Bank Connection Re-Authentication
Not all bank connections behave the same way once established. Some banks enforce a formal expiration on data-sharing consent, requiring clients to re-authenticate on a predictable schedule, while others remain connected indefinitely until something disrupts the credentials. Understanding which category each bank falls into helps your team proactively manage disconnections before they affect a client's workflow.
Two Types of Disconnections
Before diving into the bank-by-bank breakdown, it helps to understand that bank connections in Propio can break for two distinct reasons:
1. Credential-based disconnection: The connection breaks because something changed on the client's end (e.g., a password update, a triggered MFA challenge, or a security alert from the bank). This can happen at any bank, at any time, and is not predictable.
2. OAuth consent expiration: The bank formally enforces a time limit on how long a third-party app (such as Propio) can access account data. When the consent period ends, the client must actively re-authorize the connection, even if their credentials haven't changed. This is a bank-level policy, not a Propio or Plaid limitation.
The table below focuses on the second category (formal, bank-enforced consent expiration) since this is the one that can be anticipated and planned for.
Re-Authentication Frequency by Bank
| Bank | Consent Expiry | Frequency | Notes |
|---|---|---|---|
| American Express | ✅ Formal expiry | Every 12 months | Listed in Plaid's official OAuth consent refresh list |
| Bank of America | ✅ Formal expiry | Every 12 months | Applies to accounts migrated to BofA's new API (rollout: March–October 2026). See note below. |
| Capital One | ✅ Formal expiry | Every 12 months | Listed in Plaid's official OAuth consent refresh list |
| Citibank | ✅ Formal expiry | Every 12 months | Listed in Plaid's official OAuth consent refresh list |
| Chase | ⚠️ No formal expiry | Indefinite | Connection persists until credentials change or a duplicate Item conflict occurs. |
| Wells Fargo | ⚠️ No formal expiry | Indefinite | No formal consent clock. Disconnections are more commonly caused by Wells Fargo security challenges and MFA triggers, which are occasional and unpredictable. |
| U.S. Bank | ⚠️ No formal expiry | Indefinite | OAuth-enabled. No consent expiry documented. |
| Regions Bank | ⚠️ No formal expiry | Indefinite | Not on Plaid's consent expiry list. |
| Banco Popular | ❓ No public information | No public information | Not mentioned in Plaid's OAuth documentation. Likely a non-OAuth connection. |
| Relay | ⚠️ No formal expiry | Indefinite | Plaid-connected. No documented consent expiry. |
Banks That Require Annual Re-Authentication
For banks with a formal 12-month consent cycle (i.e., American Express, Bank of America, Capital One, and Citibank), the client will need to re-authorize their connection once per year. The re-authorization is triggered automatically when the consent period ends; it does not depend on a password change or any problem with the account.
When re-authentication is needed, the client will be prompted to go through Plaid's re-linking flow, which typically takes a few minutes. For these banks, it's good practice to note the connection date in the client's file and anticipate the renewal roughly 12 months later.
What Happens When a Connection Expires
When a bank connection expires or is disrupted, Propio will surface an alert prompting the client to re-authenticate. The re-linking process goes through Plaid's standard Link flow and typically takes a few minutes. No transaction data is lost; the connection simply needs to be re-authorized to resume syncing.
For banks on the formal 12-month cycle, the expiration is clean and predictable. For banks like Wells Fargo, where disconnections are credential-triggered, the process is the same but the timing is less predictable.
Important Considerations
For clients at banks with a formal annual consent cycle, building a re-authentication check into your annual client review cadence can prevent unexpected gaps in transaction sync. A disconnected account does not lose historical data, but it will stop pulling new transactions until re-authorized, which can create reconciliation gaps if not caught quickly.
Banco Popular's re-authentication behavior is currently undocumented in Plaid's official resources. If you manage clients with Banco Popular accounts and notice a pattern in connection behavior, that information would be worth tracking to establish a practical baseline.
Sources
- Plaid Documentation — Institution-specific OAuth behaviors: https://plaid.com/docs/link/oauth/#institution-specific-behaviors
- Plaid Documentation — Refreshing item consent: https://plaid.com/docs/link/oauth/#refreshing-item-consent