Customer consent to share data is central to the Customer Experience Guidelines, as it gives customers more control of their data, encourages more privacy-conscious behaviour, and provides a more positive data sharing experience for customers. The Guidelines propose a number of requirements in relation to consent, within which the practical guidance on consent design must reside. These requirements have been elaborated upon in detail in each use case.
AISPs and PISPs must ensure the following before authentication at the ASPSP, depending upon the nature of authentication followed:
In case of redirection based authentication:
Web-based: The redirection must take the user/customer to the ASPSP's web page (desktop/mobile) for authentication purposes only, without introducing any additional screens.
App-based: If the user/customer has an ASPSP app installed on the same device, the redirection must invoke the ASPSP's app for authentication purposes only, without introducing any additional screens.
AISP/PISP must make the user/customer aware that they will be taken to their ASPSP's page for authentication.
In case of decoupled authentication:
User/customer provides a static identifier to the AISP/PISP which is used by the ASPSP: The AISP/PISP must present to the user/customer the authentication options supported by the ASPSP which in turn can be supported by the AISP/PISP device/channel. The AISP/PISP must request from the customer the identifier which is supported by their ASPSP. The AISP/PISP must make the user/customer aware of how this identifier will be used.
User/customer provides a dynamic identifier generated with their ASPSP to the AISP/PISP: The AISP/PISP must provide the user/customer with information on how the identifier can be generated with their ASPSP and make the user/customer aware of how this identifier will be used.
ASPSPs must ensure the following for a seamless journey, depending upon the nature of authentication followed:
In case of redirection based authentication (Web-based and App-based):
The redirection must take the user/customer to the ASPSP web page (desktop/mobile) or app for authentication purposes only, without introducing any additional screens.
ASPSPs should make the user/customer aware through an intermediary screen that they are being taken to their ASPSP for authentication.
In case of decoupled authentication:
User/customer provides a static identifier to the AISP/PISP which is used by the ASPSP: After the user/customer enters the specified identifier, if the user/customer has an ASPSP app then the ASPSP must notify the user/customer through the ASPSP app for authentication purposes, without introducing any additional screens.
User/customer provides a dynamic identifier generated with their ASPSP to the AISP/PISP: The user/customer must be able to easily provide the identifier to the AISP/PISP application. After the user/customer provides the ASPSP app generated identifier to the AISP/PISP, the ASPSP must display the payment request within the same session of the ASPSP app.
The ASPSP must make the user/customer aware that they have been logged off from the ASPSP app and notify them to check back on the originating AISP/PISP app.
3. Authentication and Authorisation
The user/customer needs to go through strong customer authentication (SCA) at their ASPSP in order for an AISP/PISP request (i.e. access to information or payment initiation) to be actioned by the ASPSP. The user/customer must be able to use the elements they prefer to authenticate with their ASPSP, if supported when interacting directly with their ASPSP. The experience available to a user/customer when authenticating a journey via an AISP/PISP must involve no more steps, delay or friction in the customer journey than the equivalent experience they have with their ASPSP when interacting directly.
The Bahrain Open Banking Framework (OBF) supports both redirection and decoupled authentication to allow a user/customer to use the same authentication mechanisms while using an AISP or PISP as they use when accessing the ASPSP directly.
In case of redirection based authentication: Redirection based authentication has a range of possible experiences for a user/customer, based on whether the user/customer has an ASPSP app or not and on the device on which the user/customer is consuming the AISP/PISP service.
In case of decoupled authentication: In decoupled authentication, the user/customer uses a separate, secondary device to authenticate with the ASPSP. This model allows for a number of innovative solutions and has the added benefit of allowing the user/customer to use their mobile phone to authenticate, taking advantage of biometrics for SCA, where they are engaging with an AISP/PISP through a separate terminal such as a point of sale (POS) device.
Once consent has been granted to the AISP/PISP, measures must be put in place to ensure the customer is informed.
ASPSPs must have the following measures in place depending upon the nature of authentication:
In case of redirection based authentication (Web-based and App-based): Redirection based authentication has a range of possible experiences for a user/customer, based on whether the user/customer has an ASPSP app or not and on the device on which the user/customer is consuming the AISP/PISP service.
ASPSP must have an intermediary screen which indicates the status of the request and informs the user/customer that they will be automatically taken back to the PISP.
ASPSP must inform the user/customer on the intermediary screen that their session with the ASPSP is closed.
In case of decoupled authentication:
The ASPSP must make the user/customer aware that they have been logged off from the ASPSP app and notify them to check back on the originating PISP app.
PISPs must display the information received from the ASPSP and provide confirmation to the customer.
The Open Banking Customer Journey must be read in conjunction with the Customer Experience Guidelines - User Journeys illustrated in each use case to understand the detailed requirements at each stage of the journey.