Collect user consent (AISPs)

Learn how to create your own consent collection screen to get user consent when you're using TrueLayer's licences.

Regulatory requirements

This article explains how to collect user consent, when TrueLayer is the AISP, by creating your own consent screen within your application. Under PSD2 in the UK and EU, and under CDR in Australia, Account Information Service Providers (AISPs) are required to obtain explicit consent.

If you are regulated to provide AIS in the UK or EU, you must collect consent from the user yourself. You can use this article as guidance for your copy and designs, but collecting explicit consent is ultimately your regulatory responsibility.

If you are not regulated to provide AIS in the UK or EU, you can use TrueLayer’s auth dialog, which you can configure within Console. Alternatively, you can design your own dialog.

Reconfirmation of consent

When a user reconfirms consent to extend their connection to an application, the same principles about collecting consent on this page apply. We recommend you build your own reconfirmation consent screen.

Before you develop your consent flow

If you want to implement your own auth flow within which the user provides explicit consent to TrueLayer, please reach out to us before you begin development to discuss your use case. This feature is disabled by default. To create a screen for user consent collection:

  1. Consult with TrueLayer for guidance on the best integration for your use case.
  2. Follow the instructions in this article to implement your consent screens.
  3. Contact us so we can review your screens and enable your client_id.
    If you're submitting your reconfirmation UX for review, complete this form.

When you create your own auth flow, the user stays within your app. This is a better UX, particularly on mobile. Users move from your app to their bank app seamlessly.

Agents of TrueLayer (UK)

If you are an appointed agent of TrueLayer, then you must include a regulatory disclosure on your website:

{{your company name}} is acting as an agent of TrueLayer, who is providing the regulated Account Information Service, and is Authorised and Regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (Firm Reference Number: 901096)

Creating a UI where TrueLayer collects consent

Example consent screen mobile flow

In the UK and EU, if you are not regulated to provide Account Information Services, then TrueLayer must obtain explicit consent from the user. You need to follow the instructions on this page and ensure that the mandatory wording is added within your own UI. This is to make sure your users are giving properly informed consent.

In this section, we provide the exact copy we use in our own auth dialog.

  • If you have your own AIS licence(s), you can treat this as guidance or a jumping-off point. You're responsible for making sure that you are compliant.

  • If you don't have your own AIS licence(s), then you must:

    • Include this copy precisely.
    • Submit your UIs for review, to get the ability to collect consent.

Ensure that you add the following four distinct sections to your consent screen:

This copy is written in markdown. When using the mandatory copy, make sure to use the exact formatting included. Bold text is represented as **bold text**.

Consent language

If you are an agent of TrueLayer in the UK, check that you make this clear in your consent copy. Check the text in the following tabs to get the required consent language (with correct formatting) for unregulated clients and agents of TrueLayer.

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button> 

By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/enduser_tos/) and [Privacy policy](https://truelayer.com/privacy/).

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button> 

{{client name}} is an agent of TrueLayer. By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/enduser_tos/) and [Privacy policy](https://truelayer.com/privacy/).

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button> 

By continuing you agree to TrueLayer Ireland’s [Terms of Service](https://truelayer.com/en-ie/enduser_tos) and [Privacy policy](https://truelayer.com/en-ie/privacy).

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button> 

{{client name}} is an agent of TrueLayer. By continuing you agree to TrueLayer Ireland’s [Terms of Service](https://truelayer.com/en-ie/enduser_tos) and [Privacy policy](https://truelayer.com/en-ie/privacy).

{{client name}} uses TrueLayer to collect your account data

<button>Allow</button>

{{client name}} needs your permission to access your account data

<button>Allow</button>

Localised Terms of Service and Privacy Policy

For unregulated clients using EU providers, we offer localised variants of the Terms of Service and Privacy Policy documents in the following languages:

How does this work?

Make sure to reference the correct TrueLayer entity depending on where in the world you're accessing data from. Check the text in the following tabs to get the correct information for UK and EU providers respectively.

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise access to your account data. 

TrueLayer uses bank-grade encryption to connect to your bank.

Your login details are never shared with {{client name}} or third parties.

TrueLayer is authorised and regulated by the Financial Conduct Authority. FRN 901096

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise access to your account data.

TrueLayer uses bank-grade encryption to connect to your bank.

Your login details are never shared with {{client name}} or third parties.

TrueLayer Ireland is authorised by the Central Bank of Ireland, reference number C433487.

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise collection of your banking data.

TrueLayer uses bank-grade encryption to connect to your bank and will never ask for your banking password.

Your login details are never shared with {{client name}} or third parties.

{{client name}} is a CDR representative of TrueLayer. Accreditation ID: ADRBNK000274

What data am I sharing?

Depending on which scopes you include in your request to TrueLayer, you must inform the user which categories of data you're asking them to share.

TrueLayer will share this data with {{client name}}: 

- {{scope 1 eg. accounts}}
- {{scope 2 eg. balance}}

Your data will only be shared with {{client name}}.

How is my data used?

You have to include a plain English explanation of what you'll do with the user's data.

The consent UI must inform the user how long their data will be accessed and who it will be shared with. Check the following tabs for the exact information the user must receive, depending on the length of the access time (one time only and ongoing access).

{{client name}} will use your data to {{explanation of how you'll use the data}}.

{{client name}} will only get one-time access to your data.

{{client name}} will use your data to {{explanation of how you'll use the data}}.

You can ask {{client name}} to stop accessing your data at any time.

{{client name}} needs to access your data for {{access duration}}. They will use your data to {{data use}}.

Supporting parties:
TrueLayer
Accreditation ID: ADRBNK000274
View TrueLayer's CDR policy

Data handling:
Your data will be deleted when it is no longer needed to provide you with this service, or when you stop data sharing, unless there is a legal reason to retain it.

Manage your data sharing:
You can stop data sharing at any time through the app or via your bank.
You can also notify {{client name}} via email to stop data sharing at {{client email address}}.

{{Client name}} may not be able to {{data use}} when you stop sharing your data.

We need this data so we can {{data use}} and will have access to your data for {{access duration}}. We use the following parties to assist with accessing your data:

Supporting parties:
TrueLayer
Accreditation ID: ADRBNK000274
View TrueLayer's CDR policy

Data handling:
We will delete your data when we no longer need it in order to provide you with this service, or when you stop data sharing, unless there is a legal reason to retain it.

Manage your data sharing:
You can stop data sharing at any time through the app or via your bank.
You can also notify us via email to stop data sharing at {{client email address}}.

We may not be able to {{data use}} when you stop sharing your data.
