Blog article
See all stories »

Open Banking: Consent is Key

We have learned a lot about how not to do consent from Hollywood and the Fashion industry.  Consent has to be explicit, have a clear affirmative statement and action of intent that cannot be misinterpreted, given clearly, specific and informed.

In May 2018, individuals “are given legal rights over their own data”.  As Open banking is going across millions of current bank accounts, explicit consent needs to be fully integrated into the end-to-end process involving all parties. 

Under regulations explicit consent must specify the particular types of data and the specific purpose for use.  New transparency rules will require notification to all parties in that agreement. Evidential-like infrastructure needs to be put into place with a simple withdrawal mechanism.

Let’s step through the process of Open Banking with explicit consent.

The account holder at Bank A would like 3rd party B to provide a service so:

  •      Account Holder notifies Bank A and 3rd party B
  •      Before Bank A acts on the instructions, asks 3rd party for confirmation  and insures  B’s APIs and security are up to standard
  •      Bank A notifies the Account Holder and any further requests from 3rd party B

This starts the consent process, as 3rd party B is now a trusted 3rd party of Bank A. The account holder can have many 3rd parties with each passing through the above end-to-end on-boarding process.

The account holder can now respond to the offer from Bank B. Here the ease of withdrawal comes into play.

Should account holder of Bank A decline the 3rd party offerings at any time then:

  •       Account Holder informs 3rd party B stop and can ask for data return
  •       Bank A is notified and awaits 3rd party B’s return of data

The above needs to be completely transparent to the Account Holder and the parties in the process. Explicit consent comes with responsibilities that all parties must adhere to. The end-to-end consent process must be robust and capable of being audited. In addition, silence is not consent, so all have to participate and there are penalties for misconduct.

UK Banks have spent £3,500 million a year on misconduct in the form of fines and other charges. The largest contributor has been payment protection insurance (PPI) and this ends in 2019.  The infrastructure established to support billion pound PPI claims business will need to be disbanded or unless further opportunities occur. So Banks have to make certain explicit consent is well managed. 

On the positive side, the account holders, the banks and third parties know what has to be done. The responsibilities of each and every one can be measured. This will result in the banking industry further regaining trust, and being digitally relevant. 

Technology advancements over the last few years have improved our knowledge, perception and understanding of diversity.  The new documentary by Sir David Attenborough, Blue Planet II, shows proof of these advancements. We see spectacular scenes, breath-taking action and a host of fish behaviour for the first time.   Similarly, the latest technological advances in real time and personalised banking allows explicit consent at scale. That is each client is the centre of attention and can see who is doing what and how their data is managed.

Open Banking raison d’etre is consent par excellence.

 

  

 

9311

Comments: (15)

Mark Santall
Mark Santall - Open Banking Limited - London 06 November, 2017, 13:051 like 1 like

To help ensure that the work being undertaken by the Open Banking Implementation Entity for the Competitions and Market Authority, in delivering the remedies defined within its Retail Banking Market Investigation Order.

The OBIE has released guidelines on Consent in line with the Open Banking Standards.

These guidelines are accessible via the Open Banking website: https://www.openbanking.org.uk/read-write-apis/ 

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 November, 2017, 16:35Be the first to give this comment the thumbs up 0 likes

PFMs like MINT have had the online banking credentials of millions of people. Since they've been having this info for nearly a decade without any charges of hacking, I presume they have the requisite consent from those people to access their banking information.

Do they need to get any more consent from those people in the context of Open Banking?

A Finextra member
A Finextra member 06 November, 2017, 16:531 like 1 like

They do for sure - if theyu're screen scraping then they have access to everything the customer has (loans, cards, mortgages, etc).  The whole point of a great consent model is that you only allow a third party to have access to the data you want them to have access to - not everything!

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 November, 2017, 18:11Be the first to give this comment the thumbs up 0 likes

I get what's the whole point of a great consent model but my question is, how relevant is it to MINT - when it has already got what would seem the mother of all consent from those millions of customers who have willingly handed over their online banking creds to MINT.

A Finextra member
A Finextra member 07 November, 2017, 03:121 like 1 like

Mark - many thanks for guidelines report. When GDPR arrives in May 2018 the 'Revocation of Consent' will need to include the request for the return of data given to the TPP. Given the large fines that could be imposed, 4% Global Turnover, the banks need to show and prove compliance.

