...

AISPs must provide the user/customer with a facility to view and refresh the consents that they have given to that AISP. Consents provided to an AISP are long-lived, and the AISP can access the user/customer's data for as long as the consent is valid (currently Bahrain OBF has defined the consent validity for a maximum period of 12 months).

This section describes the customer journey when a user/customer needs to re-authenticate AISP consent, so that the AISP can continue to provide the service previously consented to by authenticating again at their ASPSP. All other elements of the consent (data permissions required, purpose for which the data will be used, transaction history period and consent expiration date) remain unchanged. (It should be noted that the API specification allows the AISP to inform the ASPSP (Bank) that the request is a re-authentication/refresh rather than a new request).

...

# | Customer Experience Checklist and Customer Experience Considerations | Participant | Implementation Requirements

1. Notification by AISP
Participant: AISP. Implementation Requirements: Required.

AISPs must alert the user/customer when authentication needs to be performed to re-authenticate AISP access.

CX consideration:

  • AISPs should make it clear that the user/customer is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g. the data permissions required, the purpose for which it will be used etc.) will change

2. Consent Selection
Participant: AISP. Implementation Requirements: Required.

  • AISP must allow the user/customer to select the relevant consents for re-authentication

  • The customer-facing entity must provide users/customers with sufficient information to enable them to make an informed decision. For example, detail the purpose for which the data will be used (including whether any other parties will have access to the information), the period over which it has been requested and when the consent for the account information will expire (consent could be ongoing or one-off)

  • AISPs must display the company’s trading name/brand name (i.e. the Client Name) to the user/customer. If the AISP is only trading with its registered company name then it must display that name to the user/customer

CX consideration:

  • AISP should provide the user/customer with multiple selection options to manage/re-authenticate consent

  • AISP should offer functionality (e.g. search, sort, filter) to enable a user/customer to search for the relevant consent. This will be of particular benefit as the number of consents for different ASPSPs/accounts given by a user/customer to AISPs increases

3. Consent Details
Participant: AISP. Implementation Requirements: Required.

AISPs must describe the data being shared through each selected consent using the structure and language recommended by Bahrain OBF.

CX consideration:

  • AISPs should present the data at a Data Cluster level and allow the user/customer to expand the level of detail to show each Data Permission

  • Generic AISP to ASPSP (Bank) redirection screen and message

4. SCA - Strong Customer Authentication
Participant: ASPSP. Implementation Requirements: Required.

  • ASPSPs must allow the user/customer to perform SCA authentication. The ASPSP authentication must have no more than the number of steps that the user/customer would experience when directly accessing the ASPSP channel

  • ASPSPs must not replay the data requested (as a default) or seek re-confirmation of consent

  • ASPSPs must display the AISP’s trading name/brand name (i.e. the Client Name in the software statement) to the user/customer during authentication screens and on any Access Dashboards. They do not need to display the registered company name of the TPP even if it is different

CX consideration:

  • If the ASPSP provides an option for the user/customer to view the data they have consented to share with the AISP as supplementary information, this must be done using the structure and language recommended by Bahrain OBF (see Data Cluster Structure & Language below). Display of such information must not be provided to the user/customer as a default

  • Generic ASPSP to AISP redirection screen and message

5. AISP Confirmation
Participant: AISP. Implementation Requirements: Required.

AISPs must confirm the successful completion of the consent re-authentication to the user/customer.

...