Yapily Connect AIS UX guidelines
Yapily Guidelines for User Journey Compliance
Introduction
An AIS authorisation is any API request to pull the PSU's account information from their bank. AIS requests (or calls) require consent that can last up to 90 days in the UK and 180 days in the EEA. In the UK PSUs are required to reconfirm their consent (SCA not needed) every 90 days so we can still access the data. In the EEA PSUs are required to re-authenticate their consent (SCA needed) with their bank every 180 days so we can still access the data.
Some Yapily Connect customers just require sight of the relevant account information.
Other Yapily Connect customers will wish to share some or all of the account information retrieved via the API call back to the PSU; in the UK, this can require a special agency arrangement to be put in place (see information box “What it means to be an agent for Yapily Connect Ltd” below).
Below are instructions for what steps you should take to ensure a compliant PSU journey.
Although these are described as “steps”, they do not need to be performed sequentially as long as each element has been appropriately reflected to support a robust consent. The PSU’s consent always has to be obtained prior to redirection to the bank.
Step 1: Introduce the AIS journey to the PSU within your application
Introduce the PSU to the journey by creating an intent within the customer application to permit Yapily Connect to access the PSU’s account information on behalf of the customer.
If you're acting as an agent of Yapily Connect (see the guidance “What it means to be an agent of Yapily Connect Ltd” below), you also need to be explicit about the fact that you will be acting as an agent of Yapily Connect for the purposes of showing account information back to the PSU.
Step 2: Capture the bank
Present the PSU with the option to select which bank they wish to complete an AIS authorisation for.
Step 3: Display the account information request summary
Present the request for Yapily Connect to access the PSU’s account information back to the PSU prior to the redirect to their bank.
The key Yapily Connect requirements are outlined below (depending on whether or not you are acting as an agent).
Everything inside the following “Consent screen” boxes must be displayed to the PSUs. Please replace the text in [brackets] with your product's information. Any changes to this information must still comply with Yapily Connect’s regulatory requirements and will need approval.
The “Terms & Conditions” and “Privacy Notice” links must connect through to Yapily Connect’s then current End User terms and Privacy Notice.
The button to click for confirmation has to be named “Confirm” or “Allow”, and it should appear alongside an equally prominent “Cancel” or “Leave” button at the end of the information displayed. You should also make sure that the PSU is provided with a warning / notification message reminding them that the 90 day period is approaching, inviting them to reconfirm their consent, and explaining how their payment account information will be used and whether any other parties will have access to that information.
Account Information Service (Non-Agency)
Consent screen

We have partnered with Yapily Connect to access your bank data at [bank]. You will now be securely redirected to [bank] to give access to the following information:
- Account(s) details
- Balances
- Transaction history
- [Other]
By using the service, you agree to Yapily Connect accessing your bank data, the Terms & Conditions and Privacy Notice [Insert links]. This consent will be valid until [dd/mm/yyyy].
“Confirm” “Cancel” [insert buttons]
Account Information Service (Agency)
If you are acting as an agent, then you (as agent) must make the PSU aware of this.
Consent screen

We have partnered with Yapily Connect to access your bank data at [bank] and act as their agent when we share this information back to you. You will now be securely redirected to [bank] to give access to the following information:
- Account(s) details
- Balances
- Transaction history
- [Other]
By using the service, you agree to Yapily Connect accessing your bank data, the Terms & Conditions and Privacy Notice [Insert links]. This consent will automatically expire on [dd/mm/yyyy].
“Confirm” “Cancel” [Insert buttons]
What it means to be an agent of Yapily Connect Ltd
Agency for AIS is only applicable to customers of Yapily Connect Ltd. sharing consolidated account information back to UK-based PSUs. Yapily Connect UAB’s customers are allowed to show account information back to EEA-based PSUs without having to become agents of Yapily Connect UAB. Yapily Connect Ltd AIS customers who need to share “consolidated account information” back to UK-based PSUs must be registered with the FCA as an agent of Yapily Connect Ltd before doing so.
Agency is not required if:
- the account information returned from the bank is not shown to the PSU (e.g. it only goes to Yapily Connect Ltd’s customer for it to make a loan decision); or
- you only show “basic” account information to the PSU (i.e. if the only information provided to the PSU is the PSU’s name, account number and sort code). This limited data set is not “consolidated account information”.
Agency is required if you show more than “basic” account information back to the PSU, e.g. transaction data is shared back via an accounting platform or personal finance management application.
To act as an agent for Yapily Connect Ltd, you must be party to a separate agency agreement with Yapily Connect Ltd and your company must have first been approved to do so both by Yapily Connect Ltd and by the FCA and you must appear on the FCA’s register as Yapily Connect Ltd’s agent.
It is illegal for you to share consolidated account information to UK-based PSUs without either having the regulatory permissions or being listed on the FCA’s register as an agent for a principal who does. This can have serious consequences.
Step 4: PSU Authenticates with their bank
Redirection model
The PSU is redirected to their bank (through the browser or the corresponding online banking mobile app) - neither Yapily Connect nor its customer can control this part of the flow. The PSU is asked by their bank to log in using the same credentials as their online banking (which can be any combination of SCA, e.g. fingerprint scanning, face ID, temporary codes or secure passwords/pass-phrases).
Redirection-based authentication has a range of possible experiences for a PSU based on whether the PSU has a bank’s app or not, and the device on which the PSU is consuming the AISP/PISP service. More information about the different authentication methods can be found in the section “Authentication methods” of the OBIE Guidelines.
Embedded flow model
The PSU remains in your application to authenticate with their bank. You need to provide the following additional screens:
- To collect the PSU’s banking credentials (these are the same credentials as their online banking)
- To present the list of available SCA methods to the PSU so they can select the method they would like the bank to use to contact them (can be skipped if only 1 method available)
- To collect the SCA code if this option is selected by the PSU. The code is sent directly to the PSU from the bank, and then needs to be captured in your application.
Step 5: PSU selects accounts
The bank will request the PSU to select all the accounts they want to share information about if this is a new authorisation request. If this is a re-authorisation (where you are requesting the PSU to re-authorise an existing consent), the PSU will typically be taken directly to Step 6.
Step 6: PSU redirected back to Yapily Connect’s customer
Now that the PSU has been authenticated by their bank, they will be prompted to authorise the Yapily Connect consent request. Once the consent has been given (or declined), the bank session will automatically close and the PSU will be redirected to Yapily Connect’s redirect URL and then, within milliseconds, to your callback URL.
Step 7: Allow revocation of consent
You must ensure that a PSU has the ability to cancel their consent at any time e.g. via a “Consent Dashboard” page containing profile settings etc. The button on the user journey consent screens enabling withdrawal of consent automatically cancels the “Account-access-consent” call to the bank (this is built into the Yapily API functionality).
A more detailed description of how the user journey to revoke the consents should be constructed and what should be presented to the PSU after the revocation are provided in the OBIE Guidelines, Consent Dashboard and Revocation.
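The consent lifecycle the steps above describe (consent captured before the redirect, 90 day UK / 180 day EEA validity, reconfirmation without SCA in the UK versus re-authentication with SCA in the EEA, an approaching-expiry reminder, and revocation) can be modelled in a small state object. This is an added illustration, not Yapily's own code or API; the 14 day reminder lead time and the `AisConsent` class are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum consent validity per the guidelines: 90 days UK, 180 days EEA.
MAX_DAYS = {"UK": 90, "EEA": 180}
# UK: PSU reconfirms (no SCA). EEA: PSU re-authenticates at the bank (SCA).
SCA_ON_RENEWAL = {"UK": False, "EEA": True}
# Assumed lead time for the "expiry approaching" warning (not fixed by the guidelines).
REMINDER_WINDOW_DAYS = 14


@dataclass
class AisConsent:
    region: str                 # "UK" or "EEA"
    granted_on: date            # date the bank authorisation completed (Step 6)
    psu_confirmed: bool = False # PSU pressed "Confirm" on the consent screen (Step 3)
    redirected: bool = False    # PSU sent to the bank (Step 4)
    revoked: bool = False       # PSU withdrew consent (Step 7)

    @property
    def expires_on(self) -> date:
        return self.granted_on + timedelta(days=MAX_DAYS[self.region])

    def confirm(self) -> None:
        self.psu_confirmed = True

    def can_redirect(self) -> bool:
        # Consent must always be obtained before redirection to the bank.
        return self.psu_confirmed and not self.revoked

    def redirect_to_bank(self) -> None:
        if not self.can_redirect():
            raise PermissionError("PSU consent must be captured before redirect")
        self.redirected = True

    def is_active(self, today: date) -> bool:
        return self.redirected and not self.revoked and today < self.expires_on

    def needs_reminder(self, today: date) -> bool:
        # Warn the PSU that the consent period is approaching and invite renewal.
        return self.is_active(today) and (self.expires_on - today).days <= REMINDER_WINDOW_DAYS

    def renew(self, today: date, sca_completed: bool) -> None:
        if self.revoked:
            raise PermissionError("revoked consent cannot be renewed")
        if SCA_ON_RENEWAL[self.region] and not sca_completed:
            raise PermissionError("EEA renewal requires SCA at the bank")
        self.granted_on = today  # a fresh 90/180 day period starts

    def revoke(self) -> None:
        self.revoked = True  # the account-access-consent at the bank is cancelled too
```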