Once a PSU has confirmed their ability to perform open banking and selected their bank, the PSU has 300 seconds to authorize with the bank in another window, navigate to the open banking section, select accounts, read and understand the permissions they are going to consent to and then accept.
(see attached image)
From our telematics we can see that this process takes longer than 5 minutes for a significant cohort of users, even for users of the most frictionless ASPSPs that do not yet have SCA components - we expect this timeline to only increase as brands align to PSD2.
A session expiry of 5 minutes does not, in our opinion, allow adequate time for a consumer to complete this process - while our concerns about usability are well known, I would in particular state that such an aggressive timeline does not give adequate time for a PSU to investigate and consider the permissions they are consenting to, and opens up the ecosystem to the risk of reputational or legal damages in cases where there might be disputes over consent.
We would also make the point that the use of "crosshairs" for the design of this timer appears in our testing to apply immediate pressure on a PSU to "rush", and is a visual design we'd call "user hostile" - this should be reworked to provide the information without the aggressive symbolism implied by "crosshairs".
Critical. Credit Kudos takes the position that we cannot go live with an integration that does not give users ample time to complete the process, and we have sufficient evidence on our side to suggest that many users would be impacted by the current time constraints. We also feel this may be construed as an "obstacle to the provision of [services]" under RTS Article 32(3).
Revise this session length. Either factor in user activity or raise to something at or in excess of 15 minutes.