S. No. | Requirements and Considerations | Participant | Implementation Requirements |
1 | ASPSP selection | AISP | Required |
2 | Data Selection: The AISP must provide the user/customer with a description of the data being requested using the structure and language recommended by Bahrain OBF (refer to the section ‘Permission and Data Cluster Structure’ below) and ensure that this request is specific to only the information required for the provision of their account information service to the user/customer. The AISP must present the data at a Data Cluster level and allow the user/customer to expand the level of detail to show each Data Permission. The AISP should only present those data clusters relevant for the product type in question. Where the request is for multiple product types, the detail shown in the data cluster should explain to the user/customer the product types to which it applies or state that it is shared across multiple product types. AISPs must allow user/customers to choose the type of data to be collected and used by the AISP. AISPs must provide user/customers with sufficient information to enable user/customers to make an informed decision, for example, detail the purpose for which the data will be used (including whether any other parties will have access to the information), the period over which it has been requested, and when the consent for the account information will expire (consent could be on-going or one-off). The AISP must allow the user/consumer to choose the period over which data will be collected and used by actively selecting or otherwise clearly indicating the period of that collection and use.* AISP details: AISPs must display the company’s trading name/brand name (i.e. the Client Name) to the user/customer during the setup and revocation of consent. If the AISP is only trading with its registered company name, then it must display that name to the user/customer. For examples of what names should be displayed, please refer to the section “Sample displays by AISP” below. CX Considerations: AISP may consider the use of various consent capture design patterns such as checkboxes, toggles, scales, and binary yes/no choices to enhance user/consumer experience. | AISP | Required |
3 | User/Customer consent. CX Considerations: AISP should make the user/customer aware on the inbound redirection screen that they will be taken to their ASPSP for authentication for account access. AISPs should provide messaging to inform user/customers that they will be taken to their ASPSPs to complete the process. Example wording: "You will be securely transferred to your ASPSP to authenticate and choose the account for accessing information". Generic AISP to ASPSP redirection screen and message | AISP | Required |
4 | SCA - Strong Customer Authentication | ASPSP | Required |
5 | Information summary: ASPSPs must display the AISPs’ trading name/brand name (i.e. the Client Name) to the user/customer during authentication screens and on any Access Dashboards. They do not need to display the registered company name of the AISP even if it is different. ASPSPs must allow user/customers to select the account for data sharing with AISP. ASPSPs must not seek confirmation of the consent that has already been provided by the user/customer to the AISP. Once the user/customer has selected the account(s), refer to the section ‘Effective use of redirection screens’ for redirection messaging. For examples of what names should be displayed, please refer to the section “Sample displays by AISP”. CX consideration: If the ASPSP provides an option for the user/customer to view the data they have consented to share with the AISP as supplementary information, this must be done using the structure and language recommended by Bahrain OBF (see Data Cluster Structure & Language below). Display of such information must not be provided to the user/customer as a default. Generic ASPSP to AISP redirection screen and message | ASPSP | Required |
6 | AISP confirmation | AISP | Required |