On the 9th of July 2021, US President Joe Biden’s administration released an Executive Order on Promoting Competition in the American Economy.
Bank closures over four decades had led to consolidation, which in turn reduced competition and increased costs for consumers. Switching banks is not easy because of a “data hurdle”: customers are unable to port the history of their financial transactions over to a new bank, and this affects the cost of future credit.
The executive order now is the beginning of a regulatory framework to drive competition, protect consumer choice, and enforce antitrust laws across the economy. The order encourages the Consumer Financial Protection Bureau (CFPB) to issue rules allowing customers to download their banking data and take it with them. The goal is also to enable the creation of newer innovative solutions while maintaining data privacy.
While the intent is to transfer more control to consumers, the implication is that the responsibility and burden of risk are also transferred to customers.
According to a survey by Deloitte, the top 3 concerns for a consumer in this model are
Use of data beyond the purposes the user has consented to
Sharing of data with other 3rd parties without consent
While APIs are a more secure approach than traditional screen scraping techniques used by 3rd parties, there is a concern that a more convenient API method will enable more frequent requests for data from 3rd parties, leading to an overhead of multiple consent requests to track and approve. This is similar to the challenge consumers today have while tracking subscriptions.
Simplified, user-centric consent management is therefore critical to allay consumer fears and increase adoption. At a minimum, consumers have a right to expect
A simple user experience with plain language that helps them understand what they are consenting to
A central place where consumers can track the 3rd party permissions, specific data that 3rd parties have access to, and a single place from where they can conveniently “opt-out” of an agreement and revoke permissions
There are 3 ways to implement this -
Centralised, trust-based consent management by the custodian
Banks as custodians of the financial information (and money) enjoy the consumer’s trust and implement this functionality as part of the banking mobile application or the banking online web application. The interface should provide a way to view which parties accessed what information in an easy-to-understand chronological activity feed. The interface could provide a convenient way to switch off or revoke permissions.
Centralised consent management by 3rd party that connects businesses with custodians (or Banks)
Looking across the pond, in the EU/UK, consents.online is an Account Information Service Provider (AISP) registered with the FCA. This solution provides all the features listed above. B2B clients of consents.online introduce it to consumers as part of their onboarding journey. Once a customer has given consent, they are given access to consents.online via the website or the iOS or Android app, where they can control and monitor those consents. If a customer has given consent to multiple parties to access multiple sources of information, all of the consents given can be managed in one place.
De-centralised solution using a combination of Open Banking and blockchain
While Open Banking enables cooperation between custodians and 3rd parties using APIs, it resembles a centralised model (either direct party to party OR connected via a 3rd party). A blockchain-based solution is an emerging model, used by decentralised finance (DeFi) applications, that seeks to remove the central dependency by leveraging automation.
A custodian, 3rd parties, and a consumer (in the middle) together represent a network relationship. Cooperation use cases in this context justify a complex solution like blockchain. It is possible to envisage that a combination of technologies such as a wallet and smart contracts on a blockchain can implement the central consent management functionality described above -
wallet – where users retain full control of their private & public keys, and
smart contracts on blockchain – programs that are triggered when certain conditions are fulfilled (example, with 3rd party logic for desired actions like calculating loan eligibility)
One concern that could be uniquely addressed in this model is the distrust around the use of data by 3rd parties beyond the approved purpose. The 3rd party would seek to use the data within the context of the consented relationship to perform a series of calculations or logic (e.g., determine a score or fitness for a loan). This is typically deployed as an application under the 3rd party’s control, and therefore sensitive data must be transmitted from the custodian to the 3rd party for this purpose. There is no way to ascertain whether the 3rd party has stored the transmitted data for future use outside the purpose for which consent was sought.
Using a blockchain implementation (hopefully in the not-too-distant future, under the ambit of a regulator), the calculation would be implemented by the 3rd party as an inspectable smart contract residing on the blockchain (as opposed to a calculation residing in a private virtual machine off-chain), thereby restricting the transmission of consumer data beyond the purposes of the calculation. This is an evolving conversation, with emerging guidelines on options for on-chain and off-chain computation (leveraging serverless or the user’s device) and reliable scalability. But the potential to ensure that data is used only within the boundaries of consent makes this an attractive problem to solve.
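To make the wallet-plus-smart-contract model concrete, here is an added illustrative consent registry written for this article (it is not code from consents.online, Coforge or any product). Consumers sign grant and revoke transactions with their own wallet keys, a 3rd party’s contract must pass a scope-and-purpose check before it reads data, and every grant, revocation and access is emitted as an event so a wallet or banking app can render the chronological activity feed described above. The contract name, scope and purpose labels are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative consent registry (hypothetical, not a production design).
// Consumer (msg.sender) grants a 3rd party access to one data scope for one
// stated purpose until an expiry; consent can be revoked at any time.
contract ConsentRegistry {
    struct Consent {
        bytes32 scope;     // e.g. keccak256("transactions:last12months")
        bytes32 purpose;   // e.g. keccak256("loan-eligibility")
        uint64  expiresAt; // unix timestamp after which consent is void
        bool    active;
    }

    // consumer wallet => 3rd party contract/wallet => consent record
    mapping(address => mapping(address => Consent)) private consents;

    // Events form the on-chain activity feed a wallet or banking app can display.
    event ConsentGranted(address indexed consumer, address indexed thirdParty, bytes32 scope, bytes32 purpose, uint64 expiresAt);
    event ConsentRevoked(address indexed consumer, address indexed thirdParty);
    event DataAccessed(address indexed consumer, address indexed thirdParty, bytes32 scope, bytes32 purpose);

    // Only the consumer's own key can grant consent on their behalf.
    function grant(address thirdParty, bytes32 scope, bytes32 purpose, uint64 expiresAt) external {
        require(expiresAt > block.timestamp, "expiry must be in the future");
        consents[msg.sender][thirdParty] = Consent(scope, purpose, expiresAt, true);
        emit ConsentGranted(msg.sender, thirdParty, scope, purpose, expiresAt);
    }

    // The single "opt-out" switch: revocation takes effect immediately.
    function revoke(address thirdParty) external {
        require(consents[msg.sender][thirdParty].active, "no active consent");
        consents[msg.sender][thirdParty].active = false;
        emit ConsentRevoked(msg.sender, thirdParty);
    }

    // Called by the 3rd party's smart contract before it reads consumer data.
    // Reverts on expired, revoked, or out-of-scope/purpose requests and
    // records every successful access so the consumer can see who read what.
    function checkAndRecord(address consumer, bytes32 scope, bytes32 purpose) external returns (bool) {
        Consent storage c = consents[consumer][msg.sender];
        require(c.active && block.timestamp < c.expiresAt, "consent missing or expired");
        require(c.scope == scope && c.purpose == purpose, "outside consented scope or purpose");
        emit DataAccessed(consumer, msg.sender, scope, purpose);
        return true;
    }

    // Read-only check for wallets and custodians building the consent dashboard.
    function isConsented(address consumer, address thirdParty, bytes32 scope, bytes32 purpose) external view returns (bool) {
        Consent storage c = consents[consumer][thirdParty];
        return c.active && block.timestamp < c.expiresAt && c.scope == scope && c.purpose == purpose;
    }
}
```

Because the check lives on-chain, a regulator or the consumer can inspect both the rule and the access log; what the registry cannot do is stop a 3rd party that receives data off-chain from retaining it, which is why the article argues for the calculation itself to run as an inspectable contract.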
As banks and financial services adopt Open Banking, they will need to work out the right consent management strategy to address the concerns discussed above and remove friction from the customer experience. This is an emerging space with many choices to make as one fleshes out the use case – what remains on the chain and what is best implemented off the chain, what the regulatory and compliance implications are, what the guidelines are for making external API calls while complying with user privacy guidelines, etc.
At Coforge, our engineers in the Technology Innovation Center have been developing technology pilots using Blockchain and Ethereum DApps with clients to implement similar use cases. We can help refine your problem statement, crystallise the benefits, and provide concrete solutions to your problems in a collaborative model.