The Age of Consent – The Case for Federated Bank ID
Treasury and Trade Solutions

The purposeful act of granting consent will become commonplace in the digital economy, including the banking domain. The need to provide digital consent will be embedded in signing up for new online services, authorising a banking transaction and granting permission for a third-party to access your data. The ability to provide digital consent is a basic function in the digital economy for both individuals and legal entities.

The European General Data Protection Regulation (GDPR) is a comprehensive framework to address data privacy in the emerging digital age. GDPR asserts the rights of individuals (data subjects) to exert a greater degree of control over their personal data, including rights of access, erasure and data portability. GDPR brings the act of consent to the forefront as a deliberate act by the individual:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement. [2]

Consents are not just about granting access to data: they are also about granting permission for transactions, such as the permission for a merchant to take one or a series of payments over time. In the banking space, consents will be increasingly expressed through Strong Customer Authentication (SCA):

“Strong customer authentication” means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent. [3]

In practice, the methods employed by banks to obtain SCA consents from individuals in open banking are unacceptable to merchants who are otherwise looking for simpler, safer ways to collect payments from consumers. Merchants do not find it acceptable that consumers are redirected from online checkouts to go through the elaborate and proprietary SCA methods deployed by each individual bank. PSD2 rules to obtain consents through SCA apply to card transactions and Payment Initiation through open banking APIs. A report commissioned by Stripe forecast that Europe’s online economy would lose EUR57 billion of sales in the year following SCA implementation. [4]

Regulators want to reduce fraud and increase competition in payment services by opening bank infrastructures to third parties, but one of the foundations of the digital pyramid is missing: a frictionless way to achieve customer consent through SCA.