A critical component of the customer journey is the way in which customers share their data, granting, managing and revoking their consent with the Third Party Provider (TPP) for the provision of their service. It is essential to empower individuals with the information, tools and protections to actively share their data with trustworthy organisations.
For the purposes of the Customer Experience Guidelines, the customer journey, interaction and hand-off for each core use case have been broken into a set of clear, highly simplified white-label ‘wireframes’. These are intended to be platform-agnostic, placing the focus only on the key elements within (e.g. messages, fields, checkboxes) and the specific number of steps that the customer must navigate. In all cases, they are constructed around the primary Open Banking Customer Journey, which is illustrated to the right.
At the core of all Open Banking customer journeys is the mechanism by which the PSU gives consent to a TPP (AISP, PISP or CBPII) to access account information held at their ASPSP or to initiate payments from their ASPSP account.
In general, simplified terms, the consent request is initiated in the TPP domain (step 1 right). The PSU is then directed to the domain of its ASPSP for authentication (step 2 right). Then, once authentication is complete, the ASPSP will be able to respond to the TPP’s account information or payment initiation request and redirect the PSU back to the TPP for confirmation and completion of the journey (step 3 right).
The Data Sharing Customer Journey is outlined below and consists of five stages: Set Up, Consent, Consent Management, Revocation and Off-Boarding. We now examine these stages and their requirements. You must familiarise yourself with the regulatory requirements for GDPR and PSD2 at each stage.
These stages are shown illustratively, and we use this pattern within these guidelines, although we recognise that the journey is not linear. This journey should be regarded as one overall experience and will vary from TPP to TPP. TPPs should consider how each part can work alongside the next, and not in isolation. It is important that the number of screens is kept to a minimum and that the journey is designed to feel intuitive and seamless. All wireframes have been created to illustrate the key principles of the customer journey and important regulatory points only.
2. Providing Consent, where the customer consents to allow the TPP to access their account for the provision of an AIS or PIS service. Here the relevant regulation is PSD2. The purpose, data being shared and duration of TPP access must be very clear.
3. Consent Management, Revocation and Off-Boarding stages, where both GDPR and PSD2 apply. The customer should be able to view, manage and revoke their consent easily with controls that are easily found.
A key consideration throughout the Customer Journey is the regulatory requirements at each stage. TPPs will need to consider the application of the provisions of each regulation at each stage to ensure they meet the relevant requirements.
Find out more about the regulation and your obligations under GDPR and PSD2. Check the appropriate data request mechanism e.g. Article 15 of GDPR or Schedule 4 of PSD2.
The principles of transparency and control are critical to building trust. In particular, when the customer is in the Set-Up phase, it must be clear whether and how the TPP shares data onward with other parties, so that customers know what will happen to their data. Note that Special Category Data (e.g. membership of a Trade Union) carries specific obligations under GDPR which you must be aware of.
From the customer’s perspective, we can summarise the key aspects that are important.
The guidance in this document builds upon research commissioned by Open Banking and is designed to help Third Party Providers (TPPs) make informed decisions about how and where to focus their efforts.
Many customers are prone to skim through the information presented to them when setting up online products because the information is not well presented. In their desire to achieve the promised benefit, insufficient notice is taken of the implications of their actions, or the terms and conditions. It is commonplace to discover, once they have completed the customer journey, that they cannot spontaneously describe what they have just agreed to. The research has shown that a better understanding can be achieved by carefully designing the customer journey, and reveals that the solution is about effective, intuitive presentation of information, and is not about introducing steps to slow the customer down or repeating information. The following methods have been found to be the most effective:
The research has shown that superfluous information, poor or confusing choice of words, repetition, large amounts of text, too many steps or avoidable delays in the customer journey can lead to frustration, an even greater tendency to skim, and ultimately increase customer drop off. The following unhelpful elements were identified in the research and must be avoided: