90 Day Reconsent
Overview
A new FCA policy has been announced that no longer requires ASPSPs (Financial Institutions) to re-authenticate users every 90 days. Instead, it will be TPPs (API Clients) that will be responsible for renewing consent every 90 days.
Connections eligible for reconsent
Please see here for the list of banks that support the reconsent journey. Note that some connections with these banks can still have `tppConsent` set to `false` where there has been an error on the connection or the user has revoked consent directly with the bank; those connections require a full re-authentication. The re-authentication flow also remains available to connections with `tppConsent` set to `true`.
How to use the new reconsent journey
To enable this, the following changes have been made:
- New fields are exposed on the Identity API `GET /users/{userId}/connections` endpoint: `tppConsent`, a boolean flag added to connections to indicate whether they require re-consent or full re-authentication. If `true`, the TPP is required to gain consent from the user every 90 days. If `false`, the existing process of re-authenticating every 90 days still applies.
- The `expiresAt` field on connections can be used to identify whether a connection has an expired consent. If the consent expires, the connection will no longer sync and will be in `sync_error` status.
- A new endpoint has been added to the Identity API to update the consent on a connection once consent has been gained from the user. This endpoint is only available to API Clients that use their own consent screens. The endpoint is `PATCH /users/{userId}/connections/{connectionId}`.
- A new consent flow has been added for `https://identity.moneyhub.co.uk/oidc/auth`, using a new scope called `reconsent`. If this scope is used, the consent screen that is shown redirects back to the `redirect_url` of the API Client rather than to the bank after gaining user consent. This updates the connection (the `expiresAt` date on the connection is updated from this).
Clients with their own consent screens
- A connection's `expiresAt` field can be updated to reconsent the connection using the `PATCH /users/{userId}/connections/{connectionId}` endpoint, after the user has been shown the consent screen. This can happen at any time (there is no need to wait until `expiresAt` has passed). The connection has to be an Open Banking API connection (not legacy) and the `tppConsent` flag needs to be `true`. Please see here for the endpoint reference.
- If a connection has `sync_error` status, `expiresAt` is in the past and the `tppConsent` flag is `true`, then `PATCH /users/{userId}/connections/{connectionId}` can be used to extend the consent on the connection, again only after the user has been shown the consent screen.
- The `PATCH /users/{userId}/connections/{connectionId}` endpoint is only intended for clients that use external consent screens, i.e. that have the bypass consent option enabled.
- Please note that the `PATCH /users/{userId}/connections/{connectionId}` endpoint sets the `expiresAt` field to 2 hours before the time submitted, so that the connection expires well before the consent itself does.
- `POST /auth-requests` can still be used when full re-authentication is required.

This requires the `user:update` scope to be enabled for your API client.
Clients that use Moneyhub consent screens
- A connection's `expiresAt` field can be updated to reconsent the connection by using the `reconsent` scope with `https://identity.moneyhub.co.uk/oidc/auth`. This can happen at any time (there is no need to wait until `expiresAt` has passed) if the connection is an Open Banking API connection (not legacy) and the `tppConsent` flag is `true`.
- If a connection has `sync_error` status, `expiresAt` is in the past and the `tppConsent` flag is `true`, the `reconsent` scope can be used with `https://identity.moneyhub.co.uk/oidc/auth` to trigger a re-consent and keep the connection syncing successfully.
- The new consent expiry date (not more than 90 days away) should be submitted in the `mh:consent` claim using the `expirationDateTime` property. See here for more information on consent claims.
- The `reauth` scope can also still be used as usual to fully re-authenticate the user.
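The authorization request the list above describes, as an added example (not Moneyhub's own code or client library): it builds the `https://identity.moneyhub.co.uk/oidc/auth` request with the `reconsent` scope and an `mh:consent` claim whose `expirationDateTime` is capped at 90 days ahead, and binds the callback to the browser session with `state` and `nonce`. Two things are assumptions, not taken from this page: that the `mh:consent` claim goes in the `id_token` section of the standard OIDC `claims` parameter, and that the target connection is selected with an `mh:con_id` claim as in Moneyhub's re-auth journey. The page's consent-claims reference is authoritative for both. `redirect_uri` is the standard OIDC parameter name for what the page calls `redirect_url`.

```python
"""Build the authorization request for the `reconsent` journey (added example)."""
import json
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://identity.moneyhub.co.uk/oidc/auth"
MAX_CONSENT = timedelta(days=90)  # the page: the new expiry may not be more than 90 days away


def consent_expiry(now: datetime, days: int = 90) -> str:
    """ISO-8601 value for the `expirationDateTime` property, at most 90 days ahead."""
    if not 0 < days <= MAX_CONSENT.days:
        raise ValueError("consent expiry must be between 1 and 90 days ahead")
    return (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def reconsent_auth_url(client_id: str, redirect_uri: str, connection_id: str,
                       expiration: str, state: str, nonce: str) -> str:
    """Return the full /oidc/auth URL for re-consenting one connection."""
    claims = {
        "id_token": {
            # ASSUMED: the connection is selected with mh:con_id, as in the reauth journey.
            "mh:con_id": {"essential": True, "value": connection_id},
            # expirationDateTime inside mh:consent is from the page; the id_token placement is assumed.
            "mh:consent": {"essential": True, "value": {"expirationDateTime": expiration}},
        }
    }
    params = {
        "client_id": client_id,
        "response_type": "code",
        # With the reconsent scope the consent screen returns to redirect_uri, not to the bank.
        "scope": "openid reconsent",
        "redirect_uri": redirect_uri,
        "state": state,   # must be checked on the callback before touching the connection
        "nonce": nonce,   # ties the returned id_token to this request
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_auth_url(url: str) -> dict:
    """Decode the query string back into {param: value}, with `claims` parsed as JSON."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    query["claims"] = json.loads(query["claims"])
    return query


def new_state_and_nonce() -> tuple:
    """Fresh unguessable values; store them server-side against the user's session."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


# Fixed instant and constructed identifiers for the example; not real credentials.
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    url = reconsent_auth_url("example-client-id", "https://tpp.example/callback",
                             "7d235ab0-e951-487f-acde-73cae1a18be0",
                             consent_expiry(NOW), state, nonce)
    print(url)
```

The request is sent by redirecting the user's browser to the returned URL; when the callback arrives at `redirect_uri`, compare its `state` with the stored value before treating the connection as re-consented, and read the updated `expiresAt` back from `GET /users/{userId}/connections` rather than assuming it.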
Moneyhub reconsent screen
Webhooks
- Reauth reminders remain the same for expired connections. The only difference is that the `tppConsent` field has been added to the reauth reminder event body, e.g.

```json
{
  "connectionId": "7d235ab0-e951-487f-acde-73cae1a18be0",
  "bankName": "Test Bank",
  "timeUntilReauthorizationInDays": 5,
  "tppConsent": false
}
```
Example use cases
Below is a diagram illustrating some examples of the following:
- How the `expiresAt` and `tppConsent` fields can be used to identify connections that require re-consent (as opposed to full re-authentication).
- How the new update connections endpoint (`PATCH /users/{userId}/connections/{connectionId}`) can be used to set the new `expiresAt` value.
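The triage the diagram describes, worked through in code as an added example (not Moneyhub's own code): it classifies records from `GET /users/{userId}/connections` into the reconsent journey versus full re-authentication using `tppConsent` and `expiresAt`, maps a reauth-reminder webhook body onto the same decision, and builds the body for `PATCH /users/{userId}/connections/{connectionId}` while enforcing the 90-day cap and showing the 2-hour margin the endpoint applies. This also covers the rules in the "Clients with their own consent screens" section. Assumptions, marked in the code: the connection records are constructed sample data; the legacy-versus-API distinction is represented by a `type` field with the value `legacy`; and the PATCH body shape `{"expiresAt": ...}` is assumed, so check it against the endpoint reference.

```python
"""Triage connections for reconsent vs re-authentication (added example)."""
from datetime import datetime, timedelta, timezone

MAX_CONSENT = timedelta(days=90)     # consent may run at most 90 days
SERVER_MARGIN = timedelta(hours=2)   # the PATCH endpoint stores expiresAt 2 hours early

# Fixed "now" for the constructed sample below.
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2024-05-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def journey(conn: dict) -> str:
    """'reconsent' when the TPP-side journey applies, otherwise 'reauth'.

    tppConsent false means a bank-side error or a revocation at the bank, and a
    legacy (non Open Banking API) connection never qualifies: both need full re-auth.
    ASSUMED: legacy connections are marked with type == "legacy".
    """
    if conn.get("tppConsent") is True and conn.get("type") != "legacy":
        return "reconsent"
    return "reauth"


def is_expired(conn: dict, now: datetime) -> bool:
    """True once expiresAt is in the past; such connections sit in sync_error."""
    return _ts(conn["expiresAt"]) <= now


def plan(connections: list, now: datetime) -> dict:
    """{connection id: (journey, expired?)} for a batch of connection records."""
    return {c["id"]: (journey(c), is_expired(c, now)) for c in connections}


def reminder_action(event: dict) -> str:
    """Map a reauth-reminder webhook body onto the journey to start."""
    return "reconsent" if event.get("tppConsent") is True else "reauth"


def proposed_expiry(now: datetime, days: int) -> datetime:
    return now + timedelta(days=days)


def reconsent_patch_body(requested_expiry: datetime, now: datetime) -> dict:
    """Body for PATCH /users/{userId}/connections/{connectionId} (shape ASSUMED).

    Call this only after the user has actually been shown a consent screen; the
    endpoint does not know whether consent was really gathered.
    """
    if requested_expiry <= now:
        raise ValueError("new consent expiry must be in the future")
    if requested_expiry - now > MAX_CONSENT:
        raise ValueError("consent may not be extended by more than 90 days")
    return {"expiresAt": requested_expiry.strftime("%Y-%m-%dT%H:%M:%SZ")}


def stored_expiry(requested_expiry: datetime) -> datetime:
    """What expiresAt will read after the PATCH: 2 hours before the requested time."""
    return requested_expiry - SERVER_MARGIN


# Constructed sample records, not a real API response.
SAMPLE_CONNECTIONS = [
    {"id": "c1", "expiresAt": "2024-06-10T09:00:00Z", "tppConsent": True, "status": "ok", "type": "api"},
    {"id": "c2", "expiresAt": "2024-05-01T09:00:00Z", "tppConsent": True, "status": "sync_error", "type": "api"},
    {"id": "c3", "expiresAt": "2024-05-01T09:00:00Z", "tppConsent": False, "status": "sync_error", "type": "api"},
    {"id": "c4", "expiresAt": "2024-06-10T09:00:00Z", "tppConsent": True, "status": "ok", "type": "legacy"},
]

if __name__ == "__main__":
    for cid, (action, expired) in plan(SAMPLE_CONNECTIONS, NOW).items():
        print(f"{cid}: {'expired, ' if expired else ''}{action}")
    reminder = {"connectionId": "7d235ab0-e951-487f-acde-73cae1a18be0", "bankName": "Test Bank",
                "timeUntilReauthorizationInDays": 5, "tppConsent": False}
    print("reminder ->", reminder_action(reminder))
    wanted = proposed_expiry(NOW, 90)
    print(reconsent_patch_body(wanted, NOW), "stored as", stored_expiry(wanted).isoformat())
```

Connection `c2` is the case the page singles out: `sync_error`, `expiresAt` in the past and `tppConsent` true, so a PATCH after a fresh consent screen (or the `reconsent` scope) restores syncing without sending the user back to the bank. `c3` looks identical except for `tppConsent`, and nothing but `POST /auth-requests` or the `reauth` scope will help there.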