Financial Conduct Authority updates guidance on 90-day Strong Customer Authentication

The UK-based regulator announced a change to the 90-day re-authentication rule in November 2021, meaning that customers will no longer need to reauthenticate when they access their account information through a third-party provider (TPP). Instead, the FCA said ‘TPPs will be required to obtain explicit consent from customers at least every 90 days’.

On 1 March 2022, the FCA updated its guidance on Strong Customer Authentication (SCA) to support the transition requirement of the UK- RTS Article 10A exemption including reconfirmation of consent by AISPs (pursuant to Article 36(6)).

This regulatory change comes into force on 26 March 2022. However, the FCA has provided the following updates: 

1. ASPSPs to apply the exemption as soon as possible after 26 March 2022 with a view to the widespread adoption of the exemption by 30 September 2022.
   
2. TPPs to be technically ready to reconfirm customer consent under Article 36(6) of the SCA-RTS as soon as possible after 26 March 2022. However, they may choose not to reconfirm consent until 30 September 2022 provided that SCA is applied at least every 90 days during that period.

The OBIE is supportive of these changes which we believe will minimise disruption to consumers and SMEs as the industry prepares to implement these changes.