This page describes the design requirements for the consent collection screen, which customers using the API-only flow with Token’s license must adhere to.
For customers using Token.io's payment service with Token.io's license, the PIS consent collection screen for users should contain:
- the payment amount
- the currency
- the beneficiary account name
- the payment reference
- wording indicating a 'secure' transaction or transfer
- consent text including the Terms

| You can use Token.io's payment service to make a secure payment directly from your bank account to the benefit of the [TPP name]. The terms governing your use of Token.io's service can be found at Terms & Conditions. |
|---|
| You can use Token's payment service to make a secure payment directly from your bank account to the benefit of the [TPP name]. We will ask your bank to share your account details. We will only use these details when necessary such as processing a refund request. The terms governing your use of Token's service can be found at Terms & Conditions. |
|---|
Customers sending PIS requests with the returnRefundAccount=true attribute must comply with specific legal requirements:
- GDPR and PSD2 consent are two separate items and need to be treated separately.
- For GDPR, Token is not the data controller, only a data processor. The TPP is the data controller.
- For PSD2 consent, the consent language will be amended slightly to accommodate multiple use cases, as opposed to calling out refunds only.
- The data controller controls what the data can be used for.

For customers using Token.io's payment service with Token's license, the AIS consent collection screen for users should contain:
- access permissions
  - transactions
  - account data
  - balance
  - standing orders
- wording mentioning consent
- mention of the regulated party
- mention of the client's name
- the date up until when the data will be accessible
- consent text including the Terms

| Token will access the above information from your selected accounts until [date] and will provide this information to you and [TPP name] who will use the same in fulfilment of its services to you. The terms governing your use of Token’s service can be found at Terms & Conditions. |
|---|
The Terms & Conditions to be used will depend on whether you have an outsourcing agreement in place or you are registered as an agent of Token.
| Token’s license… | Consent | Terms and conditions |
|---|---|---|
| … + Hosted Pages | Token’s consent (Hosted Pages) | Token’s Terms & Conditions (Hosted Pages) |
| … + Client UX with consent outsourcing | Token’s consent | Token’s Terms & Conditions |
| … + client registered as an agent of Token | Client’s consent referencing Token | Client’s Terms & Conditions, but these must align with Token’s and must include details of how to contact Token as the principal regulated party. |
Token's Terms & Conditions can be found on the Token.io website.
Agents of Token are TPPs using Token's license with Partner Permissions.
Consent language
Clients need to mention that they are an Agent of Token, which is regulated by the FCA (registration no. 795904). They must show unambiguous consent text with a link to the Terms & Conditions, and present these to the user.
Terms & Conditions
The client’s own Terms & Conditions must align with Token’s and must include details of how to contact Token as the principal regulated party.
Alternatively, Token’s Terms & Conditions can be used (this is not mandatory).