The latest consultation paper from the FCA contained a proposal to scrap the 90-day re-authentication limit on Open Banking connections. This would be a game-changer for the sector and Fintechs should come together to ensure a strong representation in the process.
The FCA released a consultation paper in January this year that proposed raising the contactless limit from £45 to £100 per transaction and from £120 to £200 per day cumulatively, a proposal that was widely covered in the media and broadly welcomed by fintechs. The publicity around the headline proposal has, however, drawn the spotlight away from other, equally fundamental changes proposed.
First amongst these is the proposed scrapping of the 90-day re-authentication limit, which forces users to repeat the authentication process with their bank every 90 days regardless of how often they use the service. This would be little short of a game-changer for Open Banking. The consultation paper highlights an example where a firm was seeing 40% drop-off rates at 90 days despite having near 100% satisfaction ratings with the service; anecdotally, we'd say drop-off rates of that order are not uncommon unless you have a very clear value proposition.
Introducing an exemption for AISPs is fundamental if Open Banking is to achieve its potential; however, the proposals could and should go further. As proposed, customers will no longer have to re-grant consent for access that they have already specifically requested. So, for example, if a customer logs into your budgeting app, they will be able to log in again after 91 days and the app will be able to pull down the data since the last login without sending them back to their bank app to authenticate all over again. So far so good.
However, Open Banking also provides third parties with the ability to keep customers up to date by accessing data in the background up to four times a day. This is vital if you want to provide customers with valuable information like notifications based on their transaction data.
As things stand, the proposals would require customers to grant authorisation all over again for this type of service after 90 days, and it's unclear from the text of the consultation paper whether simply logging in again would count as authorisation. If it does, great. We don't want to be accessing data from people who are no longer using the services we enable, and 90 days seems to be a broadly appropriate timescale for assessing whether a user is active or not.
There are two challenges that have to be addressed in responses to the consultation.
Firstly, if re-authentication is required for ongoing data access but not for explicitly requested data, we'll be left with a confusing two-tiered consent system. This would be damaging to consumers, leaving them unsure as to who has access to their data and when. And it would be damaging to competition, since the ability to provide people with contextual information would be severely limited.
Secondly, the regulations need to be sensitive to the fact that people don't interact with all of their financial products in the same way. A current account with no access in 30 days seems far more likely to be inactive than a pension account with no access in 90, and yet a pay-day notification updating a user on the contribution to their pension would seem to be exactly the kind of use-case that Open Banking and Open Finance (when it arrives) were designed to enable. We'll be arguing for a consent framework where the length of time a consent is valid for is sensitive to the kind of data that the customer is consenting to share.
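To make the difference between these regimes concrete, here is an added illustration (not Bud's code, and not anything from the consultation paper) of how a TPP might decide whether a given data pull is permitted. It encodes three readings side by side: the current 90-day rule for everything, the draft proposal as we read it (attended access exempt, background access still re-authenticated at 90 days), and the product-sensitive framework argued for above. The per-product windows (30 days for a current account, 365 for a pension), the customer timeline and the "now" timestamp are all constructed assumptions for the example; the four-a-day cap on background pulls is the limit described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The 90-day window the post discusses: measured from the customer's last strong
# customer authentication (SCA) with their bank.
DEFAULT_WINDOW = timedelta(days=90)
# Cap on unattended ("background") pulls in any rolling 24-hour period.
BACKGROUND_PULLS_PER_DAY = 4


@dataclass(frozen=True)
class Policy:
    name: str
    login_renews_attended: bool     # does a login to the TPP app renew attended access?
    login_renews_background: bool   # ...and unattended background access?
    windows: dict = field(default_factory=dict)  # per-product windows (assumed values)

    def window_for(self, product: str) -> timedelta:
        return self.windows.get(product, DEFAULT_WINDOW)


# Three regimes. The first two follow the post's reading of the rules and the
# draft proposal; the windows in the third are assumptions chosen to illustrate a
# product-sensitive framework, not figures from the consultation paper.
CURRENT_RULES = Policy("90-day rule for all access", False, False)
PROPOSED_AS_DRAFTED = Policy("exemption for attended access only", True, False)
PRODUCT_SENSITIVE = Policy(
    "login renews consent; window depends on product", True, True,
    windows={"current_account": timedelta(days=30), "pension": timedelta(days=365)},
)


@dataclass
class Consent:
    product: str
    last_sca: datetime        # last authentication with the bank
    last_app_login: datetime  # last time the customer used the TPP's own app
    background_pulls: list = field(default_factory=list)  # timestamps of unattended pulls


def access_allowed(consent: Consent, now: datetime, user_present: bool, policy: Policy):
    """Decide one data pull; returns (allowed, reason) and records a permitted background pull."""
    if not user_present:
        # The four-a-day cap on background access applies whatever the consent rules say.
        recent = [t for t in consent.background_pulls if now - t < timedelta(days=1)]
        if len(recent) >= BACKGROUND_PULLS_PER_DAY:
            return False, "background pull cap reached in the last 24h"

    # Which event restarts the consent clock depends on the policy and the access type.
    if user_present and policy.login_renews_attended:
        anchor = now  # the customer is logging in right now
    elif not user_present and policy.login_renews_background:
        anchor = max(consent.last_sca, consent.last_app_login)
    else:
        anchor = consent.last_sca  # only a bank SCA counts

    window = policy.window_for(consent.product)
    if now - anchor > window:
        return False, f"re-authentication required: {consent.product} consent older than {window.days} days"

    if not user_present:
        consent.background_pulls.append(now)
    return True, "ok"


def demo(now: datetime = datetime(2021, 3, 1, tzinfo=timezone.utc)) -> dict:
    """Constructed scenario: bank SCA 100 days ago, last app login 45 days ago.
    Returns {(policy name, product, attended): allowed} across all three regimes."""
    results = {}
    for policy in (CURRENT_RULES, PROPOSED_AS_DRAFTED, PRODUCT_SENSITIVE):
        for product in ("current_account", "pension"):
            for attended in (True, False):
                consent = Consent(product, now - timedelta(days=100), now - timedelta(days=45))
                allowed, _ = access_allowed(consent, now, attended, policy)
                results[(policy.name, product, attended)] = allowed
    return results


def cap_demo(now: datetime = datetime(2021, 3, 1, tzinfo=timezone.utc)):
    """Constructed scenario: fresh consent, but four background pulls already made today."""
    pulls = [now - timedelta(hours=h) for h in (1, 5, 10, 20)]
    consent = Consent("pension", now - timedelta(days=10), now - timedelta(days=1), pulls)
    return access_allowed(consent, now, False, PRODUCT_SENSITIVE)


if __name__ == "__main__":
    for (policy_name, product, attended), allowed in demo().items():
        mode = "attended" if attended else "background"
        print(f"{policy_name:<48} {product:<16} {mode:<11} {'ALLOW' if allowed else 'DENY'}")
    print(cap_demo())
```

Running it shows the two-tier problem directly: under the draft as we read it, the same customer who is waved through when they open the app is refused a background pull a minute later, and only the product-sensitive policy lets the pension notification through while still cutting off a current account nobody has looked at in 45 days.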
The deadline for responses regarding the contactless increase is the 24th Feb, and for all other responses the 30th April this year. It's vital that, as a community of TPPs, we provide strong representation, and we'll be submitting a response that we commit to making public by the end of March. If you'd like a copy of that response before we submit, feel free to sign up below and we'll get the copy to you as soon as it's ready. We'd urge TPPs and all members of the Open Banking community to submit their own responses using the resources provided here, but if you'd like to add your name to ours we're happy to talk about that too. Sign up to get a copy of the response and we'll drop you a note with the right contact details.
This consultation has the potential to have a real impact on the Open Banking space, so whatever you do, don’t be silent.
Bud® is authorised and regulated by the Financial Conduct Authority under registration number 765768 + 793327.