Collect user consent (AISPs)

Learn how to create your own consent collection screen to get user consent when you're using TrueLayer's licences.

🚧

This article talks about collecting user consent when TrueLayer is the AISP by creating your own consent screen within your application. Explicit Consent is a regulatory requirement for Account Information Service Providers (AISPs) to obtain under PSD2 in the UK and EU. This is also a regulatory requirement for AISPs to obtain under CDR in Australia.

We strongly recommend you use our Auth Dialog to manage collecting consent.

If you are regulated to provide AIS in the UK or EU, you must collect consent from the user yourself. You can use this article as guidance for your copy and designs, but collecting explicit consent is ultimately your regulatory responsibility.

If you are not regulated to provide AIS in the UK or EU, we strongly recommend using TrueLayer’s auth dialog.

If you would like to implement your own auth flow within which the user provides explicit consent to TrueLayer, please reach out to us before you begin development to discuss your use case. This feature is disabled by default. To create a screen for user consent collection:

  1. Consult with TrueLayer - it's almost always a better option to use our auth dialog rather than rolling your own UI
  2. Follow the instructions in this article to implement your consent screens
  3. Contact us so we can review your screens and enable your client_id

When you create your own auth flow, the user stays within your app. This is a better UX, particularly on mobile. Users move from your app to their bank app seamlessly.

Instead of relying on the auth dialog to collect consent, you must pass a consent_id you've created that represents the consent provided by the user in order to skip the auth dialog's consent collection UI.

Agents of TrueLayer (UK)

If you are an appointed agent of TrueLayer, then you must include the following regulatory disclosure on your website:

{{your company name}} is acting as an agent of TrueLayer, who is providing the regulated Account Information Service, and is Authorised and Regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (Firm Reference Number: 901096)

Creating a UI where TrueLayer collects consent

Example consent screen mobile flow

🚧

In the UK and EU, if you are not regulated to provide Account Information Services, then TrueLayer must obtain explicit consent from the user. You need to follow the instructions on this page and ensure that the mandatory wording is added within your own UI. This is to make sure your users are giving properly informed consent.

The copy below is the exact copy we use in our own auth dialog.

  • If you have your own AIS license(s) you can treat this as guidance or a jumping off point. You are responsible for making sure that you are compliant.

  • If you do not have your own AIS license(s), then you must:

    • Include this copy precisely
    • Submit your UIs for review, to get the ability to collect consent.

Make sure to add the following four distinct sections to your consent screen:

This copy is written in markdown. When using the mandatory copy, make sure to use the exact formatting included. Bold text is represented as **bold text**.

Consent language

If you are an agent of TrueLayer in the UK, check that you make this clear in your consent copy. Check the text in the following tabs to get the required consent language (with correct formatting) for unregulated clients and agents of TrueLayer.

UK, not regulated:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/enduser_tos/) and [Privacy policy](https://truelayer.com/privacy/).

UK, agent of TrueLayer:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

{{client name}} is an agent of TrueLayer. By continuing you agree to TrueLayer’s [Terms of Service](https://truelayer.com/enduser_tos/) and [Privacy policy](https://truelayer.com/privacy/).

EU (TrueLayer Ireland), not regulated:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

By continuing you agree to TrueLayer Ireland’s [Terms of Service](https://truelayer.com/en-ie/enduser_tos) and [Privacy policy](https://truelayer.com/en-ie/privacy).

EU (TrueLayer Ireland), agent of TrueLayer:

{{client name}} uses TrueLayer to securely retrieve your account data

**TrueLayer needs your permission to access your account data and share it with {{client name}}**

<button>Allow</button>

{{client name}} is an agent of TrueLayer. By continuing you agree to TrueLayer Ireland’s [Terms of Service](https://truelayer.com/en-ie/enduser_tos) and [Privacy policy](https://truelayer.com/en-ie/privacy).

Short-form variant A (tab not labelled on the page):

{{client name}} uses TrueLayer to collect your account data

<button>Allow</button>

Short-form variant B (tab not labelled on the page):

{{client name}} needs your permission to access your account data

<button>Allow</button>

Localized Terms of Service and Privacy Policy

For unregulated clients using EU providers, we offer localized variants of the Terms of Service and Privacy Policy documents in the following languages:

How does this work?

Make sure to reference the correct TrueLayer entity depending on where in the world you're accessing data from. Check the text in the following tabs to get the correct information for UK, EU and Australian (CDR) providers respectively.

UK (TrueLayer):

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise access to your account data.

TrueLayer uses bank-grade encryption to connect to your bank.

Your login details are never shared with {{client name}} or third parties.

TrueLayer is authorised and regulated by the Financial Conduct Authority. FRN 901096

EU (TrueLayer Ireland):

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise access to your account data.

TrueLayer uses bank-grade encryption to connect to your bank.

Your login details are never shared with {{client name}} or third parties.

TrueLayer Ireland is authorised by the Central Bank of Ireland, reference number C433487.

Australia (CDR):

When you click ‘Allow’, we will pass you over to {{bank name}} to authorise collection of your banking data.

TrueLayer uses bank-grade encryption to connect to your bank and will never ask for your banking password.

Your login details are never shared with {{client name}} or third parties.

{{client name}} is a CDR representative of TrueLayer. Accreditation ID: ADRBNK000274

What data am I sharing?

Depending on which scopes you include in your request to TrueLayer, you must tell the user which categories of data you're asking them to share. Every scope in the API call must appear on the screen as a category the user can understand.

TrueLayer will share this data with {{client name}}: 

- {{scope 1 eg. accounts}}
- {{scope 2 eg. balance}}

Your data will only be shared with {{client name}}.

How is my data used?

You have to include a plain English explanation of what you'll do with the user's data.

The consent UI must inform the user how long their data will be accessed and who it will be shared with. Check the following tabs for the exact information the user must receive, depending on the length of the access time (one time only and ongoing access).

One-time access:

{{client name}} will use your data to {{explanation of how you'll use the data}}.

{{client name}} will only get one-time access to your data.

Ongoing access:

{{client name}} will use your data to {{explanation of how you'll use the data}}.

You can ask {{client name}} to stop accessing your data at any time.

CDR, ongoing access (wording that refers to {{client name}}):

{{client name}} needs to access your data for {{access duration}}. They will use your data to {{data use}}.

Supporting parties:
TrueLayer
Accreditation ID: ADRBNK000274
View TrueLayer's CDR policy

Data handling:
Your data will be deleted when it is no longer needed to provide you with this service, or when you stop data sharing, unless there is a legal reason to retain it.

Manage your data sharing:
You can stop data sharing at any time through the app or via your bank.
You can also notify {{client name}} via email to stop data sharing at {{client email address}}.

{{Client name}} may not be able to {{data use}} when you stop sharing your data.

CDR, ongoing access (wording in the first person):

We need this data so we can {{data use}} and will have access to your data for {{access duration}}. We use the following parties to assist with accessing your data:

Supporting parties:
TrueLayer
Accreditation ID: ADRBNK000274
View TrueLayer's CDR policy

Data handling:
We will delete your data when we no longer need it in order to provide you with this service, or when you stop data sharing, unless there is a legal reason to retain it.

Manage your data sharing:
You can stop data sharing at any time through the app or via your bank.
You can also notify us via email to stop data sharing at {{client email address}}.

We may not be able to {{data use}} when you stop sharing your data.

What is the consent_id?

The consent_id is a unique identifier for a record you create and store when the user provides consent to share their data. You have to pass this value in the consent_id request body parameter when you make an API call to generate a direct bank auth link.

When you collect consent and generate this identifier, you should store enough information to produce evidence that the user provided informed, explicit consent. Exactly what you store depends on what is available in your application, but it should include at least:

  • date and time
  • unique user identifier, user email address, IP address and/or device fingerprint
  • the list of data the user agreed to share (you can store the scopes you include in your API call to generate the direct bank auth link)
  • your TrueLayer client_id
  • the duration of the consent
  • the provider_id for the ASPSP the user is sharing data from
  • a reference to the UI presented to the user (this could be a build number, the UI copy or a screen capture of the consent screen: something that allows you to retrospectively reference the copy the user was shown before granting consent)
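The following is an added example, not TrueLayer's own code, showing how the "What data am I sharing?" copy and the consent_id record fit together: the screen copy is rendered from exactly the scopes you will request, the evidence fields listed above are stored under a freshly generated consent_id (with a digest of the copy the user saw), and the auth-link request is refused if it would ask for a scope, client_id or provider_id the stored consent does not cover. The scope-to-category wording, the record layout, the ConsentStore class and every request-body field other than consent_id are assumptions for illustration; the sample values are constructed placeholders.

```python
"""Added example: render consent copy from scopes, store consent evidence,
and gate the auth-link request on the stored consent (assumed layout)."""
from __future__ import annotations

import hashlib
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: user-facing category names for the Data API scopes you request.
SCOPE_CATEGORIES = {
    "accounts": "Account details",
    "balance": "Balances",
    "transactions": "Transactions",
}


def render_data_sharing_copy(client_name: str, scopes: list[str]) -> str:
    """Render the 'What data am I sharing?' section for exactly these scopes.

    Unknown scopes are rejected so the screen can never silently omit a
    category that the API call would go on to request.
    """
    unknown = [s for s in scopes if s not in SCOPE_CATEGORIES]
    if unknown:
        raise ValueError(f"no user-facing wording for scopes: {unknown}")
    items = "\n".join(f"- {SCOPE_CATEGORIES[s]}" for s in scopes)
    return (
        f"TrueLayer will share this data with {client_name}:\n{items}\n\n"
        f"Your data will only be shared with {client_name}."
    )


def ui_copy_digest(ui_copy: str) -> str:
    """SHA-256 of the exact copy shown, so you can later prove what the user saw."""
    return hashlib.sha256(ui_copy.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence kept for one grant; the fields follow the checklist above."""
    consent_id: str
    granted_at: str            # ISO 8601 timestamp in UTC
    user_id: str
    ip_address: str
    scopes: tuple[str, ...]    # the scopes the user agreed to share
    client_id: str             # your TrueLayer client_id
    duration: str              # e.g. "one-time" or "90 days"
    provider_id: str           # the ASPSP the user is sharing data from
    ui_copy_sha256: str        # digest of the copy presented
    ui_build: str              # build or version of the consent screen


class ConsentStore:
    """In-memory store for the example; production needs durable, append-only storage."""

    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}

    def record_consent(self, *, user_id: str, ip_address: str, scopes: list[str],
                       client_id: str, duration: str, provider_id: str,
                       ui_copy: str, ui_build: str,
                       now: datetime | None = None) -> ConsentRecord:
        """Create and store the record; the consent_id is a fresh UUID4."""
        now = now or datetime.now(timezone.utc)
        record = ConsentRecord(
            consent_id=str(uuid.uuid4()), granted_at=now.isoformat(),
            user_id=user_id, ip_address=ip_address, scopes=tuple(scopes),
            client_id=client_id, duration=duration, provider_id=provider_id,
            ui_copy_sha256=ui_copy_digest(ui_copy), ui_build=ui_build,
        )
        self._records[record.consent_id] = record
        return record

    def get(self, consent_id: str) -> ConsentRecord | None:
        return self._records.get(consent_id)


def build_auth_link_request(store: ConsentStore, consent_id: str, client_id: str,
                            scopes: list[str], provider_id: str) -> dict:
    """Build the body for the auth-link call, refusing to exceed the stored consent.

    Only consent_id is a field named in the docs; "scopes" and "provider_id"
    are placeholder names for whatever your integration actually sends.
    """
    record = store.get(consent_id)
    if record is None:
        raise LookupError(f"unknown consent_id {consent_id}")
    if record.client_id != client_id or record.provider_id != provider_id:
        raise PermissionError("consent was recorded for a different client_id or provider_id")
    excess = sorted(set(scopes) - set(record.scopes))
    if excess:
        raise PermissionError(f"scopes not covered by the consent: {excess}")
    return {"consent_id": consent_id, "scopes": list(scopes), "provider_id": provider_id}


if __name__ == "__main__":
    # Constructed sample values; none of them are real identifiers.
    store = ConsentStore()
    copy = render_data_sharing_copy("Acme Budgeting", ["accounts", "balance"])
    rec = store.record_consent(user_id="user-42", ip_address="203.0.113.7",
                               scopes=["accounts", "balance"], client_id="CLIENT_ID_PLACEHOLDER",
                               duration="90 days", provider_id="PROVIDER_ID_PLACEHOLDER",
                               ui_copy=copy, ui_build="consent-screen@1.4.0")
    print(build_auth_link_request(store, rec.consent_id, rec.client_id, ["accounts"], rec.provider_id))
```

The scope check is the part worth keeping even if you replace everything else: a request that asks for more than the recorded consent covers is a consent-evidence gap that is very hard to explain after the fact, so it should fail closed at the point the auth link is generated rather than be discovered in an audit.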
