UK regulator set to remove disruptive authentication requirements
Banks, fintechs and other financial institutions are awaiting a policy statement from the UK’s Financial Conduct Authority (FCA) that will do away with the widely maligned 90-day Open Banking reauthentication rule.
The FCA – which first proposed changes to the rules in January – has told the Digital Banking Hub that a policy statement on the matter will be published this autumn.
As things stand, users must repeat the strong customer authentication (SCA) process with each of their banks every 90 days to confirm authorization of data sharing with third-party providers (TPPs). The proposals replace that rule with a requirement for open banking providers to re-confirm consent with the customer every 90 days. In theory, customers will face a smoother journey, responsibility for which would rest with the TPP rather than the banks.
For all involved, the rule has been an unintentional consequence of regulations that has damaged the progress of Open Banking.
Several bodies have provided criticism: The Competition & Markets Authority (CMA) has said consumers and SMEs are being cut off from valuable services. The Department of Business, Energy, and Industrial Strategy (BEIS) said the requirement lacks transparency, leads to a poor customer experience, and “appears to cause attrition even among engaged consumers”. Fortunately, the FCA has agreed, saying the requirement “creates friction in the user experience, and hindering uptake of open banking services”.
Banks, currently shouldered with the responsibility of ensuring the 90-day requirement is met, have welcomed the suggestions: they can disable the function and chalk it off as one less compliance check box. For fintechs and TPPs, this is an urgent matter that needs to be resolved as quickly as possible, with some going as far as to say the rule has caused a 50% drop-off in users. For those organizations that rely on sustained data access, such as those that provide consumers with money management insights and assistance, the current rule is ruinous. The same is therefore true for the aspirations of Open Finance.
The proposals were widely welcomed when they were announced, but the hope is that they will be further clarified. They will need to make sure the TPPs are able to get reconfirmation of consent from each of the relevant bank accounts, for example. Rule makers must consider how providers will engage with the consumer for continued access to the data – such as in-app messaging, prompts and active opt-outs for those who do not wish to share data. Consideration may also be given to a grace period during which the consumer must grant access or break the bank connections. All this must be done while supporting the seamless experience banks invest in when creating in-app experiences.
For the market as a whole, the lifting of the rule should see an increase in the number of firms providing data intelligence to a user based on their longer-term banking profile, such as offering information on creditworthiness, affordability and other financial advice. The likes of CreditLadder and other alternative credit score providers may flourish while competition enters their patch.
Image: Granting access to Flux through the Starling Marketplace for 90 days, and disruption for Plum’s automated savings due to account relinking requirements. Source: The Digital Banking Hub
What is causing a great deal of anxiety for TPPs now is uncertainty around the timeline the FCA will provide with the new rules. If the regulator gives banks the standard 18 months to implement the change, a lot of those Open Banking organizations will continue to see swathes of customers disappear. For some, prolonging the unworkable current rules for much longer could prove too strenuous. For the sake of Open Finance, may the autumn be a short one.