For AIS (Account Information Service) requests, SCA (Strong Customer Authentication) validity is the timeframe imposed by banks for the retrieval of sensitive or historical transactional data following the initial consent and authentication of an end-user.
The SCA validity for data retrieval depends on the individual bank's policies.
In practical terms, this means that the PSU (payment service user or end user) will have access to transactional data, such as direct debits and standing orders, for a set amount of time. Typically, this is a number of minutes (e.g. 45 minutes), after the initial authentication of the end-user.
Once this period elapses, banks implementing SCA will only provide transactional data for the past 90 days. Requesting data beyond this timeframe will result in an error.
Next steps and recommendations for AIS customers:
To ensure that SCA validity timeframes do not interfere with the user experience, AIS customers should implement SCA logics on their side.
We have the SCA validity windows for several UK banks in this article.
We are working on documenting further validity timeframe for banks in other countries. In the meantime, this information is available in the banks’ developer documentation.
Additional steps to check:
- When authenticating a new user, obtain as much historical data as permitted by the bank.
- If ongoing access to historical data is necessary, it is advisable to securely store this information in a database.
- If your current approach involves retrieving all historical data after the SCA timeframe, modify it to only seek data from the past 90 days and iterate on the stored dataset accordingly.