TrueLayer Clarifies What Changes to 90 Day Rule for Open Banking Access Actually Mean

Jack Wilson, Head of Public Policy at TrueLayer, notes that open banking started back in 2018 thanks to regulation (PSD2) which gave consumers the right “to access their bank account data using third parties called account information services providers (AISPs).”

However, the same set of rules created a major pain point for consumers: they were required to confirm access for every open banking service and “with each of their connected banks, every 90 days, using strong customer authentication (providing two or more different security credentials).”

As explained in a blog post, the requirement has “led many consumers, even those highly engaged, to stop using open banking.” Many businesses are now reporting average ‘drop-off’ rates (the percentage of customers who abandon the open banking service when prompted to re-authenticate) “of above 50%.”

In November of last year, the UK regulator, the Financial Conduct Authority (FCA), stepped in to “address the issue by changing the rules.”

Now, instead of a consumer having to offer their bank credentials every 90 days (re-authentication), they “only need to provide their AISP with reconfirmation that they consent to having their data accessed.”

The TrueLayer team also mentioned that the change will “remove significant friction in open banking journeys, encouraging consumers to adopt and stick with services ranging from credit score tools and affordability checks, to financial management and loyalty schemes.”

As noted in the update, there are specific regulatory changes that consumers in the UK should expect to see once these rules are implemented.

TrueLayer's summary of the implementation process and challenges, covering where it stands “with implementation of the new rules and the challenges facing AISPs,” is as follows:

Status quo

To date, when a consumer uses an account information service provider (AISP) to access their account data, the following takes place:

  • The consumer consents to the AISP to allow them to access or share their data.
  • The consumer is redirected to their bank and strongly authenticates with their bank by providing credentials.
  • The AISP then has access to that data for 90 days.
  • There is then a legal requirement for the consumer’s bank to ‘re-authenticate’ the account access after 90 days. The process for this is:
      ◦ The AISP lets the consumer know that access to the account data has expired.
      ◦ The AISP redirects the consumer to their bank to re-authenticate.
      ◦ Access to the data for the AISP is renewed by the bank.
    If the consumer does not re-authenticate with their bank(s) at this point, the service is no longer connected to their data.

As noted by TrueLayer:

“When an AISP has obtained consent from a consumer, the AISP makes a call to the bank’s API and generates an access token and refresh token. Once issued by the bank, these tokens allow the AISP to request data from the bank without the consumer having to input credentials each time. These tokens are set to expire after 90 days. After 90 days, the consumer must input credentials with their bank in order for the AISP to obtain new access and refresh tokens.”

Regulatory changes

From 26 March 2022, banks are “strongly encouraged by the FCA to apply an exemption allowing them to authenticate only the first time a customer gives an AISP access to their account data.”

As noted by TrueLayer:

“The reason banks are only ‘strongly encouraged to apply an exemption’, rather than being required to, has to do with how the rules relating to authentication are written. As with the previous rules, which allowed re-authentication to be a requirement every 90 days rather than for every access request, the new rules are written as an exemption (Article 10) from authentication for the bank.”

The firm added:

“In practice the UK banks previously chose to use this exemption across the board. The hope is they will also implement changes to use the new exemption (Article 10A), given the benefits for consumers.”

The company also noted that instead of banks re-authenticating, AISPs will be required to re-“confirm consent with their customers.” AISPs will need to have “obtained the first re-confirmation by 26 July 2022, in order to be allowed to access account data after that date.”
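To make the difference between the two regimes concrete, here is an added illustration (not TrueLayer's code, and not part of the original article) that models an AISP's access check as two independent gates: the bank gate (does the bank still honour the tokens it issued?) and the AISP gate (has the AISP met its consent-reconfirmation duty?). The 26 March 2022 start date and the 26 July 2022 first-reconfirmation deadline come from the article; the assumption that reconfirmation recurs on the same 90-day cadence as the old re-authentication, the `bank_applies_article_10a` flag (reflecting that banks are only “strongly encouraged” to apply the exemption), and all sample dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Figures taken from the article.
ACCESS_WINDOW = timedelta(days=90)
NEW_RULES_START = date(2022, 3, 26)
FIRST_RECONFIRMATION_DEADLINE = date(2022, 7, 26)

# Actions the consumer may be asked to take to keep a connection alive.
RE_AUTHENTICATE = "re-authenticate with bank (SCA)"
RECONFIRM_CONSENT = "reconfirm consent with AISP"


@dataclass
class Connection:
    """One consumer-to-bank link held by an AISP (constructed model)."""
    last_sca: date                      # last strong customer authentication at the bank
    bank_applies_article_10a: bool      # assumption: bank chose to apply the new exemption
    last_reconfirmation: Optional[date] = None  # last consent reconfirmation given to the AISP


def bank_gate(conn: Connection, today: date) -> Optional[str]:
    """Old regime: the bank's tokens die 90 days after the last SCA.
    New regime (from 26 March 2022, if the bank applies Article 10A): the bank
    authenticates only on first connection, so nothing expires on its side."""
    if today >= NEW_RULES_START and conn.bank_applies_article_10a:
        return None
    if today > conn.last_sca + ACCESS_WINDOW:
        return RE_AUTHENTICATE
    return None


def aisp_gate(conn: Connection, today: date) -> Optional[str]:
    """The AISP's own duty, which only exists under the new rules:
    a first reconfirmation by 26 July 2022, then (assumed) every 90 days."""
    if today < NEW_RULES_START:
        return None
    if conn.last_reconfirmation is None:
        return None if today <= FIRST_RECONFIRMATION_DEADLINE else RECONFIRM_CONSENT
    if today > conn.last_reconfirmation + ACCESS_WINDOW:
        return RECONFIRM_CONSENT
    return None


def required_actions(conn: Connection, today: date) -> List[str]:
    """Everything the consumer would have to do today to keep data flowing."""
    return [a for a in (bank_gate(conn, today), aisp_gate(conn, today)) if a]


def access_allowed(conn: Connection, today: date) -> bool:
    return not required_actions(conn, today)


if __name__ == "__main__":
    # Constructed scenario: consumer connected on 1 January 2022.
    conn = Connection(last_sca=date(2022, 1, 1), bank_applies_article_10a=True)
    for day in (date(2022, 2, 1), date(2022, 5, 1), date(2022, 8, 1)):
        print(day, required_actions(conn, day) or "no action needed")
```

Running the script shows the effect the article describes: on 1 May 2022 the old 90-day token expiry would have forced a bank re-authentication, but under the new rules (with the bank applying the exemption) the connection stays live and the only thing the consumer eventually owes is a consent reconfirmation to the AISP, which becomes due once the 26 July 2022 deadline passes.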

For more details on this extensive update from TrueLayer, check here.
