Archived 2023.09.21. Content moved to CDS Guide, Authorisation and Consent
Question
CX Guideline 15, under the default example in the Authorization to disclose CX Guidelines, states that 'CDR Rules require data holders to refer to the accredited person's name using the legal entity name held in the Register during Authorization'.
However, CX Guideline 16, in Redirect with One Time Password artefacts, states that 'Data holders should use the Brand Name of the data recipient wherever the data recipient is referenced in consumer-facing authentication processes, including cancellation screens and OTP delivery...'
Is this a conflict? Which is correct?
Answer
Despite referring to different fields, those CX Guidelines are correct and as intended. That is, we recommend the brand name be used in the authentication flow and on dashboards; however, the rules require the legal entity name to be used in the authorisation flow (and no rules or standards currently refer to the brand name being used in this context).
We intend to consult on standards for data holders to refer to the brand name in the authentication and authorisation flow to establish greater consistency and comprehension throughout the whole process. However, we do expect reference to the legal entity name to still be required, both because the standards do not supersede the rules and because the rules' rationale for this requirement was to provide transparency to the consumer. The CX Guidelines will contain a design pattern to intuitively present these dual fields.
The consultation on this was originally mentioned in Noting Paper 157 but has been deferred. This item will now be consulted on in Q3/4, which will commence when the proposal referred to in the placeholder for Decision Proposal 207 is published.