It’s been three years since the Second Payment Services Directive (PSD2) marked the start of Open Banking in Europe. And while PSD2’s ambitious goals and worthy intentions were admirable, it’s also a good time to look at what isn’t working so as not to repeat these same mistakes when bringing Open Banking to other countries.
Reconsidering the 90 Day Reauthorization Rule
This past January, the United Kingdom Financial Conduct Authority (FCA) submitted a whitepaper highlighting changes it is proposing for Open Banking in the UK. Chief among these changes: removing the requirement for users to reauthenticate their connections every 90 days, as currently mandated by the Secure Customer Authentication (SCA) regulations within PSD2.
As Ghela Boskovich, Regional Director/Head of Europe at Financial Data and Technology Associates (FDATA), notes in a recent LinkedIn post, “This is a very, very big deal for Third Party Providers (TPPs – or fintechs leveraging Open Banking data) because the requirements to implement SCA and perform 90 Day Reauthentication have had an extremely detrimental impact on those very TPPs PSD2 is meant to promote.” 1
How We Got To This Moment
Credit for this proposed change is due in large part to FDATA’s ongoing effort to present UK regulators with evidence that the 90 Day rule is an unintended consequence of PSD2 that harms the market. The proof points FDATA gathered from a broad sample of mostly mature TPPs included:
• Economically unsustainable attrition rates (ranging from 13% to 65%), with firms losing customers who fail to reauthenticate for mostly technical and behavioral reasons, not because of low service value.
• Testimony from many TPPs saying they are considering returning money to shareholders because they cannot sustain their business under these circumstances.
FDATA’s legal, technical and evidence-based arguments proved persuasive to both UK regulators and UK banks, resulting in a series of reports by governing policy groups calling out the 90 Day rule. These included the Competition & Markets Authority and the Department for Business, Energy and Industrial Strategy, which, in their March 2020 Smart Data Research Report, summed up their findings this way: “While PSD2 provides for 90-day re-authentication, it does not work well for either consumer or market.” 2
Now the FCA has reached a similar conclusion in its January 2021 whitepaper: “The requirement to re-apply SCA every 90 days has proven burdensome for customers, creating friction in the user experience, and hindering uptake of open banking services. [And] as a result, the full benefits of open banking to UK consumers and competition are not being realized.” 3, 4
Where Do We Go From Here
As a founding member of FDATA, Envestnet | Yodlee supports the efforts to compile and share this evidence and backs the FCA’s proposed changes to the SCA. Envestnet | Yodlee works with many financial institutions and regulators around the world that are looking to emulate Europe’s Open Banking standards, and as such we are seeing some features, like 90-day reauthentication, gain traction elsewhere. As we continue to build direct partnerships with banks in other countries where Open Banking is being considered, we will urge these jurisdictions to learn from the European experience with SCA and to do a better job of balancing the consumer experience with security and safety concerns.
References
2. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/909363/Dgen_and_BEIS_-_Smart_Data_-_Consent.pdf, page 45
3. https://www.fca.org.uk/publication/consultation/cp21-3.pdf, page 9, paragraph 3.8
4. Ibid., page 10, paragraph 3.9