| Table of Contents | ||
|---|---|---|
| maxLevel | 1 | |
| Table of Contents | ||
|
1.
...
AISPs must provide user/customers with a facility to view and revoke on-going consents that they have given to that AISP. They may have consented to share data from several ASPSPs with a single AISP. This section describes how these consents should be displayed and how the customer journey to revoke them should be constructed.
...
1.1 Customer Experience Checklist and Customer Experience Considerations
...
S. No.
...
Customer Experience Checklist and Customer Experience Considerations
...
Participant
...
Implementation Requirements
...
1
...
AISP should offer functionality (e.g. search, sort, filter) to enable a user/customer to search for the relevant consent. This will be of particular benefit as the number of consents for different ASPSPs/ accounts given by a user/customer to AISPs increases. AISP should provide user/customer with multiple selection options to manage/revocate consent.
AISPs must display the company’s trading name/brand name (i.e. the Client Name) to the user/customer during the setup and revocation of consent. If the AISP is only trading with its registered company name then it must display that name to the user/customer.
If the AISP is not the customer-facing entity and there is an Agent who is acting on behalf of the AISP, then the Agent must make the user/customer aware that they are acting as an agent on behalf of the AISP and must also, display the AISP’s full trading name/brand name or registered company name whichever is the customer-facing brand of the AISP.
The customer-facing entity must provide user/customers with sufficient information to enable them to make an informed decision. For example, detail the purpose for which the data will be used (including whether any other parties will have access to the information), the period over which it has been requested and when the consent for the account information will expire (consent could be ongoing or one-off).
...
AISP
...
Required
...
2
...
AISPs must describe the data being shared through each consent using the structure and language recommended by BOBF and ensure this request is specific to only the information required for the provision of their account information service to the user/customer.
AISPs should present the data at a Data Cluster level and allow the user/customer to expand the level of detail to show each Data Permission.
The Consent Dashboard should also describe:
A description of the account information service that is being provided (including whether any other parties will have access to the information)
Where the request is for multiple product types, the detail should explain to the customer the product type to which it applies or state that it is shared across multiple product types.
The date when consent was first granted.
The length of time for which this consent is valid (e.g. one-off use, for a set period of time e.g. one year, or with no end date and the date of expiry).
The period for which the account information has been requested (e.g. transactions for the last 12 months).
...
AISP
...
Required
...
3
...
The consent dashboard must allow a user/customer to view or cancel the access they have given consent to. The functions “Cancel Permission” and “back” should be displayed with equal prominence to the user/customer
CX consideration:
The AISP must make the exact consequences of cancelling the consent clear to the user/customer – i.e. they will no longer be able to provide the specific service to the user/customer
...
AISP
...
Required
...
4
...
Once the user/customer confirms revocation, AISPs must inform the ASPSP that the user/customer has withdrawn consent by making a call ‘to PATCH’ the account-access-consent resource as soon as practically possible. This will ensure that no further account information is shared.
ASPSPs must support the Delete process. (This is not visible to the user/customer but will ensure no further account information is provided by the ASPSP to the AISP).
CX consideration:
As the account-access-consent resource has been deleted, AISPs must update the consent dashboard as soon as practicable. This update should include:-
An updated status of the user/customer’s sharing arrangement.
A statement indicating to the user/customer that the AISP is no longer collecting and using their data
...
AISP
...
Required
...
5
...
CX consideration:
AISPs should provide a message to consumers that revocation was successful. This message SHOULD be clearly visible on the dashboard and shown as soon as revocation has taken place.
ASPSPs should inform the user/customer that no further account information will be provided by the ASPSP to the AISP as the user/customer has withdrawn its access given to the AISP.
After the Delete endpoint is called by the AISP to remove the account-access-consent resource, the ASPSPs are advised to inform the user/customer via their own channels (for example via SMS or via a notification on their mobile phone) that AISP will no longer have access to their account. This is an additional confirmation to the user/customer that the AISP has completed the delete endpoint process correctly.
