A critical component of the customer journey is the way in which customers share their data: granting, managing and revoking their consent with the Third Party Provider (TPP), and revoking access at the ASPSP, specifically in relation to the provision of their payment service. It is essential to empower individuals with the information, tools and protections to actively share their data with trustworthy organisations and, importantly, that organisations understand their legal and regulatory obligations, as applicable under both PSD2 and GDPR.
For the purposes of the Customer Experience Guidelines, for each core use case customer journey, interaction and hand off have been broken into a set of clear, highly simplified white-label ‘wireframes’. These are intended to be platform-agnostic, to place focus on only the key elements within (e.g. messages, fields, checkboxes) and the specific number of steps that the customer must navigate. In all cases, they are constructed around the primary Open Banking Customer Journey, which is illustrated below.
At the core of all Open Banking customer journeys is the mechanism by which the PSU gives consent to a TPP (AISP, PISP or CBPII) to access account information held at their ASPSP or to initiate payments from their ASPSP account.
In general, simplified terms, the consent request is initiated in the TPP domain (step 1). The PSU is then directed to the domain of its ASPSP for authentication (step 2). Then, once authentication is complete, the ASPSP will be able to respond to the TPP’s account information or payment initiation request and redirect the PSU back to the TPP for confirmation and completion of the journey (step 3).
The Data Sharing Customer Journey is outlined below and consists of five stages: Set Up, Consent, Consent Management, Revocation and Off-Boarding. We now examine these stages and their requirements. You must familiarise yourself with the regulatory requirements for GDPR and PSD2 at each stage.
These stages are shown illustratively, and we use this pattern within these guidelines, although we recognise that the journey is not linear. This journey should be regarded as one overall experience and will vary from TPP to TPP. TPPs should consider how each part can work alongside the next, and not in isolation. It is important that the number of screens is kept to a minimum, and that the journey is designed to feel intuitive and seamless. All wireframes have been created to illustrate the key principles of the customer journey and important regulatory points only.
2. Providing Consent, where the customer consents to allow the TPP to access their account for the provision of an AIS or PIS service. Here the relevant regulation is PSD2. The purpose, data being shared and duration of TPP access must be very clear.
3. Consent Data Sharing Management and Revocation stages, where PSD2 applies, and Off-Boarding, where both PSD2 and GDPR apply. The customer should be able to view, manage and revoke their consent easily, with controls that are easily found.
A key consideration throughout the Customer Journey is the regulatory requirements at each stage. TPPs will need to consider the application of the provisions of each regulation at each stage to ensure they meet the relevant requirements.
To find out more about your legal and regulatory obligations under GDPR, please see https://ico.org.uk
The principles of transparency and control to build trust are critical. In particular, when the customer is in the Set-Up phase, if and how the TPP onward shares data with other parties must be clear so customers have knowledge about what will happen to their data.
From the customer’s perspective, we can summarise the key aspects that are important.
TPPs must ensure that their terms and conditions and Privacy Notice outline applicable rights and responsibilities to their customer in the context of relevant regulation and legal principles.
The guidance in this document builds upon research commissioned by Open Banking and is designed to help Third Party Providers (TPPs) make informed decisions about how and where to focus their efforts.
The journey should feel like an experience and not a contract. Ensuring that the customer clearly understands your proposition, the key terms they must commit to, and the benefit they will receive is an essential part of the customer journey.
When you are developing the Set-Up customer journey, ensure that you understand any relevant regulatory obligations, which must be included within your T&Cs and Privacy Notice.
The design pattern for most Terms and Conditions and Privacy Notice experiences is:
Current research consistently shows that the majority of people skip a careful reading of terms and conditions, can misunderstand them if they are not clearly presented, and as a result remain poorly informed at the point of agreement (i.e. a decision to sign up for a new product or service). By actively designing terms and conditions to inform and empower your customers, you make them better able to make an active and informed choice. This guidance is intended to help you deliver a simple, actionable and meaningful disclosure experience to customers.
Setting up a new service should be simple and the key terms and use of personal data must be clear, and meet GDPR requirements. ‘Codification’ is used here to describe the Agreement Parameters that should be included in T&Cs and Privacy Notices.
When obtaining consent from the customer for the provision of an account information service, an AISP must make it very clear why it’s needed, what’s being shared and for how long. This is where PSD2 is the regulatory driver.
Important: The definition of ‘explicit consent’ under PSD2 is not the same as the definition of ‘consent’ under GDPR. The guidance in this section refers to the definition under PSD2. For more information, refer to the FCA Payment Services and Electronic Money – Our Approach document, para 8.55.
Clarity and consistency in the way that language is used are critical to comprehension. Depending on your proposition, we recommend that the Purpose Statement uses the following structure: “To provide a [ Proposition Classification ] service, we need to [ Data processing activity ]”.
Many customers are prone to skim through the information presented to them when setting up online products because the information is not well presented. In their desire to achieve the promised benefit, insufficient notice is taken of the implications of their actions, or the terms and conditions. It is commonplace to discover, once they have completed the customer journey, that they cannot spontaneously describe what they have just agreed to. The research has shown that a better understanding can be achieved by carefully designing the customer journey, and reveals that the solution is about the effective, intuitive presentation of information, and is not about introducing steps to slow the customer down or repeating information. The following methods have been found to be the most effective:
The research has shown that superfluous information, poor or confusing choice of words, repetition, large amounts of text, too many steps or avoidable delays in the customer journey can lead to frustration, an even greater tendency to skim, and ultimately increase customer drop off. The following unhelpful elements were identified in the research and must be avoided: