In addition to the mandatory notifications between AISPs and ASPSPs (refer to section Mandatory notification mechanisms between AISPs and ASPSPs), OB Standards have been extended to provide additional notification mechanisms.
Other pages in this section Account Information Consent Refreshing AISP access Consent Dashboard & Revocation AIS Access Dashboard & Revocation Access Status Notifications by ASPSPs AIS Access for PSUs from Corporate Entities 90-Days Re-authentication Permissions & Data Clusters for AIS journeys
This content is best viewed on a desktop browser. 1 CX Considerations APSU revokes access from the ASPSP Access Dashboard The PSU follows the journey shown in section 3.1.4 to revoke access to their account for a specific AISP. ASPSP should confirm to the PSU that access to the account(s) has been revoked. 2 CX Considerations BReal Time Push Notification from ASPSP to AISP The ASPSP should notify the AISP in real time (i.e. immediately) after the PSU revokes their access at their ASPSP Access dashboard. The implementation of the real-time mechanism is defined in the OBIE technical specifications. 3 CX Considerations CPush Notification for Offline AISPs (ASPSP to AISP) ASPSPs should also be able to use push notification mechanisms to notify AISPs whose systems are offline that PSUs revoked their access using the ASPSPs’ access dashboards. This removes the requirement for AISPs to have systems up and running 24×7 in order to receive real-time push notifications from ASPSPs. Once the AISPs’ systems are available again, ASPSPs should push again any notifications required to the AISPs, so that AISPs can update their systems. In addition to PSU revocation of access, ASPSPs should be able to notify the AISPs when access to account(s): has been suspended by ASPSP due to changes in the account access resource for any valid reason (e.g. CASS by PSU, joint holder revoking access, account closed, etc.) and could provide the reason code, if appropriate. is no longer available due to changes in the state of the access token for any valid reason (e.g. token has expired, token has been suspended by the ASPSP due to fraud etc.) and could provide the reason code, if appropriate. 4 CX Considerations DNotification to PSU by AISP Upon receipt of the notification by the ASPSP, the AISP should notify the PSU, if required, that the access to their ASPSP account(s) is no longer possible. AISPs should present the PSU with the implications of the access revocation in case there are ‘unintended’ consequences’. However, unintended consequences may not be applicable in many cases. PSUs could then take their preferred actions such as continuing to use the service or stop. If the former, they will be required to authenticate again with their ASPSPS in order to provide access to the AISPs. If the latter, PSUs may also want to remove their consent with the AISPs. 5 CX Considerations EMultiple PSUs revoke access from the ASPSP Access Dashboard Multiple PSUs, during a period of time, follow the journey shown in section 3.1.4 to revoke access to their account for a specific AISP. For each PSU access, revocation, the ASPSP should confirm to the PSU that access to the account(s) has been revoked. 6 CX Considerations FASPSP updates the access status on events Repository For all PSUs access revocations, the ASPSP should update the status of the access resources in an events Repository organised per each AISP. 7 CX Considerations GAggregated ‘Polling’ / Pull Notification of ASPSP by AISP Similar to basic polling, aggregated Polling is about the provision of notification of revocations from ASPSPs to AISPs, upon AISP request, enabling AISPs to update their records and contact the PSUs, if required, at the point in time of the request. However, the key difference is that rather than focusing on a specific access resource’s status (via a GET request on that specific resource), aggregated polling allows an AISP to request an aggregated set of access revocations and other account access events related to multiple access consents from multiple PSUs during a specific period. ASPSPs should provide to the polling AISP all the access resource status and other information stored in the repository for that specific AISP, upon AISP request. In addition to PSU revocation of access, ASPSPs should be able to notify the AISPs when access to account(s): has been suspended by ASPSP due to changes in the account access resource for any valid reason (e.g. CASS by PSU, joint holder revoking access, account closed, etc.) and could provide the reason code, if appropriate. is no longer available due to changes in the state of the access token for any valid reason (e.g. token has expired, token has been suspended by the ASPSP due to fraud etc.) and could provide the reason code, if appropriate. Note: This functionality makes much more efficient usage of the ASPSPs and AISPs network bandwidth as multiple single polls, especially with no change of access status, are avoided. Moreover, it allows AISPs to receive all the required notifications without the need to implement systems with high availability (e.g. systems running 24×7) or systems based on real-time push notifications, providing full flexibility to AISPs about the timing they want to receive the notifications based on their business models. 8 CX Considerations HNotification to multiple PSUs by AISP Upon receipt of the aggregated polling information by the ASPSP, the AISP should notify all the PSUs, when required, that their access to their ASPSP account(s) is no longer possible. AISPs should present to all PSUs the implications of the access revocation in case there are ‘unintended’ consequences’. However, unintended consequences may not be applicable in many cases. PSUs could then take their preferred actions such as continuing to use the service or stop. If the former, they will be required to authenticate again with their ASPSPS in order to provide access to the AISPs. If the latter, PSUs may also want to remove their consent with the AISPs. Select to scroll left Select to scroll right
CX and other processing requirements Real-time / Push Notifications A PSU revokes access from the ASPSP Access Dashboard The PSU follows the journey shown in section AIS Access Dashboard & Revocation to revoke access to their account for a specific AISP. ASPSP should confirm to the PSU that access to the account(s) has been revoked. B Real Time Push Notification from ASPSP to AISP The ASPSP should notify the AISP in real time (i.e. immediately) after the PSU revokes their access at their ASPSP Access dashboard. The implementation of the real-time mechanism is defined in the OBIE technical specifications. C Push Notification for Offline AISPs (ASPSP to AISP) ASPSPs should also be able to use push notification mechanisms to notify AISPs whose systems are offline that PSUs revoked their access using the ASPSPs’ access dashboards. This removes the requirement for AISPs to have systems up and running 24×7 in order to receive real-time push notifications from ASPSPs. Once the AISPs’ systems are available again, ASPSPs should push again any notifications required to the AISPs, so that AISPs can update their systems. In addition to PSU revocation of access, ASPSPs should be able to notify the AISPs when access to account(s): has been suspended by ASPSP due to changes in the account access resource for any valid reason (e.g. CASS by PSU, joint holder revoking access, account closed, etc.) and could provide the reason code, if appropriate. is no longer available due to changes in the state of the access token for any valid reason (e.g. token has expired, token has been suspended by the ASPSP due to fraud etc.) and could provide the reason code, if appropriate. Aggregated Polling / Pull Notifications D Notification to PSU by AISP Upon receipt of the notification by the ASPSP, the AISP should notify the PSU, if required, that the access to their ASPSP account(s) is no longer possible. AISPs should present the PSU with the implications of the access revocation in case there are ‘unintended’ consequences’. However, unintended consequences may not be applicable in many cases. PSUs could then take their preferred actions such as continuing to use the service or stop. If the former, they will be required to authenticate again with their ASPSPS in order to provide access to the AISPs. If the latter, PSUs may also want to remove their consent with the AISPs. E Multiple PSUs revoke access from the ASPSP Access Dashboard Multiple PSUs, during a period of time, follow the journey shown in section AIS Access Dashboard & Revocation to revoke access to their account for a specific AISP. For each PSU access, revocation, the ASPSP should confirm to the PSU that access to the account(s) has been revoked. F ASPSP generates access revocation events in their events repository For all PSUs access revocations, the ASPSP should generate an access revocation event in the events Repository organised per each AISP. In cases where the AISP has subscribed to access revocation events for aggregated polling (or push notifications), the ASPSP should generate an access revocation event in the events Repository organised per each AISP. G Aggregated ‘Polling’ / Pull Notification of ASPSP by AISP Similar to basic polling, aggregated Polling is about the provision of notification of revocations from ASPSPs to AISPs, upon AISP request, enabling AISPs to update their records and contact the PSUs, if required, at the point in time of the request. However, the key difference is that rather than focusing on a specific access resource’s status (via a GET request on that specific resource), aggregated polling allows an AISP to poll for the outstanding or awaiting events in the ASPSP’s events repository related to multiple access consents from multiple PSUs. ASPSPs should provide to the polling AISP all the access resource status and other information stored in the repository for that specific AISP, upon AISP request. Please note that in case of in case of access revocation, there is no change to underlying consent resource. However, the event type, is same for both events, i.e. consent-authorization-revoked. In addition to PSU revocation of access (event UK.OBIE.Consent-Authorization-Revoked), ASPSPs should be able to notify the AISPs for the below 2 events: UK.OBIE.Resource-Update – An event that indicates a resource has been updated. UK.OBIE.Acount-Access-Consent-Linked-Account-Update – An event that indicates an account linked to a consent has move in/out of scope of the consent. Note: This functionality makes much more efficient usage of the ASPSPs and AISPs network bandwidth as multiple single polls, especially with no change of access status, are avoided. Moreover, it allows AISPs to receive all the required notifications without the need to implement systems with high availability (e.g. systems running 24×7) or systems based on real-time push notifications, providing full flexibility to AISPs about the timing they want to receive the notifications based on their business models. H Notification to multiple PSUs by AISP Upon receipt of the aggregated polling information by the ASPSP, the AISP should notify all the PSUs, when required, that their access to their ASPSP account(s) is no longer possible. AISPs should present to all PSUs the implications of the access revocation in case there are ‘unintended’ consequences’. However, unintended consequences may not be applicable in many cases. PSUs could then take their preferred actions such as continuing to use the service or stop. If the former, they will be required to authenticate again with their ASPSPS in order to provide access to the AISPs. If the latter, PSUs may also want to remove their consent with the AISPs.
AIS Access Dashboard & Revocation Previous Related articles Please select API specifications Event Notification Subscription API Callback URL API Real Time Event Notification API Aggregated Polling API AIS Access for PSUs from Corporate Entities Next