IAPP CIPT – GDPR and Payment Services Directive (PSD2) Part 4

12. Authentication Step

Hi guys. In this lesson we’ll discuss about the authentication step. The research has highlighted some suggestions to make this step more customer friendly. The presence of the ASPs branding and logo at this step is critical to engineering customer confidence and trust in the entire process. The more distinctive the authentication step when compared to the TPP’s online mobile experience, the better. The more consistent this ASPSP experience is to the online mobile banking experience of the ASPSP, the more familiar it seems to the customer. Therefore, the greater the sense of security and trust it engenders. Customers would welcome an authentication step which could be shortened without compromise, optimizing safety and security of the process. Example touch ID assurance was needed that no information being shared by the customer during this step is being made available to or is visible to the TPP.

13. Authorisation Step

Hi, guys. In this lesson, we’ll discuss about the authorization step. It should be made clear at the point of requesting authorization how it may be revoked. The use of standardized data clusters during the Authorization request AIDS clarity, trust and familiarity. The customer should not be able to deselect any of the data clusters presented as part of the Authorization request. However, they should be able to accept or reject the Authorization request in its entirety.

The research has shown that an ability to view up to date account balance information and being able to choose an account to pay with based on that information is of benefit and of importance to the customer. However, it’s also suggested that customers might also require some reassurance that their balances are not available or visible to the TPP. This could be achieved by including following text the information is not visible to TPP name. It is also recommended that the Authorization requested explicitly mentions that the payment is a single payment and it will be submitted by the ASPSP for execution.

After Authorization, the experience of the constant step on the various TPP’s websites or apps may vary. Therefore, for most online customer journeys, the authorization step will be the standardizing factor and will bring clarity to what customers are agreeing to. It is therefore important that the information displayed and the language used is standardized across ASPs, including the use of data clusters.

Again, it is revealed that consumer segments such as techno fields, financial progressives, and early adopters prefer a hybrid model where the authentication and authorization steps are combined. This was viewed as a good compromise between a customer understanding their actions and the simplicity or speed of the process. Although these segments represent a large minimum, estimated to be around 20%, the majority of the open banking addressable market showed a clear preference for a separate authorization step.

14. Redirection

Hi guys. In this lesson, we’ll discuss about the Redirection at lunch. The Open Banking Consent authentication and authorization steps. Follow the redirection model. This is where the customer is redirected from the TPP’s domain to the ASPSP domain for authentication and authorization. Redirection screens will be presented between the Consent and the authentication steps and then after the Authorization step, when the customer is redirected, back to the TPP’s domain. It was demonstrated that the redirection screens are a useful part of the process.

Providing customer Trust The following reasons are noted they help customers navigate their online journey and inform them of what is going to happen next. They help create a clear sense of separation between the TPP’s domain and the ASPSP’s domain. Also, a messaging on the redirection screen serves to reassure the customer that they are in control and helps engender trust. For example, customers will be more willing to trust the process if they feel there is a partner, either TPP or ASPSP, on their side. That is known and reputable in this sense, use of words that indicate that the customer is in control and taking the lead are key as. These are indications that the TPP or the ASPSP is working with or for the customer.

15. Data Minimisation & Permissions

Hi, guys. In this lesson, we’ll discuss about data minimization and permissions. TPPs need to follow a data minimization approach whereby they only request access to the PSU data that they need to deliver the specific service that they are offering. In the Open Banking API design, data elements are logically grouped together into permissions. As you see in the following table. It is at this level that TPPs will request data access. If they request access to a specific permission, they will have access to all the data elements in the permission. This provides a pragmatic approach, allowing TPPs to be selective, but at the same time creating a consent process that is at an acceptable level of granularity for the PSU.

The structuring of data elements into permissions is a core part of the read write API design and influences how participants should approach the implementation of the consent model. As part of a constant step, the TPP will have to describe the data that they are requesting access to. As part of the authorization step, the ASPSP will have to play back the data that the PSU has consented to provide access to. It is critical that the language used by both parties to describe the data is consistent so that the PSU can be sure that they are authorizing the ASPSP to provide the access to the TPP that they consented to.

The Dspsp will have no sight of the language used by the TPP. In the consent step, the ASPSP will only know which permissions have been included in the access request from the contents of the message delivered by the API. Participants are under no obligation to implement this language, but it has been recognized that failing to do so could lead to customer confusion and potentially reduce take up.

• Category: Uncategorized