Digital consent management is key for data opportunities

This need is becoming very pressing as the number of providers accumulating and exchanging business data for analysis and value creation is on the rise. What is more, customers are increasingly expecting to join a new service or approve a transaction with no more than a couple of clicks. 

Many building blocks have already been put in place to pave the way for customers and providers wishing to reap the benefits of Open Banking. GDPR has enhanced the control of businesses and individuals over their data: it has strengthened their rights to provide (or withdraw) consent, allowing third parties to access personal and business information of these customers for the benefit of their service delivery. PSD2 regulates how authorised third parties can access bank accounts based on the consent of the account-holding customer. The eIDAS Regulation has set the legal framework for electronic identification and trust services. And the AML5 Directive, which is currently being implemented, recognises electronic identification based on the eIDAS Regulation as a valid way to identify customers, which should help to further digitalise KYC and other processes in the financial sector.  

But while the customers’ data ownership and data sharing rights are now clearly established, and there are rules determining how they can share their payment account data with certain third parties and how their digital onboarding with new providers could be facilitated, most digital consent-granting and onboarding activities still remain a cumbersome process. 

So, what does it take to move these processes closer to a one-click experience? There are essentially two missing elements: a pan- European approach to digital identification and, more broadly, to KYC processes. 

Digital identification (ID) allows individuals and businesses ‘to be verified unambiguously through a digital channel, unlocking access to banking, government benefits, education, and many other critical services’. As a 2019 research report by McKinsey sets forth, ‘individual countries could unlock economic value equivalent to between 3 and 13% of GDP in 2030 from the implementation of digital ID programmes’. 

Europe counts a number of thriving national digital ID schemes. What is lacking though, is a pan-European scheme that would support seamless and uniform digital identification across the Single Market.  

In the federated bank ID scheme used in Sweden, which was collectively developed by several banks, the customer’s identification is guaranteed by the bank issuing the BankID. This successful example supports the prevailing perception in the financial industry that banks would be well-placed to play a role in the collective development and deployment of such a scheme at a pan-European level: banks have a natural advantage in providing Digital ID (based on underlying government ID) because of the position of trust that they still enjoy and the extra levels of due diligence that they are required to perform by regulators’. 

However, many experts maintain that a mere ID scheme will not do the trick. They claim that the emerging data economy requires both harmonised customer identification (CI) and customer due diligence processes (CDD). Today, the lack of KYC mutualisation for retail and corporate financial services still leads to a siloed approach, where each financial service provider has to deploy full-scale CI and CDD processes even though the necessary information could be made available by a third party in a secure and reliable format.  

What is more, the requirements for these CI/CDD processes vary from one country to the next and there is no regulatory guidance on the level of assurance that KYC data should provide for financial services in particular. 

To remedy this situation, a sub-group of the EU Commission Expert Group on Electronic Identification and Remote Know-Your-Customer Processes is putting together a proposal for a pan-European KYC framework, which should be delivered before the end of this year. 

This framework will include an EU-wide CI/CDD standard, which should facilitate the interoperability of CI/CDD processes based on leading open IT protocols and existing IT standards. The framework will also propose a common set of attributes required for onboarding purposes (e.g. identity attributes such as name and age of a person or legal entity identifier of a company). To make sure that the assurance of the provided attributes is high and the applied CI and CDD processes generate reliable and trustworthy results, the proposal foresees the retrieval of relevant attributes and information from a variety of external sources, on a risk-based approach, including public registers as well as sanctions lists and other pertinent databases held by public authorities. 

For this approach to succeed, governments, utilities, financial institutions, and other key stakeholders involved in managing CI and CDD attributes will have to engage in a collaborative approach. There is much to be gained for everyone: banks and other stakeholders could generate tangible value by providing central and user-friendly onboarding and consent management facilities, and tools to their clients. This would facilitate Open Banking and other data-sharing opportunities in the Single Market. And customers could get the necessary overview and hands-on tools to manage the rights on their distributed data assets, enabling them to exert their data sovereignty in an easy and convenient way – as if they were indeed holding a remote control. 

About Vincent Brennan 

About the Euro Banking Association