
1. Introduction

CBB published an Open Banking rulebook which defines the risks, systems and controls, framework contracts and standards for authentication and communication that participants must adhere to. Several financial institutions in Bahrain participated in implementing the Open Banking framework. Certain gaps were identified with respect to customer experience that must be addressed in order to promote widespread adoption. Customers will use Open Banking enabled products and services if:

  1. Their user experience, and the interplay between Third Party Platforms, including but not restricted to Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP), and Account Service Payment Service Providers (ASPSP), is as seamless as possible;

  2. Information is presented in an intuitive manner that is easy to comprehend and allows them to make informed decisions; and

  3. Sufficient measures are taken to gain customer trust through a secure consent model.

The Customer Experience Guidelines serve as an enabler to provide customers with a seamless experience. The Customer Experience Guidelines have been designed to facilitate standardized sharing of data mandated by the Open Rulebook published by the Central Bank of Bahrain (CBB) in a simple and secure manner.

In order to explicitly define the customer journey and experience, the CBB has drafted the Customer Experience Guidelines and the Checklist in consultation with industry experts. The Guidelines and the Checklist form a part of the Open Banking Implementation Requirements, and set out the customer experience required to deliver a successful Open Banking ecosystem, alongside technical, performance and non-functional requirements and dispute resolution practices. The Checklist has been developed for ASPSPs and TPPs to assess compliance with this aspect of the Open Banking Implementation Requirements. The following regulations have been considered and it has been ensured that the Guidelines and the Checklist are consistent with them. The Guidelines must be read in conjunction with the following:

  1. Processes and measures that protect customer data confidentiality and personalised security credentials consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.

  2. Prevention of anti-money laundering (AML) and combating terrorist financing (CTF).

  3. Module PB: Principles of Business, Paragraph PB-1.1.10: AISPs and PISPs must establish adequate internal controls to safeguard the business, its customers and the licensees to which they have online access.

  4. Volume 1, GR-6 of the CBB Rulebook for conventional banks.

  5. CBB Open Banking Rulebook

  6. Vol 5, Type 7 of the CBB Rulebook for Ancillary Service Providers

existing regulations in Bahrain.

2. Customer Experience Principles

The CBB has laid emphasis on a number of design and experience principles while developing the Customer Experience Guidelines. This section lays out certain standards that form the foundation of customer experience in the Open Banking Implementation.

The Open Banking customer experience should ensure informed decision making while remaining understandable, intuitive and effective. The customer experience should be shaped and positioned into content and functionality that clearly communicates and facilitates purpose, intent and relevance.


A series of guiding principles are outlined here that can be, through careful design, baked into a process or transaction, and dialled up and down where certain interactions become more critical.

...

1. Control

For Open Banking, control comes from providing the right tools and clarity of information at the right time to the customer (e.g. knowing the account balance at the point of payment, or knowing that they can view and revoke consents given when they feel it is appropriate to do so).

AISPs, PISPs and ASPSPs, through their journeys, should ensure transparency by clearly communicating the purpose of accessing specific data while providing the user/customer with a clear sense of ownership/control over their data. They should consider how they provide this sense of ownership and specific optionality throughout, enabling customers to feel this is a process they are both choosing and in charge of.

2. Speed

Speed should be appropriate to the customer and the journey they are undertaking. Convenient, speedy and intuitive design is a question of execution and interaction.

Managing and optimising each interaction with speed, clarity and efficiency, but without sacrificing the principles of security and control, is of utmost importance.

The user journey should support informed decision making through comprehension and clarity, allowing customers to, above all, move at a pace that suits them.

3. Security

...

Explicit clarity and reassurance should be required in relation to data definition, usage, security and, above all, protection. AISPs, PISPs and ASPSPs should make sure essential measures are in place throughout the user journey.

...

It is therefore critical to establish and reinforce trustworthiness - trust in the service provider, trust in the transactional process and trust in the role and relationship with their ASPSPs.

The principles of control, speed and security combine to create a trusted environment for the customer. AISPs, PISPs and ASPSPs should consider and promote values of trust through every part of their Open Banking customer journeys, to foster understanding, acceptance and adoption of new innovative products and services.

...

At the core of all Open Banking customer journeys is the mechanism by which the customer gives consent to a TPP (an AISP/PISP) to access account information held at their ASPSPs (banks) or to initiate payments from their ASPSP (bank) account.

...

The user journey begins with the pre-consent flow, which illustrates the product value and the Open Banking value proposition, and in which the customer chooses the product/service they would like to avail of. Subsequently, the consent request is initiated in the AISP/PISP domain. The user/customer is then directed to the domain of their ASPSP for authentication and authorisation. The ASPSP then responds to the AISP's account information request or the PISP's payment initiation request and redirects the customer back to the AISP/PISP for confirmation and completion of the journey. The user journey can thus be divided into the following components:

...

The pre-consent stage consists of the customer onboarding experience and takes place prior to the Consent Flow. Customer trust is critical to Open Banking adoption. Information regarding the product/service must be presented in a clear, transparent manner to the customer.

2. Consent

Customer consent to share data is central to the Customer Experience Guidelines, as it gives customers more control of their data, encourages more privacy-conscious behaviour, and provides a more positive data sharing experience for customers. The Guidelines propose a number of requirements in relation to consent, within which the practical guidance on consent design must reside. These requirements have been elaborated upon in detail in each use case.

AISPs and PISPs must ensure the following before authentication at the ASPSP, depending upon the nature of the authentication used:

  • In case of redirection-based authentication:

a.   Web-based: The redirection must take the user/customer to the ASPSP's web page (desktop/mobile) for authentication purposes only, without introducing any additional screens.

b.   App-based: If the user/customer has the ASPSP's app installed on the same device, the redirection must invoke the ASPSP's app for authentication purposes only, without introducing any additional screens.

The AISP/PISP must make the user/customer aware that they will be taken to their ASPSP's page for authentication.

  • In case of decoupled authentication:

a.   The user/customer provides a static identifier to the AISP/PISP which is used by the ASPSP: The AISP/PISP must present to the user/customer the authentication options supported by the ASPSP which can in turn be supported by the AISP/PISP device/channel. The AISP/PISP must request from the customer the identifier that is supported by their ASPSP. The AISP/PISP must make the user/customer aware of how this identifier will be used.

...