Consent Management
Bank Logins and Bank Connections
In order to establish a connection to a bank account, a bank login must be created. As such, every bank login is associated with a bank connection. Additionally, every bank login is identifiable through a unique identifier.
As already mentioned in the Overview, a bank login is a technical entity that represents the user's consent for accessing their bank data. Each bank login is associated with one or more bank accounts, and it serves as the basis for managing the connection to the bank. In our system's hierarchy, a bank login stands directly below the user level and above the individual bank accounts.
Bank logins are crucial for any process that involves retrieving or synchronizing bank data. Without a valid bank login, our Banking module is unable to access the respective bank's system. Naturally, we provide endpoints to manage bank logins, including retrieving their synchronization status, creating synchronization sessions, and deleting logins when necessary.
Consent Management
A consent authorizes the Banking module to fetch bank data for a specific bank connection. At any given time, there can only be one valid consent for a unique bank login. Accordingly, there is no concept of multiple consents for the same bank login, as a new consent will automatically invalidate the previous one. In addition to that, there is no concept of an account-level consent, as the consent is always associated with the bank login, which can include multiple accounts.
Multiple different bank logins can be created for the same bank, as explained before in the Overview. As a rule of thumb, a user can create only one bank login for a given bank account. However, there are exceptions to this rule: some banks handle the login process entirely on their side, which can lead to multiple bank logins for the same bank account. We try to prevent this as much as possible, but in some cases we can only detect a duplicate connection after the connection process has been completed.
Disconnecting a bank login will result in the revocation of the associated consent, and the respective bank connection to that login will be deactivated as well. The same of course applies when just deleting a bank login. Similarly, disconnecting or deleting a user will also lead to the revocation of all consents and deactivation of all bank logins associated with that user.
Detecting an Expired Consent
A valid consent is a mandatory prerequisite for our synchronization feature to work properly. Typically, single-access scenarios, where the user only connects their bank account once and does not intend to synchronize it on a regular basis, have no need to worry about consent expiration, as the consent is only required for the initial connection process. As such, if your use case only involves a one-time connection without any further synchronization, you can simply ignore consent expiration, as it will not affect your use case.
Since a valid consent is required for retrieving bank data and triggering any process at the bank itself, it is crucial that we provide mechanisms to inspect the status of a consent. For that very reason, we provide multiple ways to check if a consent is still valid or if it has expired:
- The per-user synchronization status endpoint returns the synchronization status for each bank login of one user, including:
  - status: shows whether the consent is valid (OK), whether a consent renewal through a new Strong Customer Authentication is required (SCA_REQUIRED), or whether there was an error during the last synchronization attempt (SYNC_FAILED).
  - active: indicates whether automatic background synchronization is currently enabled.
  - lastSynchronization: timestamp of the last successful data sync.
  - bankLoginId and userId: identifiers for tracking the specific login and user.
- If status is SCA_REQUIRED or SYNC_FAILED, the consent has expired and needs to be renewed.
- The paginated synchronization status endpoint provides a paginated list of synchronization statuses for bank logins, allowing you to efficiently check the status of multiple users and their associated bank logins.
- If a webhook for error events is subscribed, the event ubasyncerror will be triggered if automatic banking sync cannot be completed. When the type is CHALLENGE_REQUIRED, the user consent has expired and a user action is required to renew the consent. Otherwise, automatic synchronization will be disabled for the respective bank login.
Unfortunately, there is no way to prevent consent expiration, as banks and regulatory authorities require users to regularly review and renew their consents for data access. Also, not all banks provide the same consent duration, so the expiration time can vary significantly between different banks and even between different account types within the same bank. Lastly, the banks do not provide the exact expiration time of a consent, so it cannot be predicted; the only reference point is the moment the initial consent is granted, which typically has a validity of 90 days but can be shorter or longer depending on the bank's policies.
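The two detection paths above (polling the synchronization status and consuming the ubasyncerror webhook) can be turned into one triage routine on the client side. The following is an added example, not code from the Banking module or its SDK; the field names (status, active, lastSynchronization, bankLoginId, userId, type) are the ones documented above, while the JSON envelope of the status response (a plain list of entries), the "event" key in the webhook payload, and the sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample status response for one user (envelope assumed: a JSON list).
SAMPLE_STATUS_RESPONSE = json.dumps([
    {"bankLoginId": "bl-1001", "userId": "u-42", "status": "OK",
     "active": True, "lastSynchronization": "2024-05-01T06:00:00Z"},
    {"bankLoginId": "bl-1002", "userId": "u-42", "status": "SCA_REQUIRED",
     "active": False, "lastSynchronization": "2024-02-01T06:00:00Z"},
    {"bankLoginId": "bl-1003", "userId": "u-42", "status": "SYNC_FAILED",
     "active": False, "lastSynchronization": None},
    {"bankLoginId": "bl-1004", "userId": "u-42", "status": "OK",
     "active": False, "lastSynchronization": "2024-04-28T06:00:00Z"},
])

# Both statuses mean the consent has expired and a new SCA is required.
CONSENT_EXPIRED_STATUSES = {"SCA_REQUIRED", "SYNC_FAILED"}


def triage_sync_status(response_body: str) -> dict:
    """Map each bankLoginId in a status response to the action it needs.

    RENEW_CONSENT: consent expired; start a synchronization or management
                   session so the user can complete SCA again.
    SYNC_INACTIVE: consent still valid, but background sync is switched off.
    OK:            nothing to do.
    """
    decisions = {}
    for entry in json.loads(response_body):
        if entry.get("status") in CONSENT_EXPIRED_STATUSES:
            action = "RENEW_CONSENT"
        elif not entry.get("active", False):
            action = "SYNC_INACTIVE"
        else:
            action = "OK"
        decisions[entry["bankLoginId"]] = action
    return decisions


def handle_sync_error_event(event: dict) -> str:
    """Classify an error webhook payload ("event" key is an assumed envelope field)."""
    if event.get("event") != "ubasyncerror":
        return "IGNORE"  # not an error event; nothing consent-related to do
    if event.get("type") == "CHALLENGE_REQUIRED":
        return "RENEW_CONSENT"  # consent expired; user must complete SCA again
    # Any other error type: the module disables background sync for this login.
    return "SYNC_DISABLED"
```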
Consent Renewal
We currently provide two options for renewing an expired consent, which can be chosen based on your specific use case and user experience preferences:
a) Manual Renewal via the User Interface
- Use our Create Management Session endpoint to create a management session for the user, which will provide you with a redirect URL to our Universal Bank Access platform.
- After redirecting the user to the management session, they will be able to see an overview of all their connected bank accounts and manage them accordingly.
- To renew the consent, initiate a synchronization for the respective bank login, which will automatically trigger a challenge for the user to complete the consent renewal process.
b) Automatic Renewal via API
- Use our Create Synchronization Session endpoint to trigger a synchronization for the respective bank login.
- This automatically initiates a challenge, prompting the user to renew consent.
Once consent is successfully renewed, the bank connection is reactivated, and data retrieval can continue.
Please note that in both cases your user needs to be actively involved in the consent renewal process, as the user must complete the necessary Strong Customer Authentication (SCA) steps to grant a new consent.