Deep Dive: The Role of Consent Management in Open Banking Privacy Regulations

Open banking relies on consumers’ consent for regulated third-party financial services providers to securely access their bank transaction histories. The model makes digital payments easier for consumers and means that banks and third-party organizations can transform information into personalized financial advice or recommendations, such as suggesting a savings account to maximize interest rates or providing offers based on an individual’s specific credit score.

Research shows that 51% of Americans feel positively about open banking’s future, but they are still ambivalent about how third parties are collecting their data and what they actually wish to share. A 2019 study also found that 73% of consumers were concerned about how brands are using their personal data, making compliance in the open banking arena — specifically around consent management — a hot topic.

Amid growing demands for privacy, financial institutions (FIs) and other organizations must keep pace with evolving regulations for protecting consumer data. Consent management — the process of prompting, collecting and managing bank customers’ consent before third-party providers can collect or share their financial data — is one of the most important components of open banking regulations with which organizations must comply.

The following Deep Dive examines the role of consent management in open banking and explains how a proactive approach to this process can assist FIs’ and third parties’ compliance with the growing array of consumer privacy laws regulating open banking.

Why Consent Management Matters

Collecting and retaining consumer data lawfully starts with knowing who is granting the consent: organizations need strong identity verification, such as online document proofing and data verification checks, before they accept a consent grant. FIs that get this step wrong not only can let bad actors into their systems but also may betray customer trust by sharing sensitive information with companies the customer never authorized.

A 2021 survey found that nearly 70% of consumers said FIs need to place a greater emphasis on data protection and revealed that more than 80% of respondents were uneasy about sharing their financial data without knowing whether it is secure. Another study showed that only 30% of banking customers across Europe were comfortable sharing financial data with third-party vendors, even if they had given consent previously.

Empathy with customers is not the only impetus for consent management. Compliance with regulations is another. Organizations that do not have a strong consent management system in place can face hefty fines. Two Spanish banks, for example, were fined a combined $11.5 million between 2020 and 2021 for breaches of the General Data Protection Regulation (GDPR) related to customer data sharing.

Consent Management Innovations Can Ease Compliance

Consumers have expressed interest in opting out of data sharing, but research indicates that they often have difficulty removing themselves from the system. Organizations, especially those that operate across borders, must be more mindful of opt-out features to improve the customer experience and avoid compliance hiccups. Firms in the European Union and Singapore, for example, must explicitly offer consumers the ability to withdraw consent at any time or risk noncompliance fines from their governing bodies; under GDPR, withdrawing consent must be as easy as giving it. Adding an opt-out feature proactively can be a great differentiator for open banking entities.

Consent expiration, in which consent is automatically revoked after a set time period, is another growing trend for organizations to stay in compliance with data privacy regulations. This practice already is required in some countries. Australia's Consumer Data Right (CDR) rules, which operate alongside the Privacy Act, for example, require organizations to let consumers select the specific types of data that can be shared as well as the period for which that sharing remains authorized, after which the consent lapses unless renewed.

The most technologically adept organizations will have a strong customer authentication (SCA) process, which helps streamline compliance along with user experience. By definition SCA cannot rely on a password alone: under PSD2 it requires at least two independent factors drawn from something the user knows, something the user has and something the user is. Passwords still are the most widely used authentication method in the world, but they are also the weakest, because they are phished, reused and leaked in breaches. Organizations such as the FIDO Alliance are working to make passwordless authentication the industry standard by implementing more secure methods of identification, including biometric authentication. A FIDO study revealed that 32% of consumers said they believe biometrics is the most secure form of authentication.

When a consumer grants consent using FIDO transaction confirmation, the authenticator signs over a hash of the agreement text that was displayed, together with the relying party's challenge, so the resulting signature proves that this user approved these specific terms and cannot be replayed for different ones. Organizations looking to strengthen the record further can anchor the agreement hash in a tamper-evident ledger such as a blockchain; the ledger does not act as a trusted third party so much as make any later alteration of the terms detectable by anyone holding the hash. Two caveats apply: the hash alone establishes integrity, not the time of consent, so it should be paired with a trusted timestamp, and only the hash, never the agreement text or any personal data, belongs on a shared ledger. This practice currently is less common, but it is well worth considering as organizations rush to prove trustworthiness and improve their overall customer experience.
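The mechanics described in the last few paragraphs, consent scoped to data types with an expiry, withdrawal at any time, and a signature over the hash of the agreed terms, fit together in one small consent record. The following Python is an added example written for this page, not code from the article or from the FIDO Alliance. The customer, recipient, scopes and dates are constructed sample data, and an HMAC keyed with a made-up authenticator key stands in for the asymmetric signature a real FIDO authenticator would produce and the relying party would verify with the registered public key.

```python
"""Added example: a consent record that enforces scope, expiry and withdrawal,
with the agreed terms bound by a canonical hash and a signature over that hash.
Hypothetical code written for this page, not from the original article."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the per-credential key inside a FIDO authenticator.
# A real authenticator signs with an asymmetric key (typically ECDSA P-256) and
# the relying party verifies with the public key registered at enrolment; HMAC
# is used here only so the example runs on the standard library alone.
AUTHENTICATOR_KEY = b"example-authenticator-key-not-for-production"

# Constructed sample consent: what the customer saw and approved on screen.
GRANTED = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_TERMS = {
    "customer": "cust-123",
    "recipient": "budget-app",
    "scopes": ["transactions:read"],
    "granted_at": GRANTED.isoformat(),
    "duration_days": 90,
}


def at(days: int) -> datetime:
    """Clock helper: the point in time `days` after the consent was granted."""
    return GRANTED + timedelta(days=days)


def canonical_hash(terms: dict) -> str:
    """Hash the terms in a canonical encoding so the same agreement always
    yields the same digest regardless of key order or whitespace."""
    encoded = json.dumps(terms, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def sign_consent(terms: dict, challenge: bytes) -> dict:
    """Produce the signed consent record. The signature covers the relying
    party's fresh challenge plus the hash of the displayed terms, so it can
    neither be replayed nor transplanted onto different terms."""
    digest = canonical_hash(terms)
    signature = hmac.new(AUTHENTICATOR_KEY, challenge + digest.encode(),
                         hashlib.sha256).hexdigest()
    return {
        "terms": copy.deepcopy(terms),
        "hash": digest,
        "challenge": challenge.hex(),
        "signature": signature,
        "withdrawn_at": None,
    }


def verify_consent(record: dict) -> bool:
    """Recompute the hash from the stored terms and check the signature. Any
    later edit to scopes or duration makes the stored hash, and therefore the
    signature, no longer match."""
    if canonical_hash(record["terms"]) != record["hash"]:
        return False
    message = bytes.fromhex(record["challenge"]) + record["hash"].encode()
    expected = hmac.new(AUTHENTICATOR_KEY, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def withdraw(record: dict, when: datetime) -> None:
    """Record the moment the customer withdrew consent; access after this
    point is refused even though the signed agreement itself is intact."""
    record["withdrawn_at"] = when.isoformat()


def access_allowed(record: dict, scope: str, when: datetime) -> bool:
    """Gate every data request on signature validity, the requested scope,
    the consent's expiry and any withdrawal, in that order."""
    if not verify_consent(record):
        return False
    terms = record["terms"]
    if scope not in terms["scopes"]:
        return False
    granted = datetime.fromisoformat(terms["granted_at"])
    if when >= granted + timedelta(days=terms["duration_days"]):
        return False  # consent expired automatically
    withdrawn = record["withdrawn_at"]
    if withdrawn is not None and when >= datetime.fromisoformat(withdrawn):
        return False  # consent withdrawn by the customer
    return True


def sample_record() -> dict:
    """A freshly signed copy of the constructed sample consent."""
    return sign_consent(SAMPLE_TERMS, bytes.fromhex("0a1b2c3d4e5f60718293a4b5"))


if __name__ == "__main__":
    rec = sample_record()
    print("valid signature:", verify_consent(rec))
    print("day 30, transactions:", access_allowed(rec, "transactions:read", at(30)))
    print("day 30, balances:", access_allowed(rec, "balances:read", at(30)))
    print("day 91, transactions:", access_allowed(rec, "transactions:read", at(91)))
```

The order of checks in `access_allowed` matters: signature first, so that a record whose scopes or duration were edited after signing is refused before any business logic runs; then scope, expiry and withdrawal. The withdrawal timestamp lives outside the signed terms on purpose, since the customer must be able to revoke without re-signing anything, and the original signed agreement stays intact as evidence of what was granted and when.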

Organizations that implement newer technologies — such as biometric authentication — can open many new possibilities for digital agreements. Taking these and other proactive approaches to managing consent promises to improve open banking customization to benefit consumers and FIs alike.