Change Log

A summary list of changes from V3.1.9 to V3.1.10

Changes are indicated as follows. Copy that has been removed is struck out and copy which has been added is in blue.

Columns: ID, Section/Location, Change, Reason for Change

Testing

ID: 1
Section/Location: Useful links
Change: Removed a few duplicate links to sections
Reason for Change: Errata fix
Data management

ID: 2
Section/Location: Introduction
Change:
Sharing payment account transaction data empowers Third Party Providers (TPPs) to provide innovative new financial services products to their customers, and it is therefore vital that customers are given clarity, control and transparency over how their data will be used. This must be the cornerstone of the data-sharing economy of which open banking is a leading initiative.

These TPP Guidelines set out standards of good practice in relation to open banking-enabled propositions. These guidelines follow the typical life cycle of a product, from initial set up, through obtaining consent, consent management, consent revocation, complaint management and customer off-boarding. The document is structured around desired customer outcomes and enabling principles and aligns with the FCA’s outcomes-based approach to regulation.

This document does not create any new legal obligations on TPPs, but it does signpost relevant underlying regulations and links to additional detail in other parts of the Open Banking Customer Experience Guidelines or Operational Guidelines.

The open banking ecosystem is a complex one, with a number of actors other than TPPs handling or processing customer data. It is important that firms that adhere to the principles set out here should also ensure that any agent acting on their behalf, any firm that receives data from a TPP on an onward sharing basis, or any Technical Service Provider (TSP) that provides technical services to support the product or service, also adheres to these principles. In this way, we ensure the widest dissemination and adoption of these principles.

This is the ~~first~~ second release of these guidelines. It is anticipated that this document will be refined and updated as part of the ongoing development of the Open Banking Standard.
Reason for Change: OBIE internal review
ID: 3
Section/Location: Product or Service Set Up (Principles)
Change:
2. They use clear and plain language in explaining key concepts and how the product works. Materials should be tested with representative consumers to ensure they are widely understandable. [CEG here and here, FCA PRIN 2.1, UK GDPR Article 12 in relation to personal data]
ID: 4
Section/Location: Consent Set Up (Principles)
Change:
1. They ensure they provide clear information about the data which is being accessed during the consent journey for the provision of their payment service so that customers understand what data the ~~TPP~~ AISP will have access to. [PSR Reg. 70(3)(a)]
4. Where an ~~TPP~~ AISP knows that it will be onward sharing data when the consent is set up, the nature of this agreement is clearly confirmed (who data is shared with, duration, purpose). This does not apply to onward sharing which is agreed or set up at a later point. [Refer to -AIS consent journey]
ID: 5
Section/Location: Consent management (Principles)
Change:
New points 4 and 5:
4. Reconfirmation of PSD2 consents is clear, transparent and allows customers to make informed decisions on whether to reconfirm or cancel, free from bias or incentive.
5. Where a customer has not provided reconfirmation for a period of time, the connection becomes ‘dormant’ and there is limited prospect of the customer re-engaging; AISPs consider proactively deleting such dormant consents.
6. They provide a clear and objective explanation of the implications of revocation. This explanation should be neutral and not seek to encourage customers to continue data sharing and use of the service if they wish to stop.

These principles have not been updated to reflect either the changes proposed to the CEG by the Trustee or the changes the FCA is currently consulting on in regard to Article 10A (90-day reauthentication). If this change goes ahead as envisaged, this section will be updated.
ID: 6
Section/Location: Safe and appropriate use of data (Principles)
Change:
5. They have in place a robust data breach reporting process and response plan for a personal data breach. [ICO Data Breach Checklist and UK GDPR Article 33]
ID: 7
Section/Location: Leaving a Product or Service (Principles)
Change:
3. They only store data which is strictly necessary. Data no longer needed is automatically deleted. [ICO Guidance: Storage Limitation Principle and UK GDPR Article ~~13~~ 17]
4. If data has been onward shared to other parties, firms ensure that other parties also follow the same principles and adopt fair and transparent approaches to managing personal data. [UK GDPR Article 28]
Contract and Supplier Management

ID: 8
Section/Location: Information Security and GDPR
Change: If your solution requires access to customers’ key systems, commercially sensitive information or personal data – you should demonstrate, through the tender process, how you are compliant. More information is provided in the section on Data breach policy and procedures.
Reason for Change: OBIE security counter fraud guide