Data privacy in Open Banking

image

Data privacy and consent are the quintessential components of customer experience when engaging with a business and yet consumer Personally Identifiable Information (PII) is rarely treated in accordance with established privacy regulations. Consumer data is critical to businesses for understanding how consumers behave, identifying the ways the business can improve and for offering new services to the marketplace. With PII data collected by companies increasing, regulators have introduced laws such as GDPR and CCPA to protect how this sensitive privacy data is collected and/or shared with businesses.

Governments worldwide have introduced the use of consent, to govern the terms by which consumers grant access to their data. This guarantees that access to data is always consciously granted by the consumer with limitations based on time, specificity and usage patterns. Consent of individual data elements provides consumers genuine choice and control over how their data is used, accessed, acquired and shared with other businesses. For organizations collecting consumer data, this means they must leverage technology that will seamlessly integrate with existing platforms to capture and store user consent and comply with privacy regulations.

However, this is particularly difficult in B2B environments such as Open Banking, Open Finance and the Open Economy. Examples include a retailer offering short-term financing for people buying goods, or a budgeting app that correlates banking transactions to help consumers budget and understand if a purchase is frivolous. The financial part of the transaction - from budgeting to loan approval - has been embedded into the retailer or the budgeting experience. However, to complete the transaction, significant amounts of PII may be required, such as SSN for credit checks; bank account numbers; or access to transactional data. How can the retailer or fintech app request and share this sensitive PII with a third-party financial service? User consent at an object-level of data privacy control is at the heart of the transaction and is often mandated to create zero-trust in this seamless and safe experience for customers.

This innovation for securely exchanging data with partners and customers is happening in the Open Banking ecosystem. In Open Banking, a bank acts as the data holder with APIs that allow information to be shared with other financial service applications. In these implementations, strict zero-trust API security controls are required where every transaction must be authorized, audited and consented to by the consumer. This requires tracking and consent of individual data elements by the consumer to the bank, which are then passed to, and managed by, third parties that use the consumer's data. This consent must be proven for every transaction and can be revoked at any time by the end customer.

How we enable consent controls

Our platform lets data custodians control sharing, while give sharing control to their customers and partners who are the ultimate data owners. We employ a mix of modern OAuth/OIDC server, policy engines and distributed authorizers to provide the authorization and consent granularity that modern business, applications, and partner ecosystems require.

In order to meet both security and regulatory requirements - now and in the future - financial institutions and fintech companies need to provide users fine-grained control over their PII. However, the single data privacy policies of the past are not enough to comply with data privacy regulations such as GDPR. Customers demand to know what’s being shared and have control each piece of information.

Our platform allows businesses to easily manage and enforce user consents according to privacy standards or business conditions. Application teams can easily integrate granular consents for each partner and make govern how that data is shared. Organizations can also use our platform to define which consents are optional and which are mandatory as required to use a core service. This enforces access to core services and optional services by including consent grant checks in access rules expressed as authorization policies. Our platform stores consent grants along with the metadata required for the GDPR-compliant statement, along with managing consent versioning.

Open Banking and data privacy

So, what does this look like in action? Let’s take a look at privacy related to Open Banking. Open Banking specifications require specific types of consent to share financial data. Open Banking regulations worldwide (our platform supports APAC, LATAM, EU, UK and North America) require special consent journeys and consent APIs that request, manage and revoke consent. Each Open Banking ecosystem defines consent journeys and consent APIs and requires communication with financial organizations to fetch available information from users’ accounts. Consent is stored as a piece of data that has a vast amount of detail about parties that were involved in the consent, including bank entity details and customer PII. Our platform can address challenges related to consent in the Open Banking space in particular, where consent journeys, APIs and authorization are strictly defined and vary between jurisdictions.