Consent Management
For a data recipient (Basiq) to collect, use and disclose CDR data, they must have consent from the consumer to do so. For this reason, partners wishing to access v3.0 of the Basiq API are required to use the Basiq Consent UI in their application.
Consent
Consent is a fundamental component of the Basiq Platform for all data sharing. The consent object describes the consent requested from a consumer to access specific data sets, and includes the purpose and duration of the consent.
Component | Relationship |
---|---|
Consent policy | The consent policy is a pre-defined set of requirements that a partner configures for their specific application (use case). The policy identifies all of the consents that need to be acquired from the user, and identifies the requirements for each one e.g. the duration of how long a consent should be held for. The consent policy enables partners to configure a consent policy per application. This consent policy will then be used to render the consent capture UI and capture additional configuration from the user which will be stored as the “user consent” object. For each application, a partner will configure their consent policy according to their data requirements. This consent policy provides a framework for:
|
Consent UI | The Basiq Consent UI renders the defined application consent policy within a flow that aligns with the rules and requirements proposed by the CDR, and the latest CX Guidelines. Partners will need to redirect their user to the Consent UI to record their consent and connect their institutions. It supports both DDC and CDR flows. |
User consent | When a user consents via the Consent UI, a snapshot of that consent is stored against their user object. This will determine how their data is managed, and for how long. User consent will also contain a list of all related Data Holder arrangements. |
Changing the Consent Policy
It is worth noting that whilst multiple consent policies may exist for a single application, only one Policy can be “current“.
This can occur when a partner configures an application to capture for example “account details” only, then later due to added functionality within their app changes the consent policy to also acquire “transactions”. In this example, a the application will have 2 consent policies of which one will be the latest (the one that needs accounts and transactions).
If a consent policy is amended, it will result in multiple policies against that application. This could, for example, lead to scenarios where legacy users have selected to share only accounts, and new users have consented to share both accounts and transactions.
A Partner will need to manage this scenario and decide whether to toggle off the new features for existing users or to ask their existing users to move across to the new consent policy to enable these consumers to benefit from the latest capabilities they are offering, this may (dependent on the type of change) require each consumer to go through the full consent flow.
Consent UI
The Basiq Consent UI is designed to handle all of the complexity behind CDR legislation, consent management, and CX guidelines, so partners can fast track their access to Open Banking data, and focus on innovation.
The Consent UI is driven by the application's own Consent Policy, which acts as a contract for end users to agree to before proceeding to connect their institutions.
Dynamic switching
The Consent UI focuses on providing a seamless user experience no matter the method of data retrieval. What this means, is that it can be used for both web, and Open Banking, connections. Consent applies to the application/user level, so all connections made under this will be handled the same way. The institutions presented to the user are decided by the partner and can be configured at any point via the dashboard. Everything else is handled by the UI.
Implementation
The Consent UI is hosted by Basiq and accessed by passing a CLIENT_SCOPE
. This token must be bound to the userId
for security, preventing unauthorised consents:
https://consent.basiq.io/home?token={{client_token_bound_to_userId}}
Access token and userId can be obtained through the Basiq API (See the quick start guide).
Updated 5 months ago