Renew an Open Banking account-information consent under the updated FCA 90-day re-authentication rules (confirmation-only reauth, not full SCA)

Verified steps

1. At 85–88 days after the original consent authorisation, generate a re-authorisation notification to the PSU; the FCA's updated rules (post-2022 amendment) require the PSU to confirm continued consent every 90 days but no longer require a full SCA re-authentication
2. Redirect the PSU to the ASPSP's consent dashboard or to your own confirmation screen; present a simple 'Yes, continue sharing' / 'No, stop sharing' choice — do not require the PSU to re-enter credentials or complete a second SCA factor
3. If the PSU confirms, the ASPSP extends the consent validity by a further 90 days; capture the new access token and updated expiry from the token endpoint response
4. If the PSU declines or does not respond within a grace period, mark the consent as revoked in your system and cease data retrieval; attempt to notify the ASPSP of the revocation via DELETE /account-access-consents/{ConsentId}
5. Log the confirmation event with timestamp and consent scope for FCA audit purposes; the log should record which PSU confirmed, what data scope was reconfirmed, and the new expiry date
6. Repeat the 90-day cycle; note that the FCA may further relax the 90-day rule via statutory instrument in Q4 2026 — poll openbanking.org.uk and FCA regulatory updates before hard-coding the 90-day interval