Dashboards play an important role in managing the data for which a PSU has provided access consent to an AISP. PSUs may have consented to share data from several ASPSPs with a single AISP. AISPs must provide PSUs a dashboard to view and revoke their ongoing consents.
Other pages in this section Dashboards Overview AIS Consent Dashboard AIS Access Dashboard PIS VRP Consent Dashboard PIS VRP Access Dashboard CBPII Consent Dashboard CBPII Access Dashboard PSU Notifications
AIS Consent Dashboard examples Expand sections to view dashboard examples: AIS Consent Dashboard – as home page Figure 1: AIS Consent Dashboard – zero-clicks from home page (desktop) AIS Consent Dashboard – one-click from home page Figure 2: AIS Consent Dashboard – one-click from home page (desktop and app) AIS Consent Dashboard – two-clicks from home page Figure 3: AIS Consent Dashboard – two-clicks from home page (app)
CEG Checklist Requirements & CX Considerations 1 AISPs must provide PSUs with a facility to view and revoke ongoing consents that they have given to that AISP. They may have consented to share data from several ASPSPs with a single AISP. 9b,9c 2 Consent Dashboards must be easy and intuitive for PSUs to find and use. Careful consideration should be given to ensure that Dashboards are positioned logically and placed no more than two clicks from the AISP’s Home Screen 9b 3 AISPs must carefully consider the naming of their Dashboard to aid PSU understanding and ability to find its location. Our research found that names such as “Permissions”, “Accounts”, “Logins” were not clear, and many PSUs didn’t understand what they meant. AISPs must use the preferred term “open banking connections” and/or “open banking connected accounts” for a Consent Dashboard specifically. 9a
CEG Checklist Requirements & Customer Experience Considerations 1 To aid clarity whilst providing detailed information if the PSU needs it, a Consent Dashboard should provide an overview screen (Consent Dashboard Home Page) which lists high level information for all consents, and a detailed page for each consent (Consent Dashboard Detailed Page). 2 The customer-facing entity must provide PSUs with sufficient information to enable them to make an informed decision on the Consent Dashboard Home Page. As a minimum, AISPs must show on the Consent Dashboard Home Page: ASPSP Name (or nickname if used) Account type (if provided) The date on which AISP requires a 90-day reconfirmation of the consent (Note: Some PSUs find a countdown to when action is required helpful, but most found an expiry date for when access will end clearer. A countdown is an optional element. If provided it should be used in addition to an expiry date not instead of it. Note this refers to the AISP reconfirmation of consent required by date and not the expiry of the consent agreed with the AISP.) The date and time of the last occasion when data was synced from the connected account A status flag that is either “Active” or “Reconfirm” (see below on status messages) Warnings or alerts if access is close to expiry (i.e. at 90 days). The AISP can define how close to the reconfirmation date it should start to alert the PSU depending on their business model. The AISP must also provide a manage button that allows the PSU to revoke (disconnect) or reconfirm consent. 9d 3 AISP should offer functionality (e.g. search, sort, filter) to enable a PSU to search for the relevant consent. This will be of particular benefit as the number of consents for different ASPSPs/ accounts given by a PSU to AISPs increases. 4 AISPs must use just two status flags: “Active” or “Reconfirm”. Consent is defined as active if it has a valid access token that has not expired and the consent expiry date has not elapsed. AISPs must be mindful that a PSU could have revoked access at the ASPSP. There are a variety of methods that an AISP can use to check that their access token is still valid. See the PSU Notifications page for further details. 9d 5 AISPs should provide the ability for a PSU to edit the ASPSP Name so that it can be replaced with a ‘nickname’ (such as “Household Account” or “Holiday Savings Pot”) to help PSUs identify their accounts easily. 6 AISPs should provide additional explanatory text to help PSUs understand complex areas such as 90-day reconfirmation of consent and how to cancel. Using information bubbles helps to keep information manageable. In the example provided we use the language “at least every 90 days” but AISPs can decide how best to explain this point. The AISP should also explain to the PSU that the PSU must reconfirm their consent only with the AISP at least every 90 days in order to enable the AISP to continue to access their account and provide services. The AISP should also explain to the PSU that PSU may be required to re-authenticate with their ASPSP in permitted circumstances. 