The Armalytix View: 90-day Re-authentication and Consent Duration Management
TL;DR: The recent proposals by the FCA to remove the need for individual banks to re-authenticate customer consent every 90 days are very welcome and represent a significant improvement on the current process. However, we believe they should be extended to allow customers greater freedom to manage the duration of their consents, which in turn will lead to a richer customer experience and allow businesses to provide improved and more varied services.
As many of you will have seen, the FCA recently released their Consultation Paper CP21/3 in which they proposed various changes to the SCA-RTS to support competition and innovation in the payments and e-money sector. These have been warmly welcomed by the Armalytix team and other members of FDATA – as well as by the wider Fintech community.
One of the changes proposed is a new exemption from applying Strong Customer Authentication (SCA) when customers access their account information using Open Banking through an account information service provider (AISP) such as Armalytix. By way of background, the current rules essentially state that where a customer has granted access to their bank accounts, the access only lasts for 90 days, after which time each of the banks has to re-apply their individual SCA measures. This creates a level of friction for all customers, and particularly those with accounts at multiple banks. This has proved to be a significant barrier to customers’ ongoing use of Open Banking, with the FCA Consultation Paper itself reporting a significant loss of customers at the point where re-authentication by SCA is required.
In order to address this, the Paper proposes that the rules be changed to allow the AISPs themselves to manage the process of reconfirming consent every 90 days, thereby removing the barriers to customers’ continued use of Open Banking services. The benefits of this are clear:
- Third Party Providers (TPPs) will be able to attract and retain more customers as friction reduces – leading to better variety and quality of TPP services.
- Customers will have to spend less time authenticating.
As you might expect, at Armalytix we are fully supportive of this proposal, but in our opinion it doesn’t go far enough.
How could the proposal go further?
The intention of the FCA’s requirement that the customer must still provide “explicit consent every 90 days” is clear – to protect customers and stop the data sharing if they do not reconfirm their consent. However, among the numerous applications of Open Banking – including personal financial management, automated accountancy reconciliation, credit checking and ongoing loan risk management – there are many cases where the customer’s basic requirement is that the data should continue to be shared on an ongoing basis until they ask for it to stop. In such cases, asking the customer to reconfirm their consent every 90 days represents unnecessary friction in what should be a seamless experience for them.
In some cases, this additional friction may actually lead to increased risk for the customer. Consider the following examples:
- A firm using accounting software – what happens if the person in charge of online access to the firm’s bank accounts is out of the office, or forgets to re-authenticate at the 90-day point, while others in the team still need to reconcile and review the firm’s financial position? In this case a long-lived consent would ensure that the firm’s financial position was always up to date.
- A Personal Financial Management app sending notifications to suggest cash movements between the user’s accounts to avoid unnecessary overdraft charges – as soon as consent expires on any of these accounts, the app’s ability to manage risk appropriately is limited. The user is more likely to benefit from continued access than to be put at risk.
- A firm giving cheaper loans to customers in return for granular, real-time insight into their financial position – such a firm would have no option but to recall the loan or increase the interest rate should the customer fail to re-authorise their accounts. Again, the customer would likely be put at risk by failing to re-consent in a timely fashion.
It would therefore seem logical to give control of the duration of each consent to the customer. In much the same way as customers are asked on an app-by-app basis to provide consent to location sharing (e.g. “Never”, “Whilst Using the App”, “Always”, etc.), they could likewise be asked how long a particular bank consent should last at the point it is being granted (e.g. “Once”, “90 Days”, “1 Year”, “Until Further Notice”, etc.). This could be framed to the customer, alongside context from the TPP, by explaining why the relevant duration of consent is needed. For example: “We need ongoing access to your account to automatically reconcile your bank transactions – you can cancel this at any time from within the app or via your bank.”
Individual apps could determine the most appropriate time period for customer consent to last based on their own specific use cases and what they thought would be acceptable for their customers. For example, an accounting package asking to access account information “Until Further Notice” would seem much more appropriate and likely to yield approval by a customer than a KYC platform asking the same thing.
Further thoughts and summary
In order to mitigate the risk of inactive customers forgetting active consents, longer duration consents could be supplemented by periodic reminders of account access that provide the customer with a clear explanation of the access that they have granted and how to revoke it if necessary. This would, in our opinion, ensure customers remain in full control of their data whilst negating the risk of an unwanted consent remaining active.
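To make the duration-based model concrete, here is an added example (not Armalytix code, and not part of the FCA proposal) of the consent record and access check an AISP would apply before each data pull. The duration options mirror the ones suggested above (“Once”, “90 Days”, “1 Year”, “Until Further Notice”); the 90-day reminder interval for long-lived consents, the `Consent` fields and all function names are assumptions for illustration. Every access is gated on revocation, use count and expiry, and reminders are only generated for consents that outlive a single 90-day window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Duration(Enum):
    """Consent durations offered to the customer at grant time (from the text)."""
    ONCE = "once"
    DAYS_90 = "90_days"
    ONE_YEAR = "1_year"
    UNTIL_FURTHER_NOTICE = "until_further_notice"


# Assumed value: how often a long-lived consent triggers a reminder to the customer.
REMINDER_INTERVAL = timedelta(days=90)


@dataclass
class Consent:
    """One consent granted by a customer to an AISP for one bank (hypothetical schema)."""
    customer_id: str
    bank: str
    purpose: str                     # the explanation shown to the customer at grant time
    duration: Duration
    granted_at: datetime
    revoked_at: Optional[datetime] = None
    uses: int = 0                    # number of data pulls performed under this consent
    last_reminder_at: Optional[datetime] = None

    def expires_at(self) -> Optional[datetime]:
        """Fixed expiry for time-boxed consents; None for use-limited or open-ended ones."""
        if self.duration is Duration.DAYS_90:
            return self.granted_at + timedelta(days=90)
        if self.duration is Duration.ONE_YEAR:
            return self.granted_at + timedelta(days=365)
        return None


def access_allowed(consent: Consent, now: datetime) -> bool:
    """Gate every data pull: revocation, single-use exhaustion and expiry all deny access."""
    if consent.revoked_at is not None and now >= consent.revoked_at:
        return False
    if consent.duration is Duration.ONCE and consent.uses >= 1:
        return False
    expiry = consent.expires_at()
    if expiry is not None and now >= expiry:
        return False
    return True


def record_use(consent: Consent, now: datetime) -> None:
    """Perform one data pull; refuse rather than silently continue after consent lapses."""
    if not access_allowed(consent, now):
        raise PermissionError(f"consent for {consent.bank} is no longer valid")
    consent.uses += 1


def revoke(consent: Consent, now: datetime) -> None:
    """Customer revocation (from the app or via the bank) takes effect immediately."""
    consent.revoked_at = now


def reminder_due(consent: Consent, now: datetime) -> bool:
    """Periodic reminder for consents that outlive a 90-day window and are still active."""
    if not access_allowed(consent, now):
        return False
    if consent.duration in (Duration.ONCE, Duration.DAYS_90):
        return False
    anchor = consent.last_reminder_at or consent.granted_at
    return now - anchor >= REMINDER_INTERVAL


def reminder_text(consent: Consent) -> str:
    """Plain-language notice: what was granted, why, and how to stop it."""
    return (
        f"You granted ongoing access to your {consent.bank} account on "
        f"{consent.granted_at.date().isoformat()} so that we can {consent.purpose}. "
        "You can cancel this at any time from within the app or via your bank."
    )


def send_reminder(consent: Consent, now: datetime) -> str:
    """Issue the reminder and reset the interval; returns the text that would be sent."""
    consent.last_reminder_at = now
    return reminder_text(consent)


if __name__ == "__main__":
    # Constructed sample: an accounting package granted open-ended access on 1 March 2021.
    granted = datetime(2021, 3, 1, tzinfo=timezone.utc)
    c = Consent("cust-1", "Example Bank", "reconcile your bank transactions",
                Duration.UNTIL_FURTHER_NOTICE, granted)
    day = lambda n: granted + timedelta(days=n)
    record_use(c, day(120))                      # still allowed well past 90 days
    if reminder_due(c, day(120)):
        print(send_reminder(c, day(120)))
    revoke(c, day(130))
    print("access after revocation:", access_allowed(c, day(131)))
```

The important design point is that `access_allowed` is evaluated on every pull, so a revocation or expiry is honoured immediately, while `reminder_due` only fires for the long-lived options and resets each time a reminder is sent.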
It is also worth considering the minimal risk a “forgotten” consent actually represents for the customer, bearing in mind that the TPPs in question are all FCA-regulated organisations subject to data storage and sharing rules governed by the ICO.
In summary, we believe the FCA can go further in its efforts to fix the 90-day rule by moving to a duration-based model for consent, which, coupled with periodic reminders, will result in minimal (and in many cases reduced) risk for inactive consumers. By making this small but important change, we believe that the proposal will move much closer to achieving its aims of giving customers control whilst removing barriers to the continued growth, innovation and competition in the payments and e-money sector. We believe this will more quickly result in the wide-reaching adoption of Open Banking that the FCA rightly hopes for.