Customer Experience Guidelines v3.0

Disclaimer 

The Guidelines have been prepared for the sole purpose of providing indicative information and are for general purposes only. The Guidelines should be treated as a general guide or a starting point only.

The Guidelines are not specific advice and do not contain all the information that an API Standards User may need for the purpose of designing and using API Standards enabled products or complying with the API Terms (API Terms).

Adoption of the Guidelines does not replace API Standards Users’ obligations as set out in the API Terms. API Standards Users must independently ensure that they comply with the API Terms including the Customer Data Consent and Customer Payment Consent obligations. To the extent that the Guidelines conflict with the API Terms, the API Terms prevail.

The API Centre does not make any express or implied warranty, guarantee or representation regarding the Guidelines, including, without limitation, warranties that the Guidelines are fit for the purposes required by API Standards Users, customers or Permitted Users, that compliance with the Guidelines assures compliance with the API Centre Terms, or will ensure that any party might meet the standard of care required of them at law, or that any of the assumptions underlying the Guidance are accurate.

1 Introduction

This page is intended to be read in conjunction with the guidelines and gives important context to the detailed content of the documentation. We therefore encourage you to read the following before reading the guidelines themselves.

The Customer Experience Guidelines (“Guidelines”) have been designed to facilitate widespread use of API Standards enabled products and services in a simple, secure and customer friendly manner.

The implementation of these Guidelines is not mandated by the API Centre, so live customer experiences will differ from this document.

The API Centre’s Account Information and Payments Initiation API Standards set out the base interactions and flows between the customer, the Third Party, and the API Provider.

The Guidelines:

  • depict the customer facing user experience and journey across both Third Party and API Provider when they use the API Standards.

  • address the “customer journey” that is the process that the customer follows starting within a Third Party online app or browser, through to authentication within the API Provider domain, and completion in the Third Party domain.

  • provide examples of what a good customer experience and customer journey looks like when the customer interacts with services that are based on the API Standards.

  • provide a starting point for API Standards Users to develop their own propositions.

Customers will only use products and services if their experience matches or betters their expectations, and information is presented in an intuitive manner allowing them to make informed decisions. It is therefore important that the interplay between the Third Party and the API Provider is as seamless as possible, while providing customer control in a secure environment.

It is essential that customers are clearly informed about the consent they are providing and the service they are receiving.

The intended audience for these Guidelines is API Standards Users (API Providers and Third Parties).

1.1 Acknowledgements

The Guidelines have been developed from the UK Open Banking Implementation Entity’s (OBIE) Customer Experience Guidelines and their associated research.

1.2 Purpose and approach

Illustrative guide

This document provides an illustrative guide. Wireframes are used to represent the basic requirements of the customer journey and the steps that a Standards User would be required to follow.

There is no requirement on API Standards Users to comply with the wireframes although they are required to comply with the rules as described in the API Standards and the API Centre Terms and Conditions (API Terms).

The Guidelines are designed to help provide a starting point for API Standards Users to develop their own propositions and therefore implementations may differ in practice.

Illustrative but not exhaustive

These Guidelines provide the main scenarios that the v2.3 API Standard supports. There are other scenarios, flows or variants that are supported by the v2.3 API Standard that are not illustrated in these Guidelines.

Iterative guidance

The Guidelines will evolve, and iterations will be released, based on additional functionality, ongoing feedback received and changing customer expectations.

1.3 Relationship with API Terms

Pursuant to the API Terms, the API Centre may create, maintain, amend and publish API Standards and any associated documentation. Accordingly, the Guidelines are published under the API Terms.

The Guidelines cover the customer's journey, interactions, and hand-offs. The Guidelines include suggested steps that the customer should navigate. The Guidelines refer to consent, authentication and authorisation, which are the steps API Standards Users are required to take in relation to consent as set out in the API Terms. In these Guidelines:

Third Party consent in relation to Customer Data Consent or Customer Payment Consent refers to the consent given by the customer to a Third Party under which the customer authorises:

  • a Third Party to contact the customer’s API Provider; and

  • the use of the Customer Data for the purposes specified in the Customer Data Consent; or

  • a payment under which funds will be debited from the customer’s account and credited to the beneficiary nominated in the consent.

Authorisation in relation to Customer Data Consent or Customer Payment Consent refers to the corresponding action by the customer in an API Provider app in which the customer authorises an API Provider to act on an instruction received from a Third Party. This is either in relation to customer data or on behalf of the customer in respect of that payment transaction.

Authentication refers to the process of an API Provider confirming the identity of a customer and their authority to act on the account, i.e. login.

1.4 Relationship with API specifications

The API Centre attempts to align the Guidelines to the API Standards. Generally, where the customer journey diagrams use the term ‘must’, it reflects a requirement in either the API Standards or the API Terms.

