Privacy working group meeting 4 – September 22, 2022

This discussion guide is provided to assist working group members in preparing for the privacy working group’s fourth meeting. The wireframe provided in the Annex is intended to serve purely as a visual guide for the discussion of the consent process.

For questions or comments, please contact obbo@fin.gc.ca

On this page:

Discussion guide

Consent standardization

While consent will form the cornerstone of the open banking system, the manner in which it will be granted and displayed will contribute to awareness and adoption. Cumbersome and demanding processes may add additional layers of complexity, discouraging consumers from completing their requests and fully leveraging the benefits of their financial data. An inefficient process may also leave consumers with the feeling of less control over their own information, preventing them from making informed decisions. These factors could culminate in low consumer uptake and create headwinds for the growth of the system.

Standardization may address this issue. The Advisory Committee Report on Open Banking recommended that as part of the common rules, consumers must have a clear standardized process to provide and revoke consent. Creating visual familiarity in this and in closely related journeys is intended to create a common and consistent approach across ecosystem participants. In addition to contributing to a positive customer experience, standardization can improve the consumer’s ability to understand how their data will be used as well as the value of the data they are sharing.

Experiences from other jurisdictions support the benefits of standardization. The United Kingdom’s Open Banking Implementation Entity (OBIE) has conducted research showing the high likelihood of consumers failing to complete a journey when they are required to complete unnecessary steps or additional screens, namely in the context of low-risk transactions or access requestsFootnote 1. The OBIE developed consumer experience guidelines to address these issuesFootnote 2. On a similar note, the Australian regime recognized the importance of consumer adoption as a success metric for the Consumer Data Right (CDR). Australia therefore developed experience guidelines in support, and referred to the work conducted by the OBIEFootnote 3.

The annex to this discussion guide is an initial step in the same direction. The wireframe proposes an approach where a consumer grants a data recipient consent to collect information, authenticates with the data holder and authorizes the financial information to be shared. The goal of this working group meeting will be to discuss the steps involved in the journey as well as the information to be provided along each step.

It is noted that both the OBIE and CDR guidelines were supported by working groups, market research, consumer testing and deep-dives into the customer journey, namely by providing greater detail regarding how financial information is displayed and grouped together in “clusters”. As such, the wireframe takes reference from the work conducted in these jurisdictions and proposes a first step. Future journeys may form part of the open banking system as it grows and matures.  

Discussion

  1. Other than consent, authentication and authorization, is there another customer journey that merits standardization? Similarly, is there any other wording/information that should be standardized?
  2. Is the wireframe journey proposed in Annex A appropriate and complete? Are any steps missing or unnecessary? Note that certain steps are proposed to be mandatory (must) whereas others optional (should).
  3. What authentication method would best be suited for the customer journey (for example, app-to-app redirection, push notification, web based)?
  4. Are the authentication principles listed in step 6 sufficient or are others necessary?
  5. Would any steps be materially different if a SME client was completing the journey?
  6. Would any steps be materially different if the process was conducted on a digital channel other than mobile (for example, a web browser)?

Annex A

Customer journey wireframe: Consent collection, authentication and authorization
Four mobile screens illustrating a process flow for consent collection, authentication and authorization of open banking data sharing
Text version

This graphic outlines a customer journey wireframe for the consent process through the consent collection, authentication and authorization phases.
There are four representations of mobile phone screens, each depicting successive points in the consumer journey. These are described from left to right.
(1) The first mobile screen shows a data recipient page prompting the consumer to select the account provider they wish to give access to, and an option to cancel or confirm.
(2) The second mobile screen shows a data recipient page prompting the consumer to connect their accounts, and includes details about what data needs to be shared to access the service, as well as an option to cancel or confirm.
Beneath the second and third mobile screens are two small boxes denoting intermittent points in the process.
(a) Following the second mobile screen, the data recipient indicates that the consumer will be transferred to their bank account provider.
(b) The data provider then prompts the customer to authenticate to provide access to their data.
(3) The third mobile screen shows the data provider page prompting the consumer to select the account they would like to give access to, a notice of the date the access will end, and an option to cancel or confirm.
Beneath the third and fourth mobile screens is one small box denoting an intermittent point in the process.
(a) Following the third mobile screen, the data provider indicates that the consumer will be transferred to their data recipient.
(4) The fourth mobile screen shows a data recipient page depicting clear confirmation that the process has been completed, and a prompt to view the consent dashboard.

Consent collection

  1. Data recipient must ask the consumer to identify their account provider before requesting consent.
  2. Data recipient must provide sufficient information to allow a consumer to make an informed decision, namely in consideration of the fundamental elements of valid consent discussed during the first meeting of the privacy working group.
  3. Data recipient must provide the consumer with a description of the data being requested using clear, simple and not misleading language (for instance, in a drop down menu, in alignment with the data-minimization principle discussed during the second meeting of the privacy working group).
  4. Data recipient must provide the date on which the consumer’s consent will need to be refreshed in line with the principles discussed during the first meeting of the privacy working group.

Authentication

  1. Data recipient should make the consumer aware that they will be redirected to their account provider for account authentication.
  2. Data provider must authenticate the user in-line with the following principles:
    1. The experience to authenticate when redirected from the data recipient should mirror that of the data holder’s digital channels in that the customer journey should be no more onerous or time consuming than if the customer were accessing the data holder directly;
    2. The customer should only be authenticated once in order to access their account information; and
    3. The data holder should not create unnecessary delays or obstacles in the process and should avoid anything that would discourage the customer from completing the process.

Authorization

  1. Data provider should display the name of the data recipient making the request on the inbound screen and must provide the types of account that the consumer can access their data from.
  2. Data provider should display the term of the consent granted by the customer as well as the name of the data recipient.
  3. Data provider must confirm the sharing request with the consumer without seeking additional consent.
  4. Data provider should have an outbound redirection screen which indicates the status of the request and informs the consumer that they will be automatically taken back to the data recipient page.

Information consent

  1. Data recipient should confirm the successful completion of the request.
  2. * The consent dashboard will be discussed in the next working group meeting.

Outcomes

Consent standardization

Discussion 1

Other than consent, authentication and authorization, is there another customer journey that merits standardization? Similarly, is there any other wording/information that should be standardized?

Discussion 2

Is the wireframe journey proposed in Annex A appropriate and complete? Are any steps missing or unnecessary? Note that certain steps are proposed to be mandatory (must) whereas others optional (should).

Discussion 3

What authentication method would best be suited for the customer journey (for example, app-to-app redirection, push notification, web based)?

Discussion 4

Are the authentication principles listed in step 6 sufficient or are others necessary?

Discussion 5

Would any steps be materially different if a SME client was completing the journey?

Discussion 6

Would any steps be materially different if the process was conducted on a digital channel other than mobile (for example, a web browser)?

Privacy working group attendees

Members

  • Bank of Montreal
  • Borrowell
  • Brim Financial
  • Coast Capital Savings
  • Desjardins
  • First Nations Bank of Canada
  • Interac
  • Mogo
  • Option consommateurs
  • Prospera Credit Union
  • Public Interest Advocacy Centre
  • Royal Bank of Canada
  • Scotiabank
  • Prosper Canada

External guests

  • Financial Consumer Agency of Canada
  • Financial Services Regulatory Authority of Ontario
  • Office of the Superintendent of Financial
    Institutions

Chair

  • Abraham Tachjian, Open banking lead

Secretariat

  • Department of Finance Canada

Page details

Date modified: