Account Information Services

Consent Dashboard & Revocation

This version is:

Published 4 years ago 20 Dec 2019
User Journey   AISPs must provide PSUs with a facility to view and revoke on-going…

Other pages in this section

User Journey

 

AISPs must provide PSUs with a facility to view and revoke on-going consents that they have given to that AISP. They may have consented to share data from several ASPSPs with a single AISP. This section describes how these consents should be displayed and how the customer journey to revoke them should be constructed.

 

Wireframes

This content is best viewed on a desktop browser.

2

CEG Checklist Requirements 2
AISPs must describe the data being shared through each consent using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below) and ensure this request is specific to only the information required for the provision of their account information service to the PSU. AISPs should present the data at a Data Cluster level and allow the PSU to expand the level of detail to show each Data Permission. The Consent Dashboard should also describe: The purpose of the data request (including whether any other parties will have access to the information). Where the request is for multiple product types, the detail should explain to the customer the product type to which it applies or state that it is shared across multiple product types. If relevant, the length of time for which this consent is valid (e.g. one off use, for a set period of time e.g. one year, or with no end date) The period for which the transaction data has been requested (e.g. transactions for the last 12 months). When the TPP’s access to the data will expire. The date the consent was granted. If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP. The consent dashboard must allow a PSU to view or cancel the access they have given consent to. The functions “cancel assess” and “back” should be displayed with equal prominence to the PSU. “Agent” means a person or entity who acts on behalf of an authorised payment institution or a small payment institution in the provision of payment services including account information services.

5

CEG Checklist Requirements 4
AISPs must inform the ASPSP that the PSU has withdrawn consent by making a call to DELETE the account-access-consent resource as soon as practically possible (as described in Version 3 of the API specifications). This will ensure that no further account information is shared. ASPSPs must support the Delete process as described in the Version 3 API specifications. (This is not visible to the PSU but will ensure no further account information is provided by the ASPSP to the AISP).

CEG Checklist Requirements & CX Considerations
CEG Checklist Reference

AISP should offer functionality ( e.g. search, sort, filter) to enable a PSU to search for the relevant consent. This will be of particular benefit as the number of consents for different ASPSPs/ accounts given by a PSU to TPPs increases.

2

AISPs must describe the data being shared through each consent using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below) and ensure this request is specific to only the information required for the provision of their account information service to the PSU.

AISPs should present the data at a Data Cluster level and allow the PSU to expand the level of detail to show each Data Permission.

The Consent Dashboard should also describe:

  • A description of the account information service that is being provided (including whether any other parties will have access to the information).  If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP.
  • Where the request is for multiple product types, the detail should explain to the customer the product type to which it applies or state that it is shared across multiple product types.
  • The date when consent was granted for the provision of the account information and the date when the service commenced.
  • The length of time for which this consent is valid (e.g. one off use, for a set period of time e.g. one year, or with no end date and the date of expiry).
  • The period for which the account information has been requested (e.g. transactions for the last 12 months).

The consent dashboard must allow a PSU to view or cancel the access they have given consent to. The functions “Cancel Consent” and “back” should be displayed with equal prominence to the PSU.

“Agent” means a person or entity who acts on behalf of an authorised payment institution or a small payment institution in the provision of payment services including account information services.

13b

The AISP should make the exact consequences of cancelling the consent clear to the PSU – i.e. they will no longer be able to provide the specific service to the PSU

4

AISPs must inform the ASPSP that the PSU has withdrawn consent by making a call to DELETE the account-access-consent resource as soon as practically possible (as described in Version 3 of the API specifications). This will ensure that no further account information is shared.

ASPSPs must support the Delete process as described in the Version 3 API specifications. (This is not visible to the PSU but will ensure no further account information is provided by the ASPSP to the AISP).

9

What the research says

“In addition, consumer research has shown that respondents prefer confirmation of a revocation in writing via email in addition to text on the website.”  

Click for customer research