7 AISPs must make available a list of consents that have been cancelled or expired (NB: this refers to expiry or cancellation of the consent, not access) so that the PSU has a record of old consents. Where the connection has not been reconfirmed for more than 90 days, and therefore access is expired but can be reconfirmed, it should not be placed in the history, but listed on the Consent Dashboard homepage with a “Reconfirm” status. 9e 8 AISPs must provide a Consent Dashboard, Detailed Page, for each Consent, which includes: ASPSP Name (or nickname if used) Account type (e.g., current account) Sort Code and Account Number (or other product identifier depending on the account type e.g., PAN for credit cards) Data clusters being accessed: using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language section) The purpose of the data sharing The date the consent was granted The expiry date of the access (i.e. reconfirm connection by date the same as shown on the Consent Dashboard Homepage) The expiry of the consent (in situations where the consent is not aligned to reconfirm duration) The purpose for which the data will be used Where the request is for multiple product types, the detail should explain to the customer the product type to which it applies or state that it is shared across multiple product types AISPs should include the following at their discretion: The date when the customer last reconfirmed their consent. 9d
This content is best viewed on a desktop browser. 1 CEG Checklist Requirements 1The Consent Dashboard must allow a PSU to cancel the access they have consented to easily and without obstruction or excessive barriers. 2 CEG Checklist Requirements 2The AISP should make the exact consequences of cancelling the consent clear to the PSU – i.e., they will no longer be able to provide the specific service to the PSU. Once the PSU has clicked “Disconnect”, the AISP should only provide one screen prior to cancelling/revoking access, which clearly sets out the implications of cancelling to ensure that they want to proceed with the cancellation. A confirmation screen should be provided after this to confirm that the connection is no longer active. 3 CEG Checklist Requirements 3The confirmation screen must confirm what happens to any existing data which the AISP has already retrieved. AISPs must ensure that they are fair and transparent about how existing data is processed and that data that is no longer required is deleted, where appropriate. 5 CEG Checklist Requirements 5AISPs should inform the PSU that the connection to their account has been cancelled and no further account information will be provided by the ASPSP to the AISP as the PSU has withdrawn its access given to the AISP. After the Delete endpoint is called by the AISP to remove the account-access-consent resource, the ASPSPs are advised to inform the PSU via their own channels (for example via SMS or via a notification on their mobile phone) that the AISP will no longer have access to their account. This is an additional confirmation to the PSU that the AISP has completed the delete endpoint process correctly. Select to scroll left Select to scroll right
CEG Checklist Requirements & Customer Experience Considerations 1 The Consent Dashboard must allow a PSU to cancel the access they have consented to easily and without obstruction or excessive barriers. 9c 2 The AISP should make the exact consequences of cancelling the consent clear to the PSU – i.e., they will no longer be able to provide the specific service to the PSU. Once the PSU has clicked “Disconnect”, the AISP should only provide one screen prior to cancelling/revoking access, which clearly sets out the implications of cancelling to ensure that they want to proceed with the cancellation. A confirmation screen should be provided after this to confirm that the connection is no longer active. 3 The confirmation screen must confirm what happens to any existing data which the AISP has already retrieved. AISPs must ensure that they are fair and transparent about how existing data is processed and that data that is no longer required is deleted, where appropriate. 8g 4 AISPs must inform the ASPSP that the PSU has withdrawn consent by making a call to DELETE the account-access-consent resource as soon as practically possible (as described in Version 3 of the API specifications). This will ensure that no further account information is shared. ASPSPs must support the Delete process as described in the Version 3 API specifications. (This is not visible to the PSU but will ensure no further account information is provided by the ASPSP to the AISP). 9c 5 AISPs should inform the PSU that the connection to their account has been cancelled and no further account information will be provided by the ASPSP to the AISP as the PSU has withdrawn its access given to the AISP. After the Delete endpoint is called by the AISP to remove the account-access-consent resource, the ASPSPs are advised to inform the PSU via their own channels (for example via SMS or via a notification on their mobile phone) that the AISP will no longer have access to their account. This is an additional confirmation to the PSU that the AISP has completed the delete endpoint process correctly.
