CEG Checklist Requirements & Customer Experience Considerations

1. CEG Checklist Requirements (CEG Checklist ref. 8a): PSU Consent to PISP
In addition to the PSU's consent to the payment initiation, PISPs must also request the PSU's explicit consent before they are able to request the PSU's debit account details from the ASPSP for the purpose of refunds, as part of the payment initiation process. PSU consent for payment initiation and Refund Synchronous Information is provided in a single step.
In cases where there is no realistic chance of the synchronous refund information data (i.e. PSU account details) being used (e.g. where the merchant business model does not offer refunds), PISPs should not request the PSU's consent for synchronous refund information, and should not request the account details from the ASPSP.

2. CX Considerations
PISPs should provide clear messaging to PSUs in relation to providing consent to PISPs for requesting their debit account details for refund purposes. Example wording may be as follows: "We will ask your bank to share your sort code and account number with us. We will only use these details if you ask for a refund for this transaction."

3. CEG Checklist Requirements (CEG Checklist ref. 8a): Synchronous Refund Information Sharing
ASPSPs must include the PSU debit account details (e.g. sort code and account number) in the response message of the payment initiation performed by the PISP. This information should be in a format that will allow the PISP to initiate a refund payment in the future that can be routed to the PSU's account.
Note: For international payments this may include IBAN and/or other payment routing information to allow the refund payment to reach its destination account.

4. CX Considerations
PISPs should confirm to PSUs that they have received their debit account information, to be used in the future for the purpose of refunds.
Note: Using, accessing and storing the PSU account details is the responsibility of the PISP. PISPs need to ensure that details are stored securely and in line with relevant regulatory obligations, specifically the obligations under GDPR. Please see the ICO Guidance on the lawful bases for processing personal data at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.
We consider the following parameters will be useful for PISPs to consider when storing the sort code and account number for the purposes of a refund:
Security: PISPs must have robust procedures in place to ensure account details are stored in a secure manner, in order to minimise the risk of these details being compromised. For additional information, please refer to the TPP Operational Guidelines, section TPP Information Security. Note: Under GDPR, account should be taken of the security principle, which states that personal data should be processed securely by means of 'appropriate technical and organisational measures'. ICO Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/
Duration of storage: PISPs should ensure that the sort code and account number are stored for an appropriate length of time to meet the purpose for which they are required, and should not store these for longer than necessary, in line with the refund policy and applicable regulatory obligations. Note: In line with principle (e) of GDPR, storage limitation, personal data should only be stored for as long as necessary. See ICO Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/
Purpose of storage for future use: PISPs must ensure that the account details are being stored solely for the purpose of making a refund. If PISPs want to use the account details for other purposes, for example for future transactions, the PISP must ensure this is clearly communicated to the PSU as part of the consent journey. They must also consider the appropriate lawful bases under GDPR as set out above.

5. CX Considerations
PISPs should also consider displaying some of the following information points, which customers indicated would be of value in relation to refunds:
- The type of information that will be accessed, e.g. sort code and account number
- The purpose for which the information will be used, e.g. to provide a refund
- How long the PISP will store the information
- Details on security and safety measures applied by the PISP
- An indication of how quickly refunds will be processed if requested
*This list is not intended to be exhaustive and PISPs should adapt it to include information relevant to their service offering. It is a mandatory obligation under GDPR to provide prescribed information in the form of a Privacy Notice. For further information on the requirements of a Privacy Notice and how to display content please see: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-privacy-information-should-we-provide/.
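The following Python sketch is an added example, not code from Open Banking, the CEG or any PISP. It walks the refund-information flow described in items 1, 3 and 4 from the PISP side: deciding whether to ask the ASPSP for refund details at all, extracting the debit account details from the payment initiation response, and keeping them in a store that enforces purpose limitation (refund use only) and storage limitation (a retention window). Assumptions are labelled: the consent flag Data.ReadRefundAccount and the response object Data.Refund (Account with SchemeName/Identification/Name, optional Agent for international routing) are modelled on the shape of the OBIE Read/Write Payment Initiation API; the merchant refund policy, the 30-day retention period and every sample value are constructed for the demo. Encryption at rest is assumed to be provided by the backing storage and is not shown.

```python
"""Added example (not Open Banking / CEG code): PISP-side handling of
synchronous refund information with purpose and storage limitation.

Assumptions: field names follow the OBIE Payment Initiation API shape
(Data.ReadRefundAccount, Data.Refund.Account / Data.Refund.Agent); refund
policy, retention window and all sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RefundAccount:
    scheme_name: str                  # e.g. "UK.OBIE.SortCodeAccountNumber" or "UK.OBIE.IBAN"
    identification: str               # sort code + account number, or IBAN
    name: Optional[str] = None
    agent_identification: Optional[str] = None  # routing data for international refunds


def read_refund_account_flag(merchant_offers_refunds: bool, psu_consented: bool) -> str:
    """CEG item 1: request refund details only when there is a realistic chance
    they will be used AND the PSU gave explicit consent for that purpose."""
    return "Yes" if (merchant_offers_refunds and psu_consented) else "No"


def extract_refund_account(payment_response: dict) -> Optional[RefundAccount]:
    """CEG item 3: pull the PSU debit account details out of the ASPSP response,
    tolerating their absence (no consent given, or the ASPSP returned nothing)."""
    refund = (payment_response.get("Data") or {}).get("Refund") or {}
    account = refund.get("Account") or {}
    if not account.get("Identification"):
        return None
    agent = refund.get("Agent") or {}
    return RefundAccount(
        scheme_name=account.get("SchemeName", ""),
        identification=account["Identification"],
        name=account.get("Name"),
        agent_identification=agent.get("Identification"),
    )


class RefundDetailStore:
    """CEG item 4: purpose-bound, retention-limited storage of refund details.
    Encryption at rest is assumed to live in the backing store (not shown)."""

    REFUND_PURPOSE = "refund"

    def __init__(self, retention: timedelta) -> None:
        self._retention = retention
        self._records: Dict[str, Tuple[RefundAccount, datetime]] = {}

    def put(self, payment_id: str, account: RefundAccount, stored_at: datetime) -> datetime:
        expires_at = stored_at + self._retention
        self._records[payment_id] = (account, expires_at)
        return expires_at

    def get(self, payment_id: str, purpose: str, now: datetime) -> Optional[RefundAccount]:
        # Purpose limitation: any use other than a refund is refused outright.
        if purpose != self.REFUND_PURPOSE:
            raise PermissionError(f"refund details may not be used for purpose {purpose!r}")
        record = self._records.get(payment_id)
        if record is None:
            return None
        account, expires_at = record
        if now >= expires_at:           # storage limitation: expired data is dropped on access
            del self._records[payment_id]
            return None
        return account

    def purge_expired(self, now: datetime) -> int:
        """Scheduled clean-up; returns how many records were deleted."""
        expired = [pid for pid, (_, exp) in self._records.items() if now >= exp]
        for pid in expired:
            del self._records[pid]
        return len(expired)

    def __len__(self) -> int:
        return len(self._records)


# Constructed sample response (shape assumed, values invented; not a real account).
SAMPLE_RESPONSE = {
    "Data": {
        "DomesticPaymentId": "pmt-0001",
        "Status": "AcceptedSettlementInProcess",
        "Refund": {
            "Account": {
                "SchemeName": "UK.OBIE.SortCodeAccountNumber",
                "Identification": "12345612345678",
                "Name": "A N Other",
            }
        },
    }
}


def demo() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = RefundDetailStore(retention=timedelta(days=30))   # hypothetical refund window
    flag = read_refund_account_flag(merchant_offers_refunds=True, psu_consented=True)
    account = extract_refund_account(SAMPLE_RESPONSE)
    if flag == "Yes" and account is not None:
        store.put(SAMPLE_RESPONSE["Data"]["DomesticPaymentId"], account, stored_at=t0)
    in_window = store.get("pmt-0001", "refund", now=t0 + timedelta(days=10))
    after_window = store.get("pmt-0001", "refund", now=t0 + timedelta(days=31))
    return {
        "flag": flag,
        "in_window": in_window is not None,
        "after_window": after_window is not None,
        "remaining": len(store),
    }


if __name__ == "__main__":
    print(demo())
```

The two limits are enforced in different places on purpose: purpose limitation is a hard failure at the access point (a caller asking for the details for anything but a refund gets an exception, which is easy to alert on), while storage limitation is enforced both lazily on read and by a scheduled purge, so details do not outlive the refund window even if they are never read again.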