Open banking consent refers to the explicit permission given by a customer or account holder to a third-party provider (TPP) to access their financial data from a bank or financial institution.
Consent is a fundamental principle of open banking that ensures the protection of customer data and privacy. It places the control over data sharing in the hands of the customer, empowering them to decide which TPPs can access their financial information and for what purposes. By granting consent, customers allow TPPs to retrieve their account data, such as transaction history, account balances, and other relevant financial details, from their bank.
Consent is agreed between the Resource Owner (customer) and the Client (TPP). It covers what data is to be shared, what services are to be performed on the Resource Owner's behalf, for how long, and for what purpose. Once agreed, some of this information is used to start the Access Authorization flow through the Access Authorization API.
Open banking frameworks and regulations, such as the Revised Payment Services Directive (PSD2) in Europe, typically mandate that consent must be explicit, informed, and freely given. This means that customers must be fully aware of the data being accessed, the TPPs requesting access, and the specific services they are providing. Additionally, customers have the right to revoke or withdraw their consent at any time, giving them greater control and transparency over their financial information.
According to European Banking Authority (EBA) rules, AIS access tokens provided from 25 July 2023 onwards will have a default (maximum) duration of 180 days instead of 90 days. The consent duration is checked during every authorization, and the change applies to all redirect and decoupled Access Authorization flows, for all customer segments, in all the Nordic countries (Denmark, Finland, Norway and Sweden).
The consent duration change is introduced in Nordea API Market and Sandbox:
where you can learn more about it and try it out. The change will be released in the Production environment on 25 July 2023. Please refer to our newsletter:
Note: Existing AIS consents created before 25 July 2023 will remain valid for a maximum of 90 days, while those created from 25 July 2023 onwards will be valid for 180 days by default (maximum).
FAQ (Production environment):
- How many days of transactions can be retrieved directly after the consent has been created, or via a separate authorization from the PSU (payment service user)?
Max 180 days, or according to what a TPP (third party provider) has agreed with a PSU.
- How many days of transactions can be retrieved at a later point in time when a PSU is not present?
Max 180 days, or according to what a TPP has agreed with a PSU.
- If a transaction ID is provided by a Nordea API, is it consistent within a session (access token), a consent or forever?
Internal transaction IDs are in fact exposed externally and could change if or whenever Nordea rearranges its systems' integrations. They should not be considered lasting or globally unique for tracing or data-mining purposes, as we issue no guarantees in this regard.
- Is it possible for the PSU to revoke a consent via their online banking portal?
It is not possible to revoke a consent via the online banking portal at this time.
- Is it possible for a TPP to revoke a consent via a Nordea API?
Yes, it is possible to revoke a consent after it has been given. Please refer to our documentation for further details:
- Can a lifetime of a consent be changed by the PSU during an SCA (strong customer authentication) flow?
The lifetime of a consent is fixed when it is created and cannot be changed during the SCA flow; to end it earlier, it must be explicitly revoked. If not revoked explicitly, the consent lives for its full duration, by default 180 days.
- Is a PSU able to change a scope (e.g., accounts, balances, transactions) of a consent during/after an SCA flow?
The PSU is not able to change the scope for an existing consent. If changes to scopes are desired, a new authentication flow is required to be completed with these new scopes.
- Can a PSU decide individually, per account, whether to share that account, or is an “all or nothing” approach applied?
There is an option in the authentication flow as to which accounts a given consent applies:
- Why is there no duration and scope information on the consent page?
It is a legal requirement not to present this information on the consent page in order to stay compliant with EBA (European Banking Authority) rules.
- Do Nordea APIs support granular/detailed consents in order to limit access to transaction data as much as possible for the PSU during PIS (payment initiation service)?
Yes, the customers can limit the consents given to TPPs. During the authorization process customers can set the duration, max transaction history, scopes and select accounts or cards they want to grant access to:
- Is it only possible for the PSU to adjust that, or can the TPP do anything to limit the consent and avoid putting that burden on the PSU? Is it possible to skip the entire AIS (account information service) step before initiating a payment, to make it a PIS-only flow for the PSU?
In this case it's recommended to use the Single SCA payment flows:
- Is there a way that Nordea PIS APIs allow for PIS-only flows, where AIS is skipped and the PSU does not need to give consent for continuous access to account information at all when initiating a payment?
The Single SCA flow is PIS only, with one-time access.
- Is an external API for checking consent status available?
At present, it is not.
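Because there is no external consent-status API, a TPP has to track the state of each consent itself. The following is an added example, not Nordea's own code or API, of a small TPP-side consent ledger that encodes the rules stated on this page: the 90-day maximum for consents created before 25 July 2023 and the 180-day default (maximum) from that date onwards, a shorter lifetime agreed with the PSU, the 180-day transaction-history window, the rule that the scope of an existing consent cannot be widened without a new authorization flow, and TPP-initiated revocation. The `Consent` class, its field names, the account identifiers and the decision strings are assumptions for illustration; the real consent object and revocation endpoint are documented elsewhere and are not shown on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, Optional

# Day counts and the cut-over date are the ones stated on the page; everything
# else in this block is illustrative and not Nordea's implementation.
EBA_CUTOVER = date(2023, 7, 25)   # consents created from this date get the new maximum
OLD_MAX_DAYS = 90                 # maximum lifetime for consents created before the cut-over
NEW_MAX_DAYS = 180                # default (maximum) lifetime from the cut-over onwards
MAX_HISTORY_DAYS = 180            # maximum transaction history retrievable under a consent


def max_consent_days(created: date) -> int:
    """Regulatory maximum lifetime, in days, for a consent created on `created`."""
    return NEW_MAX_DAYS if created >= EBA_CUTOVER else OLD_MAX_DAYS


def earliest_transaction_date(today: date, agreed_history_days: Optional[int] = None) -> date:
    """Oldest booking date a TPP may ask for: 180 days back, or less if a shorter
    history was agreed with the PSU (never more than the 180-day maximum)."""
    days = MAX_HISTORY_DAYS
    if agreed_history_days is not None:
        days = min(days, agreed_history_days)
    return today - timedelta(days=days)


@dataclass
class Consent:
    """Hypothetical TPP-side record of one AIS consent (not Nordea's consent object)."""
    consent_id: str
    created: date
    scopes: FrozenSet[str]              # e.g. {"accounts", "balances", "transactions"}
    accounts: FrozenSet[str]            # accounts the PSU chose to share in the SCA flow
    agreed_days: Optional[int] = None   # shorter lifetime agreed with the PSU, if any
    revoked_on: Optional[date] = None   # set when the TPP revokes via the API

    def expires(self) -> date:
        """First day on which the consent is no longer usable: the regulatory
        maximum, capped by any shorter lifetime agreed with the PSU."""
        days = max_consent_days(self.created)
        if self.agreed_days is not None:
            days = min(days, self.agreed_days)
        return self.created + timedelta(days=days)

    def status(self, today: date) -> str:
        if self.revoked_on is not None and self.revoked_on <= today:
            return "revoked"
        if today >= self.expires():
            return "expired"
        return "active"

    def revoke(self, on: date) -> None:
        """Record a TPP-initiated revocation. With no consent-status API, this
        local ledger is the only place the TPP can look the state up later."""
        self.revoked_on = on


def authorize_ais_call(consent: Consent, today: date,
                       scopes: Iterable[str], accounts: Iterable[str]) -> str:
    """Gate an AIS request against the stored consent before calling the bank.

    Returns "ok", "expired", "revoked" or "new_flow_required". The last one
    covers any scope or account not in the original consent: the scope of an
    existing consent cannot be changed, so the TPP must run a new
    authorization flow rather than retry with a wider request.
    """
    state = consent.status(today)
    if state != "active":
        return state
    if not set(scopes) <= consent.scopes or not set(accounts) <= consent.accounts:
        return "new_flow_required"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a consent granted after the cut-over for two accounts.
    c = Consent("c-1", date(2023, 8, 1), frozenset({"accounts", "transactions"}),
                frozenset({"FI00", "FI01"}))
    print(c.expires())                                                          # 2024-01-28
    print(authorize_ais_call(c, date(2023, 9, 1), ["transactions"], ["FI00"]))  # ok
    print(authorize_ais_call(c, date(2023, 9, 1), ["balances"], ["FI00"]))      # new_flow_required
    print(authorize_ais_call(c, date(2024, 2, 1), ["transactions"], ["FI00"]))  # expired
```

The check runs before every AIS request rather than only at login, because the page states that consent duration is verified on every authorization; a TPP that keys off "last successful call" will otherwise hit the 90/180-day boundary with a request that fails at the bank.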