This content is best viewed on a desktop browser. 1 CEG Checklist Requirements 1AISPs must alert the PSU when reconfirmation of consent is required. There are many ways a PSU could receive this notification: as an alert, a message from the homepage or when checking their consent dashboard. If the PSU reconfirms a single consent via their consent dashboard, the customer journey would be consent dashboard homepage, detailed consent page, a summary of reconfirmation details. If the PSU is notified that they need to reconfirm consent, the AISP can take the PSU straight to the Summary of reconfirmation page. If the PSU reconfirms multiple consents via their consent dashboard, the customer journey would be as in figure 10: Consent Dashboard Homepage (select multiple consents), Summary & Confirmation completion after authentication at AISP. AISPs must not access data if the PSU has not reconfirmed consent. 2 CEG Checklist Requirements 2 AISPs should allow the PSU to select all the payment accounts across ASPSPs that may or may not be due for reconfirmation. AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g., the data permissions required, the purpose for which it will be used etc.) will change. 3 CEG Checklist Requirements 3AISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU. If the AISP is only trading with its registered company name then it must display that name to the PSU. If the AISP is not the customer-facing entity and there is an Agent who is acting on behalf of the AISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the AISP and must also, display the AISP’s full trading name/brand name or registered company name whichever is the customer-facing brand of the AISP. AISPs must also, populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to be able to display this information to the PSU. Only in instances where there is an Agent acting on behalf of the AISP, the ‘On Behalf of’ name must be displayed to the PSU. AISPs must not populate the ‘ On behalf of’ field with the details of their TSP. The customer-facing entity must provide PSUs with sufficient information to enable them to make an informed decision. For example, detail the purpose for which the data will be used (including whether any other parties will have access to the information), the period over which it has been requested and when the consent for the account information will expire (consent could be ongoing or one-off). 4 CEG Checklist Requirements 4 AISPs must also allow the PSU to select each consent and view the data permissions (clusters) that are associated with the consent without the need to change the consent. 5 CEG Checklist Requirements 5 AISPs must allow the PSU to explicitly reconfirm their consent with equal prominence given to continue or discontinue the service. 6 CEG Checklist Requirements 6AISPs should provide confirmation to the PSU that reconfirmation of consent has been successfully completed. Select to scroll left Select to scroll right
CEG Checklist Requirements & Customer Experience Considerations 1 AISPs must alert the PSU when reconfirmation of consent is required. There are many ways a PSU could receive this notification: as an alert, a message from the homepage or when checking their consent dashboard. If the PSU reconfirms a single consent via their consent dashboard, the customer journey would be consent dashboard homepage, detailed consent page, a summary of reconfirmation details. If the PSU is notified that they need to reconfirm consent, the AISP can take the PSU straight to the Summary of reconfirmation page. If the PSU reconfirms multiple consents via their consent dashboard, the customer journey would be as in figure 10: Consent Dashboard Homepage (select multiple consents), Summary & Confirmation completion after authentication at AISP. AISPs must not access data if the PSU has not reconfirmed consent. 16a 16d 2 AISPs should allow the PSU to select all the payment accounts across ASPSPs that may or may not be due for reconfirmation. AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g., the data permissions required, the purpose for which it will be used etc.) will change. 3 AISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU. If the AISP is only trading with its registered company name then it must display that name to the PSU. If the AISP is not the customer-facing entity and there is an Agent who is acting on behalf of the AISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the AISP and must also, display the AISP’s full trading name/brand name or registered company name whichever is the customer-facing brand of the AISP. AISPs must also, populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to be able to display this information to the PSU. Only in instances where there is an Agent acting on behalf of the AISP, the ‘On Behalf of’ name must be displayed to the PSU. AISPs must not populate the ‘ On behalf of’ field with the details of their TSP. The customer-facing entity must provide PSUs with sufficient information to enable them to make an informed decision. For example, detail the purpose for which the data will be used (including whether any other parties will have access to the information), the period over which it has been requested and when the consent for the account information will expire (consent could be ongoing or one-off). 8e 4 AISPs must also allow the PSU to select each consent and view the data permissions (clusters) that are associated with the consent without the need to change the consent. 16b 5 AISPs must allow the PSU to explicitly reconfirm their consent with equal prominence given to continue or discontinue the service. 16d 6 AISPs should provide confirmation to the PSU that reconfirmation of consent has been successfully completed.
This content is best viewed on a desktop browser. 1 CEG Checklist Requirements 1In circumstances where re–authentication needs to be performed by the ASPSP to refresh AISP access, AISPs should alert the PSU. There are many ways a PSU could receive this notification: as an alert, a message from the homepage or when checking their Consent Dashboard. If the PSU reauthenticates at their ASPSP via their Consent Dashboard, the customer journey would be as set out in the wireframes: Consent Dashboard Homepage, a Detailed Consent Page, a Summary of reauthentication details followed by a confirmation page. If the PSU is notified that they need to reauthenticate with their ASPSP, the AISP can take the PSU straight to the Summary of reauthentication page 2 CEG Checklist Requirements 2AISPs must present a high-level summary of the data that is being requested and make it clear that this data and the purpose for which it will be used are the same as when originally requested. This should be done using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below). AISPs must ensure that this request is specific to only the information required for the provision of their account information service to the PSU. AISPs should only present those data clusters relevant to the product type in question. Where the request is for multiple product types then the detail shown in the data cluster should explain to the customer the product type to which it applies or state that it is shared across multiple product types. AISPs should not redirect the PSU to their ASPSP without first summarising the reauthentication. 3 CEG Checklist Requirements 3AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g., the data permissions required, the purpose for which it will be used etc.) will change. If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP. The customer-facing entity must also display the AISP’s full trading name. This can be presented to the PSU by displaying both the agent’s name and the regulated AISP name as: For you to use this service, acting on behalf of need to access information from your accounts at YOUR ASPSP. 4 CEG Checklist Requirements 4ASPSPs must not replay the data requested (as a default) or seek reconfirmation of consent. If an ASPSP is applying for the Art 10A exemption, following the application of initial SCA, ASPSPs must not apply SCA unless they have proportionate and objective reasons for doing so e.g. fraud or unauthorised access or revoked access accidentally at the ASPSP or request more data than permitted under Art 10a e.g. 100days of data. 5 CEG Checklist Requirements 5As part of the authentication journey, the ASPSP could have a call to action, for example, to an expandable section that the PSU can click on for information purposes only. If the ASPSP provides this option for the PSU as supplementary information, it will enable the PSU to view the data they have chosen to share with the AISP. This should be done using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below). ASPSPs must display the AISPs’ trading name/brand name (i.e., the Client Name in the software statement) to the PSU during authentication screens and on any Access Dashboards. They do not need to display the registered company name of the TPP even if it is different. If there is an Agent acting on behalf of the AISP, ASPSPs must also display the Agent company name (as captured in the ‘On behalf of’ field of the software statement) to the PSU. (Please note that ASPSPs can show the Agency/On Behalf field only in cases where this information has been provided by AISPs). For examples of what names should be displayed, please refer to the Examples section below. 6 CEG Checklist Requirements 6AISPs should confirm the successful completion of the account information request to the PSU. Select to scroll left Select to scroll right
CEG Checklist Requirements & Customer Experience Considerations 1 In circumstances where re-authentication needs to be performed by the ASPSP to refresh AISP access, AISPs should alert the PSU. There are many ways a PSU could receive this notification: as an alert, a message from the homepage or when checking their Consent Dashboard. If the PSU reauthenticates at their ASPSP via their Consent Dashboard, the customer journey would be as set out in the wireframes: Consent Dashboard Homepage, a Detailed Consent Page, a Summary of reauthentication details followed by a confirmation page. If the PSU is notified that they need to reauthenticate with their ASPSP, the AISP can take the PSU straight to the Summary of reauthentication page 16 2 AISPs must present a high-level summary of the data that is being requested and make it clear that this data and the purpose for which it will be used are the same as when originally requested. This should be done using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below). AISPs must ensure that this request is specific to only the information required for the provision of their account information service to the PSU. AISPs should only present those data clusters relevant to the product type in question. Where the request is for multiple product types then the detail shown in the data cluster should explain to the customer the product type to which it applies or state that it is shared across multiple product types. AISPs should not redirect the PSU to their ASPSP without first summarising the reauthentication. 