Built by the community
Navigation
Metrics
Program
Service DeskPricingPoliciesDocument RepositoryLive Ecosystem
Developer Docs
TPP — Open Finance StandardsLFI — Integration GuideAPI SpecsKnowledge BaseRelease Notes & Erratas
NewsGitHub
Validate · Enforce · Trust

CMI — Bank Data Sharing Requirements v2.15 min read

The tables below define the display, labelling, and behavioural requirements for the Bank Data Sharing consents in the LFI Consent Management Interface (CMI). See the User Experience page for interactive wireframes of the dashboard and detail pages.

The LFI CMI shares the same structure and consent-type logic as the TPP CMI for Bank Data Sharing, with the differences noted below. Adjustments to the requirements below are permitted provided the customer can always clearly understand what consents they have granted. Any adjustments must be documented in your CX certification submission.

01 Section

Dashboard — tabs

Paused is not a valid status in the LFI CMI. It is a TPP-local concept that is not reflected in the API Hub.

The dashboard must present Bank Data Sharing consents across two tabs.

#
Rule
1
The Current tab must display all consents whose status is AwaitingAuthorization, Authorized, or Suspended.
2
The History tab must display all consents whose status is Rejected, Expired, or Revoked.
02 Section

Dashboard — filters

A filter panel must be available on the dashboard. The following three filters are required:

Filter
Options
TPP Name
Dynamically populated from the TPPs present in the customer's connections
Consent Type
Dynamically populated from the types present in the current tab
Consent State
Dynamically populated from the statuses present in the current tab
03 Section

Status labels

Consent statuses must be translated from their API values into user-friendly labels before display.

API status
Displayed label
Authorized
Active
AwaitingAuthorization
Pending
Revoked
Cancelled
Suspended
Suspended
Expired
Expired
Rejected
Rejected
04 Section

Consent type labels

Internal type
Displayed label
Data Sharing
Data Sharing
05 Section

Dashboard — card content

Each Bank Data Sharing consent card on the dashboard must show the following fields.

Field
Content
TPP name
Name of the TPP the consent was granted to
Status badge
Mapped label from Status labels
Account count
Number of connected accounts, e.g. 1 Account Connected or 2 Accounts Connected
Consent Type
Data Sharing
Last data received
Date the most recent data was retrieved under this consent
Connection expires
Date the consent expires
06 Section

Detail page

Selecting a consent on the dashboard opens its detail page. The detail page presents the same information the customer saw at the time they gave consent — the permissions, accounts, and conditions that defined what they agreed to. In addition to all fields shown on the dashboard card, the detail page must show a truncated Consent ID with a copy button (format: f47ac10b...d479).

Additional sections

Section
Content
Accounts
List of all accounts the customer has connected under this consent, each showing account type name and full IBAN
Data permissions
Expandable list of data categories the consent covers, derived from the consent's Permissions field

Detail page — List of Updates

customer isolation risk
When a consent is created it contains no customer information — the customer identity is only added later when the LFI patches in the customer ID. This means there is no inherent guarantee that two consents sharing the same BaseConsentId belong to the same customer. Unless the LFI explicitly validates this, there is a risk that the List of Updates exposes one customer to consents belonging to a different customer. LFIs must ensure that only consents belonging to the same customer are returned when resolving related consents by BaseConsentId.

When a consent carries a BaseConsentId, a List of Updates link must be shown on the detail page. Clicking this link navigates to a dedicated view that displays all consents related to the current consent through the same BaseConsentId. A consent is included in the list if:

  • its BaseConsentId matches the current consent's BaseConsentId, or
  • its ConsentId matches the current consent's BaseConsentId
The current consent must not appear in its own list of updates.

Each related consent card

Each related consent must be displayed in the same visual format as the dashboard connection list, with the following differences:

Field
Content
Title (bold)
Date the consent was last updated
Subtitle (italic)
TPP name
Consent Type
Type label from Consent type labels
Last data received
Date the most recent data was retrieved
Connection expires
Consent expiration date

Each card must include a chevron and hover interaction matching the dashboard, and clicking a card must navigate to the detail page for that consent. No status badge is shown on the update cards.

07 Section

Detail page — action buttons

The LFI CMI does not include Pause or Reactivate buttons. These are TPP-only concepts.
Button
Label
Shown when
Revoke
Stop Sharing
Status is AwaitingAuthorization, Authorized, or Suspended

No action buttons are shown when status is Expired, Rejected, or Revoked.

08 Section

Confirmation screen

When the customer selects Revoke, replace the detail view with a single confirmation screen that includes: a title, a description of the impact of the action on the service, a Confirm button, and a Go back button.

Revoke
Title
Stop sharing
Confirm button
Confirm stop sharing

Once a customer confirms the action, the change must take effect immediately — there must be no delay between confirmation and the consent reflecting its new state. The LFI must update the consent status via the Consent Manager API.