Independent research by Ipsos MORI showed a strong desire from real customers for intelligent notifications from TPPs and ASPSPs. Here we make recommendations for the implementation of effective notifications.
Other pages in this section Dashboards Overview AIS Consent Dashboard AIS Access Dashboard PIS VRP Consent Dashboard PIS VRP Access Dashboard CBPII Consent Dashboard CBPII Revocation of Consent CBPII Access Dashboard CBPII Access Revocation PSU Notifications
CX and other processing requirements 1 PSU cancels access from the ASPSP Access Dashboard The PSU follows the journey on TPP Access Dashboard & Revocation to cancel access to their account for a specific TPP. ASPSP should confirm to the PSU that access to the account(s) has been cancelled. 2 Real Time Push Notification from ASPSP to TPP The ASPSP should notify the TPP in real-time (i.e. immediately) after the PSU cancels their access at their ASPSP Access dashboard. The implementation of the real-time mechanism is defined in the OBL technical specifications. 3 Push Notification for Offline TPPs (ASPSP to TPP) ASPSPs should also be able to use push notification mechanisms to notify TPPs whose systems are offline that PSUs cancelled their access using the ASPSPs’ access dashboards. This removes the requirement for TPPs to have systems up and running 24×7 in order to receive real-time push notifications from ASPSPs. Once the TPPs’ systems are available again, ASPSPs should push again any notifications required to the TPPs, so that TPPs can update their systems. In addition to PSU cancellation of access, ASPSPs should be able to notify the TPPs when access to the account(s): has been suspended by ASPSP due to changes in the account access resource for any valid reason (e.g. CASS by PSU, joint holder cancelling access, account closed, etc.) and could provide the reason code, if appropriate. is no longer available due to changes in the state of the access token for any valid reason (e.g. token has expired, a token has been suspended by the ASPSP due to fraud etc.) and could provide the reason code, if appropriate. 4 Notification to PSU by TPP Upon receipt of the notification by the ASPSP, the TPP should notify the PSU, if required, that access to their ASPSP account(s) is no longer possible. TPPs should present the PSU with the implications of the access revocation in case there are ‘unintended’ consequences’. However, unintended consequences may not be applicable in many cases. PSUs could then take their preferred actions such as continuing to use the service or stop. If the former, they will be required to authenticate again with their ASPSPs in order to provide access to the TPPs. If the latter, PSUs may also want to remove their consent with the TPPs.
CX and other processing requirements 1 Multiple PSUs revoke access from the ASPSP Access Dashboard Multiple PSUs, during a period of time, follow the journey for TPP Access Dashboard &B Revocation to revoke access to their account for a specific TPP. For each PSU access, revocation, the ASPSP should confirm to the PSU that access to the account(s) has been revoked. 2 ASPSP generates access revocation events in their events repository For all PSUs access revocations, the ASPSP should generate an access revocation event in the events Repository organised per each TPP. In cases where the TPP has subscribed to access revocation events for aggregated polling (or push notifications), the ASPSP should generate an access revocation event in the events Repository organised per each TPP. 3 Aggregated ‘Polling’ / Pull Notification of ASPSP by TPP Similar to basic polling, aggregated Polling is about the provision of notification of revocations from ASPSPs to TPPs, upon TPP request, enabling TPPs to update their records and contact the PSUs, if required, at the point in time of the request. However, the key difference is that rather than focusing on a specific access resource’s status (via a GET request on that specific resource), aggregated polling allows a TPP to poll for the outstanding or awaiting events in the ASPSP’s events repository related to multiple access consents from multiple PSUs. ASPSPs should provide to the polling TPP all the access resource status and other information stored in the repository for that specific TPP, upon TPP request. Please note that in case of access revocation, there is no change to the underlying consent resource. However, the event type is the same for both events, i.e. consent-authorization-revoked. In addition to PSU revocation of access (event UK.OBL.Consent-Authorization-Revoked), ASPSPs should be able to notify the TPPs for the below 2 events: UK.OBL.Resource-Update – An event that indicates a resource has been updated. UK.OBL.Account-Access-Consent-Linked-Account-Update – An event that indicates an account linked to consent has move-in/out of scope of the consent. Note: This functionality makes much more efficient usage of the ASPSPs and TPPs network bandwidth as multiple single polls, especially with no change of access status, are avoided. Moreover, it allows TPPs to receive all the required notifications without the need to implement systems with high availability (e.g. systems running 24×7) or systems based on real-time push notifications, providing full flexibility to TPPs about the timing they want to receive the notifications based on their business models. 4 Notification to multiple PSUs by TPP Upon receipt of the aggregated polling information by the ASPSP, the TPP should notify all the PSUs, when required, that their access to their ASPSP account(s) is no longer possible. TPPs should present to all PSUs the implications of the access revocation in case there are ‘unintended’ consequences’. However, unintended consequences may not be applicable in many cases. PSUs could then take their preferred actions such as continuing to use the service or stop. If the former, they will be required to authenticate again with their ASPSPs in order to provide access to the TPPs. If the latter, PSUs may also want to remove their consent with the TPPs.
CX and other processing requirements 1 PSU cancels consent from the TPP Consent Dashboard The PSU follows the journey on TPP Consent Dashboard & Revocation to cancel consent to their account for a specific ASPSP. 2 Real Time Pull Notification from TPP to ASPSP The TPP must notify the ASPSP in real-time (i.e. immediately) by calling DELETE API. 9c 3 The ASPSP must reflect the status as cancelled in the ASPSP access dashboard in real-time (i.e. immediately) after the TPP has called the DELETE API. 10e
CX and other processing requirements 1 PSU cancels access from the ASPSP Access Dashboard The PSU follows the journey on TPP Access Dashboard & Revocation to cancel access to their account for a specific TPP. ASPSP should confirm to the PSU that access to the account(s) has been cancelled. 2 Real Time Pull Notification by TPP from ASPSP The TPP must be able to poll the status of their account access at relevant ASPSP and notify the PSU if their access is no longer valid. PSU must be able to see the same status ‘Cancelled’ on both consent and access dashboard
CBPII Access Revocation Previous Related articles Please select API specifications Event Notification Subscription API Callback URL API Real Time Event Notification API Aggregated Polling API Customer Experience Checklist Next