Collect user consent

Learn how to create your own consent collection screen to get user consent when you're using TrueLayer's licences.


This feature is optional. You can choose to let our Auth Dialog handle user consent.

Our Auth Dialog feature handles user consent. You can also choose to collect user consent by creating your own consent collection screen. If you have your own AIS licence(s), you can collect consent from the user.

This page talks about collecting user consent when you're using TrueLayer's licences by creating your own screen.

This feature is disabled by default. To create a screen for user consent collection:

  1. Follow the instructions to implement your consent screens.
  2. Contact us so we can review your screens and enable your client_id.

When you collect user consent yourself, the user stays within your app for more of the authentication flow. Instead of relying on the auth dialog to collect consent, you pass a consent_id you've created that represents the consent you collected from the user; this skips the auth dialog's consent collection UI.

Regulations on consent collection


Collecting user consent is a regulated activity. These regulations are upheld by the Financial Conduct Authority (FCA) in the UK and by the financial regulators of EU member states. For example, to conduct AIS in the EU, TrueLayer uses a licence awarded by the Central Bank of Ireland (CBI). You can learn more about regulation in our Help Centre article.

If you rely on TrueLayer's licences, then TrueLayer must be the legal entity collecting consent. You need to follow the instructions in this page to do so within your own UI. We will periodically review your implementation of the consent collection UI. This is to make sure your users are giving properly informed consent.

Note that we will first advise you when we see areas for improvement, and we ultimately reserve the right to ask you to use the auth dialog to collect consent if your screens fall short of our standards for PSD2 requirements.

Customise the UI

Below is the exact copy we use in our own auth dialog.

  • If you have your own AIS licence(s), you can treat this as guidance or a starting point. You are responsible for making sure that you are compliant.

  • If you do not have your own AIS licence(s), then you must:

    • Include this copy precisely
    • Submit your UIs for review to get the ability to collect consent.

Make sure to add the following four distinct sections to your consent screen: consent language, how it works, what data is shared, and how the data is used.

This copy is written in markdown. When using the mandatory copy, make sure to use the exact formatting included. Bold text is represented as **bold text**.

Consent language

If you are an agent of TrueLayer, check that you make this clear in your consent copy. Check the text in the following tabs to get the required consent language (with correct markdown formatting) for unregulated clients and agents of TrueLayer, for UK and EU providers respectively.

UK, unregulated client:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/enduser_tos/) and [Privacy policy](https://truelayer.com/privacy/).

UK, agent of TrueLayer:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

{{client name}} is an agent of TrueLayer. By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/enduser_tos/) and [Privacy policy](https://truelayer.com/privacy/).

EU, unregulated client:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/en-ie/enduser_tos) and [Privacy policy](https://truelayer.com/en-ie/privacy).

EU, agent of TrueLayer:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

{{client name}} is an agent of TrueLayer. By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/en-ie/enduser_tos) and [Privacy policy](https://truelayer.com/en-ie/privacy).

How does this work?

Make sure to reference the correct TrueLayer entity depending on where in the world you're accessing data from. Check the text in the following tabs to get the correct information for UK and EU providers respectively.

UK providers:

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise access to your account data.

TrueLayer uses bank-grade encryption to connect to your bank.

Your login details are never shared with {{client name}} or third parties.

TrueLayer is authorised and regulated by the Financial Conduct Authority. FRN 901096

EU providers:

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise access to your account data.

TrueLayer uses bank-grade encryption to connect to your bank.

Your login details are never shared with {{client name}} or third parties.

TrueLayer Ireland is authorised by the Central Bank of Ireland, reference number C433487.

What data am I sharing?

Depending on which scopes you include in your request to TrueLayer, you must inform the user which categories of data you're asking them to share. List one item per scope you request.

TrueLayer will share this data with {{client name}}: 

- {{scope 1 eg. accounts}}
- {{scope 2 eg. balance}}

Your data will only be shared with {{client name}}.

How is my data used?

You have to include a plain English explanation of what you'll do with the user's data.

Depending on whether you request the offline_access scope, you have to inform the user how long you'll have access to their data. Check the following tabs for the exact information you need to give the user, depending on the length of access (one-time only, or ongoing access with offline_access).

One-time access:

{{client name}} will use your data to {{explanation of how you'll use the data}}.

{{client name}} will only get one-time access to your data.

Ongoing access:

{{client name}} will use your data to {{explanation of how you'll use the data}}.

You can ask {{client name}} to stop accessing your data at any time.

What is the consent_id?

The consent_id is a unique identifier for a record you create and store when the user provides consent to share their data. You have to pass this value in the consent_id request body parameter when you make an API call to generate a direct bank auth link.

When you collect consent and generate this identifier, you should store enough information to produce evidence that the user provided informed, explicit consent. This could include a range of data available in your application, but should at least include:

  • date and time
  • unique user identifier, session id, IP address and/or device fingerprint
  • the list of data the user agreed to share (you can store the scopes you include in your API call to generate the direct bank auth link)
  • a reference to the UI presented to the user (this could be a build number, the UI copy, or a screen capture of the consent screen; something that allows you to retrospectively reference the copy the user was presented with prior to granting consent)
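The following is an added example, not TrueLayer's own code, that ties the two preceding sections together: it renders the scope-dependent "What data am I sharing?" and "How is my data used?" copy (selecting the one-time or ongoing wording from the offline_access scope), then stores a consent record under a freshly generated consent_id with the evidence fields listed above. CONSENT_STORE, the function names and the sample values are assumptions for illustration.

```python
# Added example, not TrueLayer's own code: build the scope-dependent consent
# copy and record a consent_id with the evidence listed on this page.
# CONSENT_STORE is a stand-in for your own database; sample values are constructed.
import hashlib
import uuid
from datetime import datetime, timezone

CONSENT_STORE: dict[str, dict] = {}


def render_data_sections(client_name: str, scopes: list[str], purpose: str) -> str:
    """Render the 'What data am I sharing?' and 'How is my data used?' copy.
    One-time vs ongoing wording is selected by the offline_access scope."""
    data_scopes = [s for s in scopes if s != "offline_access"]  # not a data category
    lines = [f"TrueLayer will share this data with {client_name}:", ""]
    lines += [f"- {s}" for s in data_scopes]
    lines += ["", f"Your data will only be shared with {client_name}.", ""]
    lines.append(f"{client_name} will use your data to {purpose}.")
    if "offline_access" in scopes:
        lines.append(f"You can ask {client_name} to stop accessing your data at any time.")
    else:
        lines.append(f"{client_name} will only get one-time access to your data.")
    return "\n".join(lines)


def record_consent(user_id: str, session_id: str, ip: str, scopes: list[str],
                   ui_copy: str, ui_build: str) -> str:
    """Store the consent record and return the consent_id to pass when
    generating the direct bank auth link. Hashing the rendered copy with the
    build number lets you later show exactly what the user was presented."""
    consent_id = str(uuid.uuid4())
    CONSENT_STORE[consent_id] = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "session_id": session_id,
        "ip": ip,
        "scopes": sorted(scopes),
        "ui_build": ui_build,
        "ui_copy_sha256": hashlib.sha256(ui_copy.encode("utf-8")).hexdigest(),
    }
    return consent_id


def auth_link_scopes(consent_id: str) -> list[str]:
    """Scopes to send alongside consent_id: read back from the record so the
    auth link request can never ask for more than the user agreed to."""
    return list(CONSENT_STORE[consent_id]["scopes"])
```

Reading the scopes back from the stored record, rather than from the request that triggered the screen, is what keeps the auth link request and the evidenced consent in step.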