13b 3 AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g., the data permissions required, the purpose for which it will be used etc.) will change. If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP. The customer-facing entity must also display the AISP’s full trading name. This can be presented to the PSU by displaying both the agent’s name and the regulated AISP name as: For you to use this service, <Agent trading name> acting on behalf of <AISP Trading Name> need to access information from your accounts at YOUR ASPSP. 4 ASPSPs must not replay the data requested (as a default) or seek reconfirmation of consent. If an ASPSP is applying for the Art 10A exemption, following the application of initial SCA, ASPSPs must not apply SCA unless they have proportionate and objective reasons for doing so e.g. fraud or unauthorised access or revoked access accidentally at the ASPSP or request more data than permitted under Art 10a e.g. 100days of data. 17 17c 5 As part of the authentication journey, the ASPSP could have a call to action, for example, to an expandable section that the PSU can click on for information purposes only. If the ASPSP provides this option for the PSU as supplementary information, it will enable the PSU to view the data they have chosen to share with the AISP. This should be done using the structure and language recommended by OBIE following customer research (see Data Cluster Structure & Language below). ASPSPs must display the AISPs’ trading name/brand name (i.e., the Client Name in the software statement) to the PSU during authentication screens and on any Access Dashboards. They do not need to display the registered company name of the TPP even if it is different. If there is an Agent acting on behalf of the AISP, ASPSPs must also display the Agent company name (as captured in the ‘On behalf of’ field of the software statement) to the PSU. (Please note that ASPSPs can show the Agency/On Behalf field only in cases where this information has been provided by AISPs). For examples of what names should be displayed, please refer to the Examples section below. 6 AISPs should confirm the successful completion of the account information request to the PSU.
CEG Checklist Requirements & Customer Experience Considerations 1 AISPs must make available all the cancelled or expired consent including details of consent parameters under history of consents. Note: The duration of how long this is available on the Dashboard is in the competitive space of the AISP. 9e 2 AISPs must make all the details of the consent available: Consent granted Consent expired/cancelled date Ability to expand consent from account and to account details Consent status (Expired/Cancelled) 9d
CEG Checklist Requirements & Customer Experience Considerations 1 In addition to other requirements, if an AISP is using an agent when providing payment services, the AISP must ensure there are no additional obstacles to a PSU accessing the Consent Dashboard. The agent must provide a clear, easy to find the link to your Consent Dashboard so that the user is able to access this simply from within the agent’s website or app (or be seamlessly linked from it). It should not require additional logins or the creation of a separate account with the AISP. The PSU must be able to access the Consent Dashboard as simply as if they were using the service of the AISP directly. The Consent Dashboard Home Screen should include text that clarifies that “[Agent Name] is an authorised agent of [AISP Name]” to prevent PSU confusion. AISPs must populate the Agent company name in the ‘On behalf of’ field of the Software Statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to be able to display this information to the PSU. Only in instances where there is an Agent acting on behalf of the AISP should the ‘On Behalf of’ field be populated on the Software Statement. AISPs must not populate the ‘On behalf of’ field with the details of their TSP 8e
CEG Checklist Requirements & Customer Experience Considerations 1 In addition to the requirements set out above, if an AISP is sharing data it has obtained via their account information service with a Third Party not providing AIS (as defined by the FCA here), it should detail this onward sharing arrangement on the Consent Dashboard. This should include: The party or parties who are receiving data from the AISP The data which is being shared (if it is a sub-set of extraction from the overall data which is accessed from the ASPSP) How long this onward sharing arrangement will continue How the PSU can stop the onward sharing arrangement (if possible) A reminder of why the data is being onward shared. This onward sharing statement should be constructed as follows, with the AISP including all details which are relevant for their version of onward sharing: “We are sharing [detail of data being shared] from your connected accounts with [list all other parties with who you share data] in order to [reminder of the service the TPNPA is providing]. This will continue until [insert date]. [Insert detail on how the PSU finds out more or manages this arrangement if appropriate]” 9f
Dashboards Overview Previous Related articles Please select API specifications Consent Revocation Changes to an Intent's Authorized State DELETE account-access-consents AIS Access Dashboard Next