TECHNICAL NOTE
The Role of Consumer Consent in Open Banking
FINANCIAL INCLUSION SUPPORT FRAMEWORK
DECEMBER 2021
FINANCE, COMPETITIVENESS & INNOVATION GLOBAL PRACTICE

© 2021 International Bank for Reconstruction and Development / The World Bank Group
1818 H Street NW, Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

DISCLAIMER

This work is a product of the staff of The World Bank Group. The World Bank Group refers to the member institutions of the World Bank Group: The World Bank (International Bank for Reconstruction and Development); International Finance Corporation (IFC); and Multilateral Investment Guarantee Agency (MIGA), which are separate and distinct legal entities each organized under its respective Articles of Agreement. We encourage use for educational and non-commercial purposes. The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Directors or Executive Directors of the respective institutions of the World Bank Group or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

RIGHTS AND PERMISSIONS

The material in this work is subject to copyright. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly.

Since the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org.

CONTENTS

Acknowledgments
Acronyms
EXECUTIVE SUMMARY
1 INTRODUCTION
  A Brief Introduction to Open Banking
2 THE ECONOMICS OF INFORMATION IN FINANCIAL MARKETS
3 CONSENT AND ALTERNATIVES TO CONSENT
4 THE ROLE OF CONSENT IN RECONCILING OPEN BANKING, PRIVACY, AND DATA-PROTECTION FRAMEWORKS
  Reconciling Open-Banking Rules with Data Protection and Privacy
  Specific Purpose and Informed Consent
  Clear and Plain Language
  Consent Freely Given
  Withdrawal of Consent
  Explicit Consent
5 COUNTRY CASE STUDIES
  United Kingdom and European Union Model
    Phase 1: Consent
    Phase 2: Authentication
    Phase 3: Authorization
  The Situation in Brazil
  Perspective of Mexico
  Consent for Open Banking in India
  The Situation in Rwanda
  Australia
6 CONCLUSIONS AND EMERGING GOOD PRACTICES
REFERENCES

BOXES
Box 1: Open-Banking Principles Will Be Extended to Energy and Telecommunications Sectors in Australia

FIGURES
Figure 1: Open-Banking Developments Globally
Figure 2: Open-Banking Ecosystem
Figure 3: PISPs before and after Open Banking
Figure 4: AISPs before and after Open Banking
Figure 5: Scraping and Reverse Engineering versus APIs
Figure 6: Legal Provisions Affecting Customer’s Banking Data Sharing
Figure 7: Phased Approach to Open Banking in Brazil
Figure 8: Illustration of Consent Mechanism for Open Banking under the Brazil Framework
Figure 9: Illustration of Consent-Management Mechanism under Open-Banking Scheme

TABLES
Table 1: Strengthening Consumer Data Protection and Privacy in Open Banking

ACKNOWLEDGMENTS

This report was coauthored by Clare Sullivan, Managing Director of Cyber SMART, Georgetown University; Margaret Miller, Lead Financial Sector Economist, World Bank Group; and Fredesvinda Montes, Senior Financial Sector Specialist, World Bank Group. The report was funded through the Financial Inclusion Support Framework program funded by the Bill and Melinda Gates Foundation and is part of a series of documents on consumer risks in the context of digital financial services and fintech. Peer reviewers and others who provided valuable guidance for this report included Graciela Miralles Murciego, Harish Natarajan, and James Neumann (World Bank); and Ariadne Plaitakis (Consultative Group to Assist the Poor). All errors and omissions are the sole responsibility of the authors.

LIST OF ACRONYMS

ACCC  Australian Competition and Consumer Commission
AISP  account-information service provider
API  application programming interface
CCA  Competition and Consumer Act of 2010 (Cth)
CDR  Consumer Data Right
EDPB  European Data Protection Board
GDPR  General Data Protection Regulation
LGPD  General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais)
OAIC  Office of the Australian Information Commissioner
PISP  payment-initiation service provider
PPD  Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares)
PSD2  Revised Payment Systems Directive
TPP  third-party provider
WP29  Article 29 Working Party

EXECUTIVE SUMMARY

ABSTRACT: Open banking schemes provide consumers with more choice and new financial products and services through the use of technology, particularly application programming interfaces (APIs). The main objective of this paper is to provide guidance on how to implement consumer consent protocols to access bank account data under open banking scenarios.
Digital financial services are creating opportunities to accelerate financial inclusion, closing the gap in access that has long existed, especially for low-income and rural consumers. In many instances, new non-bank providers of financial services are entering these markets, leveraging their proximity to previously unbanked customers and the data they have. Mobile network operators are perhaps the best known of the non-bank providers of digital financial services, but many others are in both the payment space and other areas, such as credit (peer-to-peer lending or cash-flow lending on e-commerce platforms), microinsurance, or firms offering to optimize their clients’ use of financial services.

In a bank-centric financial system, large institutions are responsible for managing customer data and, in many cases, share a limited amount of consumer data with third parties. As non-banks enter financial markets, consumer account data—including data from the banking system—is necessary to provide additional and more efficient services as well as custom-tailored products.

Open-banking schemes provide consumers with more choice and new financial products and services through the use of technology, particularly application programming interfaces, which enable smooth access to consumer data, allowing third parties to provide services that require such data (payments, for instance) without the need to collect or store the information. A key element of open banking is the sharing of the consumer’s personal data, including financial information, with a third party or parties. In essence, this initiative is opening the traditional banking and finance sector to new participants, with the objective of increasing competition and innovation.

To date, over 22 jurisdictions around the world have either implemented an open-banking initiative or are working toward it. Jurisdictions have adopted different schemes that vary in scope and requirements, including governance, types and number of participants, type of data accessed, type of access to data (read or write), and technological solutions to the access. However, a common challenge in all jurisdictions is the enabling of permissioned customer data access to third parties.

This report focuses on the issue of consumer consent in open banking, highlighting the jurisprudence in both the European Union, which serves as a model for many countries globally, and a select group of countries: Australia, Brazil, India, Mexico, and Rwanda. The report provides practical insights into how to implement consent mechanisms under an open-banking scheme.

1 INTRODUCTION

Open banking is defined as the sharing and leveraging of customer-permissioned data by banks with third-party developers and firms to build applications and services, including, for example, those that provide real-time payments, greater financial transparency options for account holders, marketing, and cross-selling opportunities.[1]

In effect, open banking is opening broader access to bank data.[2] Some authors define it as “a standardized sharing of data and services through the opening and integration of systems” (Plaitakis and Staschen 2020). This access to, and sharing of, customer data by banks and other financial institutions that hold customer accounts with third-party providers (TPPs) is sometimes mandated by law—and customer consent is a central feature.

Open banking was developed to encourage innovation in financial products and services and expand choice for consumers by breaking down barriers to competition arising from unequal access to customer information. The traditional banking system is based on the exclusive use of customer data for payments, investments, and money management generally; only limited types of data, such as repayment of loans, are shared with third parties.

Open banking is a model developed in the last decade to allow third parties access to information held by banks with the permission of the customer. The European Union’s revised Payment Services Directive (PSD2) and its forerunner, PSD1, are the basis for open banking. In 2016, the Competition and Markets Authority published a report on the United Kingdom’s retail banking market that observed that smaller and newer banks found it difficult to grow and access the market, while existing, and particularly larger, banks do not face adequate competition. This main observation—which affected a market composed of 70 million active personal accounts[3] and 5.5 million business accounts—is based on the assumption that a large percentage of personal account holders would gain from switching to cheaper products. Traditionally, banks have been in control of the data of their customers and operate within a closed architecture that allows them to make use of such data and gives them a built-in advantage on the design and development of products and services offered to their clients.

One of the main legal restrictions on banks’ ability to share data with third parties is the existence of bank-secrecy provisions that establish the duty of confidentiality on banks toward their clients. Violation of bank secrecy in many jurisdictions is considered a criminal offense, and bank officials are therefore cautious about disclosing their clients’ information to third parties. However, these provisions are not absolute and are subject to exemptions—a common exemption relates to the prevention of money laundering and financial terrorism and to the monitoring of credit risk. Another exemption to bank secrecy recognized under the famous Tournier v. Bank of England case is based upon the customer’s consent.[4] Open banking also creates an exception to bank-secrecy protections, based upon customer consent, with the objective of benefiting consumers by enabling third-party[5] access to account data held by banks.

Since rules under an open-banking scheme are enacted by different authorities, potential conflicts of law may exist. In addition, one of the objectives of enabling open banking is to provide consumers more control over their account information and the possibility to decide with whom they would like to share such data to obtain additional and more convenient and attractive products or services. In such a context, the consumer’s consent to allow third parties access to information through application programming interfaces (APIs) has become a key issue in the formulation of the legal and regulatory framework of open banking. This document aims to explore practical solutions to the provision of consent, taking into consideration existing laws while also making use of technological solutions to address the need for customers’ permissioned access to their data. There are several perspectives to consider regarding why the authorization of the customer is necessary under open-banking schemes: (i) requirements of a contractual nature in relation to the access to, and subsequent processing and storage of, personal data for the purpose of providing payment services; (ii) explicit consent in line with article 6 of the General Data Protection Regulation (GDPR); and (iii) consent to allow access to a customer’s banking data as per bank-secrecy provisions (EDPB 2020a). The objective of the consent mechanism is not to solve all measures related to the data-protection framework but to provide for a framework that translates permissioned access into the enabling technology.

While open banking increases transparency in financial markets by making data more widely shared, it also creates concerns about personal data protection and privacy. Explicit consent addresses the inherent tension that exists in the use of personal data for commercial purposes—such as open banking—by enabling consumers to exert control over the use of their data. This approach also reflects the legal approach to privacy for individuals compared to firms—people are recognized to have a right to privacy, while firms are not.[6] In many jurisdictions, personal data-protection regimes are part of the broader legal framework for open banking and often based on another well-known European benchmark—the GDPR.

The potential for open banking is great; according to projections by Allied Market Research, the global open-banking market will grow at an estimated annual rate of nearly 25 percent between 2019 and 2026, going from $7.2 billion in 2018 to over $43 billion by 2026.[7] Millions of consumers are already benefitting from open banking. South Korea is a particular standout; 20 million consumers have used open-banking services—approximately 70 percent of the economically active population—in just the first two years of such services becoming available (since 2019).[8] South Korea is an outlier in the speed of adoption—other countries, such as the United Kingdom and India, each have fewer than five million open-banking customers as of 2020—but Korea’s experience shows the potential for open banking when conditions are right. Notable features of open banking in Korea include a strong regulatory framework and joint platform that doesn’t require bilateral partnerships between banks and TPPs; the ability of both large and small fintechs to use the system to promote innovation and competition; functionality, including the ability to use open banking for wire transfers; and a very high penetration of smartphones (over 90 percent of the population).[9]

The promise of open banking for financial inclusion is potentially transformational, as it would allow not only access to new customers but also the offer of new products and services to existing ones. By harnessing data from a range of financial providers and commercial firms, which may include fintechs and other technology companies, retailers, and utilities, open banking reduces information asymmetries, opens doors for new innovative products and services, and increases competition. However, obtaining the benefits of open banking for financial inclusion requires intentional design of policies and products, which, so far, is uneven across jurisdictions. Research by the Consultative Group to Assist the Poor identifies Brazil, Indonesia, and Mexico as three countries that have been proactive in leveraging open banking to increase financial inclusion (Plaitakis and Staschen 2020).

While initial open-banking developments took place in the European Union and United Kingdom, as of June 2021 a number of countries are already implementing open banking in Asia, the Americas, and, to a lesser extent, Central Europe. Only two countries have developed open-banking initiatives thus far in Africa. The spread of open banking beyond Europe can be seen in figure 1, which was produced for the Basel Committee on Banking Supervision’s 2019 publication Report on Open Banking and Application Programming Interfaces. The following jurisdictions have currently implemented or are in the process of implementing an open-banking scheme: Australia, Brazil, Chile, Colombia, the Czech Republic, the European Union, Georgia, Hong Kong, India, Israel, Japan, Mexico, Singapore, Turkey, the United Kingdom, and Uruguay. The United States launched an open-banking report and Malaysia an open-banking policy document. Nigeria released an open-banking framework just in May 2021, and Rwanda issued open-banking regulations in 2018. Indonesia issued the payment systems playbook, and China has not yet issued a policy document on open banking, but the fintech industry is driving efforts on open banking. The Philippines is currently developing the regulatory framework on open banking, while Israel released draft guidelines for credit card companies and banks to allow non-bank financial institutions access to their data for payment services. Turkey started with amendment of the payment systems and e-money institutions law and their main legal text for open banking, although the banking law explicitly recognized the open-banking services and included services broader than just payments (that is, remote identity-verification services). In all of these economies, consent is part of the legal and regulatory approach to open banking, providing a mechanism to protect consumers from unwanted disclosures of personal data or overly aggressive digital marketing, and to help justify greater transparency in financial markets as something driven by consumer demand.

FIGURE 1: Open-Banking Developments Globally
[World map, “The World of Open Banking”; each jurisdiction is annotated with its latest open-banking milestone and date and classified as market driven, hybrid market/regulatory driven, or regulatory driven.]
Source: Konsentus, July 2021
This map was produced by the Cartography Unit of the World Bank Group (IBRD 46317, December 2021). The boundaries, colors, denominations, and any other information shown on this map do not imply, on the part of the World Bank Group, any judgment on the legal status of any territory, or any endorsement or acceptance of such boundaries.

While consent is a core part of the legal and regulatory framework for open banking, clear guidance on how to implement consent is frequently lacking. Data-protection laws provide general requirements on consent clauses but may not fully reflect the technology and market conditions present in open banking.

The main objective of this paper is to provide guidance on how to provide consent under open-banking scenarios.

It is important to clarify that the intention is not to cover all the necessary protective measures that are addressed through broader data-protection, governance, and cybersecurity frameworks. The authors also acknowledge that consumer consent under the GDPR and similar data-protection frameworks is not the same as that envisioned under PSD2, although the concepts are not contradictory. The objective of this document is not to discuss these additional scenarios and the potential risks of personal data sharing in general but to focus on permissioned access to data for either payment-initiation services or other related services based on account information. The range of data-protection and privacy considerations under data-sharing scenarios includes data-protection principles,[10] data governance and enforcement, and data security, including cybersecurity, which fall outside the scope of this document. By the same token, the usage of data for artificial intelligence and potential negative consequences resulting from data analytics and algorithm development are part of a broader discussion and not the object of this paper. Aspects related to “silent-party” data under an open-banking scheme are also not subject to discussion in this paper, which aims at explaining in greater detail pragmatic solutions to the need for operating under a customer-permissioned environment. Finally, the authors acknowledge that the term open banking is evolving, and some jurisdictions are embracing open finance and even open data beyond the financial sector. These developments are at a very preliminary stage, and it is too early to draw any conclusions—thus, they are also beyond the scope of this paper.

This report also briefly discusses the limits on consent as a way to protect consumers from abuse and identifies other actions regulators can take to balance innovation and transparency with privacy in a digital marketplace, in sections 2 and 3 of this report. Implementation options to consent, such as establishing a fiduciary standard for open-banking providers to meet, are briefly discussed, but in-depth treatment of these approaches is beyond the scope of this report.

A BRIEF INTRODUCTION TO OPEN BANKING

Open-banking schemes involve different authorities, market participants, types of data, technology, standards, rules, and governance schemes. (See figure 2.) The design of each open-banking scheme differs from one country to another, including the mandatory versus voluntary rules. However, even under mandatory schemes, the consent of the customer is required. This is different, for example, than for credit reporting, where participation is mandatory to protect credit quality and the soundness of the financial system. Under credit-reporting scenarios for credit data, the legitimate interest for data processing remains with the bank or credit provider in connection with overindebtedness and financial stability. However, under open-banking schemes, the main objective is not to evaluate the creditworthiness of the customer but to offer additional options to the consumer; therefore, the control and legitimate interest remain with the consumer. Since the benefit is intended to accrue especially to the customers, their permission is central to the transaction and provides part of the rationale for increased transparency. In addition, enabling consumers’ permission to access their own account data by third parties allows the implementation of the data-portability concept, which is a key concept to increase market competition on financial services.

FIGURE 2: Open-Banking Ecosystem
[Diagram; recoverable content: policy pillars are the financial sector, competition, and consumer and data protection. Data types are market data (maps, location of access points, fees, commissions) and transaction data (payment flows, credit accounts, investments). Data holders are banks, financial institutions, insurance, fintechs, and others; TPPs are PISPs, AISPs, and FPPs (data aggregators), connected through APIs. Governance comprises technical standards, regulatory authorities, and a self-regulatory body, covering consent mechanisms, redress, liability, and security measures.]
Source: World Bank (2020)

Data flows under open-banking schemes take place between a few relevant actors, including payment-initiation service providers (PISPs)[11] and account-information service providers (AISPs).[12] The role of the account-servicing payment service provider[13] has also been recognized under some jurisdictions. While under open-finance schemes, authorities are evaluating complexities of involving third parties and may be considering implications of reciprocity, it is important to understand that the obligation relies on enabling access and not necessarily proactively sharing the data with third parties. Therefore, most of the schemes put emphasis on the establishment of APIs and harmonization languages to enable data sharing between different parties and not necessarily on the actual data-sharing (sending-data) obligation.

Open banking can securely provide other financial institutions and TPPs with seamless access to customer data through APIs. Several methods are used to access customer information, which can pose risks to customer data. Web scraping refers to a computer program or bot that extracts human-readable data (such as email addresses, phone numbers, shopping behaviors, and more) from another program, site, or platform. In the context of online banking, for example, this means viewing the account balance, but bank customers must grant the service provider (the PISP) permission to access their banking data. For this purpose, they log onto the provider’s platform using their online banking data (for example, sharing username and password with third parties). The reverse-engineering method allows access to the source code of an application, the insight view of the architecture, and the third-party dependencies. This method is considered a serious vulnerability in mobile applications and may cause a great impact on the consumer as well as the bank. This information can further be used to upgrade, make a copy, or pursue any other malicious purpose. The big change with open banking is moving away from insecure screen scraping and password sharing to APIs. APIs,[14] on the contrary, provide a secure and standardized way for applications to work with each other and deliver the information or functionality requested. For the “API call,” it is necessary to enable the customer permission/consent.

FIGURE 3: PISPs before and after Open Banking
[Diagram; labels: issuer bank, customer’s bank, TPP (PISP), acquirer bank, card network, merchant.]
Source: World Bank staff (2020)

FIGURE 4: AISPs before and after Open Banking
[Diagram; labels: financial services, web scraping, TPP (AISP), Bank A, Bank B, Bank C, e-money service provider.]
Source: World Bank staff (2020)

The primary audience for this report is financial regulators who are charged with the oversight and implementation of open-banking regulations, as well as regulators from other agencies who may also have jurisdiction due to the use of consumer data for financial services. These include telecommunications and utilities regulators and authorities responsible for consumer protection and data protection, depending upon the national regulatory structure. Other relevant audiences include private-sector financial providers engaging, or planning to engage, in open banking and development practitioners supporting digital finance, open banking, consumer protection, and data protection.

The remainder of this report is organized as follows. Section 2 briefly discusses the economics of information in financial markets, to provide a high-level overview of changes in the use and availability of information by financial services providers and the importance of willing customer participation in these systems. Section 3 discusses arguments for alternative approaches to consumer consent. Section 4 focuses on the foundational laws for open banking and consent that are used widely as guides for laws in other countries: PSD2 and the GDPR. Country cases are presented in section 5.

FIGURE 5: Scraping and Reverse Engineering versus APIs
WEB SCRAPING: flexible; easy to implement; requires that customers share username and password; could lead to unintended outcomes; no revoking rights; accuracy of data incorrectly.
REVERSE ENGINEERING: process of decoding an object that reveals its architecture to obtain relevant information; analysis of the device; high costs; access to source code; algorithms being reversed.
APIS: secure and stable; more control to banks; consumer control through consent mechanisms; stability; less flexible to fintechs.
Source: Presentation by World Bank staff at the Financial Inclusion Global Initiative Symposium (2021)

NOTES

1. Definition as per BCBS (2019).
2. The term is thought to have emanated from a United Kingdom initiative launched by the Open Banking Working Group to explore ways in which greater financial data access could assist consumers to understand their finances and make more-informed choices. The resulting UK Open Banking Standard relies on data being securely shared or openly published through open APIs that would let third parties, such as fintech companies, access users’ data through their bank accounts. See ODI and Fingleton (2019).
3. Personal customer accounts allow for making and receiving payments with or without using cash or storing of money. Most personal accounts also offer a facility to borrow money on a flexible short-term basis. Seven percent of these accounts in the United Kingdom are basic accounts.
4. “It is an implied term of the contract between a banker and his customer that the banker will not divulge to third persons, without the consent of the customer express or implied, either the state of the customer’s account, or any of his transactions with the bank, or any information relating to the customer acquired through the keeping of his account, unless the banker is compelled to do so by order of a Court, or the circumstances give rise to a public duty of disclosure, or the protection of the banker’s own interests requires it.” In Tournier, the bank’s duty of confidentiality extends to all information from account transactions.
5. It should be noted that not every third party under an open-banking scheme is allowed to access a consumer’s data. Rather, only those that have been approved by the data-governance body of the open-banking scheme are allowed to do so.
6. In many instances, where the focus is on firms, especially those which are publicly held, the objective of law is how to achieve transparency.
7. Gill and Sumant, 2020.
8. Hamilton, 2019.
9. Financial Services Commission, open-banking resources, https://www.fsc.go.kr/eng/po030101; and Statista for smartphone coverage data, https://www.statista.com/statistics/777726/south-korea-smartphone-ownership/.
10. Lawful-basis processing, purpose limitation, and data minimization.
11. Refers to the provider of a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
12. Means a provider of an online service providing consolidated information about one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider.
13. Refers to a payment service provider providing and maintaining a payment account for payers, which are usually banks.
14. Please note that, depending on the type of API, the assets shared are more restrictive than private APIs.

2 THE ECONOMICS OF INFORMATION IN FINANCIAL MARKETS

The collection and analysis of customer information has traditionally been viewed as a key role of financial institutions. Through transaction accounts with consumers as well as other products and services, including credit, savings, and payment activities, financial institutions have access to a unique set of information about both the ability and willingness of borrowers to repay obligations, addressing issues of both adverse selection and moral hazard (Jaffee and Russell 1976; Stiglitz and Weiss 1981). These data can also be used to identify new sales and cross-marketing opportunities and to devise customer retention and collection strategies. AISPs present opportunities to enable additional services based on account information from banks and other financial institutions. The information gains even greater predictive power through analytical tools and statistical modeling, frequently referred to as credit scoring, which enables financial providers to quantify risks and adjust prices and policies accordingly (Barron and Staten 2003). This helps to reduce the impact of asymmetric information on financial markets, which can result in credit rationing and underdevelopment of finance more generally. In the absence of information sharing, large financial institutions have an advantage over smaller ones, as they can leverage data from many customers to strengthen empirical models and also have the resources to invest in these technologies.

Credit-reporting systems were developed to reduce further the impact of asymmetric information on financial markets by creating a mechanism for sharing information about customers—both individuals and firms—through centralized databases that include data from a number of financial services providers (Miller 2003). In some cases, credit-reporting data from financial institutions are complemented with data from other sources, including retailers that provide credit, utility companies, and public databases and registries. While consent clauses are often included in financial contracts to support data sharing with credit-reporting agencies, another rationale is based upon the public interest. Borrowers are viewed as having the obligation to share data on their loan performance to both monitor and incentivize good credit behavior and thereby reduce the risk of default and loss of funds for depositors. This obligation is limited, though, to regulated financial institutions and information related to existing or past repayment obligations or credit operations.

The transformation of many economic activities to digital platforms and channels that create enormous quantities of data on customer preferences, behavior, and financial activities—especially in terms of digital payments—is behind many innovative new fintech business models. E-commerce platforms have also leveraged data from transactions on their platforms to offer credit to small businesses.

Under open-banking schemes, PISPs are authorized to initiate payments into or out of a user’s account without direct contact with their banks. PISPs are authorized to make transfers on behalf of customers, rather than only displaying account results. PISPs do this by using the bank’s own resources to initiate transactions either to or from the payer’s bank account. As a result of this type of action, PISPs have “read-write” access. The adoption of open-banking schemes also presents opportunities for e-commerce, such as (i) reduced fraud rates in the industry and increased trust with consumers; (ii) increased online banking and payment options for e-commerce consumers; and (iii) merchants can leverage new payment aggregators to increase their strategic information on consumers.

As more nonfinancial sources of data are used to understand financial behaviors, data protection and privacy have gained even greater importance in the context of data sharing for finance.

However, there are also important limitations to the use of consent as traditionally understood in other scenarios. According to researchers from Carnegie Mellon, it would take 76 days for an average consumer to read just the privacy and consent forms for web-based activities typically conducted during a year (Madrigal 2012; McDonald et al. 2009). If consumers read these documents (and they often don’t), they are likely to have difficulties understanding them, even if the consumers are literate and educated, due to the documents’ legalistic language. Small font
By helping to build trust and a sense sizes and formats that make it difficult to identify key data of control among consumers, data protection and privacy or topics quickly also contribute to consent being of lim- safeguards, including consent, can increase the uptake ited use to consumers in many cases. Too often, consent and use of digital financial products and strengthen the boxes are simply ticked without any review, as consumers formal economy. Clauses in data-protection and privacy see them as essentially required in exchange for the use regulations that establish time limits for the use of per- of the product or service. sonal data can give consumers with negative performance episodes incentives to improve their standing, reducing Consent alone is inadequate to support data protection the possibility that some consumers may become eco- and privacy, but it is a critical tool that gives consumers nomically marginalized for temporary problems. Con- some control over their data, if properly designed and sent can also provide an opportunity to teach consumers implemented. The next section of the report discusses about their rights and responsibilities in financial markets consent and alternatives and is followed by an analysis and with respect to data use, so they are better self-ad- of consent as laid out in PSD2 and the GDPR. Section 4 vocates and can help to enforce regulatory requirements also includes a discussion of the specific aspects of the and market discipline. Consent also creates the potential design of consent that can strengthen its effectiveness for for tailoring the use of personal data to the needs of the consumers, based on guidance related to implementation individual, thereby minimizing negative externalities while of the GDPR. working toward greater market transparency. 
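The read-only versus read-write distinction between AISPs and PISPs, together with the point that consent is only a useful control when it is specific, time-limited and revocable, can be made concrete as the authorization check a bank runs before serving a third-party request. The Python below is an illustration added by the editor; it is not code from the World Bank note, from PSD2 or from any open-banking standard, and the scope names, the Consent record, the TPP identifiers, account identifiers and dates are constructed for the example. It models an AISP consent that covers only selected accounts and a read scope, a PISP consent with a short-lived payment-initiation scope, and shows what the account-servicing provider should refuse: requests from a TPP other than the one named in the consent, requests outside the consented accounts, scope or purpose, and any request after expiry or after the customer withdraws. It also anticipates the data-minimisation point of PSD2 article 67, discussed in section 4, by returning only account-information fields to an AISP and never the customer's security credentials.

```python
"""Consent-scoped authorization for an open-banking API (editor's illustration).

Constructed example; the scope names, Consent record and sample identifiers
are assumptions, not taken from PSD2 or from any open-banking standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Scope(str, Enum):
    ACCOUNT_READ = "accounts:read"          # AISP: read account information only
    PAYMENT_INITIATE = "payments:initiate"  # PISP: "read-write", moves money


@dataclass
class Consent:
    consent_id: str
    tpp_id: str                   # the accredited third party named in the consent
    account_ids: FrozenSet[str]   # only the accounts the customer selected
    scopes: FrozenSet[Scope]      # what the TPP may do with them
    purpose: str                  # the specific purpose disclosed to the customer
    granted_at: datetime
    expires_at: datetime          # consent is time-limited by construction
    revoked_at: Optional[datetime] = None

    def revoke(self, when: datetime) -> None:
        """Customer withdrawal: takes effect at `when`, kept for the audit trail."""
        if self.revoked_at is None:
            self.revoked_at = when

    def is_active(self, now: datetime) -> bool:
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return self.granted_at <= now < self.expires_at


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # a distinct reason per check, so refusals can be logged and shown


def authorize(consent: Consent, tpp_id: str, scope: Scope,
              account_id: str, purpose: str, now: datetime) -> Decision:
    """Deny-by-default check run by the account-servicing provider per request."""
    if tpp_id != consent.tpp_id:
        return Decision(False, "consent was granted to a different TPP")
    if consent.revoked_at is not None and now >= consent.revoked_at:
        return Decision(False, "consent withdrawn by the customer")
    if not consent.is_active(now):
        return Decision(False, "consent not yet valid or expired")
    if account_id not in consent.account_ids:
        return Decision(False, "account not covered by this consent")
    if scope not in consent.scopes:
        return Decision(False, f"scope {scope.value} not granted")
    if purpose != consent.purpose:
        return Decision(False, "request purpose differs from the consented purpose")
    return Decision(True, "ok")


# Fields an AISP may receive under accounts:read. Personalised security
# credentials are never account information and are dropped unconditionally.
ACCOUNT_READ_FIELDS = ("account_id", "currency", "balance", "transactions")


def account_information(record: dict) -> dict:
    """Data minimisation: keep only the fields covered by the read scope."""
    return {k: v for k, v in record.items() if k in ACCOUNT_READ_FIELDS}


def demo() -> Dict[str, Decision]:
    """Constructed scenario: one budgeting-app (AISP) consent, one PISP consent."""
    t0 = datetime(2021, 12, 1, tzinfo=timezone.utc)
    aisp = Consent("c-1", "tpp-budget-app", frozenset({"acc-1", "acc-2"}),
                   frozenset({Scope.ACCOUNT_READ}), "budgeting",
                   t0, t0 + timedelta(days=90))
    pisp = Consent("c-2", "tpp-pay-init", frozenset({"acc-1"}),
                   frozenset({Scope.PAYMENT_INITIATE}), "pay merchant",
                   t0, t0 + timedelta(minutes=15))   # single-payment consent
    now = t0 + timedelta(days=1)
    results = {
        "aisp_read": authorize(aisp, "tpp-budget-app", Scope.ACCOUNT_READ, "acc-1", "budgeting", now),
        "aisp_pay": authorize(aisp, "tpp-budget-app", Scope.PAYMENT_INITIATE, "acc-1", "budgeting", now),
        "aisp_other_account": authorize(aisp, "tpp-budget-app", Scope.ACCOUNT_READ, "acc-9", "budgeting", now),
        "aisp_other_purpose": authorize(aisp, "tpp-budget-app", Scope.ACCOUNT_READ, "acc-1", "marketing", now),
        "wrong_tpp": authorize(aisp, "tpp-pay-init", Scope.ACCOUNT_READ, "acc-1", "budgeting", now),
        "pisp_expired": authorize(pisp, "tpp-pay-init", Scope.PAYMENT_INITIATE, "acc-1", "pay merchant", now),
    }
    aisp.revoke(now)   # customer withdraws from the consent dashboard
    results["aisp_after_revoke"] = authorize(
        aisp, "tpp-budget-app", Scope.ACCOUNT_READ, "acc-1", "budgeting", now + timedelta(seconds=1))
    return results


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:20s} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
```

Running the module prints one line per request; only the in-scope AISP read is allowed, and every other request is refused with a reason that names the failed check. The point of the separate reasons is operational: a refusal after withdrawal or outside the consented purpose is exactly the event a consumer-facing consent dashboard or an adverse-action notification should be able to report.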
3 CONSENT AND ALTERNATIVES TO CONSENT

Open-banking regulations are designed to encourage the seamless sharing of data as part of improving competition and encouraging innovation in the financial-services sector. Part of the reforms introduced by PSD2 in the European Union gives TPPs access to a customer’s payment account data, provided the customer gives the required consent. Other open-banking regulations (for example, those in Australia, Brazil, and India) clearly establish a consent protocol for access to customer data, including additional safeguards such as limiting access to accredited institutions, adopting data-protection measures in addition to consent, and enabling an oversight framework and data-governance structure, among others. That seems to be a straightforward approach, but as the analysis in this paper shows, there are many issues relating to consent, including its legal nature, and to the interplay between open-banking regulation and other regulation, especially data-protection and privacy laws and regulations.

Open banking is an economic reform, but it is based on processing personal data with consumer consent. The use of such data could vary from enabling TPPs to provide payment-initiation services to comparators that use account information to compare the services and products offered to a specific consumer by different service providers. While the confidentiality of information remains very relevant, the focus in open banking has shifted to how consumers are able to control and maximize the beneficial use of their banking data (Leong 2020). As the European Data Protection Board (EDPB) observes, “If it is correctly used, consent is a tool giving the data subject control over the processing of his data. If incorrectly used, the data subject’s control becomes illusory and consent constitutes an inappropriate basis for processing” (EDPB 2020b).

There are reasons to believe that the traditional way of providing consent through paper-based or electronic forms has limitations. Therefore, this paper analyzes new forms of obtaining consent from consumers that provide them with broader control over their data as well as increased transparency from data controllers. As discussed earlier in this report, research has shown that the burden on consumers of reading privacy policies is great. In work done more than a decade ago, in 2008, researchers at Carnegie Mellon estimated that it would take 76 working days to read the online privacy policies that correspond to typical internet use (McDonald et al. 2009). With even more online and digital commerce and activities today, this burden is more likely to have increased than decreased. Many consumers simply tick boxes or provide other required forms of consent without really understanding what they are agreeing to or its implications (Murthy and Medine 2018). The practical guidance provided in this report, and in other publications (Boyd and Hanouch 2021; Murthy and Medine 2018), on how to make consent more rigorous and effective can strengthen consent requirements, but fatigue with disclosures and consent agreements may reduce the impact of even the best-designed interventions.

Consent should be seen as one part of a more comprehensive approach to protecting consumers’ interests; an adequate data- and consumer-protection framework is necessary to protect consumers effectively under open-banking schemes. In some instances, these protections involve consumer input, supervision, and feedback. In others, they relate to the “privacy architecture” built into financial products and services, of which consumers may never be aware.
In a related vein, privacy notices that lay out the terms and conditions for the treatment of consumer data, and that are required by law and/or regulation, can create the basis for regulatory supervision and enforcement. While these notices may not be used directly by consumers, even though they would be publicly available, they are valuable both for regulators and for setting industry-wide expectations of behavior.

Developing a role for “learned intermediaries” who could audit the privacy policies of open-banking and other providers of digital financial services and identify misuse of data or gaps in consumer protection has also been raised as a way to strengthen data protection. As with regulatory oversight, the advantage is that skilled professionals would review data-protection and privacy policies and their effective implementation by providers. Rather than waiting for problems to come to light and harm to come to consumers, this kind of audit and supervision activity could complement other regulatory actions and help to identify and correct problems proactively. The governance arrangements adopted within open-banking schemes could take into consideration the adoption of mechanisms based on the concept of “privacy by design.” Collaboration between data-protection authorities and financial-sector regulators may therefore be necessary when implementing consent mechanisms for open-banking schemes.

The creation of online platforms that enable consumers to review their personal data sharing quickly, including what they have consented to, is another innovative approach designed to increase transparency and ultimately consumer control of their data. By creating a common location for information on consumer data, individuals would have a better understanding of what data they have shared, for how long, and with whom.

Using “legitimate purpose” as a requirement for access to and use of data is also an approach that has been employed effectively in the past, for example in the context of the US Fair Credit Reporting Act and credit reporting. As with a fiduciary standard, setting out a legitimate-purpose requirement puts the burden on financial providers to limit their use of data to instances where they are creating value for consumers. In the context of the US Fair Credit Reporting Act, this includes monitoring credit performance and monitoring for fraud, but also making new credit offers that introduce competition into the marketplace.

In fact, there may yet be more to learn from experience with credit reporting and with data protection and privacy as they apply to open banking. For example, adverse-action notifications are powerful for protecting consumers, because they highlight when data have been used and resulted in harm. In the case of credit reporting, this may be the rejection of a credit application or a higher interest rate on a loan that is provided. A similar adverse-action notification could be developed for open banking, so that consumers are informed when their data have resulted in a negative outcome, such as paying a higher price for a financial product, receiving a smaller line of credit, or outright exclusion from certain offers. The online platform for information on consumer data is similar in some ways to the reports that consumers can request from credit bureaus, in which inquiries into their data are identified, helping to detect fraudulent requests or other misuse.

4 THE ROLE OF CONSENT IN RECONCILING OPEN BANKING, PRIVACY, AND DATA-PROTECTION FRAMEWORKS

Open banking in its current form is a relatively recent development, having initially been approved by the European Union in 2015 and by the United Kingdom in 2018. Following this lead, similar legal frameworks are being established by other developed and developing nations in Africa, the Americas, and Asia, as governments seek to encourage open banking. Some nations are using a market-driven approach, whereby open banking is permitted but not specifically regulated and may or may not be officially encouraged. This type of “wait-and-see” approach to regulation is likely to result in no firm requirements on consent until formal laws or regulations are issued. Other jurisdictions are actively encouraging the development of open banking, often through the release of open APIs and technical standards and/or guidelines, but are not mandating it. The focus on technical standards may or may not be accompanied by regulatory guidance on consumer-protection issues, such as consent. The third approach is based on regulatory statutes, whereby a nation enacts legislation to mandate open banking. Usually, the law requires at least some financial institutions, typically the nation’s largest banks, to share data with accredited third parties with the consent of the consumer. The analysis of consent in open banking in relation to PSD2 and the GDPR presented in this section, and the country case studies developed for this paper and presented in the next section, focus on countries with an open-banking regulation, because it is the most widely used approach and because it requires the sharing of consumer data with third parties with consumer consent.

Most countries are modelling their open-banking initiatives on PSD2, which provides the legal basis for open banking in the European Union (European Union 2015). PSD2 influenced a similar regime that is in place in the United Kingdom[15] and that nations outside Europe have since adopted for their open-banking initiatives. PSD2 is a European Union directive on electronic-payment services and includes the regulatory framework for open banking. Further, PSD2 was designed to strengthen competition, consumer protection, and innovation in the payments market and to contribute to the development of new methods of payment and e-commerce. PSD2 was an early model that other countries could readily adopt, and as a result its influence is pervasive. Most nations follow PSD2 in terms of its objective of economic reform through increasing competition and fostering innovation in the banking and finance sector. Most nations also follow the basic approach of PSD2 to consumer consent, as well as its identity-authentication and data-security requirements.

BOX 1: Open-Banking Principles Will Be Extended to Energy and Telecommunications Sectors in Australia
Open banking is really about data, specifically consumer data, and its access and use by TPPs. Around the world, the banking and financial-services sector is the first sector where this data sharing is being encouraged and facilitated through government policy and legislation. It can extend to other sectors and eventually be economy-wide. This is perhaps most clearly articulated by Australia, where open banking is now being implemented and will be extended to the energy and telecommunications sectors, paving the way for an envisioned economy-wide rollout.

The same pattern of international adoption that is occurring with open banking occurred earlier in relation to data protection. Almost without exception, nations around the world follow, to some degree, the European Union’s data-protection framework as now set out in the GDPR. This general similarity in data-protection requirements (including consent and other lawful grounds for data processing, in addition to the right to portability) is significant because open banking is being introduced, in many instances, in countries that have established data-protection legislation based on the European Union’s model.[16]

Because the European Union’s models for both open banking and data protection are the most widely followed around the world, they form the basis of the discussion of the key issues regarding open banking and consumer consent in this paper. PSD2 does intersect with other EU directives and regulations, including the Directive on Unfair Contract Terms in Consumer Contracts 93/13/EEC (Unfair Contract Terms Directive). Similarly, consumer law and the general law of contracts apply in other jurisdictions. However, while there are basic similarities in intent and sometimes in approach, there are considerable national differences. While consumer-protection law and contract law have peripheral relevance and will be referred to more narrowly in this paper, PSD2 and the GDPR are of most direct relevance to consumer consent to data processing in an open-banking context. For these reasons, the analysis in this paper starts with a detailed analysis of PSD2 and the GDPR as the key international model regulations applicable to open banking. Section 5 looks at a select group of countries that are in the process of implementing open banking and analyzes how they are addressing consent.

Reconciling Open-Banking Rules with Data Protection and Privacy

Open banking is market reform, and the legislation that enables it is banking law. Data-protection law is essentially human rights legislation that was originally conceived in the context of the protection of privacy in the technology era. Moreover, data-protection frameworks also recognize the right to data portability, allowing consumers more control over their data.

Access to customer data by third parties has occurred in the absence of APIs through the widespread practices of screen scraping and reverse engineering, still prevalent in several markets. Some of the concerns associated with screen scraping and reverse engineering have to do with security and customer protection, stability, and the lack of any right of revocation on the part of the customer: because access rests on the customer’s own log-in credentials rather than on a scoped, revocable authorization, it cannot be withdrawn without changing those credentials. The Standing Senate Committee on Banking, Trade and Commerce of Canada paid particular attention to the advantages and disadvantages of open banking versus screen scraping.[17] According to the committee’s report, Canadians have little control over their financial data, while the adoption of new banking technologies, such as data aggregation and robo-advisors, requires that fintech companies access this data easily and seamlessly. Currently, these companies use screen scraping, whereby banking log-in credentials are used to extract customer financial and transactional data.

In the context of the European Union, implementing access to permissioned consumer data requires an analysis not only of PSD2 but also of the GDPR and the subsequent guidance of the EDPB.[18] One of the objectives of PSD2’s technical standards was to put an end to the practice of screen scraping, long a point of contention for banks.

Both laws discuss the role of consent, but PSD2 provides less guidance on what would constitute the “explicit consent” that consumers need to provide to comply with data-protection and privacy regulations when they use services enabled through open banking. Instead, PSD2 relies on the GDPR for a description of the elements of explicit consent. Since the GDPR is not specific to open banking, however, there is scope for varying interpretations of the data-protection requirements. In the United Kingdom, as a result of a Treasury consultation on the implementation of PSD2, the information commissioner viewed open banking as a way in which individuals’ rights to data portability under article 20 of the GDPR may be given practical effect and help financial institutions meet their data-portability obligations. The information commissioner also referred to the regulatory technical standards on strong customer authentication and secure communication that have been developed by the European Banking Authority.

While most of the jurisdictions that have developed an open-banking scheme already had a data-protection framework in place, some have amended the framework (for example, Australia) and others developed it later. Except for the United States, all advanced economies already had a data-protection framework in place. Even where such a framework does not exist (for example, in the United States), open-banking schemes recognize the need for a data-permissioned environment. In India, the lack of a data-protection framework was questioned by the courts and prompted its development in 2019, taking into consideration potential solutions to the challenges faced when implementing a know-your-customer platform, such as the consent manager and the data fiduciary. Nigeria and Rwanda issued payment regulations allowing PISPs to access bank data in 2019.

An important element of the regulatory framework of open banking is the existence of bank-secrecy provisions that prevent banks from sharing information with third parties. This is typically overlooked when discussing legal and regulatory approaches. Attention is geared toward the data-protection and privacy framework, but the main driver of permissioned data-sharing environments is the existence of bank-secrecy provisions in most civil law jurisdictions, whether advanced or emerging market economies.

Open banking is based on access to consumer data held by banks and other financial institutions within the definition of “account servicing payment service provider”[19] in PSD2.[20] The basis of this access as expressed in PSD2 is the explicit consent of the consumer, but neither consent nor explicit consent is defined; rather, PSD2 defers to the data-protection laws in place in the European Union, notably the GDPR. Under PSD2, banks must allow TPPs to access customers’ payment account data only provided that the TPPs have the “explicit consent” of the customer (articles 64, 76, and 94, PSD2). Under the GDPR, besides consent, there are other legal bases for data processing, including the performance of a contract. However, PSD2 increases the requirements for data processing beyond those of the GDPR and clearly establishes the need to obtain consent. This approach is consistent with banking laws, which typically include bank-secrecy provisions and require consumer consent for access to customer data by third parties.

FIGURE 6: Legal Provisions Affecting Customer’s Banking Data Sharing

COUNTRY          DATA PROTECTION                     BANK SECRECY
Australia        Amended with CDR in 2019            NO
Brazil           2011, amended in 2019               YES, until 2019
Canada           PIPEDA                              NO
Colombia         LPD 2012                            YES (exceptions)
European Union   GDPR                                Some member states had it until 2018
Georgia          DPL 2012                            NO
India            No; DPA developed later, in 2019    NO
Indonesia        NO                                  YES
Malaysia         2010                                YES
Mexico           2010                                YES
New Zealand      1993                                YES
Nigeria          Regulation                          YES
Philippines      2012                                YES
Rwanda           Developed in parallel, 2019         NO
Singapore        2012                                YES
Turkey           2016                                YES
UK               DPA 1998                            NO
US               Not comprehensive                   NO; the Bank Secrecy Act actually aims at the opposite

Source: World Bank staff elaborations using UNCTAD data (2020).

Article 64 of PSD2 establishes that (1) member states shall ensure that a payment transaction is considered to be authorized only if the payer has given consent to execute the payment transaction; a payment transaction may be authorized by the payer prior to or, if agreed between the payer and the payment service provider, after the execution of the payment transaction. (2) Consent to execute a payment transaction or a series of payment transactions shall be given in the form agreed between the payer and the payment service provider. Consent to execute a payment transaction may also be given via the payee or the PISP. In the absence of consent, a payment transaction shall be considered to be unauthorized. (3) Consent may be withdrawn by the payer at any time, but no later than the moment of irrevocability in accordance with article 80. Consent to execute a series of payment transactions may also be withdrawn, in which case any future payment transaction shall be considered to be unauthorized. (4) The procedure for giving consent shall be agreed between the payer and the relevant payment service provider(s).

Article 67 establishes that member states shall ensure that a payment service user has the right to make use of services enabling access to account information; that right does not apply where the payment account is not accessible online. The AISP shall provide services only on the basis of the payment service user’s explicit consent. The article also includes other measures to protect a consumer’s data and limit the usage of such data by TPPs. These measures include the need for personalized security credentials, identification of the AISP to the account-servicing provider for each communication session, secure communication between the service provider and the user, a limit on the information accessed to that from designated payment accounts and associated payment transactions, a prohibition on requesting sensitive payment data linked to the payment accounts, and limits on the purposes for which data may be accessed, processed, and stored. In addition, the article refers to conducting this service in accordance with data-protection rules.

Article 94 of PSD2 establishes that member states shall permit the processing of personal data by payment systems and payment service providers when necessary to safeguard the prevention, investigation, and detection of payment fraud. This processing shall be carried out in accordance with the GDPR. Paragraph 2 of article 94 establishes that payment service providers shall access, process, and retain only the personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.

Key Elements to Consider When Implementing Consent under Open-Banking Schemes

The essential requirements for valid consent under the GDPR are that the data subject’s consent is freely given, specific, informed, and an unambiguous indication of the data subject’s wishes by a clear affirmative action.[21] Article 7 of the GDPR sets out the following further conditions for consent: (i) the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data; (ii) the request for consent shall be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language; (iii) the data subject has the right to withdraw consent at any time, and withdrawal shall be as easy as giving consent; and (iv) when assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

SPECIFIC PURPOSE AND INFORMED CONSENT

Consumers shall be informed about the purpose of the processing, and about who is ultimately responsible for it, so that they can make informed decisions, understand what they are agreeing to, and withdraw their consent. The EDPB establishes the following list of elements that are required for obtaining valid consent to the processing of personal information:
i. The controller’s identity
ii. The purpose of each of the processing operations for which consent is sought
iii. What (type of) data will be collected and used
iv. The existence of the right to withdraw consent
v. Information about the use of the data for automated decision-making
vi. The possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards as described in article 46[22]

The EDPB adds that, where the consent sought will be relied upon by multiple controllers, or if the data are to be transferred to or processed by other controllers who wish to rely on the original consent, all the controllers should be named. Processors, such as third parties used by AISPs and PISPs, do not need to be named as part of the consent requirements, but to comply with articles 13 and 14 of the GDPR, controllers have to provide a full list of recipients or categories of recipients, including processors. The EDPB also notes that, depending on the circumstances and context, more information may be needed to allow the data subject to genuinely understand the processing operations at hand.[23]

Obtaining valid consent is therefore preceded by the determination of a specific, explicit, and legitimate purpose for the intended processing activity under article 5(1)(b) of the GDPR or article 94 of PSD2. As the EDPB and the Article 29 Working Party (WP29) indicate, specific consent and the purpose limitation in article 5(1)(b) are safeguards against the gradual broadening or blurring of processing purposes after a data subject has agreed to the initial collection of the data. “This phenomenon, also known as function creep, is a risk for data subjects, as it may result in unanticipated use of personal data by the controller or by third parties and in loss of data subject control” (EDPB 2020b).

CLEAR AND PLAIN LANGUAGE

The EDPB also states that, “when seeking consent, controllers should ensure that they use clear and plain language in all cases.” This means a message should be easily understandable for the average person and not only for lawyers. Controllers cannot use long privacy policies that are difficult to understand or statements full of legal jargon. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form. This requirement essentially means that information relevant to making an informed decision on whether to give consent may not be hidden in general terms and conditions. A controller must ensure that consent is provided on the basis of information that allows the data subjects to identify easily who the controller is and to understand what they are agreeing to. The controller must clearly describe the purpose of the data processing for which consent is requested (EDPB 2020b). The EDPB says that if consent is to be given by electronic means, the request must be clear and concise, and the board notes that the controller must account for factors such as age in ensuring that the information is understandable, including how it is presented (EDPB 2020b).

CONSENT FREELY GIVEN

Consent under the GDPR is valid only if the data subject can make a real choice free from deception, intimidation, coercion, or significant negative consequences, such as substantial extra costs, if he or she does not consent. Consent is not freely given when “there is any element of compulsion, pressure or inability to exercise free will.”[24] Furthermore, as the EDPB points out, “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.”[25]

Guidance from WP29 reinforces the role of article 7(4) in determining whether consent is freely given: “Article 7(4) GDPR plays an important role. Article 7(4) GDPR indicates that, inter alia, the situation of ‘bundling’ consent with acceptance of terms or conditions, or ‘tying’ the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is highly undesirable.” If consent is given in this situation, it is presumed not to be freely given.[26] Article 7(4) seeks to ensure that the purpose of personal data processing is neither disguised nor bundled with the provision of a contract for a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become, directly or indirectly, the counter-performance of a contract.[27] The EDPB adds that the term “utmost account” in article 7(4) “suggests that special caution is needed from the controller when a contract (which could include the provision of a service) has a request for consent to process personal data tied to it.”[28]

The GDPR makes clear that consent to the processing of personal data is not considered to be freely given if the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment, or where there is a clear power imbalance between the data subject and the controller.[29] Relating this to open banking, consent is unlikely to be regarded as freely given if the provision of the service is conditional on the data subject’s consent to data-processing activities that are unnecessary for the performance of that service.[30] Consent must also relate to specific processing operations and should cover all processing activities.[31] The latter requirement is particularly important for open banking, especially if the processing has multiple purposes.[32] Consent is also presumed not to be freely given if separate consents are not permitted for different data-processing operations when separate consents would be appropriate.[33]

While the GDPR lays down general principles regarding consent to the processing of personal data, there are many aspects to be considered when applying them to open banking. For example, is it clear that a consumer who consents to a payment service understands and consents to direct access to his or her banking account, and that access may be via a party other than the AISP or PISP? Does the consumer understand that he or she can limit the consent to access to specific data and can limit the data that are processed for the particular open-banking service? If the AISP or PISP as data controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, consent is neither free nor informed. As to explicit consent, although it is also not defined in the GDPR, recital 32 states that “silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

WITHDRAWAL OF CONSENT

A key element of consent is control by the data subject. Therefore, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. As part of this control, under the GDPR the data subject has the right to withdraw consent at any time. Article 7(3) of the GDPR provides that “the data subject shall have the right to withdraw his or her consent at any time and such withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.”

The controller must ensure that consent can be withdrawn by the data subject as easily as it was given and at any time. In the view of the EDPB, when consent is obtained via electronic means through only one mouse click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally easily.

[…]ing of personal data, but the cut-off time is not in line but is justified by the specific needs of making payments efficiently.[36] The withdrawal of consent in open banking is similar to the revocation of authorization for automatic payments under a recurrent-payment service. This could be for utility bills, card bills, car payments, gym fees, and so forth. Under those circumstances, there are also timelines (for example, three business days before the payment is scheduled).

EXPLICIT CONSENT

Consent, as required for point (a) of article 6(1), is defined in article 4(11) of the GDPR to mean “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”[37] Explicit consent is not defined in the GDPR but is the subject of guidance from the EDPB: “The term explicit refers to the way consent is expressed by the data subject”(EDPB 2020b, 20). This explicit consent is different in nature from the explicit consent required under PSD2, which, according to the EDPB, is contractual consent allowing for lawful processing pursuant to ground (b) of article 6(1) of the GDPR. Explicit consent is required under the GDPR when the type of data or type of processing involves what is regarded as heightened risk, so that a greater degree of control by the data subject is considered necessary. Explicit
Where consent is required under article 9 for processing special consent is obtained through use of a service-specific user categories of data, when processing involves international interface (for example, via a website, an app, a log-on data transfer to a third country (in the absence of adequate account, the interface of a device connected to the Inter- safeguards) under article 49, and under article 22 for auto- net of Things, or e-mail), there is no doubt a data subject mated individual decision-making, including profiling. must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole rea- The EDPB clarifies that explicit consent under the GDPR son of withdrawing consent would require undue effort. means that the data subject must give an express state- Furthermore, the data subject should be able to withdraw ment of consent. Under the GDPR, the consent does not his or her consent without detriment. This means, among necessarily have to be in writing. Explicit consent can be other things, that a controller must make withdrawal of oral, albeit with the caveat that oral consent makes proof consent possible free of charge or without lowering ser- more difficult.38 An obvious way to make sure consent is vice levels.”34 explicit would be to expressly confirm consent in a writ- ten statement (EDPB 2020b, 20–21). 
In guidance that is Article 64(3) of PSD2, however, states that the consumer’s directly applicable to open banking, the EDPB states that, consent to the payment transaction may be withdrawn by where appropriate, in the digital or online context, “a data the payer at any time but immediately qualifies this with subject may be able to issue the required statement by fill- a cut-off time limit designed to ensure efficiency in the ing in an electronic form, by sending an email, by upload- payments system.35 The right of the consumer to withdraw ing a scanned document carrying the signature of the consent at any time is in line with the same right of the data subject, or by using an electronic signature” (EDPB data subject under the GDPR in relation to the process- 2020b, 21). The EDPB continues, “A data controller may The Role of Consumer Consent in Open Banking   19 also obtain explicit consent from a visitor to its website ject receives an emailed notification of the controller’s by offering an explicit consent screen that contains Yes intent to process a record containing data. The controller and No check boxes, provided that the text clearly indi- explains in the email that it asks for consent for the use of cates the consent, for instance ‘I, hereby, consent to the a specific set of information for a specific purpose. If the processing of my data,’ and not for instance, ‘It is clear to data subject agrees to the use of this data, the controller me that my data will be processed.’”39 Most significantly asks him or her for an email reply containing the state- to open banking, the EDPB states that “a controller must ment “I agree.” After the reply is sent, the data subject also beware that consent cannot be obtained through the receives a verification link that must be clicked, or an SMS same motion as agreeing to a contract or accepting gen- message with a verification code, to confirm agreement eral terms and conditions of a service. 
Blanket acceptance (EDPB 2020b, 21). of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data. The EDPB mentions a major issue for the digital era: click The GDPR does not allow controllers to offer pre-ticked fatigue and the diminishing effect of online consent mech- boxes or opt-out constructions that require an intervention anisms. The board acknowledges that “this results in a sit- from the data subject to prevent agreement (for exam- uation where consent questions are no longer read. This ple ‘opt-out boxes’).”40 Physical motions can constitute a is a particular risk to data subjects, as, typically, consent clear affirmative action in compliance with the GDPR, in is asked for actions that are in principle unlawful without the opinion of the EDPB (EDPB 2020b, 19). However, in their consent.” The EDPB notes that the GDPR “places accordance with recital 32, in the view of the EDPB, action upon controllers the obligation to develop ways to tackle “such as scrolling or swiping through a webpage or sim- this issue” (EDPB 2020b, 21). The opinion mentions the ilar user activity will not under any circumstances satisfy practice of obtaining the consent of internet users via their the requirement of a clear and affirmative action” (EDPB browser settings but says only that the consent must com- 2020b, 19). This is because it is difficult to differentiate this ply with the validity requirements set down in the GDPR activity as unambiguous consent. for consent (EDPB 2020b, 19–20). PSD2 uses two-stage verification of consent, and this is Section 5 discusses how a select group of countries have specifically supported by the EDPB as “a way to make built upon the foundations provided by PSD2 and the sure explicit consent is valid.” For example, a data sub- GDPR to tackle the issue of consent for open banking. NOTES 15. 
The United Kingdom's Open Banking regime is implemented through the Competition and Markets Authority's Retail Banking Market Investigation Order 2017, which requires the United Kingdom's nine largest banks, upon request from customers, to provide regulated providers access to the customer's banking data via a secure and standardized format.
16. The extent to which data-protection legislation is followed and enforced varies. Plaitakis and Staschen (2020) also highlight the links between data-protection regimes and the introduction of open banking.
17. https://sencanada.ca/content/sen/committee/421/BANC/reports/BANC_SS-11_Report_Final_E.pdf.
18. Please note that the EDPB is the successor of the Article 29 Working Party, which provided guidance on data protection.
19. "Account servicing payment service provider" is defined as "a payment service provider providing and maintaining a payment account for a payer," but for ease of reference, this discussion continues to refer to these institutions as banks.
20. Article 4(17) of PSD2.
21. Article 4(11).
22. See EDPB (2020b), 15–16. This echoes the view of the WP29. See WP29 (2018), 13. See also recital 42 of the GDPR, which sets out these requirements. It states: "Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. … A declaration of consent preformulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
23. See EDPB (2020b), 16.
24. EDPB endorsing the opinions of the WP29. See EDPB (2020b), 9.
25. See EDPB (2020b), 10.
26. Recital 43 adds that consent is presumed not to be freely given if the process/procedure for obtaining consent allows data subjects to give consent for some processing but not for others.
27. WP29 (2018). The EDPB adds that "[I]f consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given." See EDPB (2020b), 7.
28. See EDPB (2020b), 11.
29. Recitals 42 and 43.
30. Article 7(4) and recital 43.
31. Recital 32 also states: "[C]onsent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them."
32. See recital 32.
33. Recital 43.
34. See EDPB (2020b), 23.
35. The moment of irrevocability in accordance with article 80. Consent to execute a series of payment transactions may also be withdrawn, in which case any future payment transaction is considered to be unauthorized.
36. Articles 16–20 of the GDPR indicate that in the case of withdrawal, when the processing is based on consent, the data subject has the right to erasure and the rights to restriction, rectification, and access. See EDPB (2020b), 32.
37. The GDPR places the onus on the data controller to demonstrate that the data subject's consent is informed and not coerced.
The GDPR now clarifies that consent will be considered not to be freely given if the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment, and where there is a clear imbalance between the data subject and the controller, though this is particularly stated in relation to a public authority. See recitals 42 and 43 of the GDPR.
38. Under the GDPR, the burden of proof is on the data controller to establish that all conditions for valid explicit consent are met. Under PSD2, the PISP or AISP must similarly establish consumer consent. See articles 66 and 67.
39. "An organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation)." See EDPB (2020b), 21.
40. "When consent is to be given following a request by electronic means, the request for consent should not be unnecessarily disruptive to the use of the service for which the consent is provided" (EDPB 2020b, 19).

5 COUNTRY CASE STUDIES

UNITED KINGDOM AND EUROPEAN UNION MODEL

The model on consent developed in the United Kingdom is valid for 90 days. The consent token expires and needs to be renewed. If a consent needs to be modified, the model allows the consumer to revoke the consent and provide a new consent. PSD2 mandates the European Banking Authority with developing regulatory technical standards on strong customer authentication and secure standards of communications among account-servicing payment service providers, PISPs, AISPs, payers, and payees. Commission Delegated Regulation (EU) 2018/389 supplementing PSD2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication entered into force on March 14, 2018. The obligations set forth in the regulatory technical standards were to apply from September 2019, although an extension has been provided to enable smaller institutions to adopt these rules. AISPs and PISPs need to develop mechanisms for consumers to see the consents they have provided and revoke them easily. Dashboards are presented to inform consumers about the status of consent with different TPPs, and, in addition, consumers receive confirmation emails of consent provided to the TPPs.

Below is an example of a consent mechanism that was developed by WSO2 and is compatible with regulation on open banking and data protection in the United Kingdom and European Union. It specifies the following: (i) to whom they are granting rights (TPP identity); (ii) for what purpose (payment/account details); (iii) for what period of time (number of days); and (iv) expiration process (when it will expire and how the user can revoke consent—typically 90 days if not revoked by the consumer). The process entails consent, authorization, and authentication.

Phase 1: Consent
In the consent phase, the interface shows the user what information is requested and for what purposes. The user can opt out, and sufficient information is available about the time-bound permission. This phase will be utilized by both the TPP and banking interfaces. It is in the TPP interface where the customer is first provided with the consent details to which he or she is going to provide consent. When it comes to the banking backend, the consumer must first be authorized by the bank to provide the consent details.

Phase 2: Authentication
After the user is informed about providing consent, it is the bank's responsibility to take over and provide the user with authentication mechanisms to ensure the security of the customer's data.

Phase 3: Authorization
Finally, the consumer is presented with the details about the consent required on the bank-user interface and is asked to allow or deny the TPP's request to access the data shown. The user's response needs to be recorded and stored.

[Illustration of the WSO2 consent mechanism: Phase 1: Consent; Phase 2: Authentication]

THE SITUATION IN BRAZIL

In Brazil, the Central Bank of Brazil's Regulation on Open Banking, Joint Resolution No. 1 of May 4, 2020,41 (Joint Resolution) entered into force on June 1, 2020. The joint resolution sets out a timetable for phasing in open banking. The first phase for sharing data on service channels, products, and services was to be completed by February 1, 2021, and full implementation of all phases is to be completed by December 15, 2021—dates that were slightly extended from initial plans due to the COVID-19 pandemic.42 The joint resolution provides for the implementation of open banking by financial institutions, payment institutions, and other institutions licensed by the Central Bank of Brazil. Article 6, part I(a), makes participation mandatory for banks, and required sharing is extensive.43 The joint resolution contains provisions that facilitate timely and efficient sharing by these institutions, including a prohibition on such impediments as setting up obstacles or limits on sharing.44

The stated open-banking objectives are to encourage innovation, promote competition, and increase the efficiency of the national financial system and the Brazilian payments system, promoting financial citizenship.45 In fulfilling the objectives, the regulation requires that account service providers, data-transmitting institutions, data-recipient institutions, and PISPs pursue their activities ethically and responsibly, in observance of the legal and regulatory framework and observing the principles of transparency, security and privacy of the data and services shared within the scope of the joint resolution, data quality, nondiscriminatory treatment, reciprocity, and interoperability.46 Article 31 of the resolution states that participating institutions are responsible for ensuring the reliability, integrity, availability, security, and confidentiality with respect to the data and services sharing . . . as well as for compliance with the legal and regulatory framework in effect.47 Consent must be obtained from the customer48 under article 10 for customer registration and transactional data and for specified services related to the customer.49

FIGURE 7: Phased Approach to Open Banking in Brazil
Phase 1, financial institutions data: access channels; products/services (deposit accounts, payment accounts, credit operations).
Phase 2, consumer registration data and transaction data: registry data; transactional data (deposit accounts, payment accounts, credit operations).
Phase 3, services: payment initiation; forward credit operation proposal.
Phase 4, other data: insurance; pension; investment; foreign exchange.
Source: Banco Central do Brasil

The LGPD follows the European Union's GDPR closely, including its definitions of personal data, sensitive personal data, and requirements for data processing that generally apply to the customer data used for open banking. The right to data portability is also included, which is seen as a major step in fostering competition because it allows consumers to transfer their data to other providers. The LGPD replicates the GDPR exactly in relation to consent and the other non-consent legal grounds for data processing.
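The consent lifecycle that the UK/EU model above describes (a consent naming the TPP, the purpose, the data covered and a validity period, expiring after 90 days unless revoked earlier, withdrawable as easily as it was given, and, under GDPR article 7(3), withdrawal leaving earlier processing lawful) can be checked mechanically. The following Python is an added example, not code from this note, from WSO2 or from any open-banking scheme; the maximum validity is a parameter because the schemes in this section set different limits, and the field names, channel names and sample consents are constructed.

```python
"""Consent-lifecycle checks for an open-banking consent record.

Added illustration; not code from this note, WSO2 or any open-banking scheme.
It encodes rules the note draws from the GDPR, the EDPB guidance and the UK/EU
model: consent is a clear affirmative action (no pre-ticked boxes, scrolling or
swiping), names the TPP, one specific purpose and the data covered, is
time-bound (90 days in the UK model; the cap is a parameter since schemes
differ), can be withdrawn on the interface used to grant it, and withdrawal
does not make earlier processing unlawful. Names and sample values are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

# Ways of signifying agreement that count as a "clear affirmative action" under
# GDPR recital 32; pre-ticked boxes, scrolling, swiping and accepting T&Cs are not.
AFFIRMATIVE_ACTIONS = frozenset({"explicit_statement", "box_ticked_by_user"})
T0 = datetime(2021, 6, 1, tzinfo=timezone.utc)  # constructed reference time


def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)


@dataclass
class Consent:
    tpp_id: str                          # (i) to whom rights are granted
    purposes: Tuple[str, ...]            # (ii) for what purpose
    data_scope: Tuple[str, ...]          # data elements the TPP may access
    validity_days: int                   # (iii) for what period of time
    action: str                          # how the user signified agreement
    granted_via: str                     # interface used to consent ("app", "web")
    withdrawal_channels: FrozenSet[str]  # interfaces on which withdrawal is offered
    granted_at: datetime = T0
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:    # (iv) expiration: fixed validity window
        return self.granted_at + timedelta(days=self.validity_days)


def validate_consent(c: Consent, max_validity_days: int = 90) -> list:
    """Return the rule violations found; an empty list means the consent is valid."""
    problems = []
    if c.action not in AFFIRMATIVE_ACTIONS:
        problems.append(f"'{c.action}' is not a clear affirmative action")
    if not c.tpp_id:
        problems.append("TPP identity missing")
    if not c.purposes:
        problems.append("no specific purpose stated")
    elif len(c.purposes) > 1:
        problems.append("purposes bundled; seek a separate consent for each")
    if not c.data_scope:
        problems.append("data scope not specified")
    if not 0 < c.validity_days <= max_validity_days:
        problems.append(f"validity of {c.validity_days} days is outside 1..{max_validity_days}")
    if c.granted_via not in c.withdrawal_channels:
        problems.append("withdrawal not offered on the interface used to consent")
    return problems


def is_active(c: Consent, now: datetime) -> bool:
    """Consent authorises access only inside its window and until withdrawn."""
    if c.withdrawn_at is not None and now >= c.withdrawn_at:
        return False
    return c.granted_at <= now < c.expires_at()


def withdraw(c: Consent, when: datetime, via: str) -> Consent:
    """Record a withdrawal made on one of the channels the controller offers."""
    if via not in c.withdrawal_channels:
        raise ValueError(f"withdrawal via {via!r} is not offered for this consent")
    c.withdrawn_at = when
    return c


def processing_was_lawful(c: Consent, processed_at: datetime) -> bool:
    """GDPR art. 7(3): withdrawal leaves processing done under a live consent lawful."""
    return is_active(c, processed_at)


def renewal_required(c: Consent, tpp_id: str, purposes, data_scope, now: datetime) -> bool:
    """A fresh consent is needed once the token has lapsed or the request changed."""
    changed = (tpp_id != c.tpp_id or set(purposes) != set(c.purposes)
               or set(data_scope) != set(c.data_scope))
    return changed or not is_active(c, now)


def sample_consent(**overrides) -> Consent:
    """A constructed, rule-conforming account-information consent; overrides make variants."""
    base = dict(tpp_id="tpp-example-001", purposes=("account_information",),
                data_scope=("balances", "transactions"), validity_days=90,
                action="explicit_statement", granted_via="app",
                withdrawal_channels=frozenset({"app", "web"}))
    base.update(overrides)
    return Consent(**base)


if __name__ == "__main__":
    c = sample_consent()
    print("violations:", validate_consent(c), "| active on day 89:", is_active(c, days_after(89)))
```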
Registration data includes data provided directly by the customer or obtained by consulting public or private databases, and it must be the most recent data available, specifying the date that it was obtained.50 Sensitive personal data, credit scores or ratings, and credentials and other information used with the objective of authenticating the customer are specifically excluded. Transaction data is data pertaining to the customer about products and services contracted with or distributed by the data-transmitter institution and accessible through its electronic service channels, including "pre-approved credit limits eventually agreed." At "a minimum, the data and transaction history of the past 12 months with respect to the products and services with valid contracts within that period" must be included.51

Open banking in Brazil must comply with the General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD),52 which creates a new legal framework for the use and protection of personal data in Brazil by the private and public sectors. The legislation went into immediate effect in September 2020, but penalties will not begin to be levied until August 2021.

The GDPR has six lawful bases for that processing, while the LGPD has 10 grounds, but the LGPD grounds generally do not differ substantially from those in the GDPR, with an important exception: The LGPD allows data processing "for the protection of credit, including with respect to the provisions of the applicable law."53 This is a significant departure from the GDPR, and it substantially broadens the possibility for lawful data processing in Brazil without consumer consent.

The open-banking joint resolution includes detailed provisions on consent in line with the European Union's model based on consent, authentication, and confirmation. Article 8 establishes that the request for sharing this registration and transactional data and services comprises the stages of consent, authentication, and confirmation. Consent is defined as "a free, informed, previous and unequivocal manifestation of will, made through electronic channels, by which a customer agrees to the sharing of data or services for specific purposes." A data-recipient institution or PISP must identify the customer and obtain his or her consent prior to the sharing. The consent must be requested using clear, objective, and suitable language; refer to specific purposes;54 have a validity period limited to 12 months;55 identify the data-transmitter institution or account service provider; specify the data or services that will be shared; and include the customer identification. If there is a change in purpose, validity period, data-transmitter institution, or account service provider, or in the data or service to be shared, a new consent from the customer is required. It is expressly forbidden to obtain the customer's consent by means of a standard customer agreement, using a form with the agreement field filled out in advance, or on presumption, without the customer actively manifesting his or her will.56 Overall the joint resolution is much more detailed and prescriptive than PSD2 in relation to requirements for consumer consent, but as discussed in the previous section on the data-protection framework, lawful data processing for credit does not require consumer consent.

FIGURE 8: Illustration of Consent Mechanism for Open Banking under the Brazil Framework
Elements shown: identification and institution authentication through the participants' directory; roles (data recipient, payment initiator, data transmitter, account provider); choice of the bank; data to be shared (account details, account beneficiary details, products, transaction credits, transaction debits, balances); consent limited to 12 months, compatible with a specific purpose, with authentication performed only once per consent.
Source: Author's elaboration based on Banco Central do Brasil57

PERSPECTIVE OF MEXICO

Mexican regulators approved Mexico's Law to Regulate Financial Technology Institutions (Fintech Law) in 2018. Article 76 established open banking in Mexico, to be further developed through secondary regulation. The Mexican law is broad in terms of scope of participants and data. Under article 76 of the Fintech Law, financial institutions, money transmitters, credit-reporting companies, clearing houses, financial technology institutions, and companies authorized to operate with novel models are required to establish APIs that enable connectivity and access to interfaces developed or managed by other regulated entities and third parties specialized in information technology, with the purpose of sharing open financial data, aggregate data, and transactional data.58 The Fintech Law states that these entities are required to create APIs and must share the following three types of data:

• Open financials, which are nonconfidential data, including information on services offered and access points59
• Aggregate data, which is that related to the statistical information of its operations60
• Transactional data, which is that related to the use of financial products and services by a consumer

The authorities decided to start with the nonconfidential data and then move to transactional data and leave out of the scope the aggregate data. Of these categories, transactional data is relevant to open banking and to the issues discussed in this paper. Transactional data relates to the use of a product or service, including deposit accounts, credits, and access means contracted in the name of the customers of regulated entities, as well as information related to the transactions that customers have carried out or intend to carry out. This is personal data of the consumer. Under the Fintech Law, the transfer of data and information is subject to secondary regulation that governs the standards necessary for the interoperability of APIs, the requirements for regulated entities and third parties to obtain the authorization to access such data and information from the relevant authority, and the fees that regulated entities can charge for the transfer of data and information. Technical and security standards have been published recently, but specific requirements for consent mechanisms have not been issued yet.61

Data protection for the private sector in Mexico is governed by the Federal Law62 on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, PPD), which entered into force on July 6, 2010.63 The PPD follows the European Union's data-protection model and includes similar definitions64 and provisions regarding consent of the "data owner," the term used in the PPD to refer to the data subject,65 and rights of data owners.66 As in the European Union's model, processing is widely defined as the "collection, use, disclosure or storage of personal data by any means. Use covers any action of access, management, exploitation, transfer or disposal of personal data."67 Interestingly, transfer is defined as "[a]ny data communication made to a person other than the data controller or data processor."68 The PPD also has extraterritorial operation with some differences in comparison to the GDPR.69

The PPD requires that "data controllers must adhere to the principles of legality, consent, notice, quality, purpose, fidelity, proportionality and accountability under the Law."70 Article 7 states that personal data must be collected and processed in a lawful manner in accordance with the provisions established by the PPD and other applicable regulations. Personal data must not be obtained through deceptive or fraudulent means. Article 8 requires that "all processing of personal data will be subject to the consent of the data owner except as otherwise provided by this Law. Such consent will be explicit when communicated verbally, in writing, by electronic or optical means or via any other technology, or by unmistakable indications." The PPD distinguishes explicit consent from implied consent, which in article 8 of the PPD is called tacit consent: It will be understood that the data owner tacitly consents to the processing of his data when, once the privacy notice has been made available to him, he does not express objection. Article 17 provides that a privacy notice must be made available to data owners through print, digital, visual, or audio formats or any other technology when personal data is obtained from the data owner.71 Where data has not been obtained directly from the data owner, the data controller must notify the data owner of the change in the privacy notice. Article 8 also states that consent may be revoked at any time without retroactive effects. For revocation of consent, the data controller, in the privacy notice, must establish the mechanisms and procedures for such action.

The PPD provides that financial or asset data72 requires the explicit consent of the data owner, except as provided in articles 10 and 37. Article 10 (part IV) sets out the circumstances under which processing does not require consent and closely follows the European Union's model by providing that consent for the processing of personal data will not be necessary where "it has the purpose of fulfilling obligations under a legal relationship between the data owner and the data controller." The key difference from the GDPR is that, although the PPD does not specifically refer to the legitimate interest of the data controller, article 10 (part IV) is capable of applying to the legitimate interests of the controller. Article 37,73 which enables domestic and international data transfers without consent, can similarly apply.74

The Fintech Law requires the supervisory commission and the central bank to establish technical standards for the interoperability of APIs, their governance, security, and consent mechanisms.75 These standards are being issued progressively, and specific requirements for consent mechanisms have not been issued yet. However, considering the similarity of the PPD with the European Union's data-protection model, EU requirements for consent provide a reasonable starting point for expectations on future guidance from Mexican authorities. Mexico also has other legislation that covers data processing for specific purposes and consumer protection legislation, including legislation that applies specifically to users of financial services, so this will also require careful coordination. Overall, these laws may provide adequate consumer protection in the context of open banking. However, dispersing the relevant provisions across several pieces of legislation, rather than confining them within the open-banking law, can add complexity to understanding and applying relevant law.

CONSENT FOR OPEN BANKING IN INDIA

Open-banking regulation in India closely follows PSD2 and is focused on payments initially, following launch of the Unified Payment Interface.76 Developed and managed by the National Payments Corporation of India, the Unified Payment Interface facilitates interbank transactions through an API framework built in part on Aadhaar. The second stage is data sharing by a new class of non-bank finance companies called account aggregators (AAs). Currently, the Non-Banking Financial Company-Account Aggregator (Reserve Bank) Directions, 2016, updated on November 22, 201977 (Master Direction), specifies a wide range of "financial information" that can be aggregated by an account aggregator.78 This second stage of data sharing is yet to be fully implemented, but the framework is in place.

Open banking in India will be subject to the nation's new Personal Data Protection Bill of 2019 (Indian DPA)79 when it becomes law. On December 11, 2019, India's minister for electronics and information technology introduced an updated draft of the DPA in the Lok Sabha, India's lower house of parliament. The bill has been referred to a joint select committee, which was due to report back to the Lok Sabha before the 2020 budget session of parliament, but this did not occur and timing for passage remains unclear.

The Indian DPA is modelled on the GDPR and follows its key provisions closely, including those discussed in this paper, although some different terminology is used. For example, whereas the GDPR refers to data subjects, they are called data principals in the Indian DPA.80 Instead of data controllers, the Indian DPA refers to data fiduciaries. A data fiduciary is the entity that determines the purpose and means of the processing of personal data.81 The Indian DPA has extraterritorial reach, as the GDPR has.82

Like PSD2, explicit consent is the stated basis of open banking in India. The Master Direction is more detailed than PSD2 in relation to the requirements for consent. Section 6 sets out the consent architecture.83 Section 6.3 of the Master Direction provides that "the consent of the customer obtained by the AA shall be a standardized consent artefact which shall contain the following details, namely:
i. Identity of the customer and optional contact information;
ii. The nature of the financial information requested;
iii. Purpose of collecting such information;
iv. The identity of the recipients of the information, if any;
v.

is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information. Upon revocation, a fresh consent artefact shall be shared with the Financial Information provider."85 Section 7 covers the sharing of financial information when a valid consent artefact is presented.86 Section 10 sets out the rights of the customer, which include customer access to a record of the consents provided by him or her and the financial information users with whom the information has been shared.87 A customer grievance policy is covered by section 11.88

The Indian DPA does not exactly mirror the sections of the GDPR that enable data processing without consent. Most significantly, the Indian DPA, like its Mexican equivalent, also does not contain the legitimate-interests ground that enables processing in the absence of consent. However, similar to the GDPR, the Indian DPA does allow processing without consent in the interests of prevention, detection, investigation, and prosecution of any offense or any other contravention of any law.89 Clause 37 also states that "the Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law."90

Interestingly, the Indian DPA introduces the concept of a "consent manager," a data fiduciary that "enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform."91 India enabled an intermediary that will be responsible for the customers' consent management. These intermediaries are licensed as non-banking financial companies. This is based on the concept of the account aggregator developed in India, which consol-
URL or other address to which notification needs to be idates the financial information of a customer (called a sent every time the consent artefact is used to access financial institution user) held with different financial enti- information ties, spread across financial-sector regulators. Data cannot be stored in the aggregator and requires explicit consent vi. Consent creation date, expiry date, identity and signa- and purpose specification. The difference in India with ture/digital signature of the Account Aggregator; and other jurisdictions is that other nonfinancial information vii. Any other attribute as may be prescribed by the Bank.”84 can be retrieved and added with no consumer consent. To complement the consent framework, a set of core Under section 6.5, at the time of obtaining consent, the technical specifications have been framed by Reserve account aggregator shall inform the customer of all nec- Bank Information Technology Private Ltd., a wholly owned essary attributes to be contained in the consent artefact subsidiary of the Reserve Bank of India, for adoption by and the right of the customer to file complaints with rel- all regulated entities, acting either as financial informa- evant authorities in case of non-redressal of grievances. tion providers or financial information users in November An account aggregator “shall also provide its customers a 2019. The key features of a consent mechanism in India functionality to revoke consent to obtain information that include (i) the attributes to be contained in the consent The Role of Consumer Consent in Open Banking   27 FIGURE 9: Illustration of Consent-Management Mechanism under Open-Banking Scheme USER #1. Unbundling consent managers: #2. 
“Certified” information users: • For FIU—unleashes innovation • Certified by a third party agency • For consumer—single view, access to all (not regulated) consents; No relinking required each FIU • Enables faster scaling of FIUs 3 2 Consent to share Data access data request FINANCIAL 4 1 #3. Market pull FINANCIAL for becoming INFORMATION Request Request INFORMATION and information PROVIDERS for data for data CONSENT USERS provider: • Bank MANAGER • Flow-based credit • Principle of • Mutual fund houses reciprocity 5 • Personal finance • Insurance management • No regulatory provider mandates • Wealth management • Tax/GST platform E2e encrypted data flow (Based on user consent) • Robo advisors Source: Data Empowerment and Protection Architecture, National Institute for Transforming India, August 2020 format and the rights of the customer to file complaints, account held at another payment service provider.”95 (ii) functionality to revoke consent, and (iii) the responsibil- The Rwanda PSD specifies that a payment service con- ity to verify—validity of the consent, specified date, and tract may be a single payment transaction contract96 or usage of it—and the credentials of the account aggrega- a framework contract97 and in transparency and required tor rely on the financial information provider. content of payment services contracts,98 and also includes details on the information required before and after pay- The Indian DPA also imposes additional requirements, ment transactions.99 such as a requirement to obtain the consent of a parent or guardian for the collection of a child’s personal data.92 In 2020, Rwanda planned to enact a new Law on Data Unlike the GDPR, the Indian DPA includes “financial data” Protection and Privacy (Rwanda DPP). It was approved in the definition of sensitive data, so that its processing by the cabinet in October 2020 but has not been passed requires explicit consent. into law yet. 
The stated purpose of the DPP is “to pro- vide mechanisms through which the protection and pri- vacy of personal data will be ensured in connection with THE SITUATION IN RWANDA its processing in Rwanda; and to ensure the free flow of non-personal data within and outside Rwanda by laying On February 24, 2020, Rwanda gazetted Regulation down rules relating its protection.”100 Privacy is defined in 31/2019 of December 16, 2019 on Protection of Payment the Rwandan DPP as “a fundamental right of a person to Service Users (Rwanda PSD), which closely follows the EU decide by whom, when, why, where, what and how his/ PSD2 in relation to payments. The Rwanda PSD is part of a her personal data can be accessed.”101 The Rwanda DPP suite of recent legislation governing payments.93 The reg- follows the GDPR102 very closely, including the principles ulation sets out “the rules to protect the users of payment of data protection, which the DPP extends to apply to services provided totally or partially in Rwanda as well as “any involved third party,”103 extraterritorial reach,104 data the enforcement of rights and/or obligations in the provi- subject rights, and other key provisions of the GDPR that sion of payment services.”94 The aim also appears to be to relate to consent. facilitate data sharing and encourage data portability as part of encouraging new market entrants, innovation, and The Rwanda DPP requires that a person intending to act competition, but at present the legislation covers pay- as a controller or processor must be registered as such.105 ments. The regulation defines a payment-initiation service Personal data is more simply defined as “any information as “a service to initiate a payment order at the request relating to an identified or identifiable data subject,”106 of the payment service user with respect to a payment potentially casting a wider net than even the GDPR. 
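Returning to the Indian consent artefact of section 6.3 of the Master Direction described in the previous section, the following added example (not code from the RBI, ReBIT or this note) sketches the checks a financial information provider could run before releasing data: the account aggregator's credentials and signature, the creation and expiry dates, revocation, and whether the requesting user and the requested data types match what the customer consented to. The field names, the HMAC stand-in for the AA's digital signature, the AA key registry and the sample artefact are all assumptions made for this example.

```python
"""Consent-artefact checks a financial information provider could run before releasing data.

Constructed illustration; not code from the RBI Master Direction, ReBIT's technical
specifications or this note. The attributes follow section 6.3 as quoted in the text;
the field names, the HMAC stand-in for the AA's digital signature, the AA key
registry and the sample artefact are assumptions made for this example.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse


@dataclass
class ConsentArtefact:
    consent_id: str
    customer_id: str        # (i) identity of the customer
    customer_contact: str   # (i) optional contact information (may be empty)
    fi_types: list          # (ii) nature of the financial information requested
    purpose: str            # (iii) purpose of collecting the information
    recipients: list        # (iv) identity of the recipients (FIUs), if any
    notification_url: str   # (v) address notified every time the artefact is used
    created: str            # (vi) consent creation date, ISO 8601 with offset
    expires: str            # (vi) expiry date
    aa_id: str              # (vi) identity of the Account Aggregator
    signature: str = ""     # (vi) AA signature over all other fields


def canonical_bytes(art: ConsentArtefact) -> bytes:
    """Stable encoding of every field except the signature itself (assumed format)."""
    body = {k: v for k, v in asdict(art).items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_artefact(art: ConsentArtefact, aa_key: bytes) -> ConsentArtefact:
    """Assumed scheme: HMAC-SHA256 under a key held by the AA, standing in for a digital signature."""
    art.signature = hmac.new(aa_key, canonical_bytes(art), hashlib.sha256).hexdigest()
    return art


def verify_for_fip(art, aa_keys, revoked, fiu_id, requested_types, now):
    """Reasons an FIP should refuse the request; an empty list means the artefact may be honoured.

    Covers the FIP duties named in the text: validity of the consent, the specified
    dates, the usage being made of it, and the credentials of the account aggregator.
    """
    reasons = []
    key = aa_keys.get(art.aa_id)
    if key is None:
        reasons.append("unknown account aggregator")
    else:
        expected = hmac.new(key, canonical_bytes(art), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, art.signature):
            reasons.append("signature does not verify")
    if art.consent_id in revoked:
        reasons.append("consent revoked; a fresh artefact is required")
    if not datetime.fromisoformat(art.created) <= now <= datetime.fromisoformat(art.expires):
        reasons.append("outside validity window")
    if not art.purpose.strip():
        reasons.append("no purpose specified")
    if fiu_id not in art.recipients:
        reasons.append("requesting FIU is not a named recipient")
    extra = sorted(set(requested_types) - set(art.fi_types))
    if extra:
        reasons.append("request exceeds consented data types: " + ", ".join(extra))
    if urlparse(art.notification_url).scheme != "https":
        reasons.append("notification URL is not https")
    return reasons


def use_notification(art, fiu_id, accessed_types, now):
    """Notice due at the customer's notification address on each use of the artefact (assumed shape)."""
    return {
        "consent_id": art.consent_id,
        "used_by": fiu_id,
        "fi_types": sorted(accessed_types),
        "used_at": now.isoformat(),
        "notify": art.notification_url,
    }


# Constructed sample data: one AA key, one signed artefact, and two points in time.
AA_KEYS = {"AA-DEMO-01": b"constructed-demo-key"}
SAMPLE = sign_artefact(ConsentArtefact(
    consent_id="c-0001", customer_id="cust-42", customer_contact="",
    fi_types=["DEPOSIT", "TERM_DEPOSIT"], purpose="loan underwriting",
    recipients=["FIU-LENDER-7"], notification_url="https://notify.example.test/c-0001",
    created="2021-12-01T00:00:00+00:00", expires="2022-03-01T00:00:00+00:00",
    aa_id="AA-DEMO-01"), AA_KEYS["AA-DEMO-01"])
NOW = datetime(2021, 12, 15, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2022, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(verify_for_fip(SAMPLE, AA_KEYS, set(), "FIU-LENDER-7", ["DEPOSIT"], NOW))
    print(verify_for_fip(SAMPLE, AA_KEYS, {"c-0001"}, "FIU-LENDER-7", ["DEPOSIT"], AFTER_EXPIRY))
```

A real deployment would replace the HMAC with the AA's actual signature scheme and would deliver the notification payload to the URL rather than only building it.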
Consent of the data subject is defined in article 3(2) of the Rwandan DPP as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Like the GDPR, the Rwanda DPP gives the data subject the full right to withdraw his or her consent at any time and provides that its withdrawal does not affect the lawfulness of processing based on consent before withdrawal.107

The Rwandan law also includes additional details regarding valid consent. Article 7 covers the consent process, stating that "[T]he controller shall bear the burden of proof for establishing a data subject's consent to the collecting and/or processing of his/her personal data for a specified purpose. Consent is effective only when it is based on the data subject's free decision. The data subject shall be informed in advance of the consequence of his or her consent. The consent may be given in a form of a written statement including electronic means, or oral statement." The DPP also requires that "[T]he data subject's consent given in the context of a written declaration, which also contains other matters, shall be presented in a manner which is clearly distinguishable from those other matters, in an intelligible and easily accessible from using a clear, plain and understandable official language to the data subject. Any part of such a declaration which constitutes an infringement to the provision of this Law shall not be binding." Article 10 also clearly and succinctly covers consent of a child, stating that the "processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below that age, such processing shall be lawful only when it is given by either both parents or the legal guardian."

In article 43, the Rwanda DPP allows the processing of personal data in the absence of consent, including the legitimate-interests ground.108 The Rwanda DPP does not specifically include explicit consent as a ground for lawful processing, and the grounds for processing in the absence of consent are generally broader. For example, article 11(a) permits processing that is "necessary for the purposes of carrying out the obligations of the data controller or data processor, or exercising specific rights of the data subject, in accordance with applicable Laws."109

Consent in Rwanda is also required when data is transferred across borders, with some exceptions. Under article 54 of the Rwanda DPP, a data controller or data processor may transfer or share personal data to another country where it has the authorization granted by the Rwanda data-protection authority and the data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer, owing to the absence of appropriate safeguards. This article also allows transfer when "necessary" and, apparently, in the absence of consent of the data subject. The grounds listed as "necessary" are very similar to the non-consent grounds in article 43, including the legitimate-interest basis.

Customer consent is required under article 2 of the Rwanda PSD. The PSD regulation defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Article 22 covers consent and withdrawal of consent and provides the following:

"A payment service is considered to be authorized only if the payer has given consent to execute such a payment transaction or the execution of a series of payment transactions. Such consent
1 May be given before or, if agreed between the payer and its payment service provider, after the execution of the payment transaction;
2 Must be given in the form, and in accordance with the procedure, agreed between the payer and its payment service provider;
3 May be given via the payee or a PISP."

The payer may withdraw its consent to a payment transaction at any time before the point at which the payment order can no longer be revoked, pursuant to article (5) of this regulation. Where consent does not exist for the execution of a payment transaction, then the payment transaction shall be deemed to be unauthorized. If consent for the execution of several payment transactions is revoked, then every subsequent payment transaction shall be deemed to be unauthorized. This approach mirrors that taken by PSD2 in the European Union as regards limits to withdraw consent.

Article 27, on automated decision-making and profiling, includes the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, "which produces legal effects concerning him/her or significantly affects him/her." However, the DPP specifies significant exceptions, in addition to explicit consent,110 including where the decision is "(a) necessary for entering into, or performing, a contract between the data subject and a controller and (b) authorized by a law or a regulation into force to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests."

Interestingly, the law prohibits automated processing when it is based on sensitive data that is relevant to open banking in case financial data is used to develop credit scores. The legal provision concludes with this: "Any automated processing of personal data intended to evaluate certain personal aspects relating to an individual shall not be based on sensitive personal data." This is highly relevant to open banking because, as noted earlier, sensitive data is defined to include "property or financial details" and data revealing family details, "including names of the person's children, parents, spouse or spouses."

AUSTRALIA

In Australia, the term "open banking" is used as shorthand for the implementation of a new right in the banking sector, the Consumer Data Right (CDR). In essence, this "open banking" in Australia comprises three key elements: (i) customers having greater access to and control over their banking data; (ii) banks being required to share product and customer data with customers; and, (iii) with the consent of the customer, banks being required to share product and customer data with accredited third parties. The accreditation of third parties is addressed in rules produced by the Australian Competition and Consumer Commission (ACCC), the lead regulator for open banking.111

The Australian open-banking implementation is focused on data and not necessarily on customer account data. The banking and finance sector is the first sector to which the new right applies. The longer-term plan is for it to apply economy-wide. The CDR is enshrined in the Treasury Laws Amendment (Consumer Data Right) Act of 2019 (Cth), which inserts "Part IVD—Consumer data right" into the Competition and Consumer Act of 2010 (Cth) (CCA) that was passed on August 1, 2019,112 to create the new CDR regime.113 The framework established in Australia under the CCA includes rules114 and standards governing how data is shared and detailed technical standards for sharing data.

The CDR gives consumers the right to share their data with the authorized third parties of their choice. Where an accredited person115 is offering a good or service through the CDR regime and requires access to the consumer's CDR data to provide that good or service, the accredited person must obtain the consumer's consent to the collection and use of their CDR data. The regime is designed so that an accredited person can collect data only in response to a "valid request" from the consumer.116 The consumer's consent to the collection and use of their CDR data is the basis of that request. The accredited person then collects this CDR data by making a "consumer data request"117 to the relevant data holder or holders.

Three types of requests can be made to a data holder to disclose CDR data: (i) product data118 requests made by any person; (ii) consumer data119 requests made by eligible CDR consumers;120 and (iii) consumer data requests made on behalf of CDR consumers by accredited persons. Consumer data is most relevant to the discussion in this paper. Consumer data relates to an identifiable, or reasonably identifiable, CDR consumer and is personal information.

The CDR is designed to be cross-sectoral and will eventually apply to a wider set of consumer data than banking data, which will initially be followed by energy data and telecommunications data, with the aim of enabling cross-sector data interoperability. "The Government expects that such data sharing will improve price transparency and facilitate comparison services that enable a customer to use price data, and data about their own spending and transactions, to choose products that are most appropriate for their personal or business circumstances, and facilitate switching from one provider to another" (Hamilton 2019).

As in other nations, there is more than one regulator, but the relationship and roles are more clearly defined with a dual-regulator model. The ACCC is lead regulator but is supported by the federal privacy regulator in Australia, the Office of the Australian Information Commissioner (OAIC). ACCC is responsible for assessing sectors for CDR application, accreditation criteria, overseeing the Data Standards Body, and strategic enforcement. The OAIC is responsible primarily for handling complaints from individuals and small and medium-sized enterprises. The OAIC is also responsible for advising the treasurer and the ACCC on the privacy implications of designating sectors.

Data protection in Australia is governed by the federal Privacy Act 1998 (Cth) (Privacy Act). It is based on a set of fundamental data-protection principles, the Australian Privacy Principles (APPs). However, the CDR Act includes privacy safeguards that apply specifically to CDR data.121 The privacy safeguards in the CCA are comparable to the APPs in the Privacy Act and "seek to ensure the privacy and confidentiality of consumers' data by providing for only authorized access to, and use of, CDR data" (ACCC 2020, 14). The accreditation of persons collecting and using CDR data is subject to the privacy safeguards. Privacy Safeguard 3, for example, prohibits an accredited person from seeking to collect data under the CDR regime unless it is in response to a "valid request" from the consumer. Privacy Safeguard 6 requires that the accredited person use or disclose a consumer's CDR data only in accordance with a current consent from the consumer.

The framework established in Australia under the CCA includes rules and standards governing how data is shared and detailed technical standards for sharing data. The Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules)122 are based on the right to protection from unlawful or arbitrary interference with privacy under article 17 of the International Covenant on Civil and Political Rights.123 The CDR Rules supplement the privacy safeguards in the CCA and include requirements for how consumer consent is obtained and used.

Consent in the CDR regime differs from consent under the Privacy Act in that the former requires the explicit consent of a consumer for the collection and use of CDR data by accredited persons. Consent must meet the requirements set out in the CDR Rules for the consent processes, including information that must be presented to consumers when they are being asked to give consent and how that information is to be presented. Without express consent, which can remain valid for a maximum period of only 12 months, the accredited person is not able to collect or use CDR data. As discussed in this paper, consent can be express or implied, and personal data can be lawfully processed in the absence of consent.124 Under the Australian Privacy Act, an APPs entity, for example, can collect personal information other than sensitive information if the information is reasonably necessary for one or more of the entity's functions or activities.

The Australian government considers consent to be one of the key concepts underlying the CDR system. Consent must meet the requirements set out in the CDR Rules, and it underpins how an accredited person or accredited data recipient may collect and use CDR data in the CDR regime. Division 4.3 of the CDR Rules is designed to "ensure that consent given by a consumer to collect and use CDR data is voluntary; express; informed; specific as to purpose; time limited; and easily withdrawn."125 In particular, the CDR Rules require that, in obtaining a valid request from a consumer, an accredited person must comply with prescribed requirements for asking for consent, including information to be presented to the consumer, restrictions on seeking consent and in providing information, and in relation to withdrawal and expiry of consent.126 An accredited person may collect and use CDR data only with the consent of the consumer and must ask for that consumer's consent in accordance with the consumer data rules (CDR Rules), which require that consent be voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn and that it comply with the data-minimization principle. The consent process must also comply with the CDR data standards and have regard to the Consumer Experience Guidelines, which set out best-practice interpretations of several CDR Rules relating to consent.127 A data holder may disclose CDR data only with the authorization of the relevant CDR consumer or consumers.128 Consumer consent is the basis for the information flow between a consumer, an accredited person, and the data holder.129

The CDR is designed to place the value and control of consumer data in the hands of the consumer. This is achieved by requiring the consumer's consent for the collection and use of their CDR data. Consumer consent for the collection and use of their data is the foundation of the CDR regime. Consent enables consumers to be the decision-makers in the CDR regime, ensuring that they can direct where their data goes in order to obtain the most value from it.130 The rules are intended to ensure that requests for consent to collect and use CDR data are transparent and that consumers understand the potential consequences of what they are consenting to,131 and the rules achieve that objective. In addition to covering the essential elements, the rules include additional practical guidance, including specific examples that are supplemented with additional, coordinated guidance from the OAIC that includes key concepts in bullet-point format and additional examples of compliant and noncompliant consent practices.132 CDR prohibits an accredited person from requesting consent from consumers to use, or from disclosing their data for the purpose of selling it, unless such data can no longer be traced back to the consumer. In addition, the data holder (such as the bank) is also prohibited from obtaining consent to use a customer's data, including the aggregation of such data, for the purpose of identifying, compiling insights in relation to, or building a profile in relation to a third party. The Australian approach coordinates with the general data-protection legislation but includes specific requirements for consumer consent and data protection for open-banking data in the open-banking regulation, creating more clarity and certainty on what is required than in countries where the separate requirements of open-banking legislation and data-protection laws must be reconciled.

NOTES
41. See Banco Central do Brasil, Regulation on Open Banking, Joint Resolution No. 1 of May 4, 2020, and Circular No. 4.015 of May 4, 2020, which create the rules for the functioning of open banking in Brazil.
42. https://www.bcb.gov.br/detalhenoticia/17261/nota
43. Article 5 sets out the minimum required data sharing.
It includes data on (a) service channels that relate to the institution's offices and branches; domestic correspondents; electronic channels; and other channels available to customers. It also includes data on (b) products and services related to deposit accounts; savings accounts; prepaid payment accounts; post-paid payment accounts (credit cards); credit operations; foreign exchange operations; acquiring services in payment schemes; term deposit accounts and other investment products; insurance; and open pension funds. It also requires sharing of data on (c) registration of customers and their representatives and (d) customer transactions related to deposit accounts; savings accounts; prepaid payment accounts; post-paid payment accounts (credit cards); credit operations; payroll accounts, as disciplined by Resolution No. 3,402, dated September 6, 2006; foreign exchange operations; acquiring services in payment schemes; term deposit account and other investment products; insurance; and open pension funds; and services for initiating payment transactions; and forwarding loan proposals. Consent must be obtained from the customer, pursuant to article 10, for purposes of sharing registration and transactional data and services referred to in subitems "c" and "d," and in the case of data and services related to the customer.
44. See section VI of the joint resolution.
45. Article 3 of the joint resolution.
46. Article 4 of the joint resolution.
47. Article 40 requires the institutions to establish monitoring and control mechanisms to ensure the reliability, availability, integrity, security, and confidentiality that are the subject of articles 31 and 39, as well as the implementation and effectiveness of the requirements that are the subject of this joint resolution, including auditing processes, tests, and audit trails; metrics and compatible indicators; and identification and correction of eventual deficiencies. This process includes records of consent, authentication, confirmation, and consent revocation of the sharing, information concerning the shared data and services, including customer identification credentials; notifications received regarding the subcontracting that is the subject of article 38, item VI, adoption of security measures for receiving and archiving by the partner of the data or information about shared services when it applies; and communications received about incidents that are the subject of article 38, section 3, if any have occurred. Monitoring and control mechanisms are subject to periodic testing by internal auditing personnel, when applicable, compatible with the institution's internal controls; compatible with the institution's cybersecurity policy, as foreseen by the current regulation; and ensure that the other institutions involved in the sharing do not have access to the credentials used by the customer for identification and authentication purposes. Article 41. The institution's monitoring and control mechanisms shall encompass indicators pertaining to the performance of the interfaces used for the sharing. The convention that is the subject of article 44 may define additional indicators related to the performance of the interfaces as well as mechanisms of transparency and disclosure of such indicators to the general public.
48. Customer is used in the joint resolution instead of consumer. The scope of open banking is broader in Brazil than in PSD 2 in that customer is defined in article 2, part II, of the joint resolution to include legal entities as well as natural persons. When discussing the Brazilian scheme, customer is used instead of consumer for consistency, but the focus in this paper remains on implications for individuals.
49. Article 5, section 3, of the joint resolution.
50. Article 5, section 4, parts I and II.
51. Article 5, section 5, parts I and II of the joint resolution.
52. The LGPD was passed by the National Congress of Brazil on August 14, 2018, and came into effect on September 18, 2020. Prior to the LGPD, personal data protection in Brazil was covered by many legal norms at the federal level, the Civil Rights Framework for the Internet (Internet Act), and the Consumer Protection Code. The LGPD provides more clarity.
53. Article 7, part X, of the LGPD.
54. Article 10, section 4, requires that information not be shared with the data-transmitter institution about the purpose but as set out in article 10, section 5. This does not apply to partnership agreements under article 36 or in other cases permitted by the framework.
55. In the case of successive payment transactions, the customer, at his/her discretion, may determine a longer validity period under article 10, section 6.
56. Article 10, section 3, of the joint resolution.
57. Based on a presentation about open banking by Diogo Silva, Banco Central do Brasil, February 2021.
58. The general dispositions issued by the National Banking and Security Commission (Comisión Nacional de Banca y Valores, CNBV) and Banco de México establish the common technical standards to ensure the interoperability of APIs. The Fintech Law also requires the development of secondary regulations by the CNBV for banks and financial institutions, including the new financial technology institutions, and by Banco de México for payment systems, central counterparties, and credit-reporting systems. The secondary regulations also establish the security mechanisms to access, send, and obtain data and information and outline the information considered critical to the APIs.
59. Open financial data does not contain confidential information, such as information on products and services offered to the general public by the regulated entities, the location of their offices and branches, ATMs, or other access points to their products and services.
60. Aggregate data is statistical information related to transactions performed by or through regulated entities but not disaggregated in a manner that could identify customers' personal data or transactions.
61. On June 4, 2020, the CNBV published in the official federal gazette the regulations governing the APIs referred to in the Fintech Law (API Regulations). Financial institutions, money transmitters, financial technology institutions, and companies authorized by the CNBV are subject to the API Regulations that apply to the transfer of data and information that can be shared through the API. The API Regulations govern the transfer and access of only open data. On March 10, 2020, the Mexican central bank published in the gazette Rule 2/2020 applicable to credit-reporting companies and clearing houses, as required under article 76 of the Fintech Law regarding standardized APIs.
62. The executive branch has also issued the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or the Regulations), which entered into force on December 22, 2011; the Privacy Notice Guidelines (the Guidelines), which entered into force on April 18, 2013; the Recommendations on Personal Data Security, issued on November 30, 2013; the Parameters for Self-Regulation regarding personal data, which entered into force on May 30, 2014; and the General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), which entered into force on January 27, 2017.
63. The most relevant pieces of legislation addressing personal data protection in Mexico are the Constitution; the Private Data Protection Law; the Governmental Data Protection Law; the Regulations of the Private Data Protection Law; the Guidelines for Privacy Notices; and the Self-Regulation Parameters on Data Protection, which are applicable to the private sector. On September 28, 2018, the official federal gazette published the decree issuing the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data dated January 28, 1981 (Convention 108) and its additional protocol dated November 8, 2001 (ETS 181). Also, on March 21 and 22, 2019, the Ministry of Finance and Public Credit issued several provisions that amend, add, and eliminate different articles of the General Provisions for the Prevention of Money Laundering and Terrorism Financing applicable to the services that may be rendered by financial entities, such as credit institutions and exchange offices. These are services such as opening accounts, entering into agreements, or performing financial operations through the use of the internet or mobile devices. Financial entities will request geolocalization of clients, as well as biometric data, such as voice and image matching, to perform such operations and will, therefore, require express written consent from clients. In May 2019, the National Institute of Transparency, Access to Information and Protection of Personal Data also published nonbinding guidelines in relation to different tools and applications that may be used by parents to supervise or limit access and content in mobile devices used by their children. This is to protect children from disclosing their personal data on unsecured sites. See César G. Cruz Ayala and Marcela Flores González, "The Privacy, Data Protection and Cybersecurity Law Review: Mexico," The Law Reviews, November 5, 2021, https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edition-6/1210064/mexico.
64. Article 3 of the Mexican PPD defines consent as "[E]xpression of the will of the data owner by which data processing is enabled." Personal data is "[A]ny information concerning an identified or identifiable individual," and sensitive personal data is "[P]ersonal data touching on the most private areas of the data owner's life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views, sexual preference." Like the GDPR, financial information is not specifically included in this definition. Like the GDPR, consent to processing of sensitive data must be express. Article 9 of the Mexican PPD states that "in the case of sensitive personal data, the data controller must obtain express written consent from the data owner for processing, through said data owner's signature, electronic signature, or any authentication mechanism established for such a purpose.
Databases containing sensitive personal data may not be created without justification of their creation for purposes that are legitimate, concrete and consistent with the explicit objectives or activities pursued by the regulated party.” Data processor is “[T]he individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller,” and the data processor is “[T]he individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller.” See parts IV, V, VI, IX, and XIV of article 3, Mexican PPD. 65. Article 3, part XVII, defines data owner as the “individual to whom personal data relates.” 66. Chapter III, Mexican PPD. 67. Article 3, part XVIII, Mexican PPD. 68. Article 3, part XIX, Mexican PPD. 69. The Mexican PPD applies to data processors not located in Mexico that process personal data on behalf of data controllers located in Mexico; data controllers that are not located in Mexico, but that are subject to Mexican laws as a result of an agree- ment or in terms of international laws; and data controllers using a processing means located in Mexico (even if they are not established in Mexico), except if those means are merely for transit purposes, without involving the processing of personal data. César G. Cruz Ayala and Marcela Flores González, “The Privacy, Data Protection and Cybersecurity Law Review: Mexico,” The Law Reviews, November 5, 2021, https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-re- view-edition-6/1210064/mexico. 70. Article 6, Mexican PPD. The Role of Consumer Consent in Open Banking   33 71. Article 17 states that “the privacy notice must be made available to data owners through print, digital, visual or audio formats or any other technology, as follows: I. 
Where personal data has been obtained personally from the data owner, the privacy notice must be provided at the time the data is collected, clearly and unequivocally, through the format by which collection is carried out, unless the notice has been provided prior; II. Where personal data are obtained directly from the data owner by any electronic, optical, audio or visual means, or through any other technology, the data controller must immediately provide the data owner with at least the information referred to in sections I and II of the preceding article, as well as provide the mechanisms for the data owner to obtain the full text of the privacy notice. Where data has not been obtained directly from the data owner, the data controller must notify him of the change in the privacy notice.” Article 17 contains the following proviso: “Where it is impossible to provide the privacy notice to the data owner or where disproportionate effort is involved considering the number of data owners, or the age of the data, with the authorization of the Institute, the data controller may implement compensatory measures.” 72. “Financial or asset data” is not defined in the Mexican PPD. 73. Article 37 states that domestic or international transfers of data may be carried out without the consent of the data owner in the following cases: “I. Where the transfer is pursuant to a Law or Treaty to which Mexico is party; II. Where the transfer is necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management; III. Where the transfer is made to holding companies, subsidiaries or affiliates under common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies; IV. Where the transfer is necessary by virtue of a contract executed or to be executed in the interest of the data owner between the data controller and a third party; V. 
Where the transfer is necessary or legally required to safeguard public interest or for the administration of justice; VI. Where the transfer is necessary for the recognition, exercise or defense of a right in a judicial proceeding, and VII. Where the transfer is necessary to maintain or fulfill a legal relationship between the data controller and the data owner.” 74. See parts IV and also III, article 37, Mexican PPD. The Mexican PPD generally follows the GDPR in relation to individual rights, but there is a single article that contains overall limitations. Article 4 provides that “[T]he principles and rights under this Law will have, as a limit with regard to their observance and exercise, protection of national security, public order, health and safety as well as the rights of third parties.” A third party is defined in, part XVI of article 3 as a “Mexican or foreign individual or legal entity other than the data owner or data controller,” which in application can be less limiting to the rights of the data owner than the GDPR. However, this is tempered by articles 10 and 37. 75. On June 4, 2020, the Mexican Banking and Securities Commission published in the official federal gazette the Regulations Gov- erning the Applications Programming Interfaces Referred to in the Fintech Law (API Regulations). Financial institutions, money transmitters, financial technology institutions, and companies authorized by the CNBV are subject to the API Regulations, which apply to the transfer of data and information that can be shared through the API. The API Regulations govern the transfer and access of only open data, not transactional data. Similarly, on March 10, 2020, the Mexican central bank published in the gazette Rule 2/2020 applicable to credit-reporting companies and clearing houses, as required under article 76 of the Fintech Law regarding standardized application programming interfaces (Rule 2/2020). 
Rule 2/2020 does not govern the requirements for the transfer and access of transactional data and provides only that, upon the respective clearing house or credit-reporting com- pany obtaining its authorization to create an API for aggregate data and open data (as applicable), it must submit an additional application for the authorization to transfer transactional data, in accordance with the requirements set forth by the Mexican central bank through secondary regulation. The Fourth Transitory Article of Rule 2/2020 provides that, prior to the submission of the referred application, the entity must submit, no later than March 5, 2021, its proposal of the type of data and information that must be included in this category, as well as the mechanisms for the authentication, identification, and obtaining of data, in addition to the express consent of the respective customers. Rule 2/2020 will become effective on March 5, 2021. Clearing houses and credit-reporting companies will have a period of 360 days from the date of effectiveness of Rule 2/2020 to obtain the authorization from the Mexican central bank to create APIs for open data and aggregate data. 76. The Unified Payment Interface is an instant real-time payment system that allows users to perform interbank money transfers and pay retail merchants directly from a bank account through mobile applications such as Google Pay, PhonePe, Paytm, and BHIM. 77. RBI/DNBR/2016-17/46. Master Direction DNBR.PD.009/03.10.119/2016-17. 78. See section 3(xi), Master Direction, 79. Bill No. 373 of 2019. The Indian DPA and the report A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, https://www.meity.gov.in/writereaddata/files/Data_Pro- tection_Committee_Report.pdf) resulted from the landmark case of K.S. Puttaswamy v. 
Union of India (2017), in which the Full Court of the Supreme Court of India affirmed the right to privacy as a fundamental right. The bill’s preamble reflects this: “[T]he right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy”; “[T]he growth of the digital economy has expanded the use of data as a critical means of communication between persons”; and “[I]t is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.” 34   The Role of Consumer Consent in Open Banking 80. Clause 3 (14), Indian DPA. 81. Clause 3 (13), Indian DPA. There are also local storage requirements. “Critical personal data” must be stored and processed only in India. “Critical personal data” is defined to mean “such personal data as may be notified by the Central Government to be the critical personal data.” See clause 33, DPA. “Sensitive personal information” must also be stored within India’s geographi- cal borders but can be copied elsewhere provided certain conditions are met. This includes a provision that closely follows the GDPR’s adequacy requirement—that is, for data to be copied into another country, the destination country must have sufficient privacy protections and not impede Indian law enforcement access to the data. The local storage requirement is in line with the requirement of the Reserve Bank of India for local storage of payment data. 82. Clause 2, Indian DPA. 83. Section 6 provides that: “6.1 No financial information of the customer shall be retrieved, shared or transferred by the Account Aggregator without the explicit consent of the customer. 6.2 An Account Aggregator shall perform the function of obtaining, submitting and managing the customer’s consent in accor- dance with these directions.” 84. 
Section 6.4 states that the consent artefact can also be obtained in electronic form. Section 6.7 adds that an electronic consent artefact shall be capable of being logged, audited, and verified. 85. Section 6.6. Financial Information providers shall share financial information of a customer with an Account Aggregator on being pre- 86. “7.1  sented a valid consent artefact by an Account Aggregator in accordance with Clause 6. 7.2 Upon being presented the consent artefact, the Financial Information provider shall verify: (a) validity of consent (b) specified dates and usage; and (c) the credentials of the Account Aggregator through appropriate means. Upon due verification, the Financial Information providers shall digitally sign the financial information and securely transmit 7.3  the same to the Account Aggregator in accordance with the terms contained in the consent artefact. All responses of the Financial Information provider shall be in real time. 7.4  7.5 To enable these data flows, the Financial Information providers shall: a. implement interfaces that will allow an Account Aggregator to submit consent artefacts, and authenticate each other, and would enable secure flow of financial information to the Account Aggregator; b. adopt means to verify the consent including digital signatures, if any, contained in the consent artefact; c. implement means to digitally sign the financial information that is shared by them about the customers; d. maintain a log of all information sharing requests and the actions performed by them pursuant to such requests, and submit the same to the Account Aggregator. 7.6 Use of information by Account Aggregator and Financial Information user 7.6.1 Where financial information has been provided by a Financial Information provider to an Account Aggregator for transfer- ring to a Financial Information user with the customer’s explicit consent, the Account Aggregator shall: i.  
verify the identity of the Financial Information user; and, if verified, securely transfer the customer’s information to the intended recipient in accordance with the terms of the consent arte- ii.  fact. 7.6.2 Where financial information has been provided by a Financial Information provider to an Account Aggregator for trans- ferring to the customer or to a Financial Information user, it shall not be used or disclosed by an Account Aggregator or the Financial Information user except as may be specified in the consent artefact.” 87. “10. Rights of the customer a) An Account Aggregator shall enable the customer to access a record of the consents provided by him and the Financial Information users with whom the information has been shared. b) An Account Aggregator shall not use or access any customer information other than for performing the business of account aggregator explicitly requested by the customer. 88. “11. Customer Grievance 11.1 An account aggregator shall have in place a Board approved policy for handling/disposal of customer grievances/com- plaints. It shall have a dedicated set-up to address customer grievances/complaints. 11.2 Customer complaints shall be handled/disposed of by the Account Aggregator within such time and in such manner as provided for in its Board approved policy, but in any case, not beyond a period of one month from its receipt. 11.3 At the operational level, Account Aggregator shall display the following information prominently, for the benefit of custom- ers, on the website and at the place/s of business: the name and contact details (Telephone/Mobile nos. as also email address) of the Grievance Redressal Officer who can (a)  be approached by the public for resolution of complaints against the company. (b) that if the complaint/dispute is not redressed within a period of one month, the customer may appeal to the Bank.” The Role of Consumer Consent in Open Banking   35 89. 
Clause 36 specifies that the consent requirements do not apply where: “(a) personal data is processed in the interests of preven- tion, detection, investigation and prosecution of any offence or any other contravention of any law for the time being in force; (b) disclosure of personal data is necessary for enforcing any legal right or claim, seeking any relief, defending any charge, opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding.” 90. There are also local storage requirements. “Critical personal data” must be stored and processed only in India. “Critical personal data” is defined to mean “such personal data as may be notified by the Central Government to be the critical personal data.” See clause 33, DPA. “Sensitive personal information” must also be stored within India’s geographical borders but can be copied elsewhere provided certain conditions are met. This includes a provision that closely follows the GDPR’s adequacy requirement— that is, for data to be copied into another country, the destination country must have sufficient privacy protections and not impede Indian law enforcement access to the data. See clauses 33 and 34, Indian DPA. The local storage requirement is in line with the requirement of the Reserve Bank of India for local storage of payment data. See clauses 33 and 34, Indian DPA. 91. See clause 21 and clause 23(3), (4), and (5). 92. Clause 16, Indian DPA. 93. See National Bank of Rwanda, Laws and Regulations, https://www.bnr.rw/laws-and-regulations/payment-system/laws-regulations. 94. Article 1, Rwanda PSD. 95. Article 2, Rwanda PSD. 96. Defined in article 2 as “a contract for a single payment transaction not covered by a framework contract.” 97. 
Defined in article 2 as “a payment service contract which governs the future execution of individual and successive payment transactions and which may contain the obligation and conditions for setting up a payment account to execute such transaction.” 98. Chapter III, Rwanda PSD. 99. Articles 17–20, Rwanda PSD. 100. Article 1, Rwanda DPP. 101. Article 2(17), Rwanda DPP. The right to privacy is enshrined in article 22 of the Constitution of Rwanda as follows: “The private life, family, home or correspondence of a person shall not be subjected to arbitrary interference; his or her honour and good reputation shall be respected. A person’s home is inviolable. No search of or entry into a home may be carried out without the consent of the owner, except in circumstances and in accordance with procedures determined by law. Confidentiality of correspondence and communication shall not be subject to waiver except in circumstances and in accordance with procedures determined by law.” This article is clearly adopted from similar articles in international treaties, including those that are the foundation for the GDPR. 102. There are some significant differences, though, including the inclusion of several new concepts. These include “confiden- tial data,” which is defined in article 2(3) as “data that might be less restrictive within the entity but might cause damage if disclosed.” Confidential data is classified as nonpersonal data pursuant to article 4. The DPP also introduces the concept of “data embassies,” which are defined as “a physical or virtual data center in an allied foreign country that stores data of critical government information systems and mirrors critical service applications.” See article 2(7) and chapter VII regarding data sharing, transfer storage, and retention. 103. See article 5, Rwanda DPP. 104. See article 2, which states: “This law shall apply to any person who processes data whether: i. 
Done by electronic or other means using data through an automated or non-automated platform, forming or intending to form part of a filing system; ii. Established or ordinarily resident in Rwanda that processes data while in Rwanda; or iii. Not established or not ordinarily resident in Rwanda, but processing personal data of data subjects located in Rwanda. iv. Non-personal data is provided as a service to users residing or having an establishment in Rwanda.” 105. See article 30, which states that “[A]ny person who intends to act as controller or processor shall first register with the authority in charge of personal data protection and privacy. The Authority in charge of data protection and privacy shall prescribe thresholds required for mandatory registration by considering the nature of industry, volumes of data processed, whether it is a sensitive personal data and any other criteria as the Authority in charge of data protection and privacy under this article may specify.” See also article 31 for the information that must be supplied to register: “Every application under paragraph (1) shall be accompanied by the following particulars regarding the applicant: (a) name and address; (b) if he/she or it has nominated a representative for the purposes of this Law, the name and address of the representative; (c) a description of the personal data to be processed by the controller or processor, and of the category of data subjects, to which the personal data relate; (d) a statement as to whether or not he/she or it holds, or is likely to hold, special categories of personal data; (e) a description of the purpose for which the personal data are to be processed; (f) a description of any recipient to whom the controller intends or may wish to disclose the personal data; (g) the name, or a description of, any country to which the proposed controller intends or may wish, directly or indirectly, to transfer the data; (h) a general description of the risks, safeguards, 
security measures and mechanisms to ensure the protection of the personal data; and (i) Any other requirement as may be determined by the authority in charge of data protection and privacy.” Chapter V specifies the obligations and duties of controllers and processors, and generally follows the GDPR. 36   The Role of Consumer Consent in Open Banking 106. Article 3 (14), Rwanda DPP. 107. Article 9, Rwanda DPP. The data subject must be informed of this right prior to giving consent, and “withdrawal shall be as easy as giving consent.” See article 9, Rwanda DPP. 108. Article 43, entitled “Lawful processing,” the equivalent of article 6(1) of the GDPR, states that: “Personal data shall be processed only when: (a) the data subject consents to the processing for one or more specified purposes; (b) the processing is necessary: (i) for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract; (ii) for compliance with any legal obligation to which the controller is subject; (iii) in order to protect the vital interests of the data subject or another person; (iv) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (v) the performance of any task carried out by a public entity; (vi) the exercise, by any person in the public interest, of any other functions of a public nature; (vii) for the legitimate interests pursued by the controller or by a third party to whom the data are disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or (viii) for the purpose of historical, statistical or scientific research upon authorization by relevant institution.” (Emphasis added.) 109. Article 12 specifies required safeguards when sensitive information is processed. 110. 
The wording used in article 27 is “based on the data subject’s explicit consent” (emphasis added), which opens the range of possibilities as to exactly how this can apply in practice. 111. These rules are the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) pursuant to section 56B, CCA. 112. CCA, https://www.legislation.gov.au/Details/C2019A00063/Html/Text. 113. The “CDR regime” was enacted by the Treasury Laws Amendment (Consumer Data Right) Act 2019 to insert a new part IVD into the CCA. The CDR regime includes the CDR Rules, privacy safeguards, data standards, designation instruments, and any regula- tions made in respect of the provisions in the CCA. See OAIC, “Chapter B: Key Concepts,” February 24, 2020, https://www.oaic. gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-b-key-concepts/#ftn12. 114. These rules are the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) pursuant to section 56B, CCA. 115. Under section 56CA(1), an “accredited person” is a person who has been granted accreditation by the Data Recipient Accreditor of the ACCC, in accordance with part 5 of the CDR Rules. There is some change in terminology depending on whether data has been collected. For example, where an accredited person seeks consent from a consumer to collect and use CDR data, and subsequently seeks to collect that data, they do so as an accredited person because they are yet to collect the data. When an accredited person has disclosed CDR data, under the CDR Rules they are both an accredited data recipient and an accredited person. See OAIC, “Chapter B: Key Concepts,” February 24, 2020, https://www.oaic.gov.au/consumer-data-right/cdr-privacy safeguard-guidelines/chapter-b-key-concepts/#ftn12. 116. Rule 4.3 (3), CDR Rules. 117. Rule 4.3 (5), CDR Rules. 118. Product data is data for which there are no CDR consumers. Product data requests can be made in respect of required product data and voluntary product data. 
Required product data include eligibility criteria, terms and conditions, price, availability or performance of a product (if publicly available), and product-specific data. 119. Consumer data requests can be made in respect of required consumer data and voluntary consumer data. Required consumer data includes customer data identifying or about a particular person; account data about the operation of an account; transaction data identifying or describing a transaction; and product-specific data in relation to a particular product that a particular person uses. Consumer data is most relevant to the discussion in this paper. 120. “CDR consumer” is defined in section 56AI(3), CCA: A person is a CDR consumer for CDR data if (a) the CDR data relates to the person because (i) of the supply of a good or service to the person or to one or more of the person’s associates (within the mean- ing of section 318 of the Income Tax Assessment Act of 1936) or (ii) of circumstances of a kind prescribed by the regulations; and (b) the CDR data is held by another person who (i) is a data holder of the CDR data, (ii) is an accredited data recipient of the CDR data, or (iii) is holding the CDR data on behalf of a person mentioned in subparagraph (i) or (ii); and (c) the person is identifiable, or reasonably identifiable, from (i) the CDR data or (ii) other information held by the other person referred to in paragraph (b); and (d) none of the conditions (if any) prescribed by the regulations apply to the first-mentioned person in relation to the CDR data. Only “eligible” CDR consumers are able to make consumer data requests under the rules. Schedule 3, clause 2.1, provides, among other things, that a CDR consumer for the banking sector is eligible “if the consumer: a. is 18 years or older (if the person is an individual as opposed to a business); and b. 
has at least one account with the data holder (receiving the request) that is an open account and set up in such a way that it can be accessed online.” See ACCC (2020), 14. 121. See also Competition and Consumer (Consumer Data Right) Rules 2020, https://www.legislation.gov.au/Details/F2020C00554. 122. CDR Rules, https://www.legislation.gov.au/Details/F2020C00554. The Role of Consumer Consent in Open Banking   37 123. “The rules invoke the right to protection from unlawful or arbitrary interference with privacy under Article 17 of the International Covenant on Civil and Political Rights because they enable consumers to authorise data sharing and use in a regulated manner that is subject to the Privacy Safeguards. The rules provide individuals and businesses with a right to access data relating to them, and to consent to secure access to their data by accredited third parties.” The rules are compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011. See ACCC (2020), 12. 124. Depending on whether the data is “sensitive” as defined in the section 6(1) of the Privacy Act and the circumstances requiring its processing. The act does not specifically include the legitimate-interests ground like the GDPR but sets out general situations where processing without consent is lawful. 
Permitted general situations include the following: • When it is unreasonable or impracticable to obtain the individual’s consent to the collection, use, or disclosure • The entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities, has been, is being or may be engaged in • The entity reasonably believes that the collection, use, or disclosure is reasonably necessary to assist an entity, body, or person to locate a person who has been reported as missing • The collection, use, or disclosure is reasonably necessary for the purposes of a confidential alternative dispute-resolution process See section 16A, Privacy Act. Health situations are set out in section 16B. 125. See ACCC (2020), 94. 126. Rules 4.10–4.14, CDR Rules. 127. See rule 4.10, CDR Rules. The guidelines are also discussed in OAIC, “Chapter B: Key Concepts,” February 24, 2020, https:// www.oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-b-key-concepts/#ftn12. 128. See OAIC, “Chapter B: Key Concepts,” February 24, 2020, https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safe- guard-guidelines/chapter-b-key-concepts/#ftn12. 129. See OAIC, “Chapter C: Consent—The Basis for Collecting and Using CDR Data,” February 24, 2020, https://www.oaic.gov.au/ consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-c-consent-the-basis-for-collecting-and-using-cdr-data/. 130. See OAIC, “Chapter C: Consent—The Basis for Collecting and Using CDR Data,” February 24, 2020, https://www.oaic.gov.au/ consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-c-consent-the-basis-for-collecting-and-using-cdr-data/. 131. See ACCC (2020), 93–114. 132. OAIC, “Chapter C: Consent—The Basis for Collecting and Using CDR Data,” February 24, 2020, https://www.oaic.gov.au/ consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-c-consent-the-basis-for-collecting-and-using-cdr-data/. 
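Notes 84 to 86 above quote the consent-artefact flow of the Indian Account Aggregator framework: the Financial Information provider verifies the consent's validity, its specified dates and usage, and the Account Aggregator's credentials; signs what it shares; keeps a log of every request; and the Account Aggregator verifies the Financial Information user before forwarding. The Python below is an added illustration of those checks, not code from this note or from the Reserve Bank of India framework; the HMAC keys standing in for digital signatures, the artefact field names, the ledger and the participant identifiers are all constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo keys. Assumption: HMAC-SHA256 with a per-participant key
# stands in for the digital signatures that sections 7.3 and 7.5 call for.
KEYS = {"AA-demo": b"aa-demo-key", "FIP-demo": b"fip-demo-key"}
ACCREDITED_AAS = {"AA-demo"}  # Account Aggregators this FIP recognises (7.2(c))


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key_id, obj):
    return hmac.new(KEYS[key_id], canonical(obj), hashlib.sha256).hexdigest()


def verify(key_id, obj, sig):
    return key_id in KEYS and hmac.compare_digest(sign(key_id, obj), sig)


# Constructed electronic consent artefact (section 6.4: loggable, auditable,
# verifiable). Field names are assumptions, not the Master Direction's schema.
ARTEFACT = {
    "consent_id": "c-001", "customer": "cust-42",
    "fip": "FIP-demo", "aa": "AA-demo", "fiu": "FIU-lender",
    "purpose": "loan underwriting", "fi_types": ["DEPOSIT"],
    "valid_from": "2021-06-01", "valid_to": "2021-12-31",  # consent validity
    "data_from": "2021-01-01", "data_to": "2021-05-31",    # permitted data range
}
ARTEFACT_SIG = sign("AA-demo", ARTEFACT)  # AA signs what the customer approved

# Constructed ledger: {(customer, fi_type): [(iso_date, amount), ...]}
RECORDS = {("cust-42", "DEPOSIT"): [("2021-03-15", 1200.0), ("2021-07-02", 300.0)]}
NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)


class FinancialInformationProvider:
    def __init__(self, fip_id, records):
        self.fip_id = fip_id
        self.records = records
        self.log = []            # 7.5(d): every request and the action taken
        self.withdrawn = set()   # consent ids the customer has revoked

    def withdraw_consent(self, consent_id):
        """Withdrawal must be honoured on every later request."""
        self.withdrawn.add(consent_id)

    def _check(self, a, sig, fi_type, now):
        """Section 7.2 checks; returns a rejection reason or None."""
        if a["fip"] != self.fip_id:
            return "artefact addressed to another FIP"
        if a["aa"] not in ACCREDITED_AAS or not verify(a["aa"], a, sig):
            return "AA credentials or artefact signature not verified"   # 7.2(c)
        if a["consent_id"] in self.withdrawn:
            return "consent withdrawn"                                    # 7.2(a)
        if not (a["valid_from"] <= now.date().isoformat() <= a["valid_to"]):
            return "request outside consent validity period"             # 7.2(b)
        if fi_type not in a["fi_types"]:
            return "financial information type not covered by consent"   # 7.2(b)
        return None

    def handle_request(self, artefact, sig, fi_type, now):
        """Reject, or return the filtered records signed by the FIP (7.3)."""
        reason = self._check(artefact, sig, fi_type, now)
        cid = artefact["consent_id"]
        if reason:
            self.log.append({"consent": cid, "result": "REJECTED", "reason": reason})
            return {"status": "rejected", "reason": reason}
        lo, hi = artefact["data_from"], artefact["data_to"]  # ISO dates compare as strings
        rows = [r for r in self.records.get((artefact["customer"], fi_type), [])
                if lo <= r[0] <= hi]
        payload = {"consent_id": cid, "customer": artefact["customer"],
                   "fi_type": fi_type, "fiu": artefact["fiu"], "records": rows}
        self.log.append({"consent": cid, "result": "SHARED", "rows": len(rows)})
        return {"status": "ok", "signer": self.fip_id, "payload": payload,
                "sig": sign(self.fip_id, payload)}


def aa_forward(response, requested_fiu, artefact):
    """7.6.1: the AA checks the FIP signature and the FIU's identity before
    passing data on; anything else is refused rather than silently delivered."""
    if response["status"] != "ok":
        return {"delivered": False, "reason": response["reason"]}
    if not verify(response["signer"], response["payload"], response["sig"]):
        return {"delivered": False, "reason": "FIP signature not verified"}
    if requested_fiu != artefact["fiu"]:
        return {"delivered": False, "reason": "FIU not named in consent artefact"}
    return {"delivered": True, "to": requested_fiu,
            "rows": len(response["payload"]["records"])}


if __name__ == "__main__":
    fip = FinancialInformationProvider("FIP-demo", RECORDS)
    resp = fip.handle_request(ARTEFACT, ARTEFACT_SIG, "DEPOSIT", NOW)
    print(aa_forward(resp, "FIU-lender", ARTEFACT))  # delivered, 1 row in range
    fip.withdraw_consent("c-001")
    print(fip.handle_request(ARTEFACT, ARTEFACT_SIG, "DEPOSIT", NOW)["reason"])
```

The July record is excluded because it falls outside the artefact's permitted data range, and every outcome, shared or rejected, lands in the FIP's log so the artefact can be audited as section 6.7 requires.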
6 CONCLUSIONS AND EMERGING GOOD PRACTICES

The combination of rigorous consent and other complementary approaches can provide greater control for consumers and help reduce the likelihood that they may be harmed by innovations such as open banking through the sharing of their personal data. Table 1 provides further information on policies and interventions discussed in this paper that can be used together to strengthen consumer data protection and privacy. While each of the policies and interventions has pros and cons, in combination they can improve consumers’ data security and privacy.

Questions such as which policies work in which regulatory environments, which is more effective in different populations with varying levels of literacy and connectivity, and what the costs are—to consumers, providers, and regulators—of different approaches are all areas where further research is needed.

All open-banking schemes that involve access to customer account data require consumer consent to access data, as open banking is based on access to permissioned account data. This is also a means of enabling data portability and allowing consumers to make use of their information to acquire additional services that may be more convenient or even less costly from a broader range of service providers.

Although consent forms in the past were considered lengthy and difficult to read and understand by consumers, technology can enable the design of consent mechanisms that allow consumers broader control over their data than was permitted by paper forms or boxes ticked on a website. The consent platforms that are currently being designed allow consumers to keep track of the consents they provide, to make a one-time choice or choose throughout the provision of the service, to choose the type of accounts that are accessed, and to withdraw consent within some limits.

The approach taken by the CDR in Australia aims at increasing the control of consumers over their own data while also including additional safeguards to the data-flow process through an accreditation process. This approach is similar to the one taken in the United Kingdom, which restricts participation in open banking to a limited number of institutions, all of which are under the regulatory perimeter of the financial authority and subject to data-protection safeguards.

TABLE 1: Strengthening Consumer Data Protection and Privacy in Open Banking

Policy / intervention: Legal framework for consumer data protection and privacy in open banking
Key elements: Data protection and privacy addressed clearly in open-banking law
Pros: Necessary foundation for regulation, supervision, enforcement, litigation
Cons: Necessary but not sufficient—first of many steps for effective consumer data protection and privacy (see note 134)

Policy / intervention: Strengthening consent—explicit consent elements:
– Freely given
– Unambiguous
– Informed
– Time bound
– Specific purpose
– Ability to withdraw
– Clear language
Key elements: No preticked boxes or implied consent from scrolling on a website; consent separate from other contract terms; withdrawal as easy as providing consent
Pros: Customers involved in decision on data sharing; provides opportunity to inform and educate consumers on data-protection issues when consent is solicited
Cons: Consumer control may be illusory if consent is required to obtain financial services; may not be effective in practical terms if consumers don’t read or can’t understand consent

Policy / intervention: Platforms for consumers to follow their data and where they have provided consent
Key elements: Accessible, easy to navigate, potential for alerts
Pros: Increases transparency on use of data; enables consumers to identify misuse
Cons: Consumers who are most vulnerable may be less likely to use these tools; uneven access to technology creates gaps in protection

Policy / intervention: Legitimate purpose
Key elements: Focused in areas where benefits to consumers are clear; allowance for use of anonymized data for innovation
Pros: Provides clarity for both providers and consumers on use cases
Cons: May result in less innovation if purposes are narrowly defined; relies on providers following rules, so may not work in a weak institutional environment

Policy / intervention: Notification of adverse action
Key elements: Timely communication to consumers via preferred channels; mechanism for resolution/rectification
Pros: Focuses attention on instances of harm, so effort is expended by consumers where most needed
Cons: Reactive policy, so problems not detected until harm has been caused (such as denial of credit)

Policy / intervention: Regulatory oversight
Key elements: Leverage technology (regtech, suptech); utilize investigative tools (for example, mystery shopping); ability to levy penalties, legal action
Pros: Regulators have greater skills and resources than consumers to hold providers accountable; can intervene to stop systematic abuses
Cons: Regulators may lack resources for effective oversight; regulators may be slow to recognize new abuses, providing limited relief to consumers

Policy / intervention: Privacy by design
Key elements: Data minimalization; use of secure technologies (encryption, multifactor authentication); avoiding unnecessary data archives
Pros: Reduces risk of misuse of personal data starting with the product design and functionality; may reduce risks to consumers and need for regulation if done well
Cons: May give a false sense of security; technology may evolve in ways that reduce privacy protections over time
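The explicit-consent elements in Table 1 (explicit, time bound, specific purpose, scoped to chosen accounts, withdrawable) are rules a data holder's consent platform has to enforce on every data request, not just record. The following Python is an added illustration, not code from this note or from any CDR or open-banking implementation; the recipient and account identifiers, the 90-day validity period, and the purpose strings are constructed assumptions.

```python
"""Consent-scoped access check for an open-banking data request.

Added example, not from the World Bank note: it encodes the explicit-consent
elements listed in Table 1 (explicit, time bound, specific purpose, account
scoped, withdrawable) as checks a data holder would run before releasing
account data to an accredited recipient. All ids and sample values are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass
class Consent:
    consumer_id: str
    recipient_id: str            # accredited data recipient (hypothetical id)
    purpose: str                 # the single, specific purpose consented to
    account_ids: FrozenSet[str]  # only these accounts may be read
    granted_at: datetime
    expires_at: datetime         # time bound: no open-ended consent
    explicit: bool               # True only for an affirmative, unticked choice
    withdrawn_at: Optional[datetime] = None

    def withdraw(self, when: datetime) -> None:
        # Withdrawal is as easy as granting: one call, effective from `when`.
        self.withdrawn_at = when


def check_access(consent: Consent, recipient_id: str, purpose: str,
                 account_id: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); every denial names the consent element that failed."""
    if not consent.explicit:
        return False, "consent not explicit (pre-ticked or implied)"
    if recipient_id != consent.recipient_id:
        return False, "recipient not named in consent"
    if purpose != consent.purpose:
        return False, "purpose differs from the specific purpose consented to"
    if account_id not in consent.account_ids:
        return False, "account outside consented scope"
    if consent.withdrawn_at is not None and now >= consent.withdrawn_at:
        return False, "consent withdrawn"
    if not (consent.granted_at <= now < consent.expires_at):
        return False, "outside consent validity window"
    return True, "ok"


def sample_consent() -> Consent:
    # Constructed sample: a 90-day consent for one account and one purpose.
    t0 = datetime(2021, 12, 1, tzinfo=timezone.utc)
    return Consent("cons-1", "adr-42", "budgeting", frozenset({"acct-A"}),
                   t0, t0 + timedelta(days=90), explicit=True)
```

A consumer-facing dashboard of the kind the text describes is then a listing of these records, and the same check_access decision can be logged so the consumer can see which requests were refused and why.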
NOTE
134. Other critical elements, once the legal framework is in place, include a strong regulatory framework, resources for adequate oversight and supervision by regulators, consumer awareness of their rights in law and regulation, industry standards to maintain secure and appropriate use of personal data, and mechanisms to facilitate consumer access to relevant information on data use.

REFERENCES

ACCC (Australian Competition and Consumer Commission). 2020. Explanatory Statement: Competition and Consumer (Consumer Data Right) Rules 2020, https://www.legislation.gov.au/Details/F2020L00094/Explanatory%20Statement/Text.

Barron, John M., and Michael E. Staten. 2003. “The Value of Comprehensive Credit Reports: Lessons from the US Experience.” In Credit Reporting Systems and the International Economy, edited by Margaret J. Miller, 273–310. MIT Press, Cambridge, Massachusetts.

BCBS (Basel Committee on Banking Supervision). 2019. Report on Open Banking and Application Programming Interfaces. Bank for International Settlements, Basel, Switzerland.

Berg, Gunhild, and Bilal Zia. 2017. “Harnessing Emotional Connections to Improve Financial Decisions: Evaluating the Impact of Financial Education in Mainstream Media.” Journal of the European Economic Association 15, no. 5 (October 2017), 1025–55.

Boeddu, Gian, Jennifer Chien, Ivor Istuk, and Ros Grady. 2021. Consumer Risks in Fintech: New Manifestations of Consumer Risks and Emerging Regulatory Approaches. Policy Research Paper, April 2021. World Bank Group, Washington, DC.

Boyd, Mark, and Michel Hanouch. 2020. “Customers Want Data Protection: How Can Open API Providers Deliver?” CGAP Blog, April 21, 2020.

EDPB (European Data Protection Board). 2020a. “Guidelines 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR.” Version 2.0, adopted on December 15, 2020.

EDPB (European Data Protection Board). 2020b. “Guidelines 05/2020 on Consent under Regulation 2016/679.” Version 1.1, adopted on May 4, 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf.

European Union. 2015. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on Payment Services in the Internal Market, Amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and Repealing Directive 2007/64/EC, https://www.eumonitor.eu/9353000/1/j9vvik7m1c3gyxp/vk0vn25mntsj.

Gill, Sanjivan, and Onkar Sumant. 2020. Open Banking Market: Global Opportunity Analysis and Industry Forecast, 2019–2016. Allied Market Research, March 2020.

Hamilton, Philip. 2019. “‘You’re More Likely to Divorce Than Switch Banks’: Will Open Banking Encourage More Switching?” FlagPost Blog, July 17, 2019, https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/FlagPost/2019/July/Open_Banking.

Jaffee, Dwight, and Thomas Russell. 1976. “Imperfect Information, Uncertainty, and Credit Rationing.” Quarterly Journal of Economics 90, no. 4 (November 1976), 651–66.

Leong, Emma. 2020. “Open Banking: The Changing Nature of Regulating Banking Data—A Case Study of Australia and Singapore.” Banking & Finance Law Review, no. 35.3 (July 2020), 443–69.

Madrigal, Alexis C. 2012. “Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days.” The Atlantic, March 1, 2012.

McDonald, Aleecia M., Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor. 2009. “A Comparative Study of Online Privacy Policies and Formats.” In Privacy Enhancing Technologies: 9th International Symposium, PETS 2009, Seattle, WA, USA, August 2009, Proceedings, edited by Ian Goldberg and Mikhail J. Atallah, 37–55. Springer.

Medine, David, and Gayatri Murthy. 2019. “Three Data Protection Approaches That Go Beyond Consent.” CGAP Blog, January 7, 2019.

Miller, Margaret J., ed. 2003. Credit Reporting Systems and the International Economy. MIT Press, Cambridge, Massachusetts.

Montes, Fredes, and Maldonado Luis. 2020. Comparative Open Banking Frameworks; Financial Inclusion Global Initiative Symposium, World Bank.

Murthy, Gayatri, and David Medine. 2018. “Data Protection and Financial Inclusion: Why Consent Is Not Enough.” CGAP Blog, December 20, 2018.

ODI (Open Data Institute) and Fingleton. 2019. Open Banking, Preparing for Lift Off: Purpose, Progress & Potential, https://www.openbanking.org.uk/wp-content/uploads/open-banking-report-150719.pdf.

Plaitakis, Ariadne, and Stefan Staschen. 2020. “Open Banking: How to Design for Financial Inclusion.” Working Paper. CGAP, Washington, DC.

Stiglitz, Joseph E., and Andrew Weiss. 1981. “Credit Rationing in Markets with Imperfect Information.” The American Economic Review 71, no. 3 (June 1981), 393–410.

WP29 (Article 29 Working Party). 2018. “Guidelines on Consent under Regulation 2016/679 Adopted on 28 November 2017 as last Revised and Adopted on 10 April 2018,” https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf.