Yapily guidelines for SafeConnect AIS UX
Any AIS authorisation can be summarised as any request to pull a PSU's account information, balance and transaction data, requesting a consent that can last up to 90 days. For SafeConnect customers two distinct variations exist:
Introduce the PSU to the journey by creating an intent within the TPP application to obtain the user's account information. Depending on your use case (whether you're an agent or non-agent customer) you may or may not wish to be explicit about the request e.g. "Add account", "Link account"
Present the PSU with the option to select which bank they wish to complete an account information authorisation for (if not already pre-defined, e.g. as per a previously linked account).
Present the request for the user's account information to the PSU prior to the redirect to their bank.
The key SafeConnect requirement is that the PSU is made aware who SafeConnect is, with appropriate logos and legal details, before being redirected to their bank. This will help assure the PSU when they see SafeConnect as the consent recipient on their bank screens (and why it's not the details of the TPP who's service they are using) along with all of the relevant details should they wish to cancel the consent or understand who SafeConnect is and our legal responsibilities.
Everything inside the following box is required to be displayed to your customers, please replace the text in [brackets] with your product's information
The PSU is redirected to their bank (through the browser or the corresponding online banking mobile app) and neither Yapily or the TPP can control this part of the flow. The PSU is asked to login using the same credentials as their online banking which can be any combination of SCA e.g. fingerprint scanning, face ID, temporary codes or secure passwords/pass-phrases.
The bank will request the user to select all the accounts the want to share if this is a new authorisation request. In the event of a re-authorisation (where the TPP requests the user to re-authorise an existing consent), the PSU will typically be taken directly to the Step 6.
Now that the PSU is authenticated, they will be prompted to authorise the consent request SafeConnect is making on behalf of the TPP. Once the consent has been given (or not), the bank session will automatically close and the PSU will be redirected to the redirect url configured for the application within Yapily.
The TPP confirms that the authorisation request was approved by the user which will allow them to continue with the desired user journey now that the user's AIS data is accessible.
For TPPs using the Agent model, the data that is required to be displayed to the PSU can be clearly displayed.
The PSU should be given the ability to cancel their consent at any time. This can be an additional page, profile setting etc, or even an email address upon which the request can be actioned.