Prudential

Our high-level view

We found it extremely easy to access Prudential's adviser site as no registration is required. With only a couple of clicks you can be taking advantage of the site's functionality and accessing your client data.

Criteria & Results

No. | Criterion | Guidance Note | Specific Comments
1. A user can register on the extranet using their Unipass without the need to register for a password/PIN beforehand.
Specific comments: Not applicable - Prudential does not issue usernames and passwords.
2. No user data already available from the certificate should need to be re-keyed.
  • It is permissible to present this information to the user and allow them to edit it so long as it is clear that such a step is optional and does not detract from the process of completing any mandatory data items.
Specific comments: No data entry required. Branch postcode is presented for optional amendment by the user.
3. The registration process must be paper free.
Specific comments: No paper process is involved in Unipass registration.
4. Unipass organisation and individual identifiers should be used as the keys to identity, and user access must persist without re-registering whenever a new certificate is issued in which these keys persist.
  • Background processes which capture and store changed data are permissible so long as the user experience is not interrupted.
Specific comments: Logged in successfully with a Unipass containing altered branch postcode but same identifiers – no re-registration required.

Note: for successful access to client data the branch postcode contained in the Unipass (or as overtyped by the user) and the firm’s FSA Reference Number contained in the Unipass must match the postcode and FSA Reference Number held in the Prudential Agency database under the Prudential agency number supplied.
5. Where the user has a pre-existing password/PIN and this will continue to be accepted for authentication, access using Unipass must not be suspended when the password/PIN is not refreshed in line with security policy.
  • There may, and probably should be, a separate password reset process, but this is not covered by this scheme.
Specific comments: Not applicable - Prudential does not issue usernames and passwords.
6. On presentation of a valid intermediary certificate and completion of supplementary data (including correct agency data), access to new business and quotations must be immediate, access to client data must follow within 1 working day, and confirmation should be provided to the user that such access has been granted.
  • Where an intermediary firm or network is allowed to opt out of the standard registration process, this will not be within scope – see exclusions above.
  • Access must be granted within the appropriate timescales in all cases other than the exceptions noted immediately above.
  • “Immediate” access means within 10 minutes.
  • Confirmation can be given either explicitly or implicitly.
  • N.B. only the access described is in scope (e.g. commission systems are out of scope).
Specific comments: Access to NB and quotations was immediate. In view of data protection considerations, Prudential’s assertion was accepted that access to client data would have been immediate if a valid agency number had been provided.
7. User data entry should be limited to 4 items.
  • Marketing opt-in/opt-out, tick boxes for T&Cs, and navigation buttons do not count towards the total of data items entered.
  • Multiple instances of a data item (e.g. agency) or split elements of a data item will count as one item.

Specific comments: User data entry consists of:

  • (optional) select title (Mr, Mrs, etc.) from drop down list
  • agency number (up to 4 may be entered)
  • (optional) branch postcode may be amended
8. For new accounts, if userID and password/PIN are to be explicitly created, this should not prevent access to client data by means of using Unipass.
  • A userID and password/PIN may be created, and may or may not be displayed to the user, but access to client data via Unipass must not be delayed pending completion of an offline process relating to the provision of the userID, e.g. while a password is sent to the user by whitemail.
Specific comments: Not applicable - Prudential does not issue usernames and passwords.
9. User messages must be clear and provide relevant status information (e.g. “Your Unipass has been revoked”, not “There’s a problem with your Unipass”).
  • A full list/table of error messages must be provided during the audit.
Specific comments: Error messages encountered were judged satisfactory.
10. The “landing point” on secure services within the provider site should be able to determine whether a Unipass has already been properly associated with a user account, and initiate log-in where this is the case. Where no such association pre-exists, the registration form should be presented.
  • The landing point is the page to which the user is directed to log in with Unipass whether via a URL from the Unipass website or from a non-secured area of the provider’s website, e.g. the provider may opt to have the user directed from the Unipass to a public area of their extranet, where brochures and other non secured information and / or services are provided.
  • It is acceptable to have alternative hyperlinks from the public area of the extranet for Unipass access on the one hand and username / password access on the other.
  • It is not acceptable to have separate pages for Unipass login and initial registration with Unipass.
Specific comments: Not applicable – Prudential does not have a registration process as such. The agency number used in each session is stored in a cookie and is presented as the default agency number at the start of the next session.