Question

Is pushed authorization a mandatory requirement for all data holders?

Standards says "From November 2020, Data Holders MUST support Pushed Authorisation Requests via the pushed authorisation end point". It also says "If a Data Holder does not support Pushed Authorisation Requests (PAR), it MUST NOT support Request Object references".

Answer

To support transition the Standards include some statements to assist in the intermediate period when some Data Holders have implemented some of the newly introduced aspects of the information security profiles but not others.  These transitional statements will be removed once they are no longer needed.

These statements should not be seen as changing the fact that PAR is a mandatory component of the Standards once the future dated obligation dates have passed.

See

• Consumer Data Standards - Normative References