Dashboards

CBPII Access Revocation

This is the latest version. Published 28 Jun 2024.

ASPSPs must provide PSUs with a facility to view and manage CoF access that they have given to any CBPII. This page describes how the customer journey to revoke CoF access should be constructed.


User Journey


Regulation 68(6) PSRs states that if the PSU so requests, the ASPSP must inform the PSU of the CBPII which has made previous CoF requests and the answer given to that CBPII.

As part of enabling this, ASPSPs must provide PSUs with a facility to view and revoke CoF access that they have given to any CBPII for each account held at that ASPSP. This section describes how CBPII CoF access should be displayed, including CoF access history and how the customer journey to revoke them should be constructed.

 

Wireframes


1

CEG Checklist Requirements 1
Access Dashboard

ASPSPs must provide PSUs with an Access Dashboard. The ASPSP Access Dashboard must display all Confirmation of Funds access authorisations provided to each CBPII. Thus, for each PSU account there must be a corresponding explicit consent entry for each CBPII that has been granted CoF access to the account by the PSU. The Access Dashboard must also describe for each authorisation:

The status of the authorisation, e.g. Active/Inactive.
The ongoing nature of the access or when the CBPII access to the account will expire.
The date the CoF access was granted by the PSU.

3

CEG Checklist Requirements 3
ASPSPs must allow PSUs to revoke the CoF access for each CBPII to a specific PSU account. ASPSPs must advise PSUs that they should contact the associated CBPII to fully understand the potential implications of doing so.

4

CEG Checklist Requirements 4
Revocation Request

ASPSPs must allow PSUs to confirm that they want to revoke CoF access of their account to a specific CBPII. ASPSPs should inform PSUs that once CoF access is revoked, the CBPII will no longer be able to check the availability of funds in their account. This may cause their CBPII transactions to be declined. ASPSPs must advise PSUs that they should contact the associated CBPII to inform them of the cancellation of CoF access to their account and/or fully understand the potential implications of doing so. ASPSPs must give equal prominence to the choices of continuing or cancelling the CBPII CoF access.

5

CEG Checklist Requirement 5
ASPSPs must update the status of the consent with appropriate reasons. ASPSP could allow the PSU to capture a reason and provide it to the PISP when queried using the relevant GET consent endpoint.

CEG Checklist Requirements & Customer Experience Considerations
CEG Checklist Reference

1

Access Dashboard

ASPSPs must provide PSUs with an Access Dashboard. The ASPSP Access Dashboard must display all Confirmation of Funds access authorisations provided to each CBPII. Thus, for each PSU account there must be a corresponding explicit consent entry for each CBPII that has been granted CoF access to the account by the PSU. The Access Dashboard must also describe for each authorisation:

The status of the authorisation, e.g. Active/Inactive.
The ongoing nature of the access or when the CBPII access to the account will expire.
The date the CoF access was granted by the PSU.

10

CoF Access History

For each CBPII having CoF access, ASPSPs should display the PSU's account details including account name, sort code, account number and expiration date and time. ASPSPs must also provide PSUs with the ability to request all the CoF access history (CoF requests and responses) under a specific CBPII. This must include the identity of the CBPII who made the request, and the response (Y/N) given. ASPSPs should provide this functionality via the Access Dashboard.

Note: While OBL recommends the use of the Access Dashboard for provision of CoF Access History to the PSU, it is in the domain of each ASPSP to consider alternative options to meet their regulatory requirements for the provision of the CoF access history.

The CoF history could also include the following:

The date the Confirmation of Funds request has been received by the ASPSP.
The unique reference of the CoF request.
The amount in relation to the CoF request.

Please note that in case ASPSPs are unable to provide a response to a CoF request to the CBPII, a reason should be provided in the history entry for this CoF request. 

3

ASPSPs must allow PSUs to revoke the CoF access for each CBPII to a specific PSU account. ASPSPs must advise PSUs that they should contact the associated CBPII to fully understand the potential implications of doing so.

10

4

Revocation Request

ASPSPs must allow PSUs to confirm that they want to revoke CoF access of their account to a specific CBPII. ASPSPs should inform PSUs that once CoF access is revoked, the CBPII will no longer be able to check the availability of funds in their account. This may cause their CBPII transactions to be declined. ASPSPs must advise PSUs that they should contact the associated CBPII to inform them of the cancellation of CoF access to their account and/or fully understand the potential implications of doing so. ASPSPs must give equal prominence to the choices of continuing or cancelling the CBPII CoF access.

10

5

ASPSP should update the status of the consent. If the status of the consent is updated then they must provide appropriate reasons.

ASPSP could allow the PSU to capture a reason and provide it to the CBPII when queried using the relevant GET consent endpoint.

10g

ASPSPs should confirm to PSUs that CoF access to their account has been cancelled.

 

PSU Research Considerations

Research undertaken on behalf of OBL with consumer PSUs has identified the following points:

PSUs want to see the history of all the CoF requests and the response their ASPSP provided back to the CBPII.

PSUs expect to see the details of CoF requests to their ASPSP such as the date & time the request was received, the transaction reference, the CBPII, the account checked and the response by their ASPSP to the requesting CBPII.

PSUs would want to be able to view the expiration date of the CoF consent through the ASPSP dashboard or through the CBPII website or app.

PSUs want to be able to revoke their CoF consent from the ASPSP dashboard. This is the instinctive place to revoke such consents.

What the research says

“Research indicates that PSUs want to be able to review ‘Confirmation of Funds’ (CoF) consents via a dashboard at their ASPSP.”
