Change Log
Detailed list of changes from V1.3 to V3.1.3 (no interim versions published)
Changes are indicated as follows. Copy which has been removed is struck out and copy which has been added is in blue.
| Item | Section Reference | Description of Change | Reason for Change | ||||
|---|---|---|---|---|---|---|---|
| Section Authentication methods | |||||||
| 1 | Authentication methods | 5. No Obstacles: ASPSPs must not create unnecessary delay or friction during authentication including unnecessary or superfluous steps, attributes, or unclear language, e.g. advertising of ASPSP products or services, language that could discourage the use of TPP services or additional features that may divert the PSU from the authentication process. | Additional clarification | ||||
| Section Account Information Services (AIS) | |||||||
| 2 | Account Information Services |
| Additional clarification | ||||
| 3 | Account Information Consent | In this journey the AISP presents to the PSU a description of the data that it requires in order to support its service proposition. PSU selects the ASPSP(s) where their payment account(s) is held. The PSU is then directed to the domain of its ASPSP for authentication and to select the account(s) they want to give access to. Once the PSU has been authenticated, their ASPSP will be able to respond to the AISP's request by providing the account information that has been requested. When considering AISP requests submitted by a PSU acting with delegated user authority on behalf of a corporate entity, the PSU may only be able to use AISP services, if this is permitted within the parameters of that delegated user authority. If the PSU does not have the appropriate delegated user authority, please refer to journey AIS Access for PSUs from Corporate Entities | Typos | ||||
| 4 | Account Information Consent | item #2 AISPs must provide PSUs with sufficient information to enable PSUs to make an informed decision, for example, detail the purpose for which the data will be used (including whether any other parties will have access to the information) the period over which it has been requested and when the consent for the account information will expire (consent could be on-going or one-off). If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP. item #4 If the customer-facing entity is acting on behalf of an AISP as its agent the ASPSP should make the PSU | Typos and clarification | ||||
| 5 | Account Information Consent | Changes to the wireframe. | Clarification | ||||
| 6 | Consent Dashboard & Revocation | item #2 AISPs must describe the data being shared through each consent using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below) and ensure this request is specific to the only the information required for the provision of their account information service to the PSU. AISPs should present the data at a Data Cluster level and allow the PSU to expand the level of detail to show each Data Permission. The Consent Dashboard should also describe:
If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP. The consent dashboard must allow a PSU to view or cancel the access they have given consent to. These functions “cancel access” and “back"should be displayed with equal prominence to the PSU. item #4 AISPs must inform the ASPSP that the PSU has withdrawn consent by making a call to DELETE the account-access-consent resource as soon as practically possible (as described in ASPSPs must support the Delete process as described in the item #1 AISP should offer functionality ( e.g. search, sort, filter) to enable a PSU to search for the relevant consent. This will be of particular benefit as the number of consents for different ASPSPs/ accounts given by a PSU to TPPs increases. | Clarification and backlog | ||||
| 7 | AIS Access Dashboard Revocation | Changes to the wireframe. | Clarification | ||||
| 8 | AIS Access Dashboard Revocation | item #3 ASPSPs must describe the data being accessed using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below). ASPSPs should present the data at a Data Cluster level and allow the PSU to expand the level of detail to show each Data Permission. The Access Dashboard should also describe:
item #5 The access dashboard must allow a PSU to view or cancel the access they have given consent to. These ASPSPs must advise PSUs that they should contact the associated AISP to inform them of the cancellation of access and/or understand the consequences of doing so. item #2 ASPSPs should offer a functionality ( e.g. search, sort, filter) to enable a PSU to search for the relevant access. This will be of particular benefit as the number of consents given by a PSU to TPPs increases. item #3 item #4 ASPSPs should make the status of TPP access clear by the use of emboldened words. The ASPSP should also make it clear, which party provided the AISP access, in the case of joint/ multiple account holders. | Clarification and backlog | ||||
| 9 | AIS Access Status Notifications by ASPSP | Mandatory notification mechanisms between AISPs and ASPSPs: C. Real Time Notification from AISP to ASPSP on revocation of consent This functionality enables the AISP to notify the ASPSP in real time (i.e. immediately) after the PSU revokes their consent at their AISP consent dashboard, provided that the AISP takes immediate action upon the PSU revocation. The current Open Banking V3 Read/Write specifications enable an AISP to use the 'DELETE' API endpoint and notify the ASPSP that the PSU has revoked their consent. The implementation of the ‘DELETE’ API endpoint is mandatory for ASPSPs. Note: For AISPs, when the PSU revokes their consent at the consent dashboard, AISPs must not call any protected data resource which falls within the scope of the consent originally granted. This AISP must delete the account-access-consent resource with the ASPSP | Clarification | ||||
| 10 | Permissions and Data Clusters for AIS journeys | Permission Language Any other name by which you refer to this account, and/or the currency of the account. | Clarification | ||||
| 11 | Permissions and Data Clusters for AIS journeys | Contact and party details | Optionally this can also include your address, telephone numbers and email address as held by the bank/card issuer* | Clarification | |||
| Account specific: Parties | Party | The full legal name(s) of account holder(s). Address(es), telephone number(s) and email address(es)* | The name of the account. Full Legal Name(s), Account Role(s), Beneficial Ownership, Legal Structure, Address or addresses, telephone numbers and email address as held by the bank/card issuer and party type (sole/joint etc.). | ||||
| * Include or delete as appropriate | |||||||
| 12 | Single Domestic Payments - a/c selection @ PISP (Supplementary info) | ASPSPs should inform PSUs about their “point of no return” for making the payment and that their payment will be made after pressing the Proceed button. Example wording: “Press Proceed to make payment“ In principle, while the PSU has the ability to cancel an authentication journey the expectation is for the ASPSP to redirect the PSU to the domain of the TPP and send the appropriate error code and description to the TPP, as supported by the OIDC Redirect Model. | New change to reflect and additional clarification to CX | ||||
| 13 | Single Domestic Payments – a/c selection @ ASPSP | See changes to wireframe | New change to reflect FCA High-Cost Credit Review. | ||||
| 14 | Single Domestic Payments – a/c selection @ ASPSP | Additional Parameters ASPSPs must allow PSUs to select the payment account to complete the payment order for execution. ASPSPs must ensure that they comply with their obligations relating to the FCA’s High Cost Credit Review: Overdrafts consultation paper and policy statement (CP18/42). | New change to reflect FCA High-Cost Credit Review. | ||||
| Section Card Based Payment Instrument Issuers (CBPIIs)s | |||||||
| 15 | CBPII Access Dashboard & Revocation | Change to wireframe. | Clarification/ backlog | ||||
| 16 | CBPII Access Dashboard & Revocation | item #3 ASPSPS must allow PSUs to revoke the CoF access for each CBPII to a specific PSU account. ASPSPs must advise PSUs that they should contact the associated CBPII to their payment account to inform them of cancellation of CoF access to their account and/ or to fully understand the potential implications of doing so. item #4 Revocation Request ASPSPs must allow PSUs to confirm that they want to revoke CoF access of their account to a specific CBPII. ASPSPs should inform PSUs that once CoF access is revoked, the CBPII will no longer be able to check the availability of funds in their account. This may cause their CBPII transactions to be declined. ASPSPs must advise PSUs that they should contact the associated CBPII to their payment account to inform them of cancellation of CoF access to their account and/ or to fully understand the potential implications of doing so. ASPSPs must | Clarification | ||||
| 17 | CBPII Revocation of Consent | CBPIIs must inform ASPSPs that PSUs have withdrawn their consent by making call to the DELETE API endpoint as soon as practically possible (as described in Note 1: ASPSPs must support the Delete process as described in the Note 2: This activity is not visible to PSUs as it takes place in the background, however it will ensure no further CoF responses are provided by ASPSPs to CBPIIs). | Clarification | ||||
| Section The Customer Experience Checklist | |||||||
| 18 | Explanation of the Customer Experience Guidelines Checklist | Customer-Experience-Guidelines-Checklist-v3.1.3-Final.xlsx Checklist now called 3.1.3 | |||||