VRP Consent Dashboard & Revocation

User Journey

PISPs must provide PSUs with a facility to view and revoke VRP consent(s) that they have given to that PISP. PSUs may have agreed to several VRP consents for different ASPSPs with a single PISP. This section describes how these consents should be displayed and how the customer journey to revoke them should be constructed.

Wireframes

CX Considerations 1

PISPs should offer functionality (e.g. search, sort, filter) to enable a PSU to search for the relevant VRP consent. This will be of particular benefit as the number of VRP consents for different ASPSPs/accounts given by a PSU to a PISP increases.

CEG Checklist Requirements 2

PISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the PISP is only trading with its registered company name then it must display that name to the PSU.

If the PISP is not the customer-facing entity and there is an Agent who is acting on behalf of the PISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the PISP and must also display the PISP’s full trading name/brand name or registered company name, whichever is the customer-facing brand of the PISP.

PISPs must also populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to display this information to the PSU (please refer to item #5). The ‘On Behalf of’ name must be displayed to the PSU only in instances where there is an Agent acting on behalf of the PISP. PISPs must not populate the ‘On behalf of’ field with the details of their TSP.

The customer-facing entity must provide PSUs with a list of all VRP Consent(s) which, at a minimum, includes the following details:

  • ASPSP Name
  • Payer Account Details
  • Consent Granted Date
  • Consent Expiry Date
  • Consent Status

For examples of what names should be displayed, please refer to Consent Dashboard & Revocation, Examples.

CEG Checklist Requirements 3

The Consent Dashboard must also describe full details of the VRP Consent parameter(s):

  • ASPSP Name
  • Payer Account Details
  • Consent Granted Date
  • Consent Expiry Date
  • Consent Status - Active/Inactive/Expired/Cancelled.

The consent dashboard must allow a PSU to view or cancel the consent. The functions “Cancel VRP Consent” and “back” should be displayed with equal prominence to the PSU.

CEG Checklist Requirements 4

PISPs must inform the ASPSP that the PSU has withdrawn consent by making a call to DELETE the domestic-vrp-consents resource as soon as practically possible (as described in Version 3.1.8 of the API specifications). This will ensure that no further payments will be made using the cancelled VRP Instruction.

ASPSPs must support the Delete process as described in Version 3.1.8 API specifications. (This is not visible to the PSU but will ensure no further payments are initiated by the PISP).

CX Considerations 5

ASPSPs should inform the PSU that no further payments will be initiated by the PISP as VRP consent has been revoked at the PISP.

After the Delete endpoint is called by the PISP to remove the domestic-vrp-consents resource, the ASPSPs are advised to inform the PSU via their own channels (for example via SMS or via a notification on their mobile phone) that the PISP will no longer be able to make VRP payment(s) from their account.

CEG Checklist Requirements & CX Considerations

PISPs should offer functionality (e.g. search, sort, filter) to enable a PSU to search for the relevant VRP consent. This will be of particular benefit as the number of VRP consents for different ASPSPs/accounts given by a PSU to a PISP increases.

PISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the PISP is only trading with its registered company name then it must display that name to the PSU.

If the PISP is not the customer-facing entity and there is an Agent who is acting on behalf of the PISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the PISP and must also display the PISP’s full trading name/brand name or registered company name, whichever is the customer-facing brand of the PISP.

PISPs must also populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to display this information to the PSU (please refer to item #5). The ‘On Behalf of’ name must be displayed to the PSU only in instances where there is an Agent acting on behalf of the PISP. PISPs must not populate the ‘On behalf of’ field with the details of their TSP.

The customer-facing entity must provide PSUs with a list of all VRP Consent(s) which, at a minimum, includes the following details:

  • ASPSP Name
  • Payer Account Details
  • Consent Granted Date
  • Consent Expiry Date
  • Consent Status

For examples of what names should be displayed, please refer to Consent Dashboard & Revocation, Examples.

8

8d

The Consent Dashboard must also describe full details of the VRP Consent parameter(s):

  • ASPSP Name
  • Payer Account Details
  • Consent Granted Date
  • Consent Expiry Date
  • Consent Status – Active/Inactive/Expired/Cancelled.

The consent dashboard must allow a PSU to view or cancel the consent. The functions “Cancel VRP Consent” and “back” should be displayed with equal prominence to the PSU.

19a

PISPs must inform the ASPSP that the PSU has withdrawn consent by making a call to DELETE the domestic-vrp-consents resource as soon as practically possible (as described in Version 3.1.8 of the API specifications). This will ensure that no further payments will be made using the cancelled VRP Instruction.

ASPSPs must support the Delete process as described in Version 3.1.8 API specifications. (This is not visible to the PSU but will ensure no further payments are initiated by the PISP).

9a

ASPSPs should inform the PSU that no further payments will be initiated by the PISP as VRP consent has been revoked at the PISP.

After the Delete endpoint is called by the PISP to remove the domestic-vrp-consents resource, the ASPSPs are advised to inform the PSU via their own channels (for example via SMS or via a notification on their mobile phone) that the PISP will no longer be able to make VRP payment(s) from their account.
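The revocation requirement above, sketched from the PISP side as an added example (not code from the guidelines or the API specification): the consent is cancelled locally before the ASPSP is contacted, and a failed DELETE leaves it queued for retry rather than usable. `delete_call` is a hypothetical transport that sends the DELETE for the domestic-vrp-consents resource and returns the HTTP status code; treating any 2xx as success is an assumption, and all identifiers are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class VrpConsent:
    consent_id: str              # constructed sample identifier
    aspsp_name: str
    payer_account: str
    granted: date
    expires: date
    status: str = "Active"       # Active / Inactive / Expired / Cancelled
    aspsp_notified: bool = False  # True once the ASPSP accepted the DELETE


def revoke(consent, delete_call, max_attempts=3):
    """Cancel at the PISP, then inform the ASPSP. Returns True when informed."""
    # Cancel locally first, so a slow or failed call to the ASPSP can never
    # leave the consent usable for new payment initiations at the PISP.
    consent.status = "Cancelled"
    for _ in range(max_attempts):
        if consent.aspsp_notified:   # already informed: repeat calls are no-ops
            break
        try:
            code = delete_call(consent.consent_id)
        except ConnectionError:
            continue                 # transient network failure, try again
        if 200 <= code < 300:        # assumption: any 2xx means accepted
            consent.aspsp_notified = True
    return consent.aspsp_notified


def may_initiate_payment(consent, today):
    """Gate checked before every VRP payment initiation."""
    return consent.status == "Active" and today <= consent.expires


def pending_deletes(consents):
    """Cancelled consents whose DELETE has not succeeded yet (retry queue)."""
    return [c.consent_id for c in consents
            if c.status == "Cancelled" and not c.aspsp_notified]
```

A background job that drains `pending_deletes` keeps the "as soon as practically possible" obligation from depending on a single request succeeding.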

Examples

| Customer-facing entity name / Trading Name (Client Name in Software Statement) | Registered Legal Entity Name (Company Name / Organisation Name) | ‘On Behalf of’ Name (‘On Behalf of’ field in Software Statement) | What to display |
|---|---|---|---|
| ABC Trades | ABC Company Ltd | | ABC Trades |
| ABC Company Ltd | ABC Company Ltd | | ABC Company Ltd |
| ABC Company Ltd | ABC Company Ltd | OBO Ltd | OBO Ltd on behalf of ABC Company Ltd |
| ABC Trades | ABC Company Ltd | OBO Ltd | OBO Ltd on behalf of ABC Trades |