LFI Consent Management Interfaces

This space is deprecated and no longer supported. Please use the latest available version here.

1. Overview

LFIs MUST provide Users with a facility to view and revoke ongoing Consents that they have given to any TPP for each account held at that LFI. Users may have consented for Data Sharing or Service Initiation from several accounts with many TPPs. This section describes:

  • How to make the LFI Consent Management Interfaces (CMIs) an effective tool for Users

  • How the revocation journey SHOULD be constructed

Consent Management Interfaces (CMIs) play an important role in clearly and transparently setting out what Consents Users have provided for TPPs. Therefore, Consent Management Interfaces (CMIs) play a role in multiple user journeys, including:

  • Checking that the Consent is live (i.e. valid)

  • Reminding Users which TPPs they are providing Data Sharing or Service Initiation access to and for how long

  • Informing Users how long TPP Consent will continue for

  • Clarifying what types of Data Sharing access they have given TPPs

  • Clarifying what type of Service Initiations TPPs can perform from their accounts

  • Providing the ability to revoke TPP Consents

Making the LFI Consent Management Interfaces (CMIs) easy to find and easy to understand plays a key role in building trust in Open Finance-enabled services.

2. LFI Consent Management Interface (CMI) Examples

2.1 Wireframes

The following are example wireframes of LFI Consent Management Interfaces (CMIs), illustrating information that must be provided to Users for Data Sharing and Service Initiation Consents.

2.1.1 Data Sharing Consent Management Interface (CMI)

 

[Wireframe: Data Sharing Connections]

[Wireframe: Data Sharing Connections History]

 

2.1.2 Service Initiation Consent Management Interface (CMI)

 

 

 

 

2.2 Rules & Guidelines

ID

Rules & Guidelines

1

LFIs MUST keep the Data Sharing and Service Initiation Consents separate to ensure clarity and prevent any misunderstandings by Users.

2

LFIs MUST provide Consent Management Interfaces (CMIs) with an Overview page displaying high-level details for all Consents and a Detailed page for each Consent.

3

LFIs MUST display the TPPs' trading name/brand name to Users. They MAY also display the registered company name of TPPs, if it is different.

4

LFIs MUST provide Users with comprehensive information to help them make informed decisions on the Consent Management Interface (CMI) Overview page. As a minimum, LFIs MUST display:

Consent Summary:

  • Consent State ("Awaiting", "Authorized", "Rejected", "Canceled", "Finished")

  • Service Provider Name (i.e. the TPP trading name)

  • Account type and the last 4 digits of account number

  • The expiry date for when the Consent will end (Note: A countdown is an optional element. If provided, it SHOULD be used in addition to an expiry date and not instead of it)

  • The date and time of the last occasion when Data Sharing or Service Initiation access occurred from the Users' connected account. This MAY be a specific date and time, or a range (e.g. within the last [x] days)

  • "View Details" button to view the details of the Consent

5

LFIs MUST provide Users with comprehensive information to help them make informed decisions on the Data Sharing or Service Initiation details.

These details MUST include all the values which are defined within the specific Data Sharing or Service Initiation Consent, when it was requested. These details are covered within the Rules & Guidelines for each of the areas of functionality covered by the Standard.

6

LFIs MUST offer functionality (such as search, sort, filter etc.) to enable Users to search for the relevant Consent. This will be of particular benefit as the number of Consents for different LFI accounts given by Users to TPPs increases.

7

LFIs MUST provide the following minimum set of filters in the Consent management Overview page:

  • Service Provider Trading Name (and TPP name if different)

  • Connected Account Number

  • Consent Type

  • Consent State

  • Consent Date

8

LFIs SHOULD provide extra explanatory text to help Users understand complicated topics such as how to cancel their Consent (e.g. using information bubbles helps to keep information manageable).

9

The Consent ID that is presented at the User-Interface (UI) MUST be user-friendly. LFIs MUST present the first and last four digits of the consent ID: 1234…….6789.

10

LFIs MUST offer a copy option that allows Users to copy the complete consent ID easily.

11

LFIs MUST provide the following Consent management options:

  1. Authorize & Reject options:

    • Will be shown when there are multiple payment authorizations (for example in joint/multiple account holders) or when the Authentication/Authorization request has failed at the LFI side.

  2. Cancel:

    • Will be shown when Users have completed the Authorization. This is not applicable for Single-use Consents for irrevocable Service Initiations such as Single Immediate Payments “SIPs”.

12

LFIs MUST provide a record of all past connections, including any previously granted Consents which have been:

  • Canceled at the LFIs or the TPPs

  • Expired

  • Authorization Time Window Elapsed

  • Rejected

  • Finished

3. Consent Revocation Journey

The ability to revoke TPP access to connected accounts is one of the primary roles of the LFI Consent Management Interface (CMI). The below journey illustrates the main steps involved:

3.1 Wireframes

The below are example wireframes of the Consent Revocation journeys for Data Sharing and Service Initiation.

3.1.1 Data Sharing Consent Revocation Journey

 

 

3.1.2 Service Initiation Consent Revocation Journey

 

3.1.3 Rules and Guidelines

ID

Rules & Guidelines

1

In the Consent Management Interface (CMI) Detailed page, LFIs MUST show as a minimum:

  • When data was last shared or when Service Initiation was made by each TPP. This MAY be a specific date and time, or a range (e.g. within the last [x] days).

  • The expiry date of the Consent.

2

In the Consent Management Interface (CMI) Detailed page, LFIs MUST allow Users to cancel the Consents they have provided to TPPs easily and without obstruction or excessive barriers.

3

In the Consent Cancellation Notification page (i.e. the last page), LFIs MUST advise Users that they SHOULD contact the associated TPP to inform them of the revocation of their Consent and to understand the consequences of their action.

4

In the Consent Management Interface (CMI) Overview page, LFIs MUST inform Users that the Consent has been withdrawn successfully and show the “Canceled” state to the User.

4. Consent Management Interfaces (CMIs) when customer-facing service provider and TPP are different entities

If there are customer-facing service providers (e.g. Merchants) who are not TPPs but have commercial relationships with TPPs, the LFIs MUST display the customer-facing service provider name along with the TPP trading name on the Consent Management Interfaces (CMIs).

These entities are referred to as customer-facing service providers, as they are providing the end service to the end-Users, whereas TPPs in these cases are only undertaking the Data Sharing or Service Initiation activities. This could occur in merchant journeys for example, where a merchant contracts with a TPP to provide Variable Recurring Payments as a payment option on their platform.

4.1 Examples

| TPP Trading Name (Client Name in the APIs) | Registered Legal Entity Name (Company Name/Organisation Name) | Customer-facing entity name (‘via’ field in the APIs) | What to display |
| --- | --- | --- | --- |
| ABC Trades | ABC Company Ltd | | ABC Trades |
| ABC Company Ltd | ABC Company Ltd | | ABC Company Ltd |
| ABC Company Ltd | ABC Company Ltd | OBO Ltd | OBO Ltd via ABC Company Ltd |
| [TPP Trading Name] | [TPP Company name] | [Merchant Trading name] | [Merchant Trading name] via [TPP Trading Name] |
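
The display rule in the table above, combined with rules 4, 9 and 11 of section 2.2, sketched as an added example that is not part of the Standard. The field names (`tradingName`, `via`, `singleUseIrrevocable` and the rest) are hypothetical, and mapping "completed the Authorization" to the "Authorized" state is an assumption.

```javascript
"use strict";

// Consent states listed in rule 4 of section 2.2.
const CONSENT_STATES = new Set(["Awaiting", "Authorized", "Rejected", "Canceled", "Finished"]);

// Section 4: show "<customer-facing name> via <TPP trading name>" when a
// customer-facing entity is present, otherwise the TPP trading name alone.
function displayName(tradingName, via) {
  const tpp = (tradingName || "").trim();
  const merchant = (via || "").trim();
  if (!tpp) throw new Error("TPP trading name is required");
  return merchant ? `${merchant} via ${tpp}` : tpp;
}

// Rule 9: present the first and last four characters of the consent ID.
// IDs of eight characters or fewer are returned whole (nothing to elide).
function maskConsentId(consentId) {
  const id = String(consentId);
  return id.length <= 8 ? id : `${id.slice(0, 4)}…${id.slice(-4)}`;
}

// Rule 4: only the last four digits of the account number reach the page.
function lastFour(accountNumber) {
  return String(accountNumber).replace(/\s+/g, "").slice(-4);
}

function buildOverviewRow(consent) {
  // Refuse to render a state the Standard does not define.
  if (!CONSENT_STATES.has(consent.state)) {
    throw new Error("Unknown consent state");
  }
  return {
    provider: displayName(consent.tradingName, consent.via),
    consentId: maskConsentId(consent.consentId),
    account: `${consent.accountType} ending ${lastFour(consent.accountNumber)}`,
    state: consent.state,
    expires: consent.expiresAt,
    // Rule 11 (assumed mapping): Cancel only for "Authorized" consents that
    // are not single-use consents for irrevocable initiations such as SIPs.
    canCancel: consent.state === "Authorized" && !consent.singleUseIrrevocable,
  };
}

// Constructed sample record; every value is made up for illustration.
const SAMPLE_CONSENT = {
  consentId: "1234aaaa-bbbb-cccc-dddd-eeee6789", tradingName: "ABC Company Ltd",
  via: "OBO Ltd", accountType: "Current", accountNumber: "0012 3456 7890",
  state: "Authorized", expiresAt: "2025-01-31", singleUseIrrevocable: false,
};
console.log(buildOverviewRow(SAMPLE_CONSENT));
```

The full consent ID stays in the underlying record so that the copy option required by rule 10 can still return it.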