Card Based Payment Instrument Issuers (CBPIIs)

CBPII Revocation of Consent

Published 20 Dec 2019


User Journey

CBPIIs must provide PSUs with a facility to view and revoke consents that they have given to that CBPII. PSUs may have consented to CoF access to several accounts from one or more ASPSPs.

This section describes how these consents should be displayed and how the customer journey to revoke them should be constructed.

 


CEG Checklist Requirements & Customer Experience Considerations

1. Consent Dashboard

The CBPII Consent Dashboard must display all Confirmation of Funds access consents provided to the CBPII. Thus, for each PSU account, there must be a consent entry granting CoF access to the account for CoF purposes by the PSU.

The Consent Dashboard should also describe for each consent:

• The ASPSP.
• The ongoing nature of the consent and when the consent for CoF access to the account will expire.
• The date the CoF consent was granted by the PSU.

In addition, the CBPII Consent Dashboard could also include details on the purpose for which the funds check is used (including whether any other parties will have access to the information) and clear and reassuring messages about what information is made available from the ASPSPs, as per the examples described in Single Domestic Payments – a/c selection @ PISP, item #2.

9

For each ASPSP account granted CoF access, CBPIIs should display the PSU payment account identification (such as account name, sort code and account number) and expiration date and time.

Note: PSU account number should be masked.

3. CBPIIs must allow PSUs to revoke the CoF consent for each specific ASPSP account.

9

4. Cancellation Request

CBPIIs must allow PSUs to confirm that they want to cancel CoF consent of their account to the CBPII.

CBPIIs should inform PSUs that once CoF consent is revoked, the CBPII will no longer be able to check the availability of funds in their account. 

CBPIIs should inform PSUs of the exact consequences of cancelling their consent; for example, it may cause their CBPII transactions to be declined, or they will no longer be able to receive the specific services from the CBPIIs, etc.

CBPIIs should give equal prominence to the choices of continuing or cancelling the CBPII CoF consent.

9

5. CBPIIs must inform ASPSPs that PSUs have withdrawn their consent by making a call to the DELETE API endpoint as soon as practically possible (as described in Version 3 of the Read/Write API specifications). This will ensure that no further CoF account access will be accepted by ASPSPs.

Note 1: ASPSPs must support the Delete process as described in the Version 3 Read/Write API specifications.

Note 2: This activity is not visible to PSUs as it takes place in the background; however, it will ensure no further CoF responses are provided by ASPSPs to CBPIIs.

9

CBPII Confirmation

CBPIIs should confirm to PSUs that CoF consent to their account has been cancelled.
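
The dashboard entry with a masked account number and the background DELETE call from the steps above, as an added example that is not OBIE's or any CBPII's code. The `Consent` fields, the `send_delete` transport, the revoke-locally-first ordering, the retry count and the resource path are assumptions made for illustration; this page only refers to "the DELETE API endpoint".

```python
from dataclasses import dataclass

# Assumed path: the v3 Confirmation of Funds consent resource. This page only
# says "the DELETE API endpoint"; confirm against the spec version you implement.
CONSENT_PATH = "/funds-confirmation-consents/{consent_id}"

@dataclass
class Consent:
    consent_id: str
    aspsp: str
    account_number: str
    granted: str
    expires: str
    status: str = "Authorised"      # CBPII's local view of the consent
    aspsp_notified: bool = False    # True once the ASPSP accepted the DELETE

def mask_account(number: str, visible: int = 4) -> str:
    """Mask all but the last `visible` characters for dashboard display."""
    return "*" * max(len(number) - visible, 0) + number[-visible:]

def dashboard_entry(c: Consent) -> dict:
    """Fields the dashboard shows per consent: ASPSP, masked account, dates."""
    return {"aspsp": c.aspsp, "account": mask_account(c.account_number),
            "granted": c.granted, "expires": c.expires, "status": c.status}

def may_check_funds(c: Consent) -> bool:
    """Gate every outgoing CoF request on the local consent state."""
    return c.status == "Authorised"

def revoke(c: Consent, send_delete, max_attempts: int = 3) -> bool:
    """Revoke locally first, then tell the ASPSP; returns True once notified.

    `send_delete(path) -> int` is a hypothetical transport returning the HTTP
    status; a caller must re-queue the consent if this returns False.
    """
    c.status = "Revoked"            # fail closed: no CoF checks from now on
    path = CONSENT_PATH.format(consent_id=c.consent_id)
    for _ in range(max_attempts):
        try:
            if send_delete(path) == 204:   # 204 No Content = consent deleted
                c.aspsp_notified = True
                break
        except ConnectionError:
            continue                # transient failure, try again
    return c.aspsp_notified

# Constructed sample consent (not real account data).
SAMPLE = Consent("cid-001", "Example Bank", "12345678", "2019-12-20", "2020-12-20")
```

Tracking `aspsp_notified` separately from `status` lets the CBPII stop its own funds checks at once while still detecting consents whose DELETE has not yet reached the ASPSP.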

What the research says

Research undertaken on behalf of OBIE with consumer PSUs has identified the following points:

“• PSUs would want to be able to view the expiration date of the CoF consent through the ASPSP dashboard or through the CBPII website or app.

• PSUs also want to be able to revoke their CoF consent from the CBPII website or app. This could be especially convenient if there are several ASPSPs involved – they can do it all in one place, rather than have to log-in to several systems.”

 
