Payments Risk & Compliance

PSD2 Alert: Authentication period for account information services extended to 180 days

Date:May 3, 2023

The European Union wants to make it easier for users of payment services to get an overview of their financial situation. That’s why the EU has taken an important step in reducing the obstacles to using account information services (AIS): online services for providing consolidated information about one or more payment accounts with different payment service providers.

Payment service users will soon have to go through the process of Strong Customer Authentication (SCA) less frequently. The obligation to re-authenticate after 90 days is extended to 180 days.

Although the new rules were already announced on December 5, 2022, Account Servicing Payment Service Providers (usually banks) do not have to implement them until July 25, 2023.

What does this mean for payment service users?

If account information is accessed through an account information service provider (AISP) or directly by an account holder, it must be authenticated via SCA. Instead of every 90 days, payment service users will only have to re-authenticate after 180 days. This means entering codes, looking up bank cards and readers, and navigating through bank interfaces half as often before account overviews are loaded.

For business users who use the service through an AIS accounting party, it reduces the chance of errors. For example, by limiting the number of potential “missed transactions”. These are transactions that the AISP cannot read because the business user lets too much time elapse between the last two moments of authentication. In short, the extension of the authentication period saves end customers time and reduces friction when using account information services.

What does this mean for AISPs?

Account information service providers gain more control over access to account information from different linked payment accounts within their service. In addition, it is expected that the usability of open banking for B2B use cases will increase. The decreased frequency of re-authentication is also expected to improve user retention as they do not have to go through the SCA flow again every 90 days.

What does this mean for banks?

Banks are obliged to change the technical interface for their payment accounts to comply with the new authentication periods. This mainly refers to the interface used for AISP access to payment account information. Banks must make the changes to the technical specifications of the interfaces available to AISPs no later than May 25, 2023.

Banks are also allowed to adjust the SCA periods for authentication and communication with their own account holders to 180 days, but this is not mandatory.

Want to know more?

Do you have any questions about the scope, interpretation, or implementation of PSD2? Our specialists are happy to help. Please feel free to contact us.

About Projective Group

Established in 2006, Projective Group is a leading Financial Services change specialist. With deep expertise across practices in Data, Payments, Transformation and Risk & Compliance.

We are recognised within the industry as a complete solutions provider, partnering with clients in Financial Services to provide resolutions that are both holistic and pragmatic.  We have evolved to become a trusted partner for companies that want to thrive and prosper in an ever-changing Financial Services landscape.