
12. 07. 2017

User consent: At the heart of open banking

Customers will have the power to control their data through user consent. Are banks ready? And, honestly, is anyone?

Customers’ consent to using their data has quickly gone from a hot topic to the single most important one, and banks can no longer avoid addressing it. The reason: financial institutions collect more and more information on clients and share it with third-party developers thanks to open banking, a data-driven innovation reshaping customer experience.

Compliance with new rules is also a tough issue. The EU’s Second Payment Services Directive (PSD2) will regulate a load of different aspects of using personal data. And let’s not forget about the General Data Protection Regulation (GDPR). It is another EU law that will take effect in 2018 and will require institutions collecting and sharing customer data to get “freely given” and “informed” consent from their customers.

What does user consent mean for banks?

Data consent and protection have been the elephant in the room for many financial institutions. Mostly because they have traditionally viewed the protection of client data as a responsibility, rather than an asset to be commercialized, says McKinsey. But new rules will soon make this gatekeeper role a thing of the past and allow clients to directly authorize sharing their data. And if data sharing is done well, it can actually increase data security through identity validation and fraud detection.

Banks still have a lot to cover, though, Capgemini says:

  • Find tools to integrate data protection requirements in existing systems;
  • Ensure strong lines of defense for data confidentiality;
  • Revisit end-user controls and internal reporting, taking in-flight programs into account;
  • Make sure that data collection is justified.

Education to the rescue

Of course, one could say that customers who give user consent have already set the agenda for services they want to open to third parties. But different data categories involve different security levels. And it’s not always 100% sure that clients fully understand the implications of consenting. This is very important to keep in mind, especially because many clients often click on the “I Agree” button without actually reading a word of the terms and conditions.

Educating and empowering clients without confusing or scaring them may be a delicate task for this sector. Consumers do not necessarily see certain data as having the same value and sensitivity as banks or regulators do. Also, many questions remain about the duty to redact or delete sensitive data after a certain amount of time. It’s understandable that these issues make banks worried, as the smallest misstep could negatively affect their brand.

If clients have a change of heart

Customers see banks as highly secure organizations and financial institutions should use this trust to educate clients on data sharing, according to information services firm Experian. Clients, of course, must also be given the option to change their minds. A handy solution can be a dashboard where customers can manage their consent whenever and however they want.

Another tool banks may consider is pinning data from multiple sources to a single profile to get a single view of their customers. They can also use digital identities to improve identity management and fend off fraud. The Open Banking Register, a central register in the UK, can also take a load off: it ensures that data is only shared with organizations accredited with the Financial Conduct Authority (FCA).

User consent: give us the tools

Let’s have a look at the solutions that might come in handy when dealing with the issue of customer consent. The OAuth 2.0 authorization standard, for example, enables users to consent to an application acting on their behalf without sharing their personal data with the app. It’s often used to connect third-party apps to Google Drive accounts without the app needing to know the user’s Google credentials.

Some of the recently launched banks, like Monzo and Starling Bank, have already put this tool to use to authorize access to specific account functions, such as reading bank statements or even making transactions, Information Age reports. Another solution, OpenID Connect (OIDC), is an identity layer on top of the OAuth 2.0 protocol. It’s typically used for federated authentication (for example, logging in with a Google account). It also offers a variety of standardized security tuning features and a consent mechanism when making dynamic payments. The Open Banking Work Group in the UK swears by the use of OIDC when it comes to open banking, so any bank, third party or retailer entering the ecosystem must be OIDC-enabled.
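To make the scoped, revocable consent described above concrete, here is an added example (not code from this article or from any bank) of the check a bank's API could run before serving a third-party request. The class, method and scope names are hypothetical, and the token is a simple opaque string rather than a full OAuth 2.0 implementation.

```python
import secrets
import time
from dataclasses import dataclass

# Scope names are constructed for this example, modelled on the two account
# functions the article mentions: reading statements and making transactions.
READ_STATEMENTS = "statements:read"
MAKE_PAYMENTS = "payments:write"

@dataclass
class Consent:
    customer: str
    client_id: str        # the third-party app; it never sees the bank password
    scopes: frozenset
    expires_at: float
    revoked: bool = False

class ConsentRegistry:
    """Hypothetical bank-side store linking access tokens to consent records."""

    def __init__(self):
        self._by_token = {}

    def grant(self, customer, client_id, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque, unguessable bearer token
        self._by_token[token] = Consent(
            customer, client_id, frozenset(scopes), now + ttl_seconds)
        return token

    def revoke_all(self, customer, client_id):
        """What a consent dashboard's 'withdraw' action would call."""
        count = 0
        for c in self._by_token.values():
            if (c.customer, c.client_id) == (customer, client_id) and not c.revoked:
                c.revoked = True
                count += 1
        return count

    def authorize(self, token, required_scope, now=None):
        """Resource-server check before each API call; denies by default."""
        now = time.time() if now is None else now
        c = self._by_token.get(token)
        if c is None:
            return False, "unknown_token"
        if c.revoked:
            return False, "consent_withdrawn"
        if now >= c.expires_at:
            return False, "consent_expired"
        if required_scope not in c.scopes:
            return False, "insufficient_scope"
        return True, "ok"
```

Because the check runs on every request, a withdrawal from the dashboard takes effect immediately instead of waiting for the token to expire.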

For more on open banking APIs, download W.UP’s white paper The Ultimate Guide To Digital Banking Tools and Strategies.
