Voice of the Industry

Digital consent management is key for data opportunities

Monday 2 December 2019 10:19 CET | Editor: Andra Constantinovici | Voice of the industry

Vincent Brennan, as Deputy Chairman of the Euro Banking Association, explains the intricacies of consent management in the context of Open Banking and PSD2Open Banking Report 2019


How can we put a ‘remote control’ into the hands of European consumers and businesses, which lets them unlock their data in a one-click approach for parties they would like to do business with? Cracking the digital consent management problem is the crucial next step towards putting the promises of Open Banking and a data economy into reality. 

This need is becoming very pressing as the number of providers accumulating and exchanging business data for analysis and value creation is on the rise. What is more, customers are increasingly expecting to join a new service or approve a transaction with no more than a couple of clicks. 

Many building blocks have already been put in place to pave the way for customers and providers wishing to reap the benefits of Open Banking. GDPR has enhanced the control of businesses and individuals over their data: it has strengthened their rights to provide (or withdraw) consent, allowing third parties to access personal and business information of these customers for the benefit of their service delivery. PSD2 regulates how authorised third parties can access bank accounts based on the consent of the account-holding customer. The eIDAS Regulation has set the legal framework for electronic identification and trust services. And the AML5 Directive, which is currently being implemented, recognises electronic identification based on the eIDAS Regulation as a valid way to identify customers, which should help to further digitalise KYC and other processes in the financial sector.  

But while the customers’ data ownership and data sharing rights are now clearly established, and there are rules determining how they can share their payment account data with certain third parties and how their digital onboarding with new providers could be facilitated, most digital consent-granting and onboarding activities still remain a cumbersome process. 

So, what does it take to move these processes closer to a one-click experience? There are essentially two missing elements: a pan- European approach to digital identification and, more broadly, to KYC processes. 

Digital identification (ID) allows individuals and businesses ‘to be verified unambiguously through a digital channel, unlocking access to banking, government benefits, education, and many other critical services’. As a 2019 research report by McKinsey sets forth, ‘individual countries could unlock economic value equivalent to between 3 and 13% of GDP in 2030 from the implementation of digital ID programmes’. 

Europe counts a number of thriving national digital ID schemes. What is lacking though, is a pan-European scheme that would support seamless and uniform digital identification across the Single Market.  

In the federated bank ID scheme used in Sweden, which was collectively developed by several banks, the customer’s identification is guaranteed by the bank issuing the BankID. This successful example supports the prevailing perception in the financial industry that banks would be well-placed to play a role in the collective development and deployment of such a scheme at a pan-European level: banks have a natural advantage in providing Digital ID (based on underlying government ID) because of the position of trust that they still enjoy and the extra levels of due diligence that they are required to perform by regulators’. 

However, many experts maintain that a mere ID scheme will not do the trick. They claim that the emerging data economy requires both harmonised customer identification (CI) and customer due diligence processes (CDD). Today, the lack of KYC mutualisation for retail and corporate financial services still leads to a siloed approach, where each financial service provider has to deploy full-scale CI and CDD processes even though the necessary information could be made available by a third party in a secure and reliable format.  

What is more, the requirements for these CI/CDD processes vary from one country to the next and there is no regulatory guidance on the level of assurance that KYC data should provide for financial services in particular. 

To remedy this situation, a sub-group of the EU Commission Expert Group on Electronic Identification and Remote Know-Your-Customer Processes is putting together a proposal for a pan-European KYC framework, which should be delivered before the end of this year. 

This framework will include an EU-wide CI/CDD standard, which should facilitate the interoperability of CI/CDD processes based on leading open IT protocols and existing IT standards. The framework will also propose a common set of attributes required for onboarding purposes (e.g. identity attributes such as name and age of a person or legal entity identifier of a company). To make sure that the assurance of the provided attributes is high and the applied CI and CDD processes generate reliable and trustworthy results, the proposal foresees the retrieval of relevant attributes and information from a variety of external sources, on a risk-based approach, including public registers as well as sanctions lists and other pertinent databases held by public authorities. 

For this approach to succeed, governments, utilities, financial institutions, and other key stakeholders involved in managing CI and CDD attributes will have to engage in a collaborative approach. There is much to be gained for everyone: banks and other stakeholders could generate tangible value by providing central and user-friendly onboarding and consent management facilities, and tools to their clients. This would facilitate Open Banking and other data-sharing opportunities in the Single Market. And customers could get the necessary overview and hands-on tools to manage the rights on their distributed data assets, enabling them to exert their data sovereignty in an easy and convenient way – as if they were indeed holding a remote control. 

The editorial was first published in the Open Banking Report 2019, which offers insightful editorials, interviews and expert analyses that paint an exhaustive picture of the Open Banking regulatory shifts and the important extents in which this impact the industry.

About Vincent Brennan 

Vincent is Head of Group Customer Services at the Bank of Ireland. Vincent is responsible for Cards and Payments Operations, for Group Resilience and Continuity, and for major change programmes at Bank of Ireland. He is Deputy Chairman of the Euro Banking Association and Chairman of the EBA Open Banking Working Group (OBWG), which has published multiple papers for banking and payment professionals. 


About the Euro Banking Association 

The Euro Banking Association (EBA) is a practitioners’ body for banks and other players in the payment ecosystem supporting a pan-European vision for payments. We involve member organisations and relevant stakeholders in thought leadership on innovation, help our members to understand and implement regulations, and support the development of market practices. Visit our website for more information.


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Vincent Brennan, Euro Banking Association, PSD2, Open Banking, Open Banking Report, EU Commission Expert Group, KYC framework, CI/CDD, federated bank ID scheme, digital ID, consent management, sharing rights, Open Data Economy, EBA Open Banking Working Group
Categories: Banking & Fintech
Countries: Europe
This article is part of category

Banking & Fintech

Industry Events