The SCA burden reduces, the user experience improves
With the introduction of PSD2 (the European Union's Payment Services Directive), the European Union aimed to increase competition and innovation in the financial sector. With the entry of new non-bank financial service providers into the market, the range of available financial services has expanded significantly in recent years. In order to ensure that the sector can continue to develop, it is essential that the legislator periodically amends the relevant rules to reflect these changes. The amendment of the regulatory technical standard on strong customer authentication and secure communications has introduced two important changes for third-party service providers. More on PSD2 in our earlier post.
What is behind the change?
The European Union requires banks to use two-step Strong Customer Authentication (SCA) whenever someone wants to access an account. Account Information Service Providers (AISPs) are exempt from this rule, subject to certain conditions. Previously, users only had to identify themselves with SCA again 90 days after the initial authorisation. However, banks have applied this exemption differently and have sometimes required strong customer authentication before the 90 days had passed or even for each account access, creating difficulties for consumers and hindering the services provided by AISPs.
Standardised regulation and longer re-authentication period
With the amendment, the European Commission has made it mandatory for banks to apply the exemption, so that all AISPs will be exempt from SCA from 25 July 2023. To ensure the security and protection of users' data, banks can continue to request SCA before the expiry of the consent if there is a risk of fraud or if someone wants to access a bank account directly, for example via netbanking or mobile banking. Users play a crucial role in innovation, so improving the customer experience is also a priority. With this in mind, the Commission has extended the previous 90-day re-authentication period to 180 days, allowing users to benefit from the services provided by AISPs on even more favourable terms.
What does this mean for Aggreg8 users?
Aggreg8 wants to offer the safest and most convenient solution for its users and customers, who can save valuable time thanks to the new changes. When a user authorises Aggreg8 to access their account information for the first time, strong customer authentication is still required on the bank side. After that, however, Aggreg8 can retrieve the data within 180 days, up to several times a day, without the active presence of the user, who only needs to authenticate with SCA on the bank side twice a year. The authorisation can of course be revoked at any time.
Aggreg8, offering a range of open-banking-based services, became the first non-bank Account Information Service Provider (AISP) in 2019 in Hungary to be registered and supervised by the Hungarian National Bank (MNB) following the entry into force of PSD2.
The PSD2 (Payment Services Directive), introduced in 2019, has opened the doors to a wide range of innovative digital financial services in the European Union.