Strong Customer Authentication (UK)
SCA (Strong Customer Authentication) applies only to the banks that expose the Account Information Services PSD2 APIs.
After a user has authenticated using SCA with their bank, your client can fetch all the data from the Atto Data API which they have consented to share. This data may include one or more of the following data clusters.
- Parties
- Balances
- Transactions
Following is the list of the banks for the PSD2 integration that have a short lived SCA and allow only access to a limited set of data after the expiration.
| Bank | SCA Expiry Time |
|---|---|
| AIB Group (UK) | 5 mins |
| Bank of Scotland | 45 mins |
| Capital One (UK) | 5 mins |
| Chase (UK)* | 60 mins |
| Co-operative Bank (UK) | 30 mins |
| Danske Bank (UK) | 15 mins |
| First Direct | 60 mins |
| Halifax | 45 mins |
| HSBC (UK) | 60 mins |
| Lloyds Bank | 45 mins |
| Marks & Spencer | 60 mins |
| MBNA | 45 mins |
| Monzo | 5 mins |
| Nationwide Building Society | 60 mins |
| NatWest group | 60 mins |
| Revolut | 5 mins |
| Royal Bank of Scotland | 60 mins |
| Smile (UK) | 30 mins |
| Tesco Bank | 5 mins |
| TSB | 10 mins |
| Tide Business | 10 mins |
| Ulster Bank | 60 mins |
| Virgin Money | 60 mins |
For all other OpenBanking PSD2 bank's that are not listed above, their SCA expires after 90 days.
After the short lived SCA expiration, the client can retrieve Balances, Account Information and only fetch the last 90 days of transactions (given that the user has consented to share 90 or more days of transactions) except for the "Parties" cluster.
*After SCA expiry Chase (UK) is only allowing access to Balances and Transactions data clusters. Based on this, Account Information is not available which makes it impossible to fetch bank data via Data API. If you are using Atto storage, then it is possible to fetch data via Stored Data API. Refreshes via Stored Data API are also not possible for the same reason as Data API.
If you need the user's complete transaction history and "Parties" data that they have consented to share, you should consider fetching and storing it before the SCA expiration, ideally right after the user has connected their account.
EU institutions
In compliance with EU Strong Customer Authentication (SCA) regulations, access to transactional data is subject to the following restrictions:
- After 180 days from the initial SCA authentication, users must re-authenticate to maintain full data access.
- To regain access to older transactions, a new SCA authentication is required.