A summary list of changes from V3.1.9 to V3.1.10
Changes are indicated as follows. Copy that has been removed is
struck out and copy which has been added is in blue.
|ID||Section/Location||Change||Reason for Change|
|1||Useful links||Removed a few duplicate links to sections||Errata fix|
|2||Introduction||Sharing payment account transaction data empowers Third Party Providers (TPPs) to provide innovative new financial services products to their customers, and it is therefore vital that customers are given clarity, control and transparency over how their data will be used. This must be the cornerstone of the data-sharing economy of which open banking is a leading initiative.|
These TPP Guidelines set out standards of good practice in relation to open banking-enabled propositions. These guidelines follow the typical life cycle of a product, from initial set up, through obtaining consent, consent management, consent revocation, complaint management and customer off-boarding. The document is structured around desired customer outcomes and enabling principles and aligns with the FCA’s outcomes-based approach to regulation.
This document does not create any new legal obligations on TPPs, but it does signpost relevant underlying regulations and links to additional detail in other parts of the Open Banking Customer Experience Guidelines or Operational Guidelines.
The open banking ecosystem is a complex one, with a number of actors other than TPPs handling or processing customer data. It is important that firms who adhere to the principles set out here should also ensure that any agent acting on their behalf, any firm who receives data from a TPP on an onward sharing basis, or any Technical Service Provider (TSP) who provides technical services to support the product or service, also adheres to these principles. In this way, we ensure the widest dissemination and adoption of these principles.
This is the
|OBIE internal review|
|3||Product or Service Set Up|
|2. They use clear and plain language in explaining key concepts and how the product works. Materials should be tested with representative consumers to ensure they are widely understandable. [CEG here and here, FCA PRIN 2.1, UK GDPR Article 12 in relation to personal data]|
|4||Consent Set Up|
|1. They ensure they provide clear information about the data which is being accessed during the consent journey for the provision of their payment service so that customers understand what data the
4. Where an
|New points 4, 5
4. Reconfirmation of PSD2 consents is clear, transparent and allows customers to make informed decisions on whether to reconfirm or cancel, free from bias or incentive.
5. Where a customer has not provided reconfirmation for a period of time, the connection becomes ‘dormant’ and there is limited prospect of the customer re-engaging, AISPs consider proactively deleting such dormant consents
6. They provide a clear and objective explanation of the implications of revocation. This explanation should be neutral and not seek to encourage customers to continue data sharing and use of the service if they wish to stop.
|6||Safe and appropriate use of data|
|5. They have in place a robust data breach reporting process and response plan for a personal data breach. [ICO Data Breach Checklist and UK GDPR Article 33]
|7||Leaving a Product or Service|
|3. They only store data which is strictly necessary. Data no longer needed is automatically deleted. [ICO Guidance: Storage Limitation Principle and UK GDPR Article
4. If data has been onward shared to other parties, firms ensure that other parties also follow the same principles and adopt fair and transparent approaches to managing personal data.
|Contract and Supplier Management|
|8||Information Security and GDPR||If your solution requires access to customers’ key systems, commercially sensitive information or personal data – you should demonstrate, through the tender process, how you are compliant. More information is provided in the section on