Open-banking connections in the UK and EU are time-limited: consumers must periodically renew access for Account Information Services, and if consent is not renewed, data import stops from the consent’s expiry date. In practice, UK connections typically require a simple third‑party reconfirmation roughly every 90 days, while EU connections require Strong Customer Authentication renewal at the bank every 180 days; failing to renew halts feeds until consent is restored.
Under PSD2’s SCA rules, AIS access originally required SCA at first use and at least every 90 days, which created friction and inconsistent experiences across banks and aggregators. The UK regulator reformed the 90‑day journey so users re‑confirm consent with the third‑party (AISP/TPP) instead of re‑authenticating with the bank, significantly reducing renewal friction while retaining customer control and security oversight. In the EU, the EBA amended the RTS to extend the SCA renewal cycle for AIS from 90 to 180 days and introduced a mandatory AISP access exemption, balancing security with innovation and user experience.
Aspect | UK | EU |
Consent/SCA cycle | Re‑consent with the TPP roughly every 90 days (no bank SCA needed for renewal) . | SCA renewal required at the bank every 180 days for AIS access . |
Who triggers renewal | The AISP/TPP prompts in‑app “manage consent” reconfirmation . | The AISP redirects the user to the bank to perform SCA after 180 days . |
First‑time setup | SCA at the bank on first connection is required . | SCA at the bank on first connection is required . |
If not renewed | Access lapses; accounting feeds stop importing from the expiry date . | Access lapses; AIS cannot fetch data until SCA is renewed . |
Fraud/Security override | Banks may revert to SCA if objectively justified (suspected fraud) . | Banks may revert to SCA if objectively justified (suspected fraud) . |
Re‑authentication means the user completes SCA with the bank again (e.g., app/biometric/2FA) to keep AIS active, which is the EU’s model at 180‑day intervals after first access. Re‑consent means the user confirms ongoing data sharing with the third party without re‑doing bank SCA, which is how UK renewals now work after the initial SCA at first connection. UK accounting and finance apps reflect this by showing an in‑product consent banner/workflow to “manage” or “confirm” consent rather than sending users back to online banking each renewal cycle.
Once consent expires, AIS access halts until consent is reconfirmed or SCA is renewed, so no new transactions can be fetched during the lapse period. In accounting tools using open banking feeds (e.g., Xero connections that support the new UK flow), transactions stop importing from the date consent expired, which is why timely renewals are critical for uninterrupted bank feeds.
The UK changes removed the need for customer SCA every 90 days and shifted renewal to TPP‑managed re‑consent, improving UX while maintaining initial SCA on first connection and ongoing user control. In the EU, the amended RTS introduced a 180‑day renewal cycle and a mandatory exemption framework; banks were required to implement the change within seven months of publication in the Official Journal, and providers widely aligned by July 25, 2023 as communicated by aggregators. These timing rules apply to Account Information Services (AIS), which cover access to balances and recent transactions without sensitive payment data; Payment Initiation Services follow different flows and are not governed by the 90/180‑day AIS renewal cadence in the same way.
In UK Xero feeds that support the new flow, renewal often appears as a simple “renew/confirm connection” control in Xero; if not reconfirmed after 90 days, the feed stops from expiry until reconfirmation. Not every UK bank supported the simplified reconfirmation at the same pace, so some connections may still require bank‑level steps depending on the provider’s implementation timeline. In QuickBooks UK, renewals are an in‑product consent journey where users select Manage consent, then confirm or withdraw to keep the bank connection active after the 90‑day mark, reflecting the TPP‑managed UK reconfirmation model.
Calendar the renewal window: plan a renewal before 90 days in the UK or 180 days in the EU to prevent lapsed access and missing transactions.
Use in‑app consent prompts: complete UK reconfirmation inside the aggregator/app where available to minimize friction and downtime.
Verify team permissions: in tools like Xero, ensure authorized staff can perform the reconfirmation so access doesn’t lapse when the owner is unavailable.
Watch for exceptions: some UK bank connections may still need bank steps depending on bank rollout; if prompts look different than expected, follow the current provider guidance.
Respond to security overrides: if a bank requests SCA due to suspected risk, complete it promptly to restore automated access.
PSD2 requires SCA when accessing account data online, but regulators balanced this with exemptions and renewal cycles to keep AIS usable, which initially meant SCA at first access and at least every 90 days. Experience showed the 90‑day cadence created churn and friction, so the UK moved reconfirmation to TPPs and the EU extended the renewal interval to 180 days while allowing banks to require SCA when fraud risk is suspected.
Is this only for AIS (data access), not payments? Yes, the timelines discussed are for AIS access to balances and recent transactions, not for initiating payments.
Will transactions backfill after renewing? The safe assumption is that access resumes from renewal; in Xero guidance, feeds stop from the expiry date if not reconfirmed, reinforcing the need to renew on time to avoid gaps.
Do all UK banks support in‑app reconfirmation? Many do, but not all implementations arrived at once; check the app’s bank‑specific guidance and complete the presented flow.
What if there are security concerns? Banks can revert to SCA or deny access if they have objectively justified, evidenced reasons to suspect unauthorized or fraudulent access.