1.5 Guideline Structure

The Guidelines are divided into sections dedicated to each of the following steps in the consent flow:

Authentication Methods

The primary forms of Authentication, in generic form, that may be used through a variety of services and interactions.

Capturing and Managing Consent for Account Information Services

Service propositions that are enabled or initiated by customers consenting to share their account data with Third Parties.

Capturing and Managing Consent for Payment Initiation Services

Service propositions enabled by customers consenting to Third Parties initiating payments from their payment accounts.

1.6 The high-level Customer Journey

[Figure: the high-level customer journey (image-20250509-011009.png)]

All customer journeys in this document are constructed around the primary customer journey, which is illustrated above.

At the core of each customer journey is the mechanism by which the customer gives consent to a Third Party to access account information held at their API Provider or to initiate payments from their API Provider account.

In general, simplified terms:

  1. the consent request is initiated in the Third Party domain (step 1).

  2. the customer is then directed to the domain of their API Provider for authentication (step 2).

  3. once authentication is complete, the API Provider will be able to respond to the request and redirect the customer back to the Third Party for confirmation and completion of the journey (step 3).

2 Customer best practices

2.1 Customer in control

A key principle is clarity: information should be presented and described in a manner that makes each customer journey easy to understand, so that customers can make informed decisions while enjoying simple, easy navigation and a secure customer journey.

2.2 Useful elements in the customer journey

Research carried out by OBIE, in the UK, shows that better customer understanding of what they are agreeing to can be achieved by carefully designing the customer journey. It reveals that the solution is about:

  • effective, intuitive presentation of information; and

  • not introducing steps to slow the customer down or repeat information.

The following methods have been found to be the most effective:

  • Clear messages and navigation in the redirection screens that pass the customer from the Third Party to the API Provider, and back again.

  • The redirection screen should create a clear sense of separation as the customer enters the API Provider domain to authenticate, and as they return to the Third Party.

  • Use redirect screens as signposts so that customers know and trust where they are in the journey.

  • Present information in an intuitive and easily understood way.

  • Keep the information presented to a minimum.

  • When it is necessary to show more complex information it is easier for the customer to understand when presented:

    • in a series of smaller amounts; and

    • across more than one screen.

  • Avoid text heavy single screens.

  • Providing supplementary information at specific points in the customer journey is useful, helping the customer to understand the process as well as ensuring comprehension of a product or offer and its implications. If executed well, it will enhance the customer journey and reduce drop off.

  • Experience and branding should mirror existing online customer channels.

2.3 Unhelpful elements in the customer journey

OBIE research has shown that superfluous information, poor or confusing choice of words, repetition, large amounts of text, too many steps or avoidable delays in the customer journey can lead to frustration, an even greater tendency to skim, and ultimately an increase in customer drop off.

The following unhelpful elements were identified in the research and should be avoided:

  • A customer authentication journey that takes too long.

  • Fewer screens, but with a significant amount of text on each screen.

  • Customers having to scroll up and down the screen to progress the customer journey.

  • Unnecessary information that does not add to the customer’s understanding or trust, especially when presented in a separate step or screen.

  • Delays such as slow loading times, web pages or apps that have not been effectively debugged, and unexpected crashing of web pages or apps.

  • Language which may create a level of concern, uncertainty and doubt when going through the customer journey.

  • The use of language that is too long, complex or legalistic to be easily understood when going through the customer journey.

  • Asking for the same information twice.

  • Asking for information when it is not needed.

  • Forcing the customer to open a new browser window during the customer journey.

  • Requesting input of information that could be pre-populated once the customer has authenticated.

  • Inconsistency in selecting an online channel when multiple channels are supported e.g., differentiating between personal and business banking.

2.4 Customer experience principles

The customer experience should balance informed decision making while remaining understandable, intuitive, and effective. The customer experience should provide content and functionality that demonstrates purpose, intent and relevance. It must meet the appropriate legal requirements relating to the customer disclosure.

This is especially true in the context of giving consent, where customers always need to know and understand:

  • What to expect from a process

  • Where they are in a specific process

  • Where they have come from

  • What options, actions or steps they have in front of them

  • The consequences of taking those actions or next steps

  • A clear signal, feedback and/or response once that action is taken

OBIE customer research has demonstrated recurring themes that customers care, or are worried, about. To support and achieve the goal of creating trust, these themes have been combined and made into five experience principles. These principles underpin the range of core customer journeys and key customer interactions described throughout the Guidelines.

2.4.1 Control

The introduction of any kind of new transaction, product, or service - especially online - can create an opportunity for deeper engagement. However, it can also create barriers through poor implementation. From a consumer perspective, this is often driven by a loss of control in the process.

