Product Guide
Introduction to Open Banking
The Yodlee FastLink application manages all aspects of Consumer Data Right (CDR) requests, including redirecting the user/consumer to authorise and consent to data sharing, aggregating and verifying accounts, and supporting both CDR-enabled sites and legacy credential-based sites in the same user experience. For more information about the FastLink
Account Aggregation through FastLink
The FastLink application takes the user through the process of linking a site. In the Configuration Tool, all aspects of the FastLink application, such as the product template, UI settings, region, and language preferences, can be set. The user flow has three steps:
Step 1: Selecting a Site
The site selection screen is the first screen displayed in the site linking process. On this screen, consumers can search for sites that require the consumer to grant permission to share data. Consumers can search for the sites in the search field or select them by tapping the icon corresponding to the site they want to aggregate.
Step 2: Provider Consent
The pre-consent screen, an optional implementation, displays the high-level steps to aggregate accounts. The consumer has to tap Get Started on the pre-consent screen to start providing consent. The Consent screen is then displayed, letting the consumer know that the consumer’s account information is being shared.
The consent-sharing period is displayed on the consent screen. The sharing period shows the date when the consent was provided and the date until which the consent will be valid, with the time zone and timestamp. The time zone displayed on the consent screens is derived from the consumer's browser time zone. If the browser time zone is inaccessible, the time zone of the consumer's registered country is used. Customers can manage the timestamp visibility in the Configuration Tool by navigating to Global Settings > Open Banking Settings. By default, the timestamp is enabled. It is recommended to turn off the timestamp to display only the date and time zone on the consent screens.
The consumer must select the consent duration from the Sharing Period drop-down list to continue with the consent flow. Customers can configure any three duration periods during the OB application onboarding flow, and the three durations will be listed in the drop-down list in descending order, for example, 365 days, 180 days, and 90 days. Once the consumer selects the duration, the statement in the Data Request section will display the selected sharing period. The consent sharing period is also displayed in the Sharing Period section. It shows the date when the consent was provided and the date until which the consent will be valid, with the time zone and timestamp.
ADR Model
CDR Representative Model
To grant consent and continue adding the site, the consumer has to tap I Consent. The status spinner and message indicate that the consumer is securely transferred to the data provider's site. The consumer authenticates his/her identity at the data provider site by entering the site login credentials. The data provider site then requests confirmation of consent from the consumer to pass his/her account data to the client application.
The account aggregation process is triggered once the consumer confirms. The status spinner lets the consumer know that he/she is securely transferred from the data provider site to FastLink and the account information is being gathered. After the data is retrieved, the Success screen shows the consumer that the account information is successfully aggregated.
Step 3: View Accounts
After the account information is received from the data provider site, the accounts summary screen is displayed. It lists the following attributes for each aggregated account under the appropriate financial institution and container heading:
- Account Name – Name of the account (for example, ABC Checking)
- Account Number – The account number (masked except for the last four digits)
- Account Type – Account type at the investment provider (Savings, checking, 401k, etc.).
- Account Balance – Balance of funds in the account
The Save & Finish button closes FastLink, whereas the Save and Link More Accounts button redirects the consumer back to the select a provider screen in FastLink so that they can add another provider if they choose to.
Data Access
Once the account is linked, call the GET /accounts or the GET /accounts/{accountId} endpoint to retrieve the account details of all the accounts that were added from the Open Banking provider.
Manage Consent
The CDR rules require that the data recipients give end users/consumers the ability to view and manage their consent. The Manage Consent screen in FastLink is used to provide this functionality. The consumer can land on the Manage Consent screen from a link in the customer’s application. The Manage Consent screen lists all the statuses of consent for a particular consumer: Active, Expired, and Withdrawn.
Active Consent
The consent is active when the consumer has already given consent, and it has not exceeded the consent validation period of 12 months. Tapping the Active button on the Manage Consent screen displays the active consent details.
Expired Consent
The consent will be automatically marked as Expired if the consent validation period expires without revocation. The Expired Manage Consent screen displays the provider name, product, consented date, and expired date.
Withdrawn Consent
The Withdrawn consent screen is displayed when the user has revoked the consent.
Open Banking Consent Events
Our Open Banking (OB) event service allows customers to meet regulatory requirements concerning end-user notifications or to provide other functionality dependent on knowing the state of user consent to collect and use data.
To comply with Subdivision 4.3.5 of the CDR Rules, Australian (AU) OB customers must send notifications “in writing otherwise than through the CDR consumer’s dashboard” to end users whenever consent is granted, amended or revoked (CDR Receipts) as well as ongoing notifications for ongoing consents.
We recommend AU OB customers comply with this requirement by sending an SMS or email to end-users. The rules require that notifications must contain details of the consent, including the requested data, use of the data, time of grant and scheduled expiry, data access frequency, data provider name (e.g., ABC bank), the data recipient name and details of any disclosure consents (such as to trusted advisers or of CDR Insights).
Withdrawing Consent
The consumer can withdraw the consent or stop sharing the data by tapping the I want to stop sharing my data button on the active consent screen. The Stop Sharing screen is then displayed. It describes what happens to the consumer’s data and the impact of not sharing the data. The data will be hard-deleted if the consumer selects the toggle on this screen. If the consumer continues without selecting the toggle, the consent is revoked but the data is not deleted.
When the consumer taps Continue, the second Stop Sharing screen is displayed to reconfirm. This Stop Sharing screen gives a detailed impact of withdrawing consent. On tapping Yes, Stop Sharing, the data sharing is successfully stopped, and the You are no longer sharing data screen is displayed with Withdrawn status on the screen to confirm that the data sharing is stopped and the account has been archived. This screen also details what data was collected and how the data was used, and the key dates in condensed form.
Advanced Integration
FastLink 4 supports various types of deeplinking and advanced integrations. See our Advanced Integration page for more information.
De-identification of Data
De-identification of data removes the consumer’s personal information associated with data, i.e., the data will not be associated with the consumer’s identity (name and contact details) after the de-identification process.
Data de-identification/deletion happens as per the consent data deletion preferences, after consent expires or when a consumer revokes the consent.
Note: After the consent period expires, Yodlee and its customers are authorised to use the de-identified data without further consent.
FAQs
Which account types does Yodlee provide access to through AU OB?
We provide access to a wide variety of personal and business account types including savings accounts, transaction accounts, credit cards, term deposits, personal loans, mortgages, and business finance products through open banking in Australia. We also provide access to data sources not available through open banking, including investment products, non-bank lending products and superannuation products through our hybrid solution. Individual and business customers are eligible to share data through open banking. Individuals must be over the age of 18 and have at least one open account accessible online to be able to share data. Contact us for an up-to-date provider list.
Is it possible to access joint account data through Open Banking?
Joint account data is included in the CDR. By default, any owner of an account can share data from joint accounts; however, both joint account holders can control sharing preferences and prevent joint account data sharing, if desired.
Is it possible to access business data through Open Banking?
Businesses are able to share data through Open Banking via nominated representatives who complete the consent process in a similar manner to consumers. Each bank has a process for setting up nominated representatives for a business. In most cases, this involves sending an authority form through a similar process enabling users to view or transact on business accounts.
Is it possible to migrate to Open Banking from screen scraping or credential-based aggregation?
Our product includes migration functionality that can be used to move customers from screen scraping to Open Banking data sources. The best approach for migration depends on the particular use case and how and if our client has integrated with us. Contact us to discuss the migration of existing users.
What integration points are required to access Open Banking data?
The key technical integration points with Yodlee using Australian Open Banking data are as follows:
- Invoking FastLink to allow users to grant consent.
- Connecting to our APIs and products.
- Invoking FastLink to allow users to manage consent.
- Connecting to our webhook service to send end user notifications when required by the CDR rules, namely when consent is granted, amended, revoked, or when 90 days have elapsed from the latest of consent grant/amend, use of consumer dashboard or the last notification.
All of these integration points are required for regulatory reasons.
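The notification triggers in the last integration point, together with the notification contents listed under Open Banking Consent Events, can be expressed as a small check. This is an added example, not Yodlee code: the field names, event names and sample record are assumptions constructed for illustration and do not reflect the webhook service's payload format.

```python
from datetime import datetime, timedelta, timezone

# Details a notification must contain, per the guide (field names are hypothetical).
REQUIRED_FIELDS = (
    "requested_data", "data_use", "granted_at", "expires_at", "access_frequency",
    "data_provider", "data_recipient", "disclosure_consents",
)
RECEIPT_EVENTS = {"GRANTED", "AMENDED", "REVOKED"}  # assumed event names
ONGOING_INTERVAL = timedelta(days=90)


def missing_fields(consent):
    """Required notification details that are absent (an empty list is allowed)."""
    return [f for f in REQUIRED_FIELDS if consent.get(f) in (None, "")]


def ongoing_due_at(consent):
    """90 days after the latest of grant/amend, dashboard use, last notification."""
    anchors = (consent["granted_at"], consent.get("amended_at"),
               consent.get("dashboard_used_at"), consent.get("last_notified_at"))
    return max(a for a in anchors if a is not None) + ONGOING_INTERVAL


def notification_reason(consent, now, event=None):
    """Return why a notification must go out now, or None when none is due."""
    if event in RECEIPT_EVENTS:
        return "receipt:" + event.lower()
    # Ongoing notifications apply only while the consent is still active.
    if consent.get("revoked_at") or now >= consent["expires_at"]:
        return None
    return "ongoing:90-day" if now >= ongoing_due_at(consent) else None


UTC = timezone.utc
SAMPLE = {  # constructed sample consent record
    "requested_data": ["account balances", "transactions"],
    "data_use": "budgeting",
    "granted_at": datetime(2024, 1, 10, tzinfo=UTC),
    "expires_at": datetime(2025, 1, 9, tzinfo=UTC),
    "access_frequency": "daily",
    "data_provider": "ABC bank",
    "data_recipient": "Example Recipient Pty Ltd",
    "disclosure_consents": [],
    "dashboard_used_at": datetime(2024, 2, 1, tzinfo=UTC),
}

if __name__ == "__main__":
    for day in (datetime(2024, 4, 30, tzinfo=UTC), datetime(2024, 5, 1, tzinfo=UTC)):
        print(day.date(), notification_reason(SAMPLE, day), missing_fields(SAMPLE))
```

After each notification is sent, record its time in `last_notified_at` so the 90-day window restarts from that point.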
Is it necessary to be accredited? Which regulatory model for Open Banking does Yodlee recommend?
Access to Open Banking data in Australia is possible through a number of regulatory models, and accreditation is generally not required. We will work with you to recommend a regulatory model suitable for your needs. In most cases, we will recommend a CDR representative model.