The definition of "Single Use"

[JamesMBligh]

In the ACCC draft rules it is specified that authorisation can be provided by a customer for "Single Use" as opposed to a duration of authorisation.

It is proposed that, for an authorisation that is "Single Use", only an access token will be returned and no refresh token will be returned. As a result, once the access token as expired, no further data retrieval will be possible and the authorisation is effectively also expired.

Does anyone have any concerns with this approach?

[NationalAustraliaBank]

NAB is supportive of this approach

[WestpacOpenBanking]

We support this approach, but note that customers are likely to experience token lifetime with joint consents unless access tokens are not granted until both parties authorise the accounts in a consent. We therefore suggest that approach.

[JamesMBligh]

The ACCC CDR Rules calls out that the need for a Bank to implement a Joint Account Management Service that will operate independently of the Consumer Data Request Service.

The implication of this is that a Single Use consent will only allow for the sharing of joint accounts that had previously be authorised for sharing by the joint account holders via the Joint Account Management Service.

[JamesMBligh]

BTW, this position is now represented in the InfoSec decision proposal 64

If there are no more comments I will close this issue with the acknowledgement that further comments can be provided on DP64.

-JB-