Dashboards play an important role in clearly and transparently setting out what a PSU has provided consent for a CBPII to do on their behalf. PSUs may have consented to Confirmation of Funds (CoF) access to several accounts from one or more ASPSPs. CBPIIs must provide PSUs with a Dashboard to view and revoke these consents.
Other pages in this section Dashboards Overview AIS Consent Dashboard AIS Access Dashboard PIS VRP Consent Dashboard PIS VRP Access Dashboard CBPII Consent Dashboard CBPII Access Dashboard PSU Notifications
CEG Checklist Requirements & CX Considerations 1 CBPIIs must provide PSUs with a facility to view and revoke consents that they have given to that CBPII. PSUs may have consented to CoF access to several accounts from one or more ASPSPs. 9b 2 Consent Dashboards must be easy and intuitive for PSUs to find and use. Careful consideration should be given to ensure that Dashboards are positioned logically and placed no more than two clicks from the CBPII’s Home Screen. 9b 3 CBPIIs must carefully consider the naming of their Dashboard to aid PSU understanding and ability to find its location. Our research found that names such as “Permissions”, “Accounts”, “Logins” were not clear, and many consumers didn’t understand what they meant. CBPIIs must use the preferred term “open banking connections” and/or “open banking connected accounts” for a Consent Dashboard specifically. 9a
CEG Checklist Requirements & CX Considerations 1 To aid clarity whilst providing detailed information if the PSU needs it, a Consent Dashboard should provide an overview screen (Consent Dashboard Home Page) which lists high level information for all consents, and a detailed page for each consent (Consent Dashboard Detailed Page). 2 The customer-facing entity must provide PSUs with sufficient information to enable them to make an informed decision on the Consent Dashboard Home Page. The CBPII Consent Dashboard must display all Confirmation of Funds access consents provided to the CBPII. Thus, for each PSU account, there must be a consent entry granting CoF access to the account for CoF purposes by the PSU. As a minimum, CBPIIs must show on the Consent Dashboard Home Page: ASPSP Name (or nickname if used) Account type (if provided) ASPSP Sort Code and Account Number Start date i.e., date consent was first granted End date or where relevant the ongoing nature of the consent The CBPII must also provide a manage button that allows the PSU to revoke consents for each specific ASPSP account. 9d 3 The CBPII should offer functionality (e.g., search, sort, filter) to enable a PSU to search for the relevant consent. This will be of particular benefit as the number of consents for different ASPSPs/ accounts given by a PSU to CBPIIs increases. 4 For each ASPSP account granted CoF access, CBPIIs should display the PSU payment account identification (such as account name, sort code and account number) and expiration date and time. Note: PSU account number should be masked. 5 The CBPII should also provide a history of all confirmation of funds checks. Note: Refer to CoF History section below for details 6 CBPIIs must differentiate between current and historical consents. Consent is defined as active if it has a valid access token that has not expired, and the consent expiry date has not elapsed. This could just be displayed by showing active consents under “Current” and any expired or revoked ones under “History.” CBPIIs must be mindful that a PSU could have revoked access at the ASPSP. CBPIIs must not show different status messages at their Consent Dashboard to those that a PSU would see at their ASPSP Access Dashboard. There are a variety of methods that a CBPII can use to check that their access token is still valid. See this page for further details. 9d 7 CBPIIs should provide the ability for a PSU to edit the ASPSP Name so that it can be replaced with a ‘nickname’ (such as “Household Account” or “Holiday Savings Pot”) to help PSUs identify their accounts easily. 8 CBPIIs should provide additional explanatory text to help PSUs understand complex areas such as the expiry date or the ongoing nature of the consent and how to cancel it. Using information bubbles helps to keep information manageable. In the example provided we use the language “ongoing” but CBPIIs can decide how best to explain this point. 9 CBPIIs must make available a list of consents that have been cancelled or expired (NB: this refers to the expiry of the consent, not access) so that the PSU has a record of old consents. 9e 10 CBPIIs must provide a Consent Dashboard, Detailed Page, for each Consent, which includes: ASPSP Name (or nickname if used) Account type (e.g., current account) Sort Code and Account Number (or other product identifier depending on the account type e.g., PAN for credit cards) The date the consent was granted The expiry date of the consent The purpose for which the data will be used CBPIIs may include the following at their discretion: Details about the purpose for which the funds check is used (including whether any other parties will have access to the information) Clear and reassuring messages about what information is made available from the ASPSP The date and time of the last occasion when a CoF check was requested – this should also be available as a historical list of all past fund checks. 9d
This content is best viewed on a desktop browser. 1 CEG Checklist Requirements 1The Consent Dashboard must allow a PSU to cancel the access they have consented to easily and without obstruction or excessive barriers. 2 CEG Checklist Requirements 2The CBPII should make the exact consequences of cancelling the consent clear to the PSU – i.e., they will no longer be able to provide the specific service to the PSU. The CBPII should make the implications of cancelling clear to the PSU and make sure they want to proceed. A confirmation screen should be provided after this to confirm. 3 CEG Checklist Requirements 3Cancellation Request CBPIIs must allow PSUs to confirm that they want to cancel CoF consent of their account to the CBPII. CBPIIs should inform PSUs that once CoF consent is revoked, the CBPII will no longer be able to check the availability of funds in their account. CBPIIs should give equal prominence to the choices of continuing or cancelling the CBPII CoF consent. 5 CEG Checklist Requirements 4CBPII Confirmation CBPIIs should confirm to PSUs that CoF consent to their account has been cancelled. ASPSPs should inform the PSU that no further CoF responses will be provided by the ASPSP to the CBPII. After the Delete endpoint is called by the CBPII to remove the resource, ASPSPs should inform the PSU via their own channels (for example via SMS or via a notification on their mobile phone) that the CBPII will no longer be able to perform CoF calls and the ASPSP will not provide any further responses. This is an additional confirmation to the PSU that the CBPII has completed the delete endpoint process correctly. Select to scroll left Select to scroll right
CEG Checklist Requirements & CX Considerations 1 The Consent Dashboard must allow a PSU to cancel the access they have consented to easily and without obstruction or excessive barriers. 9c 2 The CBPII should make the exact consequences of cancelling the consent clear to the PSU – i.e., they will no longer be able to provide the specific service to the PSU. The CBPII should make the implications of cancelling clear to the PSU and make sure they want to proceed. A confirmation screen should be provided after this to confirm. 3 Cancellation Request CBPIIs must allow PSUs to confirm that they want to cancel CoF consent of their account to the CBPII. CBPIIs should inform PSUs that once CoF consent is revoked, the CBPII will no longer be able to check the availability of funds in their account. CBPIIs should give equal prominence to the choices of continuing or cancelling the CBPII CoF consent. 9c 4 CBPIIs must inform the ASPSP that the PSU has withdrawn consent by making a call to the DELETE API endpoint as soon as practically possible (as described in Version 3 of the API specifications). This will ensure that no further CoF responses will be provided by the ASPSP. ASPSPs must support the Delete process as described in the Version 3 API specifications. This activity is not visible to PSUs as it takes place in the background, however, it will ensure no further CoF responses are provided by ASPSPs to CBPIIs. 9c 5 CBPII Confirmation CBPIIs should confirm to PSUs that CoF consent to their account has been cancelled. ASPSPs should inform the PSU that no further CoF responses will be provided by the ASPSP to the CBPII. After the Delete endpoint is called by the CBPII to remove the resource, ASPSPs should inform the PSU via their own channels (for example via SMS or via a notification on their mobile phone) that the CBPII will no longer be able to perform CoF calls and the ASPSP will not provide any further responses. This is an additional confirmation to the PSU that the CBPII has completed the delete endpoint process correctly.
CEG Checklist Requirements & CX Considerations 1 CBPIIs must make available a list of consents that have been cancelled or expired (NB: this refers to the expiry of the consent, not access) so that the PSU has a record of old consents. 9e 2 CBPIIs must make all the details of the consent available: Consent granted Consent expired/cancelled date Consent from account Consent status (Expired/Cancelled) 9d
CEG Checklist Requirements & CX Considerations 1 CBPIIs should make available a list of the CoF checks associated with each consent on the fund check history page.
PIS VRP Access Dashboard Previous Related articles Please select API specifications CBPII Consent Revocation DELETE funds-confirmation-consents CBPII Access Dashboard Next