Data management

Introduction

Sharing payment account transaction data empowers Third Party Providers (TPPs) to provide innovative new financial services products to their customers, and it is therefore vital that customers are given clarity, control and transparency over how their data will be used. This must be the cornerstone of the data-sharing economy of which open banking is a leading initiative.

These TPP Guidelines set out standards of good practice in relation to open banking-enabled propositions. These guidelines follow the typical life cycle of a product, from initial set up, through obtaining consent, consent management, consent revocation, complaint management and customer off-boarding.  The document is structured around desired customer outcomes and enabling principles and aligns with the FCA’s outcomes-based approach to regulation.

This document does not create any new legal obligations on TPPs, but it does signpost relevant underlying regulations and links to additional detail in other parts of the Open Banking Customer Experience Guidelines or Operational Guidelines.

The open banking ecosystem is a complex one, with a number of actors other than TPPs handling or processing customer data. It is important that firms who adhere to the principles set out here should also ensure that any agent acting on their behalf, any firm who receives data from a TPP on an onward sharing basis, or any Technical Service Provider (TSP) who provides technical services to support the product or service, also adheres to these principles. In this way, we ensure the widest dissemination and adoption of these principles.

This is the second release of these guidelines. It is anticipated that this document will be refined and updated as part of the ongoing development of the Open Banking Standard.

Product or Service Set Up

Outcome

Customers must be able to easily understand the terms of the open banking-enabled service they are signing up to, how their data will be used and the value they get in exchange for sharing their data.

Principles

Firms will ensure that:

1. They adhere to the 5 Open Banking Customer Experience Principles (Trust, Control, Security, Speed, Transparency) in the way they explain how their product works, the role that open banking data plays in it and how that data will be stored and used. [Refer to –Design and experience principle]
2. They use clear and plain language in explaining key concepts and how the product works. Materials should be tested with representative consumers to ensure they are widely understood. [Refer to sections – Customer Communication and Improving Comprehension and FCA PRIN 2.1, UK GDPR Article 12 in relation to personal data]
3. Their agreements are clear, transparent and easy for customers to find, including seven Key Agreement Parameters (Customer Outcome Statement, Data Usage Statement, Managing Your Data Statement, Business Monetisation Statement, Complaints Handling Statement, Processing Legal Basis Statement, Accountability Statement) [Refer to – Customer journey]
4. They set out up-front a clear description of any onward sharing of data, including who else will be processing open banking data, the purpose of that processing and how the customer can manage this. [Refer to –AIS Consent Journey]
5. Their Materials and processes are inclusive and cater for all consumer types, including those with vulnerabilities as defined by the FCA. [FCA FG21/1]
6. They are clear with customers on what data customers are sharing, why that data is needed and how customers will be better off for having shared that data. Materials should be fair and not misleading. [FCA PRIN 2.1]

Consent Set Up

Outcome

Customers understand the terms of the consent which allows TPPs to access their data for the provision of their payment service, know if and with whom the data will be shared, and are given the information to make informed decisions about whether to proceed.

Principles

Firms will ensure that:

1. They ensure they provide clear information about the data which is being accessed during the consent journey for the provision of their payment service so that customers understand what data the AISP will have access to [PSR Reg. 70(3)(a)]
2. They set out the terms of the consent using the Codified Consent Parameters (Purpose, Benefits, Data Request, Duration, Agreement) [Refer to – Customer journey]
3. That their Consent agreements are written in simple plain English, using agreed open banking terms where defined. [FCA PRIN 2.1]
4. Where an AISP knows that it will be onward sharing data when the consent is set up, the nature of this agreement is clearly confirmed (who data is shared with, duration, purpose). This does not apply to onward sharing which is agreed or set up at a later point. [Refer to –AIS consent journey]
5. They have sufficient Management Information in place to monitor and measure the efficacy of their consent journeys and should undertake regular reviews of their journeys to ensure high levels of customer comprehension.
6. Where a TPP has a mobile app they support app-to-app redirection.

Consent management^[1]Note: whilst we have used the common term “consent management” for this section, it is intended to encompass PSD2 Consent Management, which could include broader management of any other onward … Continue reading

Outcome

Customers find it easy to review, confirm and cancel the payment service and consequently they have with a TPP so that customers feel in control of their data.

Principles

Firms will ensure that:

