A critical component of the customer journey is the way in which customers share their data, granting, managing and revoking their consent with the Third Party Provider (TPP) and revoking access at ASPSP specifically in relation to the provision of their payment service. It is essential to empower individuals with the information, tools and protections to actively share their data with trustworthy organisations and importantly, that organisations understand their legal and regulatory obligations, as applicable both under PSD2 and GDPR.
For the purposes of the Customer Experience Guidelines, for each core use case customer journey, interaction and hand off have been broken into a set of clear, highly simplified white-label ‘wireframes’. These are intended to be platform-agnostic, to place focus on only the key elements within (e.g. messages, fields, checkboxes) and the specific number of steps that the customer must navigate. In all cases, they are constructed around the primary Open Banking Customer Journey, which is illustrated to the right.
At the core of all Open Banking, customer journeys are the mechanism by which the PSU gives consent to a TPP (AISP or PISP or CBPII) to access account information held at their ASPSP or to initiate payments from their ASPSP account.
In general, simplified terms, the consent request is initiated in the TPP domain (step 1 right). The PSU is then directed to the domain of its ASPSP for authentication (step 2 right). Then, once authentication is complete, the ASPSP will be able to respond to the TPP’s account information or payment initiation request and redirect the PSU back to the TPP for confirmation and completion of the journey (step 3 right).
Customer Data Sharing Journey
The Data Sharing Customer Journey is outlined below and consists of five stages: Set Up, Consent, Consent Management, Revocation and Off-Boarding. We now examine these stages and their requirements. You must familiarise yourself with the regulatory requirements for GDPR and PSD2 at each stage.
These are shown illustratively, and we use this pattern within these guidelines, although we recognise that this is not linear. This journey should be regarded as one overall experience and will vary from TPP to TPP. TPPs should consider how each part can work alongside the next, and not in separation. It is important that the number of screens is kept to a minimum, and how this journey is designed to feel intuitive and seamless. All wireframes have been created to illustrate the key principles of the customer journey and illustrate important regulatory points only.
- Set Up. This includes having sight of the TPPs Privacy Notice, which amongst other things, must confirm details of any onward sharing of personal data and importantly the recipients or categories of recipients who will receive that data. It must also include agreeing to a set of terms and conditions which confirm the provision of services being offered. Setting up a new service should not only be simple, but the key terms of the service being offered and the use of, and the lawful basis for processing personal data must be clear and transparent to the customer prior to any personal data being processed This is where GDPR comes to the fore.
2. Providing Consent, where the customer consents to allow the TPP to access their account for the provision of an AIS or PIS service. Here the relevant regulation is PSD2. The purpose, data being shared and duration of TPP access must be very clear.
3. Consent Data Sharing Management and Revocation stages, where PSD2 apply and Off-Boarding where both PSD2 and GDPR apply. The customer should be able to view, manage and revoke their consent easily with controls that are easily found.
The relationship between GDPR & PSD2
A key consideration throughout the Customer Journey is the regulatory requirements at each stage. TPPs will need to consider the application of the provisions of each regulation at each stage to ensure they meet the relevant requirements.
To find out more about your legal and regulatory obligations under GDPR, please see https://ico.org.uk
The principles of transparency and control to build trust are critical. In particular, when the customer is in the Set-Up phase, if and how the TPP onward shares data with other parties must be clear so customers have knowledge about what will happen to their data.
From the customer’s perspective, we can summarise the key aspects that are important.
TPPs must ensure that their terms and conditions and Privacy Notice outline applicable rights and responsibilities to their customer in the context of relevant regulation and legal principles.
This guidance in this document builds upon research commissioned by Open Banking and is designed to help Third Party Providers (TPPs) make informed decisions about how and where to focus their efforts.
Useful elements in the customer journey
Many customers are prone to skim through the information presented to them when setting up online products because the information is not well presented. In their desire to achieve the promised benefit, insufficient notice is taken of the implications of their actions, or the terms and conditions. It is commonplace to discover, once they have completed the customer journey, that they cannot spontaneously describe what they have just agreed to. The research has shown that a better understanding can be achieved by carefully designing the customer journey, and reveals that the solution is about the effective, intuitive presentation of information, and is not about introducing steps to slow the customer down or repeating information. The following methods have been found to be the most effective:
- Effective messages and navigation appropriate to the redirection screens when the customer is redirected from the TPP to the ASPSP, and then again when the customer is redirected back from the ASPSP to the TPP. For a customer that has granted consent to the TPP, the redirection screen creates a clear sense of separation as they enter the ASPSP’s domain where they authenticate, before clearly being passed back to the TPP. This provides a familiar and trusted experience to the customer and signposts the customer’s journey from one domain to the other
- Providing useful information presented in an intuitive and easily consumable way. The principle here is to ensure that the information that the customer is presented with is kept to a minimum. If it is unavoidably necessary for the TPP to convey more complex information, it is more likely to be read and understood when presented as a series of smaller amounts of information across more than one screen. This is a much more effective method than the use of a single text-heavy screen.
- Providing supplementary information at specific points in the customer journey is useful, helping the customer to understand the process as well as ensuring comprehension of a product or offer and its implications. If executed well, it will enhance the customer journey and does not lead to an increased propensity to drop off.
Unhelpful elements in the customer journey
The research has shown that superfluous information, poor or confusing choice of words, repetition, large amounts of text, too many steps or avoidable delays in the customer journey can lead to frustration, an even greater tendency to skim, and ultimately increase customer drop off. The following unhelpful elements were identified in the research and must be avoided:
- A customer authentication journey that takes too long and requires the use of separate devices such as one-time password generators, especially if applied multiple times in the customer journey.
- Where there are fewer screens but a significant amount of text on the screen. This is particularly evident when this requires customers to scroll up and down the screen to progress the customer journey.
- Providing superfluous information that does not add to the customer’s understanding or trust, especially when presented in a separate step or screen.
- Delays such as slow loading times, as well as web pages or apps that have not been effectively debugged, and unexpected crashing of web pages or apps.
- Inappropriate use of language, particularly language which may create a level of concern, uncertainty and doubt when going through the customer journey.
- The use of language that is too long, complex or legalistic to be easily understood when going through the customer journey.
- Asking for the same information twice, and asking for information for which there is no obvious purpose, e.g. replaying the consent to the customer that was granted to the TPP, or asking for a PIN when it is not needed.
- Forcing the customer to open a new browser window during the customer journey, and having to toggle between screens in order to progress.
- Introducing the requirement for a customer to input information that they don’t readily have to hand, such as unique customer reference numbers
- Requesting input of information that could reasonably be expected to be pre-populated once the customer has authenticated.
- Failing to differentiate between new users and experienced regular users who may want to shorten the customer journey without exposing themselves to risk.