Collect user consent

Learn how to create your own consent collection screen to get user consent when you're using TrueLayer's licences.

Regulatory requirements

This article talks about collecting user consent when TrueLayer is the AISP by creating your own consent screen within your application. Explicit consent is a regulatory requirement for Account Information Service Providers (AISPs) to obtain under PSD2 in the UK and EU.

If you are regulated to provide AIS in the UK or EU, you must collect consent from the user yourself. You can use this article as guidance for your copy and designs, but collecting explicit consent is ultimately your regulatory responsibility.

If you are not regulated to provide AIS in the UK or EU, you can use TrueLayer’s auth dialog, which you can configure within Console.

Alternatively, you can design your own dialog. However, you must ensure you state that TrueLayer collects the consent, and include the wording detailed on this page. TrueLayer must review the screens to ensure they're compliant.

Reconfirmation of consent

When a user reconfirms consent to extend their connection to an application, the same principles about collecting consent on this page apply. We recommend you build your own reconfirmation consent screen.

Before you develop your consent flow

If you want to implement your own auth flow within which the user provides explicit consent to TrueLayer, please reach out to us before you begin development to discuss your use case. This feature is disabled by default. To create a screen for user consent collection:

  1. Speak to TrueLayer for guidance on the best integration for your use case.
  2. Follow the instructions in this article to implement your consent screens.
  3. Contact us so we can review your screens and enable your client_id.
    If you're submitting your reconfirmation UX for review, complete this form to submit the UX for review.

When you create your own auth flow, the user stays within your app. This is a better UX, particularly on mobile. Users move from your app to their bank app seamlessly.

The user_has_granted_consent object tracks how you are collecting consent: whether you are regulated and collecting it yourself, or TrueLayer is collecting consent for you.

If you are using your own consent flow, set consent_granted to true, and provide a consent_id (this can be any alphanumeric string) alongside it.

If you are using TrueLayer's consent flow, set consent_granted to false.

Creating a UI where TrueLayer collects consent

[Image: Example consent screen mobile flow]

In the UK and EU, if you are not regulated to provide Account Information Services, then TrueLayer must obtain explicit consent from the user. You need to follow the instructions in this page and ensure that the mandatory wording is added within your own UI. This is to make sure your users are giving properly informed consent.

In this section, we provide the exact copy we use in our own auth dialog.

  • If you have your own AIS licence(s), then you can treat this as guidance or a jumping-off point. The provided copy is compliant: should you choose to deviate from this, you're responsible for making sure that you are compliant.

  • If you don't have your own AIS licence(s), then you must:

    • Include this copy precisely.
    • Submit your UIs for review, to get the ability to collect consent.

Ensure that you add the following sections to your consent screen:

This copy is written in markdown. When using the mandatory copy, make sure to use the exact formatting included. Bold text is represented as **bold text**. Check the text in the following sections to get the required consent language (with correct formatting) for unregulated clients and agents of TrueLayer.

Consent header

This copy must inform the user who they are granting permission to and how long their data will be accessed. The duration is determined by whether you use the offline_access scope. If you use this scope, duration is "90 days". Otherwise it's "one off" or "one time".

Where TrueLayer collects consent (unregulated clients and agents):

# Connect your account

{{client name}}’s partner, TrueLayer, would like {{duration}} access to your {{bank name}} account details.

Where you are regulated and collect consent yourself:

# Connect your account

{{client name}} would like {{duration}} access to your {{bank name}} account details.

Consent body

This copy must inform the user what their data is being accessed for (your use case) and what data categories are being accessed. In addition, we recommend including additional copy explaining more about the open banking process to the user to gain their trust and improve conversion.

Where TrueLayer collects consent, UK (FCA-regulated entity):

# What details am I sharing?

To {{use case description}}, TrueLayer need permission to access the following information and share it with {{client name}}.

* **{{data category 1 e.g. Full Name}}**
* **{{data category 2 e.g. Balance}}**

TrueLayer are FCA-regulated, and won’t share or use your personal data for anything else.

To keep your information secure, TrueLayer connects to your account using bank-grade encryption.

<button>Allow</button>

Where TrueLayer collects consent, EU (entity regulated by the Central Bank of Ireland):

# What details am I sharing?

To {{use case description}}, TrueLayer need permission to access the following information and share it with {{client name}}.

* **{{data category 1 e.g. Full Name}}**
* **{{data category 2 e.g. Balance}}**

TrueLayer are regulated by the Central Bank of Ireland, and won’t share or use your personal data for anything else.

To keep your information secure, TrueLayer connects to your account using bank-grade encryption.

<button>Allow</button>

Where you are regulated and collect consent yourself:

# What details am I sharing?

To {{use case description}}, {{client name}} needs your permission to access the following information:

**{{scope 1 e.g. Full Name}}**
**{{scope 2 e.g. Balance}}**

We won’t share or use your personal data for anything else.

To keep your information secure, we connect to your account using bank-grade encryption.

<button>Allow</button>

The scopes you select must dictate which data categories you include in your consent screen. Use the table below to compose the appropriate list of data categories for your use case.

Data category         Scopes                                        Recommended copy
Personal information  info                                          Full name
Account information   accounts, cards                               Account number and sort code
Balances              balance                                       Balance
Transactions          transactions, standing_orders, direct_debits  Transactions, direct debits and standing orders (delete as appropriate)

Consent footer

All clients must include TrueLayer's terms and conditions and privacy policy in the footer. If you are an agent of TrueLayer UK, be sure to make this clear in the footer too.

Unregulated clients (TrueLayer collects consent):

By choosing ‘Allow’, you agree to TrueLayer’s Terms of Service [ToS link] and Privacy Policy [PP link]

Agents of TrueLayer (UK):

{{client name}} is an agent of TrueLayer. By choosing ‘Allow’, you agree to TrueLayer’s Terms of Service [ToS link] and Privacy Policy [PP link]

Regulated clients collecting consent themselves:

By choosing ‘Allow’, you agree to {{client name}}’s Terms of Service [ToS link] and Privacy Policy [PP link]
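The sections above leave the developer to derive three things from the requested scopes: the access duration in the header (driven by offline_access), the data-category list in the body (from the scope table, with the transactions copy trimmed "as appropriate"), and which header, body and footer variant to show. The following is an added example, not TrueLayer's own code, that composes the screen copy from a scope set and also builds the user_has_granted_consent object described earlier on this page. The copy strings and the scope table are taken from this page; the function names, the `variant` values ("uk", "eu", "regulated"), the rule of keeping only the selected transaction types in the combined copy, and the exact field layout of the consent object are assumptions.

```python
"""Compose a consent screen and the consent object from the requested scopes.

Added example; not TrueLayer's code. Copy strings and the scope table come
from this page; function names, `variant` values, the transactions-copy
trimming rule and the consent object's field layout are assumptions.
"""
import re

# Scope -> recommended copy, from the table on this page. `accounts` and
# `cards` share one data category, so their copy is de-duplicated below.
SCOPE_COPY = {
    "info": "Full name",
    "accounts": "Account number and sort code",
    "cards": "Account number and sort code",
    "balance": "Balance",
}
# The transaction-type scopes share the copy "Transactions, direct debits
# and standing orders (delete as appropriate)"; each part is kept only if
# its scope was requested (assumed reading of "delete as appropriate").
TRANSACTION_COPY = [
    ("transactions", "Transactions"),
    ("direct_debits", "direct debits"),
    ("standing_orders", "standing orders"),
]


def join_english(parts):
    """'a', 'a and b', 'a, b and c' (no serial comma, matching the page's copy)."""
    if len(parts) <= 1:
        return "".join(parts)
    return ", ".join(parts[:-1]) + " and " + parts[-1]


def duration_for(scopes):
    """Per the page: offline_access means "90 days" access, otherwise one-off."""
    return "90 days" if "offline_access" in scopes else "one-off"


def data_categories(scopes):
    """Ordered, de-duplicated data-category copy for the selected scopes."""
    out = []
    for scope, copy in SCOPE_COPY.items():
        if scope in scopes and copy not in out:
            out.append(copy)
    chosen = [label for scope, label in TRANSACTION_COPY if scope in scopes]
    if chosen:
        phrase = join_english(chosen)
        out.append(phrase[0].upper() + phrase[1:])
    return out


def consent_params(collecting_consent_yourself, consent_id=None):
    """Build the user_has_granted_consent object described on this page.

    Regulated clients set consent_granted to true with an alphanumeric
    consent_id; clients on TrueLayer's consent flow set it to false.
    The dict layout is an assumption; check the API reference.
    """
    if not collecting_consent_yourself:
        return {"consent_granted": False}
    if not consent_id or not re.fullmatch(r"[A-Za-z0-9]+", consent_id):
        raise ValueError("consent_id must be a non-empty alphanumeric string")
    return {"consent_granted": True, "consent_id": consent_id}


def render_consent_screen(variant, client_name, bank_name, use_case, scopes, agent=False):
    """Render header, body and footer copy as markdown.

    variant: "regulated" (you hold an AIS licence), "uk" or "eu" (TrueLayer
    collects consent via its FCA- or CBI-regulated entity). `agent` adds the
    agent-of-TrueLayer footer wording.
    """
    duration = duration_for(scopes)
    categories = data_categories(scopes)
    if variant == "regulated":
        bullets = "\n".join(f"**{c}**" for c in categories)
        return (
            "# Connect your account\n\n"
            f"{client_name} would like {duration} access to your {bank_name} account details.\n\n"
            "# What details am I sharing?\n\n"
            f"To {use_case}, {client_name} needs your permission to access the following information:\n\n"
            f"{bullets}\n\n"
            "We won’t share or use your personal data for anything else.\n\n"
            "To keep your information secure, we connect to your account using bank-grade encryption.\n\n"
            "<button>Allow</button>\n\n"
            f"By choosing ‘Allow’, you agree to {client_name}’s Terms of Service [ToS link] and Privacy Policy [PP link]"
        )
    regulator = {
        "uk": "TrueLayer are FCA-regulated",
        "eu": "TrueLayer are regulated by the Central Bank of Ireland",
    }[variant]  # an unknown variant raises KeyError on purpose
    bullets = "\n".join(f"* **{c}**" for c in categories)
    footer = "By choosing ‘Allow’, you agree to TrueLayer’s Terms of Service [ToS link] and Privacy Policy [PP link]"
    if agent:
        footer = f"{client_name} is an agent of TrueLayer. " + footer
    return (
        "# Connect your account\n\n"
        f"{client_name}’s partner, TrueLayer, would like {duration} access to your {bank_name} account details.\n\n"
        "# What details am I sharing?\n\n"
        f"To {use_case}, TrueLayer need permission to access the following information and share it with {client_name}.\n\n"
        f"{bullets}\n\n"
        f"{regulator}, and won’t share or use your personal data for anything else.\n\n"
        "To keep your information secure, TrueLayer connects to your account using bank-grade encryption.\n\n"
        "<button>Allow</button>\n\n" + footer
    )


if __name__ == "__main__":
    # Constructed sample: an unregulated UK client requesting a one-off read.
    scopes = {"info", "accounts", "balance", "transactions", "direct_debits"}
    print(render_consent_screen("uk", "Example App", "Example Bank", "verify your income", scopes))
    print(consent_params(False))
```

Running the sample prints the UK variant with "one-off" in the header, a de-duplicated category list ending in "Transactions and direct debits", and the TrueLayer footer; switching the scope set to include offline_access changes only the duration. Keeping the copy in one place like this makes the review step easier, because the exact wording submitted to TrueLayer is the wording the app renders.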

Terms of Service and Privacy Policy

It's important to include links to the appropriate terms of service and privacy policy documents. The link you must include in the consent page is determined by the country of the provider the user has selected.

Agents of TrueLayer (UK)

If you are an appointed agent of TrueLayer then you must include the regulatory disclosure below in several places:

  • In the footer of your website (terms and conditions alone are not sufficient).
  • In your Google Play Store app listing description (if applicable).
  • In your Apple App Store app listing description (if applicable).

Regulatory disclosure for agents

{{your company name}} is acting as an agent of TrueLayer, who is providing the regulated Account Information Service, and is Authorised and Regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (Firm Reference Number: 901096)