| Expand | ||||
|---|---|---|---|---|
| ||||
|
...
Users can share data held with an LFI, by providing their data sharing consent to a TPP.
...
3.2 Customer Experience Journey
...
4. Rules & Guidelines
# | Step | Rules & Guidelines |
MICS-1 | Initiate User Set-up (Conditional) | Depending on the use case, the User may have to be onboarded with the TPP by agreeing to any relevant terms and conditions (e.g. regarding sharing and storage of personal data) and setting up an account with them if required. TPPs MUST: 1.1 Provide the User with a Terms & Conditions, and Privacy Notice outlining applicable rights and responsibilities in the context of relevant regulation and legal principles. This may need to include any onward sharing of personal data, recipients or categories of recipients who receive that data, and the lawful basis for processing personal data as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210796838/Consent+Setup#2.-Consent-Codification 1.2 Obtain the User's agreement to the above before setting them up and be able to request User consent as per the next step in the process 1.3 Provide an option to cancel the flow |
MICS-2 | Data Sharing Consent | Basic Consent Parameters TPPs MUST: 2.1 Request only data required to perform their service (or use case). 2.2 Use the data language standards to describe the data clusters and data permissions in user-facing interactions so that the User clearly understands the data that will be requested from their LFI to provide the service requested
2.3 Provide to User, the OFP and the LFI their trading/brand name clearly and the name of any other parties they are supporting (if applicable). 2.4 Allow the User to identify and select the LFIs for the Consent
|
Additional Consent Parameters TPPs MUST: 2.5 Set the Accepted Authorization Type (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#7.-Accepted-Authorization-Type). 2.6 Set the Authorization Time Window (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#8.-Authorization-Time-Window) if there are specific timing requirements that must be met for the Consent authorization. This is also relevant to cases where multiple authorizers are required to authorize the payment consent. 2.7 Obtain the Users' explicit consent to access information from insurance products held at LFIs (as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210796838/Consent+Setup#2.1--Data-Sharing-Consent). | ||
MICS-3 | Consent Staging | As perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#10.-Consent-Staging |
MICS-4 | Hand-off to LFI | TPPs MUST: 4.1 Notify the User that they will be transferred to the selected LFI to undertake their authentication and consent Authorization (as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#11.-Hand-off-to-LFI) |
MICS-5 | Authentication | LFIs MUST: 5.1 Enable Users to perform authentication with their LFIs, as per the following sections: 5.2 Re-direct Users back to the TPPs, with information that the Consent has not been authorized, if User Authentication has failed or Users opted to cancel the authentication/authorization process. |
MICS-6 | Disclosure Consent | LFIs MUST: 6.1 Enable Users to authenticate using Multi-Factor Authentication (MFA) in order to review and authorize the data sharing Consent. 6.2 Retrieve from the OFP the data sharing Consent details staged by the TPP using the unique Consent Identifier. 6.3 Display details of data that will be shared and for how long 6.4 Use the data language standards to describe data clusters and permissions in user-facing interactions so that the same information is displayed to the User |
MICS-7 | Confirmation/ Authorization | LFIs MUST: 7.1 Present to Users all the details in relation to data sharing Consent. 7.2 NOT allow Users to change any of the Consent parameters (e.g. permissions) staged by the TPP. 7.3 Request Users to authorize the data sharing Consent. 7.4 Enable Users to cancel the data sharing Consent request from within the authorization journey 7.5 Re-direct Users back to the TPPs, with information that the Consent has not been authorized, if Users opt to cancel the Consent authorization process before final authorization. 7.6 Check the Authorization Time window is valid as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#20.-Check-Authorization-Time-Window 7.7 Change the state of the data sharing Consent from Awaiting Authorization to Authorized, when all Authorizers (one or more) have authorized the data sharing Consent. 7.8 Update the data sharing Consent details stored in the OFP with all the information included in the data sharing Consent authorized by the User. |
OFP MUST: 7.9 Confirm back to the LFIs that the data sharing Consent details have been updated successfully. | ||
Multi-Authorization Journey Only | ||
MICS-8 | Hand-off back to the TPP | As perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#14.-Hand-off-back-to-the-TPP |
MICS-9 | Confirmation to User | As perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#16.-Confirmation-to-User |
...