If customers understand what is going on in a process, they can make informed decisions and choices on their own terms – including the option to change their mind. It provides ownership and control over what is happening. In a transactional context, where money and data are potentially at stake, getting this right is essential.

For API Standards, control comes from providing customers with the right tools and clarity of information at the right time (e.g., knowing the account balance at the point of payment or knowing that they can view and cancel consents when they want to).

Standards Users need to consider how they provide ownership and control to customers throughout – enabling customers to understand and take ownership of the decisions made through this process and that this is something that they are choosing and in charge of.

2.4.2 Speed

Speed should be appropriate to the customer and the journey they are undertaking. Convenient, speedy, and intuitive design is a question of execution and interaction.

In a transactional context, anything that seems more time consuming or difficult than customers are used to (or expecting) is going to degrade adoption. Each interaction, and each hand-off between systems, should be managed and optimised for speed, clarity and efficiency, but without sacrificing the principles of security and control.

In addition, be mindful that speed of transaction or interaction is not necessarily about the ‘fastest possible’ experience. As we have indicated, informed decision making needs to be supported through comprehension and clarity (especially in the context of Account Information Services), allowing customers to, above all, move at a pace that suits them and ensuring that the customer knows what they are consenting to.

Third Parties and API Providers need to ensure that API Standard customer journeys remain flexible enough to support different customer contexts, expectations and situations and – critically – avoid any unnecessary friction in the completion of any journey.

2.4.3 Transparency

Transparency of choice, action, and, importantly, the consequences of actions or sharing of data, is crucial to promoting the benefits of API Standards.

In new transactional scenarios where customers are being encouraged to share personal information this is critical. Be clear on what is required from the customer, why, for what purpose and what the consequences could be.

Sharing information is a trade-off for convenience and benefits. The value exchange for the consumer should be made explicitly clear.

This is, however, a balancing act. We do not want to overburden the customer or weigh down the experience with excessive explanations. Transparency is therefore about providing progressive levels of information, in plain language, that inform and support customer decisions.

2.4.4 Security

In the context of security, the key concerns for customers are fraud and data privacy.

Many will understand fraud, but data privacy may be less well defined in the minds of consumers. Not everyone has the same idea about what ‘my data’ means (e.g., is it my name and address? Passwords? Names of my kids? Transactional history?) Nor is it well understood what businesses even do with their data once they have access to it. Such concerns can be even deeper with newer brands, lacking established consumer confidence.

Explicit clarity and reassurance will be required in relation to data definition, use, security and, above all, protection.

In addition to personal data, transactional (data) security is the critical factor to ensure long term use of Third Party services. As a minimum, Third Parties and API Providers should ensure this is no less than consumers expect today.

All security messaging should be clear.

2.4.5 Trust

Building trust with early adopting customers is crucial and can be done by communicating clearly what is going to happen and ensuring their experience matches that.

The principles of control, speed, transparency, and security combine to create a trusted environment for the customer.

Standards Users need to consider, create, and promote values of trust through every part of their API Standard customer journeys, to foster understanding, acceptance and adoption of new innovative products and services.

2.5 Protection for vulnerable Customers

Standards Users should consider making their services suitable for vulnerable customers. Those who are seen as vulnerable, or in vulnerable circumstances, may be significantly less able to effectively manage or represent their own interests than the average customer, and more likely to suffer detriment. This may take the form of unusual spending, taking on unnecessary financial commitments or inadvertently triggering an unwanted event.

Any customer can become vulnerable at any time in their life, for example through serious illness or personal problems such as divorce, bereavement or loss of income. Consent and data privacy issues are particularly relevant and important for people with mental health issues.

For reference, the NZBA, FMA, and NZHRC have published guidelines that specifically relate to the provision of services to vulnerable persons:

It should be noted, however, that these Guidelines still apply to the provision and communication of services to vulnerable persons. A Standards User should look to enhance the service provided in ways that would benefit an identified vulnerable group, e.g., using large print or clear fonts for users with impaired vision.

3 The Customer Experience Guidelines

The guidelines are structured into three separate sections as below. To read the guidelines you may either use the Confluence preview window in your browser or download a copy to your device.

Occasionally, the Confluence preview can render the PDF in a low quality. In these instances, please download a copy of the PDF to read the guidelines in full.

3.1 Authentication

This section covers how customers are transferred between the Third Party and the API Provider, as well as how they are authenticated by the API Provider.

3.2 Account Information

This section covers how customers are presented information relating to the use of the Account Information API and associated resources.

3.3 Payment Initiation

This section covers how customers are presented information relating to the use of the Payment Initiation API and associated resources.