90 Day Reconsent

Overview

A new FCA policy has been announced that no longer requires ASPSPs (Financial Institutions) to re-authenticate users every 90 days. Instead, it will be TPPs (API Clients) that will be responsible for renewing consent every 90 days.

Connections eligible for reconsent

Please see here for the list of banks that support the reconsent journey. Note that some connections with these banks can still have tppConsent set to false, for example where there has been an error on the connection or the user has revoked consent directly with the bank; such connections require a full re-authentication.

The re-authentication flow is still available to connections with tppConsent set as true.

How to use the new reconsent journey

To enable this, the following changes have been made:

  1. New fields will be exposed on the Identity API GET /users/{userId}/connections endpoint:

    • tppConsent - a boolean flag added to connections to indicate whether they require re-consent or full re-authentication. If true, the TPP is required to gain consent from the user every 90 days. If false, the existing process of re-authenticating every 90 days still applies.

  2. The expiresAt field on connections can be used to identify whether a connection's consent has expired. Once the consent expires, the connection will no longer sync and will be in sync_error status.

  3. A new endpoint will be added to the Identity API to update the consent on a connection once consent has been gained from the user. This endpoint will only be available for those API Clients that use their own consent screens. The endpoint will be PATCH /users/{userId}/connections/{connectionId}.

  4. A new consent flow will be added for https://identity.moneyhub.co.uk/oidc/auth. There is a new scope called reconsent. If this scope is used, the consent screen that is shown will redirect back to the redirect_url of the API Client rather than the bank after gaining user consent. This will update the connection (the expiresAt date on the connection will be updated from this).

Clients with their own consent screens

  • A connection can have the expiresAt field updated to reconsent the connection using the PATCH /users/{userId}/connections/{connectionId} endpoint (after the user has been shown the consent screen). This can happen at any time (i.e. don't need to wait until expiresAt has passed). The connection has to be an Open Banking API connection (not legacy) and the tppConsent flag needs to be true. Please see here for the endpoint reference.
  • If a connection has sync_error status, expiresAt is in the past and tppConsent flag is true on a connection then the PATCH /users/{userId}/connections/{connectionId} can be used to extend the consent on the connection (after the user has been shown the consent screen).
  • The PATCH /users/{userId}/connections/{connectionId} endpoint is only intended for clients that use external consent screens i.e. have the bypass consent option enabled.
  • Please note that the PATCH /users/{userId}/connections/{connectionId} endpoint sets the expiresAt field to 2 hours before the submitted consent expiry time, so that the connection expires well before the consent itself does.
  • POST /auth-requests can still be used for when full re-authentication is required.

This requires the user:update scope to be enabled for your API client.

Clients that use Moneyhub consent screens

  • A connection can have its expiresAt field updated (i.e. be re-consented) by using the reconsent scope with https://identity.moneyhub.co.uk/oidc/auth. This can happen at any time (you don't need to wait until expiresAt has passed), provided the connection is an Open Banking API connection (not legacy) and the tppConsent flag is true.
  • If a connection has sync_error status, expiresAt is in the past and tppConsent flag is true on a connection, this means that the reconsent scope can be used with https://identity.moneyhub.co.uk/oidc/auth to trigger a re-consent to keep the connection syncing successfully.
  • The new consent expiry date (not more than 90 days away) should be submitted in the mh:consent claim using the expirationDateTime property. See here for more information on consent claims.
  • The reauth scope can also still be used as usual to fully re-authenticate the user.

Moneyhub reconsent screen

Webhooks

  • Reauth reminders will remain the same for expired connections. The only difference is that the tppConsent field has now been added to the reauth reminder event body e.g.
{
  "connectionId": "7d235ab0-e951-487f-acde-73cae1a18be0",
  "bankName": "Test Bank",
  "timeUntilReauthorizationInDays": 5,
  "tppConsent": false
}

Example use cases

Below is a diagram illustrating some examples of the following:

  • How the expiresAt and tppConsent fields can be used to identify connections that require re-consent (as opposed to full re-authentication).
  • How the new update connections endpoint (PATCH /users/{userId}/connections/{connectionId}) can be used to set the new expiresAt value.
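The two use cases above, worked through in Python as an added example (this is not Moneyhub's own code): connections returned by GET /users/{userId}/connections are triaged on expiresAt and tppConsent into "ok", "reconsent" or "reauth", and the new consent expiry to submit is computed within the 90-day limit, with the endpoint's 2-hour early expiry modelled. The id key, the non-error status value, the 5-day reminder window and all sample ids and dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

REMINDER_DAYS = 5                          # assumed window; mirrors timeUntilReauthorizationInDays in the webhook
MAX_CONSENT_DAYS = 90                      # expirationDateTime in mh:consent may be at most 90 days away
SERVER_EARLY_EXPIRY = timedelta(hours=2)   # PATCH stores expiresAt 2 hours before the submitted time


def parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2024-06-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decide_action(conn, now):
    """Classify one connection: 'ok', 'reconsent' (TPP renews consent via the PATCH
    endpoint or the reconsent scope) or 'reauth' (full re-auth via POST /auth-requests)."""
    expires_at = parse_ts(conn["expiresAt"])
    consent_expired = expires_at <= now            # an expired connection also shows status sync_error
    expiring_soon = expires_at - now <= timedelta(days=REMINDER_DAYS)
    if conn.get("tppConsent"):
        # Reconsent may be done at any time; here it is only triggered when expiry is near or past.
        # Caller must also confirm this is an Open Banking API (not legacy) connection.
        return "reconsent" if (consent_expired or expiring_soon) else "ok"
    # tppConsent false: the bank still requires a full re-authentication once consent lapses.
    return "reauth" if consent_expired else "ok"


def next_consent_expiry(now, days=MAX_CONSENT_DAYS):
    """expirationDateTime to submit after the user has consented; never more than 90 days out."""
    if not 0 < days <= MAX_CONSENT_DAYS:
        raise ValueError("consent expiry must be between 1 and 90 days away")
    return now + timedelta(days=days)


def effective_expires_at(submitted):
    """expiresAt the PATCH endpoint will store for a submitted consent expiry time."""
    return submitted - SERVER_EARLY_EXPIRY


def triage(connections, now):
    """Map connection id -> action for a whole GET /users/{userId}/connections response."""
    return {c["id"]: decide_action(c, now) for c in connections}


# Constructed sample response; "id" key, "ok" status, ids and dates are made up for illustration.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONNECTIONS = [
    {"id": "conn-a", "status": "ok", "tppConsent": True, "expiresAt": "2024-06-03T12:00:00Z"},
    {"id": "conn-b", "status": "sync_error", "tppConsent": True, "expiresAt": "2024-05-20T12:00:00Z"},
    {"id": "conn-c", "status": "sync_error", "tppConsent": False, "expiresAt": "2024-05-20T12:00:00Z"},
    {"id": "conn-d", "status": "ok", "tppConsent": False, "expiresAt": "2024-08-01T12:00:00Z"},
]

if __name__ == "__main__":
    for cid, action in triage(SAMPLE_CONNECTIONS, NOW).items():
        print(cid, action)
```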