|Purpose||To clarify if the identifier used an FIP to authenticate and authorise account linking has to be the same as the identifier used by the FIP for discovery|
|Description||Discovery of an account, at an FIP, has to be on the basis of at least one STRONG identifier (mobile, email) AND one or more additional identifiers (DOB, PAN, etc.).
Account linking has to be authorised by an FIP on the basis of the account owner getting authenticated through an identifier that the FIP’s records have. Currently, the authentication is through a single-factor.
For all practical purposes, an identifier used for enabling a discovery call will be the same as that used to authenticate and authorise a linking request.
However, strictly speaking, it is not necessary for these to be the same. It is possible, e.g. for a discovery call to happen via an email ID seeded in the FIP’s records while linking may be authorised via a mobile number seeded in the FIP’s records.
Further, if and when multi-factor authentication becomes necessary for authorising linking, additional identifiers will be sought during linking but not during discovery.
|Purpose||To clarify if de-linking of an account also needs the FIP’s authorization|
|Description||No authentication and authorization is needed to be performed by the FIP, when it receives a “Delink” instruction from the citizen via the citizen’s AA.|
|Purpose||To clarify if linking of accounts can be authorised by an FIP if the account status is NOT active|
|Description||If the status of an account is NOT active (i.e. it is either dormant or suspended or closed, e.g.), it is in the interest of the citizen for additional services (such as the sharing of account information) to NOT be authorised by the FIP. Hence, linking of such an account should not be authorised.
This needs to be discussed with FIPs once.
|Purpose||To clarify if a citizen can de-link his/her account with an AA, via the FIP instead of doing this on the AA client interface|
|Description||A citizen should be able to instruct that his/her account be de-linked, through a channel offered by the FIP.
In addition, if the customer’s account with the FIP is CLOSED, the FIP may use the same channel to inform the AA. The AA is then expected to take appropriate action towards removing the linkage of the account with the AA profile.
The tech rails for this have to be discussed between FIPs and AAs.