Expiry of accRefNumber should be standardised

[aypandey]

Problem Statement

On POST /Account/Discovery API call, FIP returns accRefNumber which is to be used in request payload of /Account/Link API post which linkRefNumber is generated. Once account is linked, user can approve consents with already linked accounts. Since there is no expiry set on accRefNumber, AAs are free to call /Account/Link API even after a long time since discovery had occurred due to which FIPs are obliged to keep the discovery responses forever.

Since discovery API is the second largest API invocation in numbers after FI/request, this creates additional cost of storage and large data sets for discovery metadata.

Solution

1. Once the account is linked, accRefNumber can be expired.
2. If Account is de-linked, user is obliged to rediscover the account which will end up creating the new accRefNumber.
3. A new accRefNumber should have a expiry of at least 15-30 days in which /Account/link can be called. If /Account/link is received post 30 days, the request can be discarded.
4. An expiry on accRefNumber is beneficial for FIPs and they are no longer obliged to keep the responses forever which can save infra cost for them.