Voice of the Industry

The detrimental impact of SCA and 90-day reauthentication on the Open Banking market

Thursday 16 December 2021 10:14 CET | Editor: Irina Ionescu | Voice of the industry

Ghela Boskovich talks about the future of PSD2 and the challenges consumers face when having to reauthenticate every 90 days to comply with tech regulations

Secure Customer Authentication (SCA), combined with the requirement for end-users to reauthenticate every 90 days, is meant to provide a secure and reliable way for consumers to connect their bank accounts to regulated fintech services. But the road to Hell is paved with good intentions, and the path that SCA and the 90 Day Reauth rule have created has been chthonic at best, and hellish at worst: the entire Open Banking market has suffered from lost revenues, lost opportunities, and less innovation with fewer value propositions brought to market because of it.

The PSD2 Regulatory Technical Standards (RTS) requirements for SCA set two opposing forces in the same legal text: they require banks to introduce SCA, and they also require banks not to introduce obstacles to Third Party Providers (TPPs, fintechs) that would break their connections with customers. Experience has proven that these are incompatible requirements in the current market context, and this has created several unintended consequences, from interrupting critical services to many millions of customers, including small businesses, to severely impeding TPP businesses and creating a range of unnecessary risks for banks.

In mid-2020, members of the Financial Data and Technology Association (FDATA) compiled data on how the combination of these two rules was killing the market and putting the successful delivery of PSD2 at serious risk. This evidence was shared with both the UK and European authorities. The UK regulators have chosen to remedy the situation; the European authorities have not yet taken any remedial action.

The evidence showed that customer attrition rates range from 13% to 65% depending on the business model. These rates are simply not economically sustainable, with firms losing customers who fail to reauthenticate for a variety of mostly technical and behavioural reasons, not because of a low service value.

One TPP reported a 32.7% drop in users who did not reauthenticate after day 90. In that same group, however, more than 50% of them logged in after Day 90, indicating that they still want the service but that the hassle of reauthentication, or indeed bank API failures during the reauthorisation process, means that the service is interrupted and no longer available to them.

Of the remaining 67% of customers, only 40% reauthenticate at day 90. The rest reconnect to the fintech some time after the 90-day mark, and the customer then has to set up the service again from scratch.

To make matters worse, some banks have an exemption from providing an API and instead offer a modified customer interface (MCI). MCIs require the customer to be present for every data transfer from the bank to a TPP. In this case, the SCA and 90 Day rules result in a near 100% customer attrition rate for the TPP when the customer’s bank has an MCI.

For the last 15 years, TPPs have built services leveraging many types of whole-market financial data, services widely used across many customer types and business models that didn’t require the customer to be present. That was pre-PSD2; post-PSD2, SCA requires the customer to be present for any data request beyond payments data.

Banks are required to design systems that enable the TPP to access the customer’s payments data when the customer is not present. However, non-payment data is not included in the scope of PSD2 and the RTS. Consented access to that data is prevented because SCA is implemented at the front gate of bank customer interfaces, so SCA is applied to both payment and non-payment data.

Because non-payment data (savings, investment, and credit data) is not subject to SCA under the RTS, this data should be obtainable and flow freely once the customer has consented to the TPP accessing it. However, because of how SCA has been implemented – and in part to reduce or avoid double-login requirements for customers – non-payment data cannot and does not flow. In short, the myriad non-payments data held by banks is being restricted by technology, even though it is not restricted by regulation.

SCA was meant to be about security, but it was not meant to be applied carte blanche across all services. By legislation, SCA is limited to payments data, yet it affects all the other data, too. Moreover, no other market allows incumbent firms to control their competitors’ market access, yet this is the de facto standard under PSD2.

Banks can and do control TPPs’ ability to access customer data, despite the end customer having granted that permission to the fintech; that control comes in part from how and when SCA is applied in the customer journey, and in part from the cliff-edge 90-day rule imposed by the SCA-RTS. This asymmetric control of market access is anticompetitive.

And in no other market are incumbent firms in control of their competitors’ relationship with their end customers, yet this is exactly what PSD2 enables, as it puts banks in charge of reminding fintechs’ customers of the data access connection and service. Consent resides with the TPP; reauthentication, however, takes place at the bank.

PSD2’s political objective is to nurture companies that bring competition to the market, promote innovation, and improve security. None of this is happening because of how SCA and 90 Day Reauth have been designed and implemented. Unless these rules are changed – with regulators taking all practical steps – PSD2 will be a failure, and a very public failure at that.

This article was originally published in The Paypers’ Open Banking Report 2021.

About Ghela Boskovich

A regulatory economist by training, Ghela Boskovich is the head of FDATA Europe, championing a level competitive playing field for fintechs in Open Banking and Finance to bring to market their innovative value propositions to the end consumer.

About FDATA

The Financial & Data Technology Association (FDATA) lobbies government, regulators, policy makers, and key stakeholders to support the benefits that Open Banking and Finance bring to end customers; FDATA provides collective bargaining and negotiating power for fintechs in the Open Banking ecosystem.

Keywords: Open Banking, regulation, PSD2, SCA, online authentication, TPP, API
Categories: Securing Transactions | Online & Mobile Banking
Countries: Europe