Open JamesMBligh opened 5 years ago
NAB is supportive of this approach
We support this approach, but note that customers are likely to experience token lifetime with joint consents unless access tokens are not granted until both parties authorise the accounts in a consent. We therefore suggest that approach.
The ACCC CDR Rules call out the need for a Bank to implement a Joint Account Management Service that will operate independently of the Consumer Data Request Service.
The implication of this is that a Single Use consent will only allow for the sharing of joint accounts that had previously been authorised for sharing by the joint account holders via the Joint Account Management Service.
BTW, this position is now represented in the InfoSec decision proposal 64
If there are no more comments I will close this issue with the acknowledgement that further comments can be provided on DP64.
-JB-
In the ACCC draft rules it is specified that authorisation can be provided by a customer for "Single Use" as opposed to a duration of authorisation.
It is proposed that, for an authorisation that is "Single Use", only an access token will be returned and no refresh token will be returned. As a result, once the access token has expired, no further data retrieval will be possible and the authorisation is effectively also expired.
Does anyone have any concerns with this approach?
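The token-issuance behaviour the proposal describes, as an added illustration that is not code from the Consumer Data Standards or from any participant in this thread: a single-use authorisation yields only a short-lived access token, so the consent lapses when that token expires, while an ongoing authorisation also yields a refresh token. The token lifetime, store layout and function names are constructed for the example and are not values from the standards.

```python
import secrets

# Sharing durations a consumer can authorise. SINGLE_USE is the case the
# issue proposes: no refresh token is minted, so access ends when the
# access token expires.
SINGLE_USE = "single_use"
ONGOING = "ongoing"

# Constructed lifetime for the example; the standards set their own value.
ACCESS_TOKEN_LIFETIME = 300  # seconds


def new_store():
    """In-memory record of issued tokens (constructed for the example)."""
    return {"access": {}, "refresh": {}}


def issue_tokens(store, sharing_duration, now):
    """Build an OAuth 2.0 token response for an authorised consent.

    For a single-use authorisation only the access token is returned.
    For ongoing sharing a refresh token is minted and recorded as well.
    """
    access_token = secrets.token_urlsafe(32)
    store["access"][access_token] = {"expires_at": now + ACCESS_TOKEN_LIFETIME}
    response = {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_LIFETIME,
    }
    if sharing_duration == ONGOING:
        refresh_token = secrets.token_urlsafe(32)
        store["refresh"][refresh_token] = {"sharing_duration": ONGOING}
        response["refresh_token"] = refresh_token
    return response


def authorise_data_request(store, access_token, now):
    """Resource-server check: only a known, unexpired access token is accepted.

    Returns (allowed, reason). Once a single-use access token has expired
    there is no refresh token to fall back on, so the consent is finished.
    """
    record = store["access"].get(access_token)
    if record is None:
        return False, "unknown access token"
    if now >= record["expires_at"]:
        return False, "access token expired; authorisation has lapsed"
    return True, "ok"


def refresh_access(store, refresh_token, now):
    """Token-endpoint refresh grant with rotation.

    A single-use consent never reaches this path because no refresh token
    was issued for it; an unknown or already-rotated token is rejected
    (None here, which an endpoint would map to OAuth's invalid_grant).
    """
    record = store["refresh"].pop(refresh_token, None)
    if record is None:
        return None
    return issue_tokens(store, record["sharing_duration"], now)
```

With this layout the "single use" semantics fall out of the token model itself rather than from a separate expiry flag: the data holder simply has nothing to refresh, and the data recipient learns the authorisation is over when its one access token stops working.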