New SCA Rules to Reduce Friction in Open Banking Payments


Changes to strong customer authentication (SCA) rules in Europe are aiming to reduce customer friction.

In the EU, the European Banking Authority (EBA) has updated its regulatory technical standards (RTS) to extend the 90-day “reauthentication rule” to 180 days.

Under the EU’s old RTS, customers needed to reconsent to third parties accessing their account data every 90 days. But under the new rules, which were adopted by the European Commission in August and will come into force next spring, that timeframe has been doubled.

Taking a different approach, in the U.K., the Financial Conduct Authority (FCA) has done away with reauthentication requirements in favor of a more streamlined version of the 90-day rule.

As of Sept. 30, customers no longer need to reauthenticate with their bank when they access their accounts through an account information services provider (AISP), an entity that collects account data from banks thanks to open banking rules.

Under the new regime, AISPs can obtain consent directly from users via a simple yes or no verification every 90 days.

The crucial change for the U.K.’s open banking ecosystem is the transition from reauthentication to reconfirmation.

Previously, open banking users needed to confirm access for every open banking service and with each of their connected banks every 90 days using strong customer authentication (SCA), which requires providing two or more different security credentials.

Now, however, once the initial authentication has been processed, AISPs can simply reconfirm that customers are happy for them to access their account data without needing to go through the SCA process with each connected bank.

The change will be most beneficial to AISPs that offer consumers a way to manage their finances across multiple banks from a single interface.

In the U.K., FinTechs like Plum and Cleo have built their money management services on the concept of aggregating account data from multiple sources.


But under the previous 90-day rule, consumers wanting to connect more accounts — the very people with the most to gain from aggregating their account data — also faced the most friction in reauthenticating with multiple banks.

Broadly speaking, the U.K.’s open banking industry has welcomed the changes.

Moreover, as Jan van Vonno, head of industry strategy at Tink, commented in a statement emailed to PYMNTS, the U.K. model calls into question the EU’s continued adherence to reauthentication.

He argued that the “change addresses the core problem of continuous friction for the consumer, and open banking businesses having to routinely re-onboard their entire customer base,” adding that “we view the U.K. model … as a much more workable option.”

EU and U.K. Diverge on SCA Rules

In the latest post-Brexit regulatory divergence between the EU and the U.K., consumers whose finances span both jurisdictions now find themselves subject to two separate rulebooks.

For example, a consumer who wants to connect an open banking financial management app to accounts in the European Union and the U.K. will now have to reconfirm every 90 days for their U.K.-based connections and reauthenticate every 180 days for accounts in the EU.

In another change to its SCA standards, the FCA has adopted a more expansive concept of “inherence” intended to allow for alternative technologies to be included under the umbrella of SCA.

In SCA jargon, inherence refers to something that someone inherently is, and is one of three identifying features of an individual that can be used to authenticate payments. The other two are knowledge (something the customer knows) and possession (something the customer has). To authenticate a payment, payment service providers must be able to verify identity by at least two of the three.

Referring to the EU rulebook by which U.K. firms were previously bound, the FCA writes that “we consider that the EBA guidance … may be unnecessarily restrictive and not accurately reflect the meaning of inherence.”

As such, the authority has updated its guidance to include data-based behavioral analytics such as spending patterns within its definition of inherence, a move that further differentiates the U.K.’s approach from the EU.

While biometrics and behavioral analytics rooted in physical attributes, such as typing speed or the angle at which a user holds their device, will continue to serve as adequate identifying features in both the EU and the U.K., only in the U.K. do non-physical behavioral data qualify as valid authentication factors for now.
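The rules described above (two of three factor categories for SCA, a 90-day reconfirmation in the U.K. versus a 180-day reauthentication in the EU, and the U.K.-only acceptance of non-physical behavioral inherence) as a small access-review checker of the kind an AISP might run over its connections. This is an added illustration, not code from PYMNTS, Tink or any regulator; the function names, the `non_physical` flag and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Access-review cadence as described above: U.K. connections need a yes/no
# reconfirmation with the AISP every 90 days; EU connections need SCA
# reauthentication with the bank every 180 days. (Assumed encoding of the rules.)
ACCESS_RULES = {"UK": ("reconfirm", 90), "EU": ("reauthenticate", 180)}

# The three SCA factor categories; a valid SCA needs two distinct ones.
CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Factor:
    name: str                   # e.g. "password", "registered phone", "fingerprint"
    category: str               # one of CATEGORIES
    non_physical: bool = False  # behavioral data not rooted in a physical trait


def access_status(jurisdiction: str, last_review: date, today: date) -> str:
    """Return 'valid' or the action the connection now needs."""
    action, max_days = ACCESS_RULES[jurisdiction]
    return action if (today - last_review).days >= max_days else "valid"


def satisfies_sca(factors, jurisdiction: str) -> bool:
    """True when the presented factors span at least two categories.
    Non-physical behavioral inherence (e.g. spending patterns) counts only
    in the U.K., per the FCA's broadened definition; physical behavioral
    traits such as typing cadence count everywhere."""
    usable = set()
    for f in factors:
        if f.category not in CATEGORIES:
            raise ValueError(f"unknown factor category: {f.category!r}")
        if f.non_physical and jurisdiction != "UK":
            continue  # not an accepted factor under the EU rulebook
        usable.add(f.category)
    return len(usable) >= 2


def review_connections(connections, today: date) -> dict:
    """Map each (label, jurisdiction, last_review) to its required action,
    e.g. for a consumer holding accounts on both sides of the Channel."""
    return {label: access_status(j, last, today) for label, j, last in connections}


if __name__ == "__main__":
    # Constructed sample: one U.K. and one EU account, both reviewed on 1 Jan 2024.
    conns = [("uk-current", "UK", date(2024, 1, 1)), ("eu-savings", "EU", date(2024, 1, 1))]
    print(review_connections(conns, date(2024, 3, 31)))
    # -> {'uk-current': 'reconfirm', 'eu-savings': 'valid'}
```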