1. They provide their customers with a tool to review, confirm and cancel ongoing PSD2 consents in an easy and accessible way. This could be in the form of a consent dashboard or equivalent functionality. [Refer to AIS consent dashboard – revocation]
2. They use agreed common language (open banking connections) for their PSD2 consent management tool to build familiarity and trust. These tools should be easy to understand and use agreed terms where these have been defined. [Refer to AIS consent dashboard – revocation]
3. Cancellation of PSD2 consent is easy, simple and without excessive steps or barriers. [Refer to AIS consent dashboard – revocation]
4. Reconfirmation of PSD2 consents is clear, transparent and allows customers to make informed decisions on whether to reconfirm or cancel, free from bias or incentive.
5. Where a customer has not provided reconfirmation for a period of time, the connection becomes ‘dormant’ and there is limited prospect of the customer re-engaging, AISPs consider proactively deleting such dormant consents.
6. They provide a clear and objective explanation of the implications of revocation. This explanation should be neutral and not seek to encourage customers to continue data sharing and use of the service if they wish to stop.
7. They use notifications to keep customers informed of the status of their PSD2 consent.
8. Where they onward share data to other parties, they provide a dashboard or other tool to enable customers to review, understand and manage this arrangement. For example, if a customer as part of the TPP service, has entered a contract for open banking data to be shared with a panel of other companies, that should be made clear to the customer on a dashboard or other tool.
9. Where a TPP is also an ASPSP, particular care is taken to avoid confusion between the access dashboard as an ASPSP and consent dashboard as a TPP.
10. Dashboards (or other consent management tools) are tested with real customers to ensure high levels of comprehension and clarity.
11. Where a TPP offers services through agents or onward shares data with parties outside the PSD2 perimeter, they ensure that these parties adhere to a similarly transparent approach to data sharing.

Safe and appropriate use of data

Outcome

Customers are confident that their data is kept safe and that their data will be used in a way that is in their best interests.

Principles

Firms will ensure that:

1. They have robust processes and governance in place to ensure fair data management and use. They have in place the technical and organisational measures to demonstrate fair and transparent processing of personal data. [ICO Guidance: Accountability and Governance and UK GDPR Article 5(2)]
2. The ways in which firms use data in decision-making are not subject to algorithmic bias or are acting against the interests of some groups or types of consumers. [ICO Guidance: Fairness and UK GDPR Article 22]
3. They have robust security and counter-fraud controls in place, with regular assurance to ensure these continue to operate effectively and address evolving threats. [EBA’s Guidelines on Security Risk Management, ICO Guidance: Security Checklist and UK GDPR Article 32]
4. They ensure that other parties involved in the processing of customer data are also secure and mitigate against third-party-related cyber attacks and data breaches, In particular, firms must ensure that any third parties handling customer data adhere to required and appropriate levels of security. This could include firms undertaking technical services on the firm’s behalf (eg, TSPs), agents acting on behalf of the firm or parties receiving data on an onward shared basis. [ICO Guidance: Integrity and Confidentiality Principle and UK GDPR Article 32]
5. They have in place a robust data breach reporting process and response plan for a personal data breach. [ICO Data Breach Checklist and UK GDPR Article 33]
6. If they present financial data to customers, they clearly communicate how recent the data is, and if there is any risk that they are presenting out of date information to prevent customers from making wrong decisions or drawing incorrect inferences about their finances.

Leaving a Product or Service

Outcome

Customers can exit products easily and understand what happens to their data when they do so. Where a firm or product closes or goes out of business, customers are also clear about what happens to their data afterwards.

Principles

Firms will ensure that:

1. Leaving or closing products is easy, simple and without excessive steps or barriers.
2. They are transparent and fair about their policy for what happens to data after a consumer leaves a product or service, including setting out if and why certain data needs to be retained and for how long.
3. They only store data which is strictly necessary. Data no longer needed is automatically deleted. [ICO Guidance: Storage Limitation Principle and UK GDPR Article 17]
4. If data has been onward shared to other parties, firms ensure that other parties also follow the same principles and adopt fair and transparent approaches to managing personal data. 
5. Where data has to be retained for purpose of audit or for legal reasons, steps are taken to ensure the security of this data including pseudonymising it where possible, by storing customer data separately from transaction data.
6. They no longer use or benefit from data after a customer has left a product or service.

In cases where a product or firm closes or goes out of business, firms apply fair and transparent approaches to the handling of customers’ data.

Complaints

Outcome

Customers understand how to complain if something goes wrong and are clear on their rights to redress.

Principles

Firms will ensure that:

1. They clearly communicate to consumers their right to complain, how to complain and how that complaint will be treated. [DISP]
2. When dealing with a complaint, firms should provide a full written response within 15 business days after the day which the complaint was received (or 35 business days in exceptional circumstances). This information should clearly reference the customer’s right to take their complaint to the Financial Ombudsman Service if they are not satisfied with how their complaint has been handled. [DISP, PSRs Reg. 101]
3. They have suitably trained and experienced resources to deal with complaints efficiently and effectively. [DISP]
4. No barriers should be put in place to prevent consumers from complaining. Convenient methods should be made available to complain, including channels customers would reasonably expect. [DISP]

They keep information on the type and number of complaints and report them in line with FCA requirements [DISP] and the UK GDPR process if they relate to the handling of personal data [UK GDPR Article 77]

Vulnerable customers

Outcome

Vulnerable customers should experience outcomes that are as good as those for other customers [FCA FG21/1]

Principles

Firms will ensure that:

1. They understand the nature and severity of characteristics of vulnerability within their target market.
2. They have in place systems and processes to help identify and support consumers who may need extra support
3. Their products are accessible so they can be used easily by target customer groups.
4. The fair treatment of vulnerable customers is a core part of their culture, across all parts of the organisation not just in customer-facing teams and is embedded across the workforce.
5. They have in place processes in place to monitor whether the needs of vulnerable customers are being met and make improvements where required.