interruption in a customer’s ongoing access to a TPP service after failing to reauthenticate could cause consumers and SMEs to make decisions based on out-of-date data, potentially resulting in harm. A TPP has reported that this could lead to the risk of three-quarters of the businesses that use the service facing liquidity issues. We understand the potential loss of access to customer data as a result of a customer’s failure to re-authenticate every 90 days has caused firms to delay or stop the launch of new products and services in the UK. As a result, the full benefits of open banking to UK consumers and competition are not being realised.”
The FCA’s proposal is to replace 90-day re-authentication with a requirement for open banking providers to re-confirm consent with the customer every 90 days. If consent is not re-confirmed, open banking providers will be required to break access to accounts. For security purposes, authentication with the bank will only be required when a customer first starts to use an open banking service accessing account data.
These proposals would be a welcome development. They will enable customers to enjoy ongoing open banking services without the periodic friction of being diverted to their banks.
However, the re-confirmation requirement could still result in customer inconvenience. In responding to the FCA consultation, there are a number of other factors that we believe should be considered to ensure the new proposals work for providers and customers:
● More flexibility should be allowed for ensuring consumers remain happy with their data sharing. Strictly ceasing data sharing where a customer has forgotten to re-confirm consent could result in customer problems. For example, where ongoing access is being used to support an existing service like an ongoing financial health check, accounting or access to credit, ceasing access could result in unintended overdrafts, missed payments or changes to credit scores/affordability assessments.
● The FCA should clarify that only a single confirmation is required for ongoing access to multiple bank accounts with different providers. If confirmation of consent is required, it should be possible for an open banking provider to obtain confirmation of consent to access multiple accounts at the same time. If re-confirmation requests need to be sent per bank account, this could cause the same kind of friction that is caused by having to obtain authentication per bank every 90 days.
● Delaying changes could harm fintech firms. The FCA has not provided a timeline for requiring banks to stop requiring re-authentication, and for open banking providers to implement re-confirmation. We believe these changes should happen quickly (within 3 months) for the competition benefits to be realised.
While the ‘90-day’ rule was introduced with good intentions, we are now far enough along the open banking journey to reconsider the approach to re-authentication. It will be interesting to see how the FCA now takes on board the feedback from various market participants, any changes it suggests and its timetable for implementation.
Jack Wilson is Head of Policy & Regulatory Affairs at TrueLayer. The views and opinions expressed are not necessarily those of AltFi.