openbankingspace / tpp-issues


Barclays - PSUs can disable “Data Sharing” which renders Open Banking unavailable #49

Open tobypinder opened 6 years ago

tobypinder commented 6 years ago

PSUs can disable "Data Sharing" which renders Open Banking unavailable

Barclays allow PSUs to disable "Data Sharing" from their traditional online channels. This is available in the "Permission Control Centre" on Web and Mobile platforms.

[image: data_sharing_disable_toggle]

After this option is toggled, when a PSU consents to a TPP and authenticates to the ASPSP after redirection, they are presented with the account selection screen as normal. However, the ability to consent for individual accounts is disabled - see the comparison image below.

[image: data_sharing_disable_psu_select]

The select box is disabled (Grey) for PSUs that have this option enabled, and PSUs would be unable to connect with AISP services.

The PSD2 Regulatory Technical Standards Article 32(3) makes clear that (emphasis added)

Account servicing payment service providers that have put in place a dedicated interface shall ensure that this interface does not create obstacles to the provision of payment initiation and account information services. Such obstacles, may include, among others, preventing the use by payment service providers referred to in Article 30(1) of the credentials issued by account servicing payment service providers to their customers, imposing redirection to the account servicing payment service provider's authentication or other functions, requiring additional authorisations and registrations in addition to those provided for in Articles 11, 14 and 15 of Directive 2015/2366, or requiring additional checks of the consent given by payment service users to providers of payment initiation and account information services.

While this toggle is disabled by default, PSUs may opt-out prior to understanding or wanting access to a TPP's services. In this case, they would not be able to access the services provided by a TPP. The Open Banking specification provides robust and granular consent control. This additional system does not benefit consumers but instead introduces a hurdle that exists outside of a PSU's interaction with a TPP, requiring them to abort a process, make changes to this setting using an online channel, then retry the consent. It is also not clear to the PSU on the select account page why access to account selection has been disabled - there exists only general advice and a link to the "Permission Control Centre". PSUs are expected to infer that there is a remedial action they can take elsewhere, instead of trying to "select" using a disabled checkbox.

This feature is especially puzzling as the "lockout" is performed client-side. A PSU is able to navigate past this with some rudimentary DOM manipulation skills (such as using "Inspect Element" in their browser) and still gain access to account information services. Based on this we conclude:

Remediation

Barclays should remove this feature as soon as is practical and ensure all PSUs can access Open Banking Services without arbitrarily introduced sources of friction. Failing this, Barclays should provide immediate justification for how these design decisions fit into the current and foreseeable regulatory frameworks (PSD2 etc.).

tobypinder commented 6 years ago

Barclays response:

Barclays has discussed our design at an industry level and we’re committed to ensuring our customers have the ability to manage their consents themselves.

jh-a commented 6 years ago

As one of the very few Barclays customers who regularly goes through authentication in this context, my direct feedback is that this function adds absolutely nothing other than an irritating impediment. I can manage consents easily enough without this - it adds nothing to this.

tobypinder commented 5 years ago

Barclays Response:

Incident discussed, Barclays position will remain unchanged at present

jh-a commented 5 years ago

In view of the response to the question relating to this, it is questionable whether the inclusion of this functionality can be seen as compliant.

Of particular note is the wording

As for the question whether ASPSPs could offer the PSU the possibility to generally "opt-out" being able to use the services of bank-independent TPP, such a general "opt-out" would undermine the very aim of PSD2 to create a level playing field between all market players offering these services, and specifically be in breach with the obligations of the ASPSPs under Article 66 and 67 and Article 68(5) of PSD2.

ghost commented 4 years ago

OTOH I really appreciate Barclays allow me to be in control of what I share.

Hopefully Barclays won't need to comply and won't be forced to make my account insecure, thanks to Brexit.