There are two reasons why Starling users can get disconnected:
Reason 1: Consents only last for 90 days
To comply with PSD2, third-party consents given to Starling last for 90 days.
Starling notifies users 7 days prior to the expiration date using a mobile push notification. Users can simply refresh consents via the Starling app.
More information is available on Starling's blog.
Reason 2: The user has re-connected their account to another or the same TPP using TrueLayer
TrueLayer holds a single certificate with Starling and AIB, so each time one of the applications tries to refresh its TrueLayer token, the bank token that we store is also refreshed.
Let's say there are two apps, A and B, that use TrueLayer to connect their users.
- User Mary connects her Starling account using TrueLayer to app A;
- User Mary then decides to connect the same Starling account to app B, using TrueLayer;
- App A loses access to this user's Starling account.
The same will happen if user Mary connects her Starling account twice using app A. Only the last consent will be valid.
What to do next?
- Short-term solution: User Mary can re-authenticate using app A (although this will revoke her access to app B);
- Long-term solution: Get your own certificates with the bank and mitigate the issues.
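
The two reasons above can be told apart from an app's own records when a token refresh stops working. The sketch below is an added example, not TrueLayer or Starling code; the `Consent` record shape, the function names and the returned labels are hypothetical, and the result is a heuristic because an app cannot see consents given through other apps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONSENT_LIFETIME = timedelta(days=90)  # from the page: consents last 90 days
NOTICE_WINDOW = timedelta(days=7)      # from the page: notice 7 days before expiry


@dataclass(frozen=True)
class Consent:
    """One consent as recorded by the app itself (hypothetical record shape)."""
    consent_id: str
    user_id: str
    granted_at: datetime


def classify_disconnect(failed: Consent, own_consents: list, now: datetime) -> str:
    """Explain why a token refresh for `failed` stopped working."""
    # Reason 2, same app: only the last consent for the same user stays valid.
    newer = [c for c in own_consents
             if c.user_id == failed.user_id and c.granted_at > failed.granted_at]
    if newer:
        return "superseded_by_own_newer_consent"
    # Reason 1: the 90-day consent has run out.
    if now - failed.granted_at >= CONSENT_LIFETIME:
        return "expired_after_90_days"
    # Inside the 90 days and nothing newer here: the remaining explanation
    # on the page is a re-connection through another app using TrueLayer.
    return "likely_reconnected_via_another_app"


def needs_refresh_reminder(consent: Consent, now: datetime) -> bool:
    """True inside the 7-day window before the consent expires."""
    remaining = consent.granted_at + CONSENT_LIFETIME - now
    return timedelta(0) < remaining <= NOTICE_WINDOW


if __name__ == "__main__":
    # Constructed sample data: Mary connected twice through the same app.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    first = Consent("c1", "mary", now - timedelta(days=30))
    second = Consent("c2", "mary", now - timedelta(days=10))
    for c in (first, second):
        print(c.consent_id, classify_disconnect(c, [first, second], now))
```
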