Santander| Approach to 90 Day Re-auth realignment under 3.1.10
The following briefing outlines the approach that Santander UK is taking to assist in the changes to Open Banking Re-Authorisations as a result of the OBIE 3.1.10 Instructions. We have also created some FAQ’s to answer different user cases and situations TPP’s may find themselves, depending on their own preparations for the changed processes. We hope we have been able to come up with a flexible approach which put the TPP in control of the transition, and we will be able to support you if you are ready straight away, or if you need more time to complete your changes ahead of the 30th September cut-off date.
Currently Santander UK issues AIS Refresh tokens to TPP’s which come with a 1 Year expiry date, from the point of creation of the initial consent, and have previously carried out an annual refresh to extend these tokens for an additional year. (Last refresh exercise was completed in July 2021).
We are proposing to complete another annual refresh of these tokens from 13th – 23rd June. This means that any TPP that calls for data with a current refresh token during that time period, will be given a new refresh token to use. We have extended the length of this token to 2 years. For example, a token that is refreshed on 20th June 2022, will have an expiry date of 19th June 2024. We therefore strongly recommend that you call for data at least once during the refresh period, to extend the life of all of your refresh tokens.
Question – Why are Santander not issuing unlimited Refresh Tokens at this time?
Answer – Santander is currently in the process of planning a re-platforming of our Open Banking solution from On-Prem to a Cloud based solution, this is expected to take 6-12 months to plan and implement, at that time existing consents and tokens will need to be re-issued. Current tokens will therefore last for the remaining expected life of our On-Prem solution.
Question – If as a TPP I call for data multiple times during the refresh window (13th to 23rd June 2022) what happens?
Answer – Each time you call during this refresh window, a new token will be issued, and replace the old refresh token – the last call you make during that window will therefore be the last token you should use going forward.
Question – What happens if I do not call for data during the refresh window (13th to 23rd June 2022)?
Answer – Your existing refresh token will not be updated and will therefore expire based on its current expiry date. After expiry, you will receive error messages 401 and data will not be shared for that customer. We therefore recommend that you ensure all Refresh tokens that are active during the Refresh Window to give you the maximum length of life.
Question – What happens for a new Token associated to a new Customer Consent?
Answer – From 13th June, for any new consent set up, you will be issued with a new refresh token valid for 2 years from date of issue.
Question – What happens if we set an expiry date within a Consent?
Answer – Your RT will expire on the date set within the Consent as it would today and subsequently would require a brand new Consent. To take advantage of the extended RT you will need to set up a Consent without an expiry date.
90 Day Re-Authorisation
From 13th June, you will now effectively be in charge of Re-authorisations for Santander customers, and whether you need to redirect customers to Santander for an SCA or not. Santander will not enforce the Re-auth journey from this point onwards and we are extending the application of the re-auth exemption for an extended period up to 30th September to allow you time to make your changes. (In the cases where a customer has revoked consent via our consent dashboard and wishes to re-authorise the original consent – that journey will remain unchanged.)
Question – I am a TPP and we are not yet ready to support the 90-day re-auth changes by 13th June?
Answer – If you are not ready, please continue to use your current 90-day re-auth journey process with the SCA handoff to Santander, which will still be available for you to use. Santander will not force the re-auth journey during this time.
Question – I am a TPP and we are ready to support the 90-day re-auth changes by 13th June?
Answer – If you are ready, please follow your revised process for TPP only Re-auth, and there is no need from this point to handoff to Santander or inform us of the Re-Auth switch. Santander will not reinforce the re-auth journey as the new rules effectively apply.
Question – Are Santander planning to communicate these changes to Customers?
Answer – No, with 150+ TPP’s connected to us for AIS services we have seen that there are various states of readiness across the TPP community, and we have decided to let each TPP control the messages/narrative and timelines in these changes, and with the above arrangements tried to give you the widest possible amount of time, and flexibility to complete the transition.
Question – Will I be able to test with the Sandbox environment?
Answer – No, the sandbox issues a new consent with each test/visit and will not support this one-off transition as outlined above.
Question – If I have questions or need support with the Santander solution where can I go?
Answer – If we haven’t answered your questions with the above, please feel free to contact Santander via a Salesforce ticket, and we will be happy to support you with any queries you may have.
|