When a consumer becomes ineligible due to closing all their online accounts held with a Data Holder (DH) what are the DH obligations with regards to any active consents?
DHs must not disclose data for ineligible consumers. All consents must expire if the consumer is no longer eligible from a CDR perspective.
Is the DH expected to notify the Accredited Data Recipient (ADR) that the customer has closed all their accounts and any future resource request will be rejected?
Is the DH expected to notify the customer that no further CDR data will be disclosed to their ADRs?
There are scenarios that require DHs to notify consumers of an authorisation's expiry, such as:
- When an authorisation sharing data from a joint account expires (rule 4A.14 in the v3 rules)
- When an authorisation given by a secondary user expires, the account holder must be notified (rule 4.28(2))
- As per privacy safeguard 10, via the dashboard, to update when the CDR data was last disclosed
- Via the dashboard in general, to ensure the dashboard is up to date (this relates to the 'clean-up' consent record query)
The CX Guidelines for DH dashboards recommend that DHs provide a 'CDR Receipt' to the consumer in writing, other than through the dashboard, when authorisations are:
- amended. Technically the authorisation is revoked and a new one established, but to the consumer it appears as if they are amending it via the full consent flow
The CDR Receipt can be sent to the consumer by email.
There are no standards permitting DHs to revoke access tokens and refresh tokens on their own initiative. On consent withdrawal, DHs withdraw the consent and expire it, notifying the ADR of the withdrawal. As part of this process, the OAuth security tokens can be revoked.
Is the DH expected to revoke the active consent(s) and set the revocation date to the date/time the last account was closed?
DHs must withdraw any active consents where the consumer ceases to be eligible. The rules generally provide notification and dashboard update time-frames that range from 'as soon as practicable' to 'within 2 business days'. The time of revocation should date from when the authorisation was actually withdrawn.
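The sequence described in the answers above (last account closed, consumer becomes ineligible, every active consent withdrawn with the revocation time set to the closure time, tokens revoked, ADR and consumer notified, later resource requests rejected) can be modelled as a small consent store. The code below is an added illustration, not code from the Implementation Guide or from any Data Holder's system; the class and record names (ConsentStore, Consent, the notification dictionaries) and the sample consumers, accounts and tokens are assumptions constructed for this example, and the ADR notification is recorded as a queued record rather than an actual call to an ADR endpoint.

```python
"""Consent lifecycle when a consumer closes their last account with a DH.

Added example; the CDR standards do not define these class names.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Consent:
    consent_id: str
    consumer_id: str
    adr_id: str
    access_token: str
    refresh_token: str
    status: str = "ACTIVE"            # ACTIVE or REVOKED
    revoked_at: Optional[datetime] = None


@dataclass
class ConsentStore:
    # consumer_id -> ids of accounts still open with this DH
    open_accounts: Dict[str, Set[str]] = field(default_factory=dict)
    consents: Dict[str, Consent] = field(default_factory=dict)
    revoked_tokens: Set[str] = field(default_factory=set)
    adr_notifications: List[dict] = field(default_factory=list)  # queued for ADRs
    consumer_receipts: List[dict] = field(default_factory=list)  # CDR Receipts

    def is_eligible(self, consumer_id: str) -> bool:
        # A consumer with no open account held with the DH is ineligible.
        return bool(self.open_accounts.get(consumer_id))

    def close_account(self, consumer_id: str, account_id: str,
                      closed_at: datetime) -> List[str]:
        """Close one account; withdraw all consents once none remain open."""
        self.open_accounts.setdefault(consumer_id, set()).discard(account_id)
        if self.is_eligible(consumer_id):
            return []
        # Revocation is dated from the closure that made the consumer ineligible.
        return self.withdraw_all_consents(consumer_id, closed_at)

    def withdraw_all_consents(self, consumer_id: str,
                              withdrawn_at: datetime) -> List[str]:
        revoked = []
        for c in self.consents.values():
            if c.consumer_id != consumer_id or c.status != "ACTIVE":
                continue
            c.status = "REVOKED"
            c.revoked_at = withdrawn_at
            # Revoke the OAuth tokens tied to the withdrawn consent.
            self.revoked_tokens.update({c.access_token, c.refresh_token})
            self.adr_notifications.append(
                {"adr_id": c.adr_id, "consent_id": c.consent_id,
                 "revoked_at": withdrawn_at.isoformat()})
            self.consumer_receipts.append(
                {"consumer_id": consumer_id, "consent_id": c.consent_id,
                 "event": "withdrawn", "at": withdrawn_at.isoformat()})
            revoked.append(c.consent_id)
        return revoked

    def authorise_resource_request(self, access_token: str) -> bool:
        """Disclose only for an active consent of a still-eligible consumer."""
        if access_token in self.revoked_tokens:
            return False
        for c in self.consents.values():
            if c.access_token == access_token and c.status == "ACTIVE":
                return self.is_eligible(c.consumer_id)
        return False


def build_sample_store() -> ConsentStore:
    """Constructed sample data: two consumers, three consents."""
    store = ConsentStore()
    store.open_accounts["cust-1"] = {"acc-1", "acc-2"}
    store.open_accounts["cust-2"] = {"acc-9"}
    for cid, cust, adr, at, rt in [
        ("cons-A", "cust-1", "adr-x", "at-A", "rt-A"),
        ("cons-B", "cust-1", "adr-y", "at-B", "rt-B"),
        ("cons-C", "cust-2", "adr-x", "at-C", "rt-C"),
    ]:
        store.consents[cid] = Consent(cid, cust, adr, at, rt)
    return store


CLOSE_TIME = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)  # constructed


def run_demo() -> dict:
    store = build_sample_store()
    first = store.close_account("cust-1", "acc-1", CLOSE_TIME)   # still eligible
    second = store.close_account("cust-1", "acc-2", CLOSE_TIME)  # now ineligible
    return {
        "after_first_close": first,
        "after_last_close": second,
        "revoked_at": store.consents["cons-A"].revoked_at,
        "adr_notifications": len(store.adr_notifications),
        "receipts": len(store.consumer_receipts),
        "request_cust1": store.authorise_resource_request("at-A"),
        "request_cust2": store.authorise_resource_request("at-C"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Closing the first account leaves the consumer eligible and touches no consent; closing the last one withdraws both of that consumer's consents at the closure time, queues a notification for each ADR and a receipt for the consumer, and causes subsequent resource requests on those tokens to be refused while the other consumer's consent keeps working.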
- Implementation Guide, Authorisation and Consent