What are the changes?
The regulations governing data sharing in open banking in the UK have been changed by the Financial Conduct Authority (FCA).
The FCA’s changes mean that the consumer no longer has to re-authenticate access with their bank every 90 days. Instead, the AISP is responsible for obtaining reconfirmation of consent from the consumer every 90 days, in order for data sharing to continue.
What is the benefit?
This is a positive change. Users experience less friction while retaining ultimate control over how they share their data.
There is no impact on your users’ existing connections as a result of implementing the change. They will only see the new process when they are next triggered to re-consent.
Does this mean re-authentication will no longer be required?
Re-authentication is still required for some scenarios:
- There are still exceptional circumstances where a bank can ask a user to go through strong customer authentication (SCA). This occurs in cases where the bank believes fraudulent data access is occurring. This is very rare.
- If your app supports connections to EU banks, re-authentication remains the only way to extend data access with these providers.
How can I implement reconfirmation of consent?
TrueLayer has built a new API called Connections, providing a single integration point that supports the full variety of user experiences for extending access to a user’s data.
We encourage customers to build their own UX/UI for reconfirmation of consent for optimal user experience. Any customers who are not a regulated AISP will need to follow TrueLayer’s UX/UI design requirements.
When can I implement the new Connections API?
Now! The Connections API is available in production.
If you are not a regulated AISP
- If you chose the white-labelled option, you will need to submit your designs for review to ensure they meet TrueLayer’s requirements. You can submit your screens for review using this form.
- Once we approve your designs, we will enable the Connections API for you in production.
If you are a regulated AISP
- We have made best efforts to pre-enable all regulated customers for the Connections API. However, if you are a regulated AISP and cannot access the API in production, please submit a ticket here.
What if I am not ready to implement?
This change is for you to opt into. If you are not ready to make the integration changes then the flow will stay the same as it is today.
Our existing re-authentication endpoint will continue to work as it does today, and you’ll still be able to create new connections in the same way you always have, either via an auth link or direct bank authentication.
Ready to get started?
- Review our implementation guide
- Build your user experience design
- Submit your UX for review (only if you are not a regulated AISP)
- Go-live in production!
Stay tuned for more updates on our auth dialog release. Let us know if you have questions or feedback by submitting a ticket to our Client Operations team.