90-day reconfirmation of consent in the UK without SCA
Context
Prior to the implementation of the 90-day consent reconfirmation in the UK, GC Bank Account Data (BAcD) end-users (PSUs) were required to undergo full Strong Customer Authentication (SCA) every 90 days with their bank. As a user of the BAcD API, you were restricted to creating consents with a maximum validity of 90 days.
By introducing a seamless reconfirmation of consent for an additional 90 days, we can significantly enhance convenience for PSUs (end users), thereby promoting consistent use of Account Information Services (AIS) and improving conversion, while at the same time ensuring that they still want to use the service and share their data with us.
How has GoCardless as an AISP implemented the change?
Previously, GoCardless Bank Account Data consents in the UK were set for a duration of 90 days or less, depending on the specific use case of the merchant.
Starting from 2025-07-28, GoCardless Bank Account Data will introduce extended consent periods. This adjustment allows you to set longer consent periods; however, customers will still need to reconfirm their consent every 90 days. After this change, the maximum consent period is limited to 180 days, but GoCardless is working towards enabling even longer periods.
As the 90-day period approaches expiration, you will notify PSUs via email or a notification in their app up to 14 days in advance. PSUs will be directed to the GoCardless domain to reconfirm their consent. Customers will have the ability to view and manage each of their consents, including expiry dates, connected accounts, and the data being accessed. Additionally, they will be able to reconfirm consent for a specific bank account or for all their accounts simultaneously. If a customer misses the reconfirmation period, they can still reconfirm their consent up to 14 days after the expiration date; however, you will not have access to their data until consent is successfully reconfirmed.
Does this mean that the customer is no longer required to authenticate with their bank?
The end user (PSU) will always be required to authenticate with their bank during the initial set-up of each consent. However, the aim of reconfirmation of consent is to remove the need to re-authenticate with their bank every 90 days, provided that they are accessing balances and transactions executed within the last 90 days. Banks are nevertheless permitted to require authentication for objective reasons, for example if they suspect fraud. While this is highly unlikely, it could happen at any time during a valid consent.
Customers may be required to authenticate with a full SCA 14 days after the expiry of the initial 90-day period if they have not reconfirmed their consent. Additionally, they will need to authenticate every 180 days, as this is the maximum duration of consent that GoCardless can support.
How it works
Merchant experience in a nutshell
The Bank Account Data API provides a reconfirmation flag that needs to be enabled upon creating a new end user agreement (EUA) for UK institutions, and a dedicated endpoint for reconfirmation. The new EUA reconfirmation endpoint enables merchants to generate the reconfirmation URL for a specific requisition. This reconfirmation URL, valid for 72 hours, is shared by the merchant with the PSU via email or the merchant’s app.
When the customer (PSU) interacts with the reconfirmation URL, they can either reconfirm or decline account access for the merchant by leaving their consent un-reconfirmed. Based on the customer’s action, their consent for the specified account is updated. In cases where reconfirmation is successful, the merchant’s access is extended for the specific scope defined during the initial requisition creation.
Customer (PSU) journey in a nutshell
For consents longer than 90 days, up to 14 days before the initial 90-day period expires, customers can receive an email from the merchant with information on how to reconfirm their consent and a link to the GC-hosted reconfirmation page. Customers can reconfirm consent for access to all their accounts connected within a single requisition without requiring SCA at their bank. They can do this simply by selecting “Reconfirm” on the reconfirmation page.
What are the key-steps?
As a merchant
- Create an end user agreement (EUA) with "reconfirmation": true, which indicates that this EUA/consent is extendable. The access_valid_for_days value must be higher than 90 (days).
Example:
POST https://bankaccountdata.gocardless.com/api/v2/agreements/enduser/
{
  "institution_id": "WISE_TRWIGB22",
  "max_historical_days": 90,
  "access_valid_for_days": 180,
  "access_scope": ["balances", "details", "transactions"],
  "reconfirmation": true
}
⚠️ Institution must be a UK based bank that supports reconfirmation. (see details below)
Sample response
HTTP 201 Created
{
  "id": "d57cf675-7ea6-4ada-841b-1e2950092e0f",
  "created": "2025-05-02T15:29:28.702634Z",
  "institution_id": "WISE_TRWIGB22",
  "max_historical_days": 90,
  "access_valid_for_days": 180,
  "access_scope": ["balances", "details", "transactions"],
  "accepted": null,
  "reconfirmation": true
}
- Create requisition with this EUA
Sample response:
HTTP 201 Created
{
  "id": "cab12208-45cc-416c-b4c9-2d34ffad7759",
  "created": "2025-05-02T15:31:27.364071Z",
  "redirect": "https://localhost/test",
  "status": "CR",
  "institution_id": "WISE_TRWIGB22",
  "agreement": "d57cf675-7ea6-4ada-841b-1e2950092e0f",
  "reference": "cab12208-45cc-416c-b4c9-2d34ffad7759",
  "accounts": [],
  "link": "https://ob.gocardless.com/ob-psd2/start/4ec1d8bc-296b-43d9-a039-42fc21b67146/MODELBANK_SANDBOX_MOCKBICV3",
  "ssn": null,
  "account_selection": false,
  "redirect_immediate": false
}
- Before the 90-day expiry date, you must create a reconfirmation link for the agreement.
POST {{baseUrl}}/api/v2/agreements/enduser/:id/reconfirm/
Reconfirmation is active up to 14 days before the expiry date and also up to 14 days after the expiry, however the specific reconfirmation URL is valid for 72 hours. URL validity period is returned in the response.
Sample response:
HTTP 201 Created
{
  "created": "2025-05-02T16:11:10.844808Z",
  "url_valid_from": "2025-05-02T16:11:10.793422Z",
  "url_valid_to": "2025-05-05T16:11:10.793422Z",
  "redirect": "https://localhost/test",
  "last_accessed": null,
  "last_submitted": null,
  "reconfirmation_url": "https://bankaccountdata.gocardless.com/psd2/reconfirm/1eb4cbce-9f29-4b1f-af55-32cfcfbf93cd",
  "accounts": {
    "381c94fc-c26b-4280-8dba-9181f3448153": { "reconfirmed": "", "rejected": "" },
    "459fb4ae-2e27-4d34-aeed-1212da3ca241": { "reconfirmed": "", "rejected": "" },
    "8035dc69-c065-4e3f-b6b2-49ae3a8a39dd": { "reconfirmed": "", "rejected": "" }
  }
}
- Send the customer an email reminding them to reconfirm their consent. We recommend sending this reminder 10 days prior, however it is possible to send it up to 14 days prior.
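The four merchant steps above, plus the institution check described under "How can I verify if an institution supports the reconfirmation of consent?", as one added Python example. This is not GoCardless code. It assumes Bearer-token authentication, a requisition request body built from the fields visible in the sample response (institution_id, agreement, redirect), and that the reconfirm endpoint is called without a body; the `send` transport is injected so the sequence can also be exercised offline against the page's own sample responses via `canned_transport()`.

```python
"""Merchant-side sequence for a reconfirmable UK consent: verify the
institution, create the EUA with "reconfirmation": true, create the
requisition, and later mint the reconfirmation link before day 90.
Added example, not GoCardless code. Assumed (not on the page): Bearer auth,
the requisition body shape, a body-less reconfirm call, injected `send`."""
import json
import urllib.request
from typing import Callable, Optional

BASE_URL = "https://bankaccountdata.gocardless.com"
INITIAL_PERIOD_DAYS = 90   # access_valid_for_days must be higher than this
MAX_ACCESS_DAYS = 180      # documented cap on reconfirmable consents

Transport = Callable[[str, str, Optional[dict]], dict]

def http_transport(access_token: str) -> Transport:
    """Live transport; Bearer auth is an assumption of this example."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(BASE_URL + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {access_token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send

def max_reconfirmable_days(send: Transport, institution_id: str) -> int:
    """Refuse anything that is not a UK bank advertising
    reconfirmation_of_consent; return the usable access_valid_for_days cap."""
    inst = send("GET", f"/api/v2/institutions/{institution_id}/", None)
    if "GB" not in inst.get("countries", []):
        raise ValueError(f"{institution_id}: not a UK institution")
    if "reconfirmation_of_consent" not in inst.get("supported_features", []):
        raise ValueError(f"{institution_id}: reconfirmation not supported")
    return min(int(inst["max_access_valid_for_days"]), MAX_ACCESS_DAYS)

def period_fits(access_valid_for_days: int, cap: int) -> bool:
    """A reconfirmable EUA needs more than 90 days and no more than the cap."""
    return INITIAL_PERIOD_DAYS < access_valid_for_days <= cap

def create_reconfirmable_agreement(send: Transport, institution_id: str,
                                   access_valid_for_days: int, access_scope: list) -> dict:
    cap = max_reconfirmable_days(send, institution_id)
    if not period_fits(access_valid_for_days, cap):
        raise ValueError(f"access_valid_for_days must be in {INITIAL_PERIOD_DAYS + 1}..{cap}")
    payload = {"institution_id": institution_id, "max_historical_days": 90,
               "access_valid_for_days": access_valid_for_days, "access_scope": access_scope,
               "reconfirmation": True}  # extendable at day 90 without fresh SCA
    return send("POST", "/api/v2/agreements/enduser/", payload)

def create_requisition(send: Transport, institution_id: str, agreement_id: str,
                       redirect: str) -> dict:
    body = {"institution_id": institution_id, "agreement": agreement_id,
            "redirect": redirect}  # assumed request shape
    return send("POST", "/api/v2/requisitions/", body)

def create_reconfirmation_link(send: Transport, agreement_id: str) -> dict:
    """Call inside the reconfirmation window; the URL itself lives 72 hours."""
    r = send("POST", f"/api/v2/agreements/enduser/{agreement_id}/reconfirm/", None)
    return {"url": r["reconfirmation_url"], "valid_to": r["url_valid_to"],
            "account_ids": sorted(r["accounts"])}

def run_merchant_flow(send: Transport, institution_id: str, redirect: str,
                      access_valid_for_days: int = 180) -> dict:
    eua = create_reconfirmable_agreement(send, institution_id, access_valid_for_days,
                                         ["balances", "details", "transactions"])
    req = create_requisition(send, institution_id, eua["id"], redirect)
    # The PSU completes SCA at req["link"]. Shortly before day 90 (10 days ahead
    # is the page's recommendation) the merchant mints the link and emails it.
    link = create_reconfirmation_link(send, eua["id"])
    return {"agreement_id": eua["id"], "requisition_id": req["id"],
            "psu_link": req["link"], **link}

def canned_transport() -> Transport:
    """Offline transport replaying the page's sample responses (abridged)."""
    eua_id = "d57cf675-7ea6-4ada-841b-1e2950092e0f"
    blank = {"reconfirmed": "", "rejected": ""}
    canned = {
        ("GET", "/api/v2/institutions/WISE_TRWIGB22/"): {
            "id": "WISE_TRWIGB22", "countries": ["GB"], "max_access_valid_for_days": "180",
            "supported_features": ["account_selection", "reconfirmation_of_consent"]},
        ("POST", "/api/v2/agreements/enduser/"): {"id": eua_id, "reconfirmation": True},
        ("POST", "/api/v2/requisitions/"): {
            "id": "cab12208-45cc-416c-b4c9-2d34ffad7759",
            "link": "https://ob.gocardless.com/ob-psd2/start/4ec1d8bc-296b-43d9-a039-42fc21b67146/MODELBANK_SANDBOX_MOCKBICV3"},
        ("POST", f"/api/v2/agreements/enduser/{eua_id}/reconfirm/"): {
            "url_valid_from": "2025-05-02T16:11:10.793422Z", "url_valid_to": "2025-05-05T16:11:10.793422Z",
            "reconfirmation_url": "https://bankaccountdata.gocardless.com/psd2/reconfirm/1eb4cbce-9f29-4b1f-af55-32cfcfbf93cd",
            "accounts": {"381c94fc-c26b-4280-8dba-9181f3448153": blank,
                         "459fb4ae-2e27-4d34-aeed-1212da3ca241": blank,
                         "8035dc69-c065-4e3f-b6b2-49ae3a8a39dd": blank}},
    }
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        # Mimic the server's rule: an EUA without the flag is not reconfirmable.
        if path == "/api/v2/agreements/enduser/" and not (body or {}).get("reconfirmation"):
            raise ValueError("server would reject: reconfirmation flag not set")
        return canned[(method, path)]
    return send

if __name__ == "__main__":
    print(json.dumps(run_merchant_flow(canned_transport(), "WISE_TRWIGB22",
                                       "https://localhost/test"), indent=2))
```

The institution check runs before the EUA is created so that a non-UK bank or one without reconfirmation_of_consent fails fast instead of producing a consent that can never be extended; `max_access_valid_for_days` from the institution is clamped to the documented 180-day cap. Swap `canned_transport()` for `http_transport(token)` to run it against the live API.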
As a customer (PSU)
Consent creation
- The customer provides their initial consent for your service.
- The customer is redirected to GoCardless to provide their consent for the account information service and to share their account details with you.
- The customer authenticates with their bank.
- Upon successful connection with their bank, the customer is shown a success screen.
Consent reconfirmation
- Before the 90-day expiry date, you must send the customer an email reminding them to reconfirm their consent with us. We recommend sending this reminder 10 days prior, however it is possible to send it up to 14 days prior.
- The email must include information about consent reconfirmation and the reconfirmation URL that redirects the customer to the GoCardless-hosted reconfirmation page, where they will find all the relevant information needed to confirm their consent.
Reconfirmation page example
- Once the customer has reconfirmed their consent, you will be able to access their bank account data for up to another 90 days (depending on the EUA value of access_valid_for_days). If a total consent period longer than 180 days is needed, a new end user agreement (EUA) will need to be created after this period.
Success page example
Reconfirmation periods explained
TL;DR: The maximum reconfirmation period for account access is defined as 90 days. The PSU is allowed to reconfirm their consent up to 14 days before and up to 14 days after their initial consent end date. access_valid_for_days must be more than 90 days for consents that require reconfirmation.
Maximum Reconfirmation Period and Access Validity for Account Access
The maximum reconfirmation period for account access is defined as 90 days. This means that the access_valid_for_days value cannot exceed 180 days; hence, once it reaches day 90, access can be reconfirmed for an additional maximum of 90 days.
The access_valid_for_days value is determined by the terms outlined in the end user agreement (EUA) created by the merchant. This value must remain above 90 days for consents that require reconfirmation.
However, if access_valid_for_days is set to a period shorter than 180 days (for example, 120 days) and the PSU reconfirms access once it reaches day 90, the access period is automatically extended by only the remaining days needed to reach a total of 120 days. In this case, the access period would be extended by 30 days after the reconfirmation, resulting in a cumulative total of 120 access_valid_for_days.
The access_valid_for_days value should not be modified; it keeps the original value set by the merchant in the end user agreement (EUA).
Reconfirmation Time Window for PSUs
PSUs are allowed to reconfirm their consent for account access within a specific timeframe: they can do so up to 14 days before and up to 14 days after the initial consent end date.
This means that once the reconfirmation URL is generated, it becomes active 14 days prior to the consent end date, allowing merchants to send the URL to the PSU in advance. If a PSU neglects to respond to the merchant’s message and accesses the link after the consent has expired, they still have a 14-day grace period to reconfirm access. However, if the PSU attempts to open the link on the 15th day or later after the consent end date, reconfirmation will no longer be possible. In such cases, the merchant would need to create a new requisition with a new consent, necessitating PSU to go through a complete (SCA) process once more.
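To make the arithmetic in this section concrete, here is an added Python example (not GoCardless code) that computes the reconfirmation window, the extension granted by a successful reconfirmation, the 72-hour life of the minted URL, and whether merchant access is currently usable; it also covers the "missed the reconfirmation period" case discussed later on this page. It assumes that the moment the PSU completed SCA is day 0 of the consent and applies the page's day counts as exact timestamps; all function names and the sample timestamps are the example's own.

```python
"""Reconfirmation window arithmetic for a reconfirmable UK consent.

Added example, not GoCardless code. The numbers are the page's: a 90-day
initial period, reconfirmation allowed from 14 days before to 14 days after
that date, a 72-hour reconfirmation URL, access_valid_for_days capped at 180.
Assumed: the moment the PSU completed SCA is day 0, and the page's "days"
are applied as exact timestamps."""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

INITIAL_PERIOD_DAYS = 90   # reconfirmation is due at day 90
WINDOW_DAYS = 14           # up to 14 days before and after day 90
MAX_ACCESS_DAYS = 180      # cap on access_valid_for_days
URL_LIFETIME = timedelta(hours=72)


def parse_ts(ts: str) -> datetime:
    """Parse the API's ISO-8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def eua_period_is_valid(access_valid_for_days: int) -> bool:
    """A reconfirmable EUA needs more than 90 and at most 180 days."""
    return INITIAL_PERIOD_DAYS < access_valid_for_days <= MAX_ACCESS_DAYS


def extension_days(access_valid_for_days: int) -> int:
    """Days added by a successful reconfirmation: another 90 at most, but only
    the remainder of the agreed total (120 -> 30, 180 -> 90)."""
    if not eua_period_is_valid(access_valid_for_days):
        raise ValueError("access_valid_for_days must be in 91..180 for reconfirmation")
    return min(INITIAL_PERIOD_DAYS, access_valid_for_days - INITIAL_PERIOD_DAYS)


def reconfirmation_window(consent_start: str) -> Tuple[datetime, datetime, datetime]:
    """(opens, day-90 end, closes): the PSU may reconfirm anywhere in [opens, closes]."""
    end = parse_ts(consent_start) + timedelta(days=INITIAL_PERIOD_DAYS)
    grace = timedelta(days=WINDOW_DAYS)
    return end - grace, end, end + grace


def reconfirmation_allowed(consent_start: str, now: str) -> bool:
    """False on the 15th day after the consent end date or later."""
    opens, _, closes = reconfirmation_window(consent_start)
    return opens <= parse_ts(now) <= closes


def url_is_live(url_valid_from: str, url_valid_to: str, now: str) -> bool:
    """The minted link lives 72 hours regardless of where the 28-day window stands."""
    start, end = parse_ts(url_valid_from), parse_ts(url_valid_to)
    return end - start <= URL_LIFETIME and start <= parse_ts(now) <= end


def access_state(consent_start: str, access_valid_for_days: int,
                 reconfirmed_at: Optional[str], now: str) -> str:
    """'active': data may be fetched. 'suspended': past day 90 without
    reconfirmation but still inside the 14-day grace period, so a reminder can
    still rescue the consent. 'expired': a new requisition and full SCA."""
    opens, end, closes = reconfirmation_window(consent_start)
    t = parse_ts(now)
    if reconfirmed_at is not None and opens <= parse_ts(reconfirmed_at) <= closes:
        extended_end = end + timedelta(days=extension_days(access_valid_for_days))
        return "active" if t <= extended_end else "expired"
    if t <= end:
        return "active"
    return "suspended" if t <= closes else "expired"


if __name__ == "__main__":
    start = "2025-05-02T15:31:27Z"  # constructed: when the PSU finished SCA
    print(reconfirmation_window(start), extension_days(120),
          access_state(start, 120, None, "2025-08-05T00:00:00Z"))
```

A merchant scheduler can drive reminders off `reconfirmation_window()` (send at day 80, the recommended 10 days ahead), gate data pulls on `access_state() == "active"`, and treat "suspended" as the signal to resend the reminder rather than to create a new requisition.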
How can I verify if an institution supports the reconfirmation of consent?
We have added reconfirmation_of_consent as a supported feature for the institution endpoint.
To get details about a specific institution, please use the /api/v2/institutions/:id/ endpoint.
Sample response:
{
  "id": "WISE_TRWIGB22",
  "name": "Wise",
  "bic": "TRWIGB22XXX",
  "transaction_total_days": "730",
  "countries": ["GB"],
  "logo": "https://storage.googleapis.com/gc-prd-institution_icons-production/UK/PNG/wise.png",
  "max_access_valid_for_days": "180",
  "supported_features": [
    "account_selection",
    "business_accounts",
    "card_accounts",
    "funds_confirmation",
    "pending_transactions",
    "private_accounts",
    "reconfirmation_of_consent",
    "submit_payment"
  ],
  "identification_codes": []
}
Where are PSUs directed to reconfirm consent?
PSUs will be directed to the GoCardless hosted reconfirmation page to reconfirm their consent via the reconfirmation URL included in the notification.
What information can PSUs view and manage on the GoCardless reconfirmation page?
PSUs will have the ability to view and manage each of their connected accounts. This includes checking expiry dates, and the data being accessed for each connected account.
Can PSUs reconfirm consent for specific accounts or all accounts at once?
Yes, customers will be able to reconfirm consent for a specific bank account or for all their accounts simultaneously. They can reconfirm consent for access to all accounts connected within a single requisition without completing the entire SCA process.
What happens if a PSU misses the reconfirmation period?
If a PSU misses the reconfirmation period, they can still reconfirm their consent up to 14 days after the expiration date. However, merchants will not have access to their data until consent is successfully reconfirmed. If a PSU attempts to open the reconfirmation link on the 15th day or later after the consent end date, reconfirmation will no longer be possible. In such cases, the merchant would need to create a new requisition with a new consent, requiring the PSU to go through a complete SCA process again.