Content Deep Dive
Misconceptions of authentication and authorisation: why 90-day reauthentication does not work
Blog post from Plaid
Post Details
Company
Date Published
Author: Kat Cloud
Word Count: 346
Language: English
Hacker News Points: -
Summary
The concepts of authorisation and authentication under PSD2 are legally captured by access and consent, but only work as intended when a consumer first connects their payment account to a Third Party Provider. The 90-day "reauthentication" requirement is problematic because it conflates reauthorisation with reauthentication, involving financial institutions in a way that harms consumers and the ecosystem. A new proposal by the FCA aims to remove this requirement and replace it with 90-day reauthorisation, which would benefit TPPs and ensure open banking works as intended for all parties involved.