Dashboards play an important role in clearly and transparently setting out what a PSU has provided consent for a CBPII to do on their behalf. PSUs may have consented to Confirmation of Funds (CoF) access to several accounts from one or more ASPSPs. CBPIIs must provide PSUs with a Dashboard to view and revoke these consents.
CEG Checklist Requirements & CX Considerations

1. CBPIIs must provide PSUs with a facility to view and revoke consents that they have given to that CBPII. PSUs may have consented to CoF access to several accounts from one or more ASPSPs. [CEG Checklist 9b]

2. Consent Dashboards must be easy and intuitive for PSUs to find and use. Careful consideration should be given to ensure that Dashboards are positioned logically and placed no more than two clicks from the CBPII’s Home Screen. [CEG Checklist 9b]

3. CBPIIs must carefully consider the naming of their Dashboard to aid PSU understanding and ability to find its location. Our research found that names such as “Permissions”, “Accounts”, “Logins” were not clear, and many consumers didn’t understand what they meant. CBPIIs must use the preferred term “open banking connections” and/or “open banking connected accounts” for a Consent Dashboard specifically. [CEG Checklist 9a]
CEG Checklist Requirements & CX Considerations

1. To aid clarity whilst providing detailed information if the PSU needs it, a Consent Dashboard should provide an overview screen (Consent Dashboard Home Page) which lists high level information for all consents, and a detailed page for each consent (Consent Dashboard Detailed Page).

2. The customer-facing entity must provide PSUs with sufficient information to enable them to make an informed decision on the Consent Dashboard Home Page. The CBPII Consent Dashboard must display all Confirmation of Funds access consents provided to the CBPII. Thus, for each PSU account, there must be a consent entry granting CoF access to the account for CoF purposes by the PSU. As a minimum, CBPIIs must show on the Consent Dashboard Home Page:
   - ASPSP Name (or nickname if used)
   - Account type (if provided)
   - ASPSP Sort Code and Account Number
   - Start date i.e., date consent was first granted
   - End date or where relevant the ongoing nature of the consent
   The CBPII must also provide a manage button that allows the PSU to revoke consents for each specific ASPSP account. [CEG Checklist 9d]

3. The CBPII should offer functionality (e.g., search, sort, filter) to enable a PSU to search for the relevant consent. This will be of particular benefit as the number of consents for different ASPSPs/accounts given by a PSU to CBPIIs increases.

4. For each ASPSP account granted CoF access, CBPIIs should display the PSU payment account identification (such as account name, sort code and account number) and expiration date and time. Note: PSU account number should be masked.

5. The CBPII should also provide a history of all confirmation of funds checks. Note: Refer to CoF History section below for details.

6. CBPIIs must differentiate between current and historical consents. Consent is defined as active if it has a valid access token that has not expired, and the consent expiry date has not elapsed. This could just be displayed by showing active consents under “Current” and any expired or revoked ones under “History.” CBPIIs must be mindful that a PSU could have revoked access at the ASPSP. CBPIIs must not show different status messages at their Consent Dashboard to those that a PSU would see at their ASPSP Access Dashboard. There are a variety of methods that a CBPII can use to check that their access token is still valid. See this page for further details. [CEG Checklist 9d]

7. CBPIIs should provide the ability for a PSU to edit the ASPSP Name so that it can be replaced with a ‘nickname’ (such as “Household Account” or “Holiday Savings Pot”) to help PSUs identify their accounts easily.

8. CBPIIs should provide additional explanatory text to help PSUs understand complex areas such as the expiry date or the ongoing nature of the consent and how to cancel it. Using information bubbles helps to keep information manageable. In the example provided we use the language “ongoing” but CBPIIs can decide how best to explain this point.

9. CBPIIs must make available a list of consents that have been cancelled or expired (NB: this refers to the expiry of the consent, not access) so that the PSU has a record of old consents. [CEG Checklist 9e]

10. CBPIIs must provide a Consent Dashboard, Detailed Page, for each Consent, which includes:
   - ASPSP Name (or nickname if used)
   - Account type (e.g., current account)
   - Sort Code and Account Number (or other product identifier depending on the account type e.g., PAN for credit cards)
   - The date the consent was granted
   - The expiry date of the consent
   - The purpose for which the data will be used
   CBPIIs may include the following at their discretion:
   - Details about the purpose for which the funds check is used (including whether any other parties will have access to the information)
   - Clear and reassuring messages about what information is made available from the ASPSP
   - The date and time of the last occasion when a CoF check was requested – this should also be available as a historical list of all past fund checks.
   [CEG Checklist 9d]
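
The active/historical split from item 6 and the account masking from item 4, sketched as an added example that is not part of the original guidelines. The `Consent` fields, the four-digit masking and the handling of a consent whose token is no longer valid are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Consent:  # hypothetical record held by the CBPII
    aspsp_name: str
    sort_code: str
    account_number: str
    granted: datetime
    expires: Optional[datetime]            # None = ongoing consent
    token_valid: bool                      # result of the CBPII's own token check
    cancelled_on: Optional[datetime] = None

def mask_account(number: str, visible: int = 4) -> str:
    # Assumption: keep the last four digits; the page only says "masked".
    return "*" * max(len(number) - visible, 0) + number[-visible:]

def is_active(c: Consent, now: datetime) -> bool:
    # Page definition: valid, unexpired access token AND consent expiry not elapsed.
    not_expired = c.expires is None or now < c.expires
    return c.cancelled_on is None and c.token_valid and not_expired

def dashboard(consents, now):
    view = {"Current": [], "History": []}
    for c in consents:
        row = {"aspsp": c.aspsp_name,
               "account": f"{c.sort_code} {mask_account(c.account_number)}",
               "start": c.granted.date().isoformat(),
               "end": c.expires.date().isoformat() if c.expires else "Ongoing"}
        if is_active(c, now):
            view["Current"].append(row)
            continue
        # Assumption: a consent lost only through an invalid token is shown as
        # Cancelled, because the PSU may have revoked access at the ASPSP.
        expired = c.expires is not None and now >= c.expires
        row["status"] = "Expired" if expired and not c.cancelled_on else "Cancelled"
        view["History"].append(row)
    return view

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data, not real accounts.
NOW = utc(2024, 6, 1)
SAMPLE = [
    Consent("Bank A", "40-00-01", "12345678", utc(2024, 1, 5), None, True),
    Consent("Bank B", "20-00-02", "87654321", utc(2023, 3, 1), utc(2024, 3, 1), True),
    Consent("Bank C", "30-00-03", "11223344", utc(2024, 2, 1), None, False),
]
```

Calling `dashboard(SAMPLE, NOW)` places Bank A under "Current" and moves Bank B (consent expiry elapsed) and Bank C (token rejected) to "History", so the CBPII view does not keep showing access the ASPSP has already withdrawn.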
CEG Checklist Requirements & CX Considerations

1. The Consent Dashboard must allow a PSU to cancel the access they have consented to easily and without obstruction or excessive barriers. [CEG Checklist 9c]

2. The CBPII should make the exact consequences of cancelling the consent clear to the PSU – i.e., they will no longer be able to provide the specific service to the PSU. The CBPII should make the implications of cancelling clear to the PSU and make sure they want to proceed. A confirmation screen should be provided after this to confirm.

3. Cancellation Request
   CBPIIs must allow PSUs to confirm that they want to cancel CoF consent of their account to the CBPII. CBPIIs should inform PSUs that once CoF consent is revoked, the CBPII will no longer be able to check the availability of funds in their account. CBPIIs should give equal prominence to the choices of continuing or cancelling the CBPII CoF consent. [CEG Checklist 9c]

4. CBPIIs must inform the ASPSP that the PSU has withdrawn consent by making a call to the DELETE API endpoint as soon as practically possible (as described in Version 3 of the API specifications). This will ensure that no further CoF responses will be provided by the ASPSP. ASPSPs must support the Delete process as described in the Version 3 API specifications. This activity is not visible to PSUs as it takes place in the background, however, it will ensure no further CoF responses are provided by ASPSPs to CBPIIs. [CEG Checklist 9c]

5. CBPII Confirmation
   CBPIIs should confirm to PSUs that CoF consent to their account has been cancelled. ASPSPs should inform the PSU that no further CoF responses will be provided by the ASPSP to the CBPII. After the Delete endpoint is called by the CBPII to remove the resource, ASPSPs should inform the PSU via their own channels (for example via SMS or via a notification on their mobile phone) that the CBPII will no longer be able to perform CoF calls and the ASPSP will not provide any further responses. This is an additional confirmation to the PSU that the CBPII has completed the delete endpoint process correctly.
CEG Checklist Requirements & CX Considerations

1. CBPIIs must make available a list of consents that have been cancelled or expired (NB: this refers to the expiry of the consent, not access) so that the PSU has a record of old consents. [CEG Checklist 9e]

2. CBPIIs must make all the details of the consent available:
   - Consent granted
   - Consent expired/cancelled date
   - Consent from account
   - Consent status (Expired/Cancelled)
   [CEG Checklist 9d]
CEG Checklist Requirements & CX Considerations

1. CBPIIs should make available a list of the CoF checks associated with each consent on the fund check history page.