Open banking consent refers to the explicit permission given by a customer or account holder to a third-party provider (TPP) to access their financial data from a bank or financial institution.
Consent is a fundamental principle of open banking that ensures the protection of customer data and privacy. It places the control over data sharing in the hands of the customer, empowering them to decide which TPPs can access their financial information and for what purposes. By granting consent, customers allow TPPs to retrieve their account data, such as transaction history, account balances, and other relevant financial details, from their bank.
Consent is agreed between the Resource Owner (customer) and the Client (TPP). It includes what data is to be shared, what services are to be performed on the Resource Owner's behalf, the duration, and for what purpose. Once agreed, some of this information is used to start the Access Authorization flow through the Access Authorization API.
Open banking frameworks and regulations, such as the Revised Payment Services Directive (PSD2) in Europe, typically mandate that consent must be explicit, informed, and freely given. This means that customers must be fully aware of the data being accessed, the TPPs requesting access, and the specific services they are providing. Additionally, customers have the right to revoke or withdraw their consent at any time, giving them greater control and transparency over their financial information.
According to European Banking Authority (EBA) rules, AIS access tokens have a maximum duration of 180 days; this is also the default. The consent duration is checked during every authorization.
FAQ (Production environment):
Q:
How many days of transactions can be retrieved by the TPP?
A:
A TPP using a Nordea access token with a period defined by the customer (up to 180 days) is only entitled to access payment transactions executed in the last 90 days, unless a new strong customer authentication is performed.
Q:
If a transaction ID is provided by a Nordea API, is it consistent within a session (access token), a consent or forever?
A:
Internal transaction IDs are in fact exposed externally and could change if and whenever Nordea rearranges its systems' integrations. They should not be considered lasting or globally unique for tracing or data-mining purposes, as we do not issue any guarantees in this regard.
Q:
Is it possible for the PSU (payment service user) to revoke a consent via their online banking portal?
A:
It is not possible to revoke a consent via the online banking portal at this time.
Q:
Is it possible for a TPP to revoke a consent via a Nordea API?
A:
Yes, it is possible to revoke a consent after it has been given. Please refer to our documentation for further details:
Nordea | Open Banking Developer Portal (nordeaopenbanking.com)
Q:
Can the lifetime of a consent be changed by the PSU during an SCA (strong customer authentication) flow?
A:
The lifetime of a consent is fixed once granted; to end it earlier it must be explicitly revoked. If not revoked explicitly, the consent lives for a maximum of 180 days.
Q:
Is the PSU able to change the scope (e.g., accounts, balances, transactions) of a consent during or after an SCA flow?
A:
The PSU is not able to change the scope of an existing consent. If different scopes are desired, a new authentication flow must be completed with the new scopes.
Q:
Can a PSU decide per account whether or not to share it, or is an "all or nothing" approach applied?
A:
There is an option in the authentication flow to select which accounts a given consent applies to; see:
Redirect access authorization flow
Decoupled corporate access authorization flow (Nordea ID)
Redirect corporate access authorization workflow
Q:
Why is there no duration and scope information on the consent page?
A:
It is a legal requirement not to present this information, in order to stay compliant with EBA (European Banking Authority) rules.
Q:
Do Nordea APIs support granular/detailed consents, so that a PSU can limit access to transaction data as much as possible during PIS (payment initiation service)?
A:
Yes, customers can limit the consents given to TPPs. During the authorization process customers can set the duration, the maximum transaction history and the scopes, and select the accounts or cards they want to grant access to:
Redirect access authorization flow
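The consent described above (scopes, accounts and duration agreed at authorization time, a lifetime capped at 180 days, transaction history limited to the last 90 days unless a new SCA is performed, explicit one-way revocation, and an account list that is frozen when the consent is granted) can be expressed as a small policy check. The following is an added example written for this page; it is not Nordea's code and does not call any Nordea API. The `Consent` shape, the `fresh_sca` flag, the account identifiers and the dates are all assumptions constructed for illustration, and the 90-day cap on `history_days` is taken from the transaction-history answer above.

```python
"""Policy model for an open banking AIS consent (added example, not Nordea code).

Encodes the rules stated on this page as a pure check a TPP or ASPSP
could run before serving a GET transactions request:
  * consent lifetime is set at authorization and capped at 180 days
  * transaction history is limited to the last 90 days unless a fresh SCA
    has just been performed
  * scope and account list are fixed at grant time; a new account needs a
    new consent, and a new consent does not invalidate an older one
  * revocation is explicit and one-way
All identifiers, the `fresh_sca` flag and the sample dates are constructed
assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_CONSENT_DAYS = 180   # EBA cap on AIS access without a new SCA (from this page)
MAX_HISTORY_DAYS = 90    # transactions reachable without a new SCA (from this page)
VALID_SCOPES = frozenset({"accounts", "balances", "transactions"})


@dataclass
class Consent:
    """One AIS consent as agreed between the PSU (Resource Owner) and the TPP (Client)."""
    consent_id: str
    scopes: frozenset[str]
    account_ids: frozenset[str]      # frozen at grant time; later accounts are not covered
    granted_at: datetime
    duration_days: int               # chosen by the customer, 1..MAX_CONSENT_DAYS
    history_days: int                # chosen by the customer, 1..MAX_HISTORY_DAYS
    revoked_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Reject consents that exceed the regulatory caps at creation, not at use.
        if self.granted_at.tzinfo is None:
            raise ValueError("granted_at must be timezone-aware")
        if not self.scopes <= VALID_SCOPES:
            raise ValueError(f"unknown scopes: {sorted(self.scopes - VALID_SCOPES)}")
        if not 1 <= self.duration_days <= MAX_CONSENT_DAYS:
            raise ValueError(f"duration must be 1..{MAX_CONSENT_DAYS} days")
        if not 1 <= self.history_days <= MAX_HISTORY_DAYS:
            raise ValueError(f"history must be 1..{MAX_HISTORY_DAYS} days")

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + timedelta(days=self.duration_days)

    def revoke(self, now: datetime) -> None:
        """Explicit, one-way revocation; unaffected by any other consent."""
        if self.revoked_at is None:
            self.revoked_at = now


def check_consent(consent: Consent, now: datetime) -> tuple[bool, str]:
    """Checks applied to every request regardless of scope (the per-authorization check)."""
    if consent.revoked_at is not None:
        return False, "consent revoked"
    if now >= consent.expires_at:
        return False, "consent expired"
    return True, "ok"


def authorize_transactions(consent: Consent, account_id: str, date_from: datetime,
                           date_to: datetime, now: datetime,
                           fresh_sca: bool = False) -> tuple[bool, str]:
    """Decide whether a transactions request for [date_from, date_to] is covered.

    `fresh_sca` (an assumption of this model) means the PSU authenticated in
    this session, which is what allows history older than the 90-day window.
    """
    ok, reason = check_consent(consent, now)
    if not ok:
        return False, reason
    if "transactions" not in consent.scopes:
        return False, "scope 'transactions' not granted"
    if account_id not in consent.account_ids:
        return False, f"account {account_id} not covered by consent"
    if date_from > date_to:
        return False, "date_from is after date_to"
    if date_to > now:
        return False, "date_to is in the future"
    earliest = now - timedelta(days=consent.history_days)
    if date_from < earliest and not fresh_sca:
        return False, f"history before {earliest.date()} requires a new SCA"
    return True, "ok"


def try_create(duration_days: int, history_days: int) -> Optional[str]:
    """Return the validation error for a consent with these limits, or None if valid."""
    try:
        Consent("c-check", frozenset({"accounts"}), frozenset({"acct"}),
                datetime(2024, 1, 1, tzinfo=timezone.utc), duration_days, history_days)
    except ValueError as exc:
        return str(exc)
    return None


def demo() -> list[tuple[str, bool, str]]:
    """Walk a constructed consent through the edge cases discussed on this page."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)     # constructed grant time
    day = timedelta(days=1)
    c = Consent("c-001", frozenset({"accounts", "transactions"}),
                frozenset({"FI00 1234"}), t0, duration_days=180, history_days=90)
    results = [
        ("in window", *authorize_transactions(c, "FI00 1234", t0 + 10 * day, t0 + 20 * day, now=t0 + 30 * day)),
        ("too old", *authorize_transactions(c, "FI00 1234", t0 - 100 * day, t0, now=t0 + 30 * day)),
        ("too old, fresh SCA", *authorize_transactions(c, "FI00 1234", t0 - 100 * day, t0, now=t0 + 30 * day, fresh_sca=True)),
        ("other account", *authorize_transactions(c, "FI00 9999", t0, t0 + day, now=t0 + 30 * day)),
        ("expired", *authorize_transactions(c, "FI00 1234", t0 + 170 * day, t0 + 179 * day, now=t0 + 181 * day)),
    ]
    c.revoke(t0 + 40 * day)
    results.append(("revoked", *authorize_transactions(c, "FI00 1234", t0 + 30 * day, t0 + 39 * day, now=t0 + 45 * day)))
    return results


if __name__ == "__main__":
    for name, ok, reason in demo():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

The check is deliberately ordered so that revocation and expiry are evaluated before scope and account membership: a revoked or expired consent must fail regardless of what was requested, which is what "the consent duration is checked during every authorization" implies. Note that `account_ids` is never extended after creation; an account opened later is simply not in the set, matching the answer that a new consent is the only way to cover it.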
Q:
Is it only the PSU who can adjust this, or can anything be done on the TPP side to limit the consent without putting that burden on the PSU? Is it possible to skip the entire AIS (account information service) step before initiating a payment, making it a PIS-only flow for the PSU?
A:
In this case it's recommended to use the Single SCA payment flows:
PIS API scenarios for Single SCA
Q:
Do Nordea PIS APIs allow PIS-only flows, where AIS is skipped and the PSU does not need to give consent for continuous access to account information at all when initiating a payment?
A:
The Single SCA flow is PIS-only, with one-time access.
Q:
Is an external API for checking consent status available?
A:
At present, it is not.
Q:
Do you support more than one active consent per client? Can a customer have multiple active consents at the same time?
A:
Yes, there can be many active consents at the same time.
Q:
Does a new consent invalidate a previous one?
A:
A new consent does not invalidate a previous one.
Q:
If a PSU account is created after the consent was granted, is it expected behaviour that the new account does not appear in the API GET /accounts response?
A:
Yes. The only way to include the new account is to create a new consent.