A Finextra member
A Finextra member 07 November, 2017, 03:271 like 1 like

Ketharaman - the Finextra member is correct. Like the banks, who too have millions of customers, PFMs will have to make certain they are compliant with that individual's 'right to privacy' under the new laws.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 07 November, 2017, 10:24Be the first to give this comment the thumbs up 0 likes

@JohnBertrand:

Actually, many startups have become successful by deftly sidestepping regulation, as I'd highlighted in my blog posts Fintechs Need Marketers And Lobbyists – Not Lawyers and Fintechs Need Guts More Than Lawyers!. I'm sure MINT will one of the fintechs that shows that Innovative Fintechs Don’t Need No PSD2 Regulation. I predict it will claim that it has the mother of all consents because it has the online banking credentials of its millions of customers. Ergo, IMO, value proposition is more key than consent or anything else. But only time will tell.

For the moment, assuming that consent is key, let me move on to another topic, namely, the ownership and language of the consent.

As we've seen in the case of Overdraft Protection (see my blog post Overdraft Protection - Another Hot Opportunity For BPOs?), I tend to believe that the exact language is what will eventually differentiate a granular consent from a carte blanche.

I can think of at least three alternative languages: 

(A) I consent to PFM accessing all data in tables CUST_TRXN, CUST_MORTGAGE, but not in tables CUST_LOAN_TRXN and CUST_CREDITCARD_TRXN

(B) I consent to PFM accessing all data related to current account and mortgages but not loans and credit cards

(C) I consent to PFM accessing all data it requires to give me tips to maximize my yield but not to switch banks.

As you can see, the language shifts from technical to feature to benefit.

Any idea whether PSD2/Open Banking regulation has (1) defined who is responsible for obtaining the consent (between the Bank that holds the data and the PFM that seeks access to the data) and (2) frozen the content language (between technical or feature or benefit)?

A Finextra member
A Finextra member 07 November, 2017, 10:26Be the first to give this comment the thumbs up 0 likes

In Europe at least, the PSD2 RTS is likely to ban screen scraping so the likes of MINT and others will need to comply or they will be illegal

Mark Santall
Mark Santall - Open Banking Limited - London 07 November, 2017, 10:561 like 1 like

Ketharaman, neither PSD2 or the UK's Open Banking Order state how consent needs to be worded to a PSU, whilst GDPR states that it needs to be explicit.

At the OBIE we have recognised this challenge and have undertaken research into what are the most appropriate descriptions that are easily understood by PSU's, aligned to the technical capabilities that our API standards support (which the 9 largest Retail Banks in the Uk are delivering against).

From this we have created our consent guidelines, that whilst are not mandatory to any user (be it TPP or ASPSP) can be used to help drive a level of familiarity to PSU's by all the players in the Open Banking ecosystem, which we hope will, in turn drive customer trust and increased adoption.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 07 November, 2017, 10:57Be the first to give this comment the thumbs up 0 likes

Not so soon @FinextraMember. Handing over online banking creds to a third party has violated the TOS of every bank in the world I know and still the likes of MINT have gotten millions of people to do it for over a decade and made merry as a result. How many banks / regulators have declared MINT illegal during this period?

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 07 November, 2017, 11:01Be the first to give this comment the thumbs up 0 likes

@MarkSantall:

TY for the clarification. While on the subject of increased adoption, I've shared my thoughts here.

A Finextra member
A Finextra member 08 November, 2017, 05:371 like 1 like

Agree with Finextra Member on compliance to the new privacy laws and not sidestepping them. OBIE is doing an excellent job around this whole area and supports consent has to be explicit. Going forward banks, et al, have to change behaviour and show and prove compliance to the new laws...I feel another blog coming on

Kenneth Marritt
Blog group founder
Kenneth Marritt - Mere Digital - Daresbury, United Kingdom 25 November, 2017, 08:58Be the first to give this comment the thumbs up 0 likes

Great article John and I agree consent is critical. However, as Ketharaman has highlighted, there are some that will take liberties with the regulations and therefore policing and enforcement are arguably even more critical. It will be interesting to watch how things play out over time.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 19 January, 2018, 11:43Be the first to give this comment the thumbs up 0 likes

Blockchain is just the solution for consent. Not just of the nature handled by LegalFlings app 😉 but also for the consent involved in sharing of banking data with third parties under Open Banking.

A Finextra member
A Finextra member 19 January, 2018, 11:57Be the first to give this comment the thumbs up 0 likes

Ketharaman - agree Blockchain is a good solution for consent as all parties in the loop can see what happened.

Retired Member

Member since

19 Mar 2009

Location

Blog posts

5,372

Comments

5,784

More from Retired

This post is from a series of posts in the group:

Open Banking

Open Banking regulation, innovation and technology and it's potential to revolutionise the Financial Services Industry.


See all