90-Days Re-authentication

User Journey

The PSRs require Strong Customer Authentication (SCA) to be performed each time the PSU accesses its online payment account, either directly or using the services of an AISP. The frequency of authentication can be reduced if an ASPSP applies the exemption relevant to account information access (RTS, Article 10); however, this will still require the PSU to be authenticated at least every 90 days. A PSU that has given long-lived consent to an AISP for account information services has to undergo SCA if it is accessing its account information via the AISP online for the first time, or if more than 90 days have elapsed since the last time the PSU accessed the information and SCA was applied. Irrespective of the duration of the consent agreed between the AISP and the PSU for the provision of the account information service, the PSU would still need to undergo SCA with their ASPSP at least every 90 days. This frequency may also increase if the PSU holds multiple payment accounts with various ASPSPs, as they would need to undertake SCA for each of those ASPSPs on an individual basis.

(It should be noted that the API specification allows the AISP to inform the ASPSP that the request is a refresh rather than a new request).
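As an added worked example, which is not part of the guidelines or of the Open Banking API specification, the following Python model applies the 90-day rule to the access grants an AISP holds for one PSU. The record layout, the ASPSP names, the account identifiers and the seven-day advance-notice window are all assumptions made for this illustration. It shows that SCA is required on first access and once more than 90 days have passed since the last SCA, and that the outcome is tracked per ASPSP because the PSU authenticates with each ASPSP separately.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# RTS Article 10: the PSU must be re-authenticated with each ASPSP at least every 90 days.
SCA_MAX_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class AccountAccess:
    """One AISP access grant to one payment account at one ASPSP.

    Hypothetical record kept by the AISP; the field names are this example's
    own and are not taken from the Open Banking API specification.
    """
    aspsp: str
    account_id: str
    last_sca_at: Optional[datetime]  # None: the PSU has never completed SCA for this access


def sca_required(access: AccountAccess, now: datetime) -> bool:
    """True when the AISP may not fetch data until the PSU undergoes SCA with the ASPSP.

    SCA is required on first online access via the AISP and whenever more than
    90 days have elapsed since the last time SCA was applied (exactly 90 days
    is still within the window).
    """
    if access.last_sca_at is None:
        return True
    return now - access.last_sca_at > SCA_MAX_INTERVAL


def days_until_refresh(access: AccountAccess, now: datetime) -> int:
    """Whole days left before SCA becomes required (0 when it is already required)."""
    if access.last_sca_at is None:
        return 0
    remaining = access.last_sca_at + SCA_MAX_INTERVAL - now
    return max(0, remaining.days)


def refresh_plan(accesses: List[AccountAccess], now: datetime,
                 advance_notice: timedelta = timedelta(days=7)) -> Dict[str, Dict[str, List[str]]]:
    """Group accounts per ASPSP into those needing SCA now ("due"), those inside the
    AISP's advance-notice window ("due_soon") and those still valid ("valid").

    The advance-notice period is the AISP's own choice (the guidelines leave it
    in the AISP's competitive space); seven days is an assumed default. Results
    are keyed by ASPSP so the PSU can be shown every account that one
    authentication with that ASPSP will refresh.
    """
    plan: Dict[str, Dict[str, List[str]]] = {"due": {}, "due_soon": {}, "valid": {}}
    for access in accesses:
        if sca_required(access, now):
            bucket = "due"
        elif days_until_refresh(access, now) <= advance_notice.days:
            bucket = "due_soon"
        else:
            bucket = "valid"
        plan[bucket].setdefault(access.aspsp, []).append(access.account_id)
    return plan


# Constructed sample data: one PSU holding accounts at two hypothetical ASPSPs.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCESSES = [
    AccountAccess("bank-a", "acc-001", NOW - timedelta(days=91)),  # over 90 days: SCA required
    AccountAccess("bank-a", "acc-002", NOW - timedelta(days=30)),  # still valid
    AccountAccess("bank-b", "acc-101", None),                      # first access: SCA required
    AccountAccess("bank-b", "acc-102", NOW - timedelta(days=85)),  # 5 days left: notify in advance
]


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Return the refresh plan for the constructed sample data."""
    return refresh_plan(SAMPLE_ACCESSES, NOW)


if __name__ == "__main__":
    for bucket, by_aspsp in demo().items():
        print(bucket, by_aspsp)
```

Running the module prints the plan for the constructed sample: two accounts that need SCA now (one at each ASPSP), one at bank-b inside the notice window and one at bank-a still valid. The alert in checklist step 1 would be driven from the "due" and "due_soon" groups, and the cross-ASPSP account selection in consideration 2 from the same per-ASPSP grouping.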

Wireframes

CEG Checklist 1

AISPs should alert the PSU when authentication needs to be performed to refresh AISP access.

Note: the AISP may notify the PSU (in session or outside, e.g. via SMS or push notification) in advance, and the advance period can be left in the AISP's competitive space.

CX Considerations 2

AISPs must allow the PSU to select all the payment accounts across ASPSPs that may or may not be due for access refresh.

CX Considerations 3

AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g. the data permissions required, the purpose for which it will be used etc.) will change.

If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP.

CEG Checklist 4

AISPs must also allow the PSU to confirm their request after selecting the accounts.

CEG Checklist 5

AISPs must ask the PSU to undergo SCA with the AISP provided credentials as agreed with the ASPSPs.

CEG Checklist 6

AISPs should provide confirmation to the PSU that authentication has been successfully completed and access has been refreshed.

Note: the AISP may make an asynchronous call to each ASPSP after the PSU has confirmed their request and successfully authenticated to continue access. The AISP should notify the PSU with an appropriate message that access to the respective account(s) will be refreshed with their ASPSP(s).

CEG Checklist Requirements & CX Considerations

1. CEG Checklist requirement (reference 16): AISPs should alert the PSU when authentication needs to be performed to refresh AISP access.

   Note: the AISP may notify the PSU (in session or outside, e.g. via SMS or push notification) in advance, and the advance period can be left in the AISP's competitive space.

2. CX Consideration: AISPs must allow the PSU to select all the payment accounts across ASPSPs that may or may not be due for access refresh.

3. CX Consideration: AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g. the data permissions required, the purpose for which it will be used etc.) will change.

   If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP.

4. CEG Checklist requirement (reference 17a): AISPs must also allow the PSU to confirm their request after selecting the accounts.

5. CEG Checklist requirement (reference 17b): AISPs must ask the PSU to undergo SCA with the AISP-provided credentials as agreed with the ASPSPs.

6. CEG Checklist requirement (reference 18a): AISPs should provide confirmation to the PSU that authentication has been successfully completed and access has been refreshed.

   Note: the AISP may make an asynchronous call to each ASPSP after the PSU has confirmed their request and successfully authenticated to continue access. The AISP should notify the PSU with an appropriate message that access to the respective account(s) will be refreshed with their ASPSP(s).

NOTE:

“Agent” means a person or entity who acts on behalf of an authorised payment institution or a small payment institution in the provision of payment services, including account information services.

When an agent acts on behalf of the AISP, the PSU must, in the case of requirement #3, be made aware of this within the consent journey. Please see the details in requirement #3.

For more details on the 90-day access period refer to Refreshing AISP access.

v3-1-4