AISP
ASPSP
...
Required
Required
...
6
...
Post Customer revocation, AISPs must delete the entire customer data from their storage system
...
AISP
...
Required
2. Access Dashboard and Revocation
ASPSPs must provide user/customers with a facility to view and revoke on-going access that they have given to any AISP for each account held at that ASPSP. This section describes how AISP’s access should be displayed and how the customer journey to revoke them should be constructed.
...
2.1 Customer Experience Checklist and Customer Experience Considerations
...
S. No.
...
Customer Experience Checklist and Customer Experience Considerations
...
Participant
...
Implementation Requirements
...
1
...
CX consideration:
ASPSPs must display the AISPs trading name/brand name (i.e. the Client Name in the software statement) to the user/customer during authentication screens and on any Access Dashboards. They do not need to display the registered company name of the AISP even if it is different.
If there is an Agent acting on behalf of the AISP, ASPSPs must also, display the Agent company name (as captured in the ‘On behalf of’ field of the software statement) to the user/customer. (Please note that ASPSPs can only show the Agency/On Behalf field in cases where this information has been provided by AISPs).
CX consideration:
ASPSPs should offer a functionality (e.g. search, sort, filter) to enable a user/customer to search for the relevant access. This will be of particular benefit as the number of consents given by a user/customer to AISP increases
ASPSPs SHOULD prioritize information that is important to user/customers. This MAY include using tabs (e.g. active, pending, archived), or presenting key details up front, such as when consent was granted.
...
ASPSP
...
Required
...
2
...
ASPSPs must describe the data being accessed using the structure and language recommended by BOBF.
ASPSPs should present the data at a Data Cluster level and allow the user/customer to expand the level of detail to show each Data Permission.
The Access Dashboard should also describe:
The status of the access e.g. Active/Inactive.
When the AISP’s access to the account(s) will expire, if available.
The date the authorisation was granted.
And may include the date of last access.
ASPSPs must make available on all digital channels an access dashboard which allows user/customers to view access which has been previously granted and it must be easy and intuitive for user/customers to find and use.
CX consideration:
ASPSPs should make the status of AISP access clear by the use of emboldened words. The ASPSP should also make it clear, which party provided the AISP access, in the case of joint/ multiple account holders
...
ASPSP
...
Required
...
3
...
The access dashboard must allow a user/customer to view or cancel the access they have given consent to. These functions “cancel access” and “back” should be given equal prominence
...
ASPSP
...
Required
...
4
...
ASPSPs must advise user/customers that they should contact the associated AISP to inform them of the cancellation of access and/or understand the consequences of doing so before the user/customer confirms the revocation of access
...
ASPSP
...
Required
...
5
...
ASPSPs should inform the user/customer via their own channels (for example via SMS or via a notification on their mobile phone) that AISP will no longer have access to their account
...
ASPSP
...
Required
3. Swagger Code
...
Version Control
Version | Date | Description of Changes |
Bahrain OBF v1.0.0 | 25th Aug 2020 | Initial Release |
2. Introduction
The Open Banking Read API specifications support consent management services to third party players and ASPSP. A user/customer can review, refresh and revocate his/her consent that has been provided to the AISP. To enhance the customer experience, Bahrain OBF has created standards for managing the consent from both ASPSP and AISP. The attributes of the consent, which have been agreed between the third party player and the customer, cannot be altered or updated, it can only be refreshed or revoked. This section describes the Consent management core journeys that support the set-up and management of Account Information Services (AIS). The key components are:
Consent Dashboard and Revocation allows the user/customer to view, refresh and revoke consent that they have given to the AISP to access users'/ customers’ data
Access Dashboard and Revocation allows the user/customer to view and revoke access that they have given to that AISP through ASPSPs portal
Notifications allows the AISPs and PISPs to receive notifications from ASPSPsonce the event occurs
CENTRAL BANK OF BAHRAIN © 2020