As concerns over platform domination in all sectors are growing, businesses in Europe have been finding ways to proactively take part in the growing digital market place. Data sovereignty, the idea that data owners have control over their data, is emerging as the new paradigm. GDPR and PSD2 are already a first legal incarnation of data sovereignty. However, the complete infrastructure for citizens and companies to exert  control over their data is lacking. The banking industry could take the lead here by leveraging existing data assets and digital identities to create a new, digital, ‘soft’ infrastructure where consumers, businesses and governments have better control over data.

Recent EBA Open Banking Working Group publications have been exploring practical implications of the data sovereignty paradigm, which means that the right to exploit customer data is not automatically tied or granted to the party (e.g. application owner) that collects and stores this data. Tangible results of this work are the “Triple A model” and a call for a “Digital Consent Infrastructure” for banks and their customers in order to better leverage their own data. In the Triple A model three layers are distinguished: data, accessibility and analytics. In this model, data is put under the active control of the application user. This means that users must enter into an explicit transaction relationship with an application or a third party to allow their data to be used. For this to happen appropriately, users need to give and manage consent on a massive scale.

The banking industry has already become an industry of data. It is only a logical consequence that banks use data as an asset and help customers manage it well. While managing their money (which is held centrally by financial institutions) is easy for customers, managing their data is not. Data management is currently not centralised by financial institutions. While centralisation of data is debatable in terms of resilience and risk, the centralisation of data management, which means giving a customer access to a central and user-friendly consent management facility, is a very persuasive idea. Customers need to have an overview (e.g. dashboard, key locker, wallets) to be able to manage the rights on their distributed data assets.

With users having control of their decentralised data assets, any time data is needed for an application, a typical many-to-many challenge occurs in terms of consent services. In other areas in the financial industry, many-to-many challenges are well known. For example, when customers are using multiple payment cards, it is impossible to predict which payment cards will be used in which payment terminal at which time. Nevertheless, the network should be able to execute the transaction. Similar to GSM or emailing, widespread adoption creates wider reach and thus increases the value of the network. Consent will be the next transaction requiring such a network.

As banks are built upon verifiable trust (e.g. through KYC), there is a new opportunity of re-using assets. The banking industry could offer trusted consent standards and services for use in the “B2B2C” and “B2B2B” context. Operating such standards and services, banks could use and expand their existing digital identity infrastructure. Since GDPR, PSD2 and Open Banking are already driving banks to implement consent standards and services for themselves, the next step is to offer this capability for the wider economy. Quite similar to how Amazon, Google and Microsoft started offering their IT capability to other companies via the cloud, banks could offer their trust capabilities to other segments of the economy as well.