We're in the process of upgrading to v3 from v2.22. At the moment the expiry date isn't validated as part of a repeat transaction, but is this now required to be valid as part of v3.0?
I've not seen anywhere in their documentation (mainly here) that expiry dates are validated by SagePay. My current understanding is that they basically send a request off to the bank, which then validates it and authorises it or not.
However, I'm starting to question this as v3 also allows for tokenisation. As part of this SagePay presumably store the card details, which they must validate as I believe they bin off tokens and card details when the expiry date is no longer valid.
When you do a repeat transaction through Sage Pay, they will push through the expiry date that they hold - expired or not. It depends on the acquiring bank as to whether they will authorise the transaction with an expired date. In my experience, as long as you are using a continuous authority MID, it shouldn't be a problem if cards are expired.
As far as tokenisation goes, Sage Pay will delete tokens which have expired - eg: an expiry of 1016 will have been binned on the evening of the 31st October 2016. When the token is registered, they obviously will not accept an expired card.