AIS re-authentication extended to 180 days.

19/12/2022

The EU has taken an important step in easing frictions for account information services by reducing the frequency of re-authentication.

The changes were published on December 5 and will come into force on December 25, amending the regulatory technical standards on strong customer authentication and secure communication (SCA-RTS). Account servicing payment service providers (ASPSPs) will need to adhere to the changes by July 25 2023.

Where account information is accessed through an account information service provider (AISP) or directly by the customer, the period in which the user must perform strong customer authentication (SCA) again to re-authenticate has been extended from every 90 days to every 180 days.

Doubling the time interval required between SCA renewals through ASPSPs will save consumers a lot of time and reduce friction when using TPP services. At the same time, the prolonged consent period will afford TPPs greater control over accessing and managing multiple accounts from within their apps.

The renewal extension makes open banking more viable for daily and ‘out of business hours’ tasks so B2B use cases should receive a particular boost.

For Klarna Kosma, it means that we can provide clients with 180 days of account access for all banks we're connected to, not just in Sweden or Germany but also in France and Italy where we've historically seen the most challenges.

Note that the implementation of SCA-RTS in the UK is slightly different. Account access is still 90 days, but the user only has to perform the initial SCA. After 90 days, the AISP only needs to re-confirm the user's consent. It does not need to use SCA to re-authenticate.

The SCA-RTS is a delegated legislative act, under the revised Payment Services Directive (PSD2),  which was put in place in September 2019. The SCA-RTS further specifies rules for strong customer authentication and communication between payment service providers. Banks in the EU are expected to have these changes fully implemented in their APIs by mid-2023. In the UK, changes to its own version of RTS came into force on March 26 this year, with widespread adoption by the end of September.

Besides the extension to AIS re-authentication, there are two other notable amendments:

1. Mandated exemption

Account providers shall no longer apply SCA every time a customer uses an AISP to access or manage their payment account information, as long as certain conditions are met.

This should lead to improved retention rates — users will not have to undergo the SCA flow on a daily basis or suffer the frustration of constantly reconfirming their consent.

2. Voluntary exemption scope (under Article 10A)

This now only applies when customers access their account information directly with their ASPSP. It means that the ASPSP is free to decide if it wants to apply for the SCA exemption when the customer is accessing their account information directly through the bank's own online banking portal or mobile banking app. Essentially, ASPSPs are not obliged to let the PSU log in without SCA to other user interfaces than the PSD2 API.