Open Banking: Consent Is Key

John Bertrand

We have learned a lot about how not to do consent from Hollywood and the fashion industry. Consent has to be explicit: a clear affirmative statement, an action of intent that cannot be misinterpreted, clearly given, specific, and informed.

In May 2018, through the UK Open Banking initiative, individuals will be “given legal rights over their own data.” As Open Banking is going to exist across millions of current bank accounts, explicit consent must be fully integrated into the end-to-end process involving all parties.

Under the Open Banking regulations, explicit consent must specify the particular types of data and the specific purpose for use. New transparency rules will require notification to all parties in that agreement. Infrastructure that produces evidence of consent needs to be put in place, together with a simple withdrawal mechanism.

Let’s step through the process of Open Banking with explicit consent.

An account holder at Bank A would like third-party B to provide a service, so:

  • Account holder notifies Bank A and third-party B
  • Before Bank A acts on the instructions, it asks third-party B for confirmation, and ensures B’s APIs and security are up to standard
  • Bank A notifies the account holder about any further requests from third-party B

This starts the consent process, as party B is now a trusted third party of Bank A. The account holder can have many third parties after each passes through the above end-to-end onboarding process.

The account holder can now respond to the offer from third-party B, as well as easily withdraw their participation in the offer.

Should the account holder decline the third party’s offerings at any time:

  • Account holder informs third-party B to stop and can ask for their data to be returned
  • Bank A is notified and awaits third-party B’s return of the account holder’s data

This all must be completely transparent to the account holder and the other parties in the process. Explicit consent comes with responsibilities that all parties must adhere to. The end-to-end consent process must be robust and capable of being audited. In addition, silence is not consent, so all must participate and there are penalties for misconduct.
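The onboarding, offer, consent, access and withdrawal steps above, modelled as a small bank-side consent ledger. This is an added illustration, not code from the Open Banking initiative or from Finextra; the class names, the "I agree" affirmative statement and the data-type and purpose labels are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Consent:
    holder: str
    third_party: str
    data_types: frozenset  # the particular types of data the consent covers
    purpose: str           # the specific purpose the data may be used for
    status: str = "pending"  # pending -> active -> withdrawn; "pending" grants nothing
    events: list = field(default_factory=list)  # audit trail, visible to all parties
    def log(self, event):
        self.events.append((datetime.now(timezone.utc).isoformat(), event))

class ConsentLedger:
    # Bank A's record of onboarded third parties and explicit consents (assumed design)
    def __init__(self):
        self.trusted = set()  # third parties that passed Bank A's API/security review
        self.consents = {}
    def onboard(self, third_party, confirmed, security_ok):
        # Bank A asks B to confirm and checks its APIs/security before acting on anything
        if confirmed and security_ok:
            self.trusted.add(third_party)
        return third_party in self.trusted
    def offer(self, holder, third_party, data_types, purpose):
        if third_party not in self.trusted:  # an un-onboarded party cannot make offers
            raise PermissionError(f"{third_party} has not completed onboarding")
        c = Consent(holder, third_party, frozenset(data_types), purpose)
        c.log(f"offer: {sorted(data_types)} for '{purpose}'")
        self.consents[(holder, third_party)] = c
        return c
    def grant(self, holder, third_party, statement):
        c = self.consents[(holder, third_party)]
        if statement.strip().lower() != "i agree":  # silence or ambiguity is not consent
            c.log("no clear affirmative statement; consent not given")
            return False
        c.status = "active"
        c.log("explicit consent given by account holder")
        return True
    def may_access(self, holder, third_party, data_type, purpose):
        # Access is allowed only for the consented data type and the consented purpose
        c = self.consents.get((holder, third_party))
        ok = bool(c) and c.status == "active" and data_type in c.data_types and purpose == c.purpose
        if c:
            c.log(f"access to {data_type} for '{purpose}': {'allowed' if ok else 'denied'}")
        return ok
    def withdraw(self, holder, third_party):
        c = self.consents[(holder, third_party)]
        c.status = "withdrawn"
        c.log("withdrawn by account holder; Bank A awaits return of data from third party")
        return c.status
```

Every decision is appended to the consent's event list, so the record can be audited by the account holder, the bank and the third party alike.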

UK banks have spent £3.5 million a year on misconduct in the form of fines and other charges. The largest contributor has been payment protection insurance (PPI), which will end in 2019. The infrastructure established to support PPI claim businesses will need to be disbanded, unless further opportunities occur. So banks have to make certain explicit consent is well managed.

On the positive side, the account holders, the banks, and the third parties know what has to be done. The responsibilities of each one can be measured. This will result in the banking industry further regaining trust and being digitally relevant.

Open Banking’s raison d’être is consent par excellence. The latest technological advances in real-time and personalized banking allow explicit consent at scale, making each client the center of attention, able to see who is doing what and how their data is managed at all times.

Learn more about why data security should be among your highest priorities; read The Future of Cybersecurity: Trust as Competitive Advantage.

This blog originally appeared on Finextra.