Strong Customer Authentication (UK)

SCA (Strong Customer Authentication) applies only to the banks that expose the Account Information Services PSD2 APIs.

After a user has authenticated using SCA with their bank, your client can fetch all the data from the Atto Data API which they have consented to share. This data may include one or more of the following data clusters.

  • Parties
  • Balances
  • Transactions

The following banks in the PSD2 integration have a short-lived SCA and allow access to only a limited set of data after it expires.

| Bank | SCA Expiry Time |
|---|---|
| AIB Group (UK) | 5 mins |
| Bank of Scotland | 45 mins |
| Capital One (UK) | 5 mins |
| Chase (UK)* | 60 mins |
| Co-operative Bank (UK) | 30 mins |
| Danske Bank (UK) | 15 mins |
| First Direct | 60 mins |
| Halifax | 45 mins |
| HSBC (UK) | 60 mins |
| Lloyds Bank | 45 mins |
| Marks & Spencer | 60 mins |
| MBNA | 45 mins |
| Monzo | 5 mins |
| Nationwide Building Society | 60 mins |
| NatWest group | 60 mins |
| Revolut | 5 mins |
| Royal Bank of Scotland | 60 mins |
| Smile (UK) | 30 mins |
| Tesco Bank | 5 mins |
| TSB | 10 mins |
| Tide Business | 10 mins |
| Ulster Bank | 60 mins |
| Virgin Money | 60 mins |

For all other OpenBanking PSD2 banks that are not listed above, SCA expires after 90 days.

After the short-lived SCA expires, the client can still retrieve Balances and Account Information, but can fetch only the last 90 days of transactions (given that the user has consented to share 90 or more days of transactions). The "Parties" cluster is no longer available.

*After SCA expiry, Chase (UK) allows access only to the Balances and Transactions data clusters. Because Account Information is therefore not available, it is impossible to fetch bank data via the Data API. If you are using Atto storage, you can still fetch data via the Stored Data API. Refreshes via the Stored Data API are not possible either, for the same reason as with the Data API.

If you need the user's complete transaction history and "Parties" data that they have consented to share, you should consider fetching and storing it before the SCA expiration, ideally right after the user has connected their account.
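To plan that fetch, a client can work out when the SCA window closes and what remains reachable afterwards. The sketch below is an added example, not Atto's code and not part of the Data API: the function names are hypothetical, it calls no Atto endpoint, and it encodes only the table and rules on this page, with two assumptions marked in the comments.

```python
from datetime import datetime, timedelta, timezone

# Short-lived SCA windows in minutes, copied from the table on this page.
SHORT_SCA_MINUTES = {
    "AIB Group (UK)": 5, "Bank of Scotland": 45, "Capital One (UK)": 5,
    "Chase (UK)": 60, "Co-operative Bank (UK)": 30, "Danske Bank (UK)": 15,
    "First Direct": 60, "Halifax": 45, "HSBC (UK)": 60, "Lloyds Bank": 45,
    "Marks & Spencer": 60, "MBNA": 45, "Monzo": 5,
    "Nationwide Building Society": 60, "NatWest group": 60, "Revolut": 5,
    "Royal Bank of Scotland": 60, "Smile (UK)": 30, "Tesco Bank": 5,
    "TSB": 10, "Tide Business": 10, "Ulster Bank": 60, "Virgin Money": 60,
}
DEFAULT_SCA = timedelta(days=90)  # every UK bank not listed above
FULL = frozenset({"Parties", "Balances", "Transactions", "Account Information"})

def sca_expiry(bank, authenticated_at):
    """Moment the SCA window closes for `bank`."""
    minutes = SHORT_SCA_MINUTES.get(bank)
    window = DEFAULT_SCA if minutes is None else timedelta(minutes=minutes)
    return authenticated_at + window

def data_api_access(bank, authenticated_at, now, consented_days):
    """Return (clusters, transaction_days) reachable via the Data API at `now`."""
    if now < sca_expiry(bank, authenticated_at):
        return FULL, consented_days
    if bank == "Chase (UK)":
        # No Account Information after expiry, so the Data API cannot fetch.
        return frozenset(), 0
    if bank in SHORT_SCA_MINUTES:
        # Parties is gone; transactions are capped at the last 90 days.
        # Assumption: a consent shorter than 90 days still limits the window.
        return FULL - {"Parties"}, min(consented_days, 90)
    # Assumption: the page does not describe access after the 90-day expiry,
    # so treat it as nothing available until the user re-authenticates.
    return frozenset(), 0

def seconds_left_for_full_fetch(bank, authenticated_at, now):
    """Time left to pull full history and Parties; 0.0 once expired."""
    return max(0.0, (sca_expiry(bank, authenticated_at) - now).total_seconds())

if __name__ == "__main__":
    # Constructed sample: a Monzo connection checked two minutes after SCA.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    now = t0 + timedelta(minutes=2)
    print(seconds_left_for_full_fetch("Monzo", t0, now))
    print(data_api_access("Monzo", t0, t0 + timedelta(minutes=10), 365))
```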

EU institutions

In compliance with EU Strong Customer Authentication (SCA) regulations, access to transactional data is subject to the following restrictions:

  • After 180 days from the initial SCA authentication, users must re-authenticate to maintain full data access.
  • To regain access to older transactions, a new SCA authentication is required.