Open Banking consents management

This article explains how consents are managed under Open Banking specifications. It describes the responsibilities of specific OB players in creating and administering consents, and the methods for managing consents in accordance with OB standards.

Consents in Open Banking

Open Banking (OB) allows for transparent and controlled financial operations while ensuring maximum data security and privacy. A number of processes and mechanisms stand behind it, the most evident and perhaps the most powerful being the use of consents. Consents are fundamental for privacy assurance: they guarantee that access to data is always consciously granted by the data owner, with the time and the scope limited as needed. To enable the proper flow of consents in the OB ecosystem, its participants are required to create and manage specific consent types as defined in OB standards. Properly processed consents are the means of communication between different OB parties, allowing for the exchange of information between them and, ultimately, their integration.

Note

The compatibility with Open Banking standards requires a specific flow and processing of consents. ACP helps to achieve it by providing OB-enabling features, for example, by allowing the Fintech application to register consents.

Consents delivery

As specified in OB standards, consents are created and provided by OB actors to request access to specific scopes of the users' data.

  • Financial application (developer) is responsible for creating and delivering the first consent that the user receives after triggering the Open Banking flow. This consent, as required by OB standards, asks the user what data needs to be retrieved from the bank and, thus, shared with the application. Once the user confirms this consent, ACP takes care of all required redirects to proceed with the authentication and authorization of the user.

  • Financial institution (developer) is responsible for creating and delivering the other consent that the user (bank customer) receives. This consent, as defined in OB standards, specifies what accounts and scopes of data the user wants to share with the Fintech application.

The user can manage their consents themselves in the self-service application. Such an application is usually available from the bank website as a customer portal. The user can visit the portal, log in to the account, check what applications they share access to their accounts with, and revoke some consents.

Check how ACP supports the user’s consent management

To see what consent management looks like from the user’s perspective, see Check the customer portal for the sample self-service application that ACP offers in its sandbox.

The bank administrator can manage users' consents granted to the Fintech applications in the admin application. Such an application is usually built and provided to the admins by the bank (developers) as an admin portal. In the portal, the administrator can preview all the users' consents and their statuses. If needed, users' consents can also be revoked by the bank administrator in the portal.

Check how ACP supports the admin’s consent management

To see what consent management looks like from the admin’s perspective, see Check the bank admin portal for the sample admin application that ACP offers in its sandbox.
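The example below is added here for illustration and is not ACP code or part of the original page. It shows the checks a bank's resource server would apply to a consent before releasing data: status, expiry, data scope, and selected account, plus the effect of a revocation from either portal. Status and permission names follow the OB UK account access consent; the `Consent` class, `authorize`, `revoke`, the route-to-permission map and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# OB UK permission codes; the route-to-permission mapping is an assumption.
REQUIRED_PERMISSION = {"accounts": "ReadAccountsBasic", "balances": "ReadBalances"}

@dataclass
class Consent:
    status: str                     # AwaitingAuthorisation, Authorised, Rejected, Revoked
    permissions: frozenset          # data scopes confirmed in the app's consent
    account_ids: frozenset          # accounts selected on the bank's consent page
    expiration: Optional[datetime]  # ExpirationDateTime; None means no expiry set

def authorize(consent, resource, account_id, now):
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if consent.status != "Authorised":
        return False, "status:" + consent.status
    if consent.expiration is not None and now >= consent.expiration:
        return False, "expired"
    needed = REQUIRED_PERMISSION.get(resource)
    if needed is None or needed not in consent.permissions:
        return False, "permission"
    if account_id not in consent.account_ids:
        return False, "account"
    return True, "ok"

def revoke(consent):
    """Customer or bank admin revokes: the record stays, only the status changes."""
    consent.status = "Revoked"

# Constructed sample: one authorised consent covering a single account.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE = Consent(
    status="Authorised",
    permissions=frozenset({"ReadAccountsBasic"}),
    account_ids=frozenset({"acct-001"}),
    expiration=datetime(2024, 2, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(authorize(SAMPLE, "accounts", "acct-001", NOW))  # in scope, in time
    print(authorize(SAMPLE, "balances", "acct-001", NOW))  # scope never granted
    print(authorize(SAMPLE, "accounts", "acct-999", NOW))  # account not shared
    revoke(SAMPLE)
    print(authorize(SAMPLE, "accounts", "acct-001", NOW))  # denied after revocation
```

Evaluating the consent on every request, rather than once at token issuance, is what makes a revocation in the customer or admin portal take effect immediately.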

ACP provides a set of features that not only allows the maximum privacy and security of financial operations but also enables Open Banking. ACP provides rich APIs both for creating and managing consents in accordance with Open Banking standards.

Note

ACP uses the same APIs that are defined in Open Banking standards, for example, in OB UK API specifications.

Consent pages built for OB authentication and authorization purposes use internal APIs of ACP to accept or reject the consents.

Read more on the custom consent page

For more information on how the custom consent page works and how to build your own consent page using ACP, see Building the Open-Banking-compliant consent page.

The APIs for creating and managing consents are provided by ACP out of the box, along with complete applications serving the same purposes. When you install ACP, you get a set of easily integrated APIs to create and manage the user consent.

Check how ACP supports the consent management

To find out what applications ACP offers in its sandbox for the consent management, see Check the customer portal and Check the bank admin portal.

Check in the sandbox

You can see how consents are processed in the OB Quickstart that ACP provides on GitHub. Specifically, there are two applications to help you understand the flow and the lifecycle of consents in the Open Banking environment: the admin portal and the customer portal. By exploring the two sample applications in the sandbox, you can learn how ACP enables the integration for consent-management purposes.

Another mock application available in the sandbox is the ACP portal itself. It is configured so that its features are in line with OB standards. For example, in the openbanking workspace, the Consent screen function is preconfigured to use the Open Banking consent type.

Get the quickstart

  1. Navigate to cloudentity/openbanking-quickstart in your browser.

  2. Clone the repository by executing git clone git@github.com:cloudentity/openbanking-quickstart.git in the terminal.

  3. Start the OB Quickstart by executing make run-dev in the terminal.

Check the customer portal

The customer portal is an application for self-service consent management.

  1. In your browser, navigate to https://localhost:8085 to access the customer portal.

  2. Log in to the mock portal with the credentials specified in the README of the quickstart.

  3. Explore the portal to check what actions you can take as a user and how the application enables managing consents from the user’s perspective.

ACP enables user’s actions on consents.

As a user, you can

  • Check what application(s) you provided with access to your data and what scope(s) of your data they are allowed to access.

  • Revoke the permissions you’ve already granted.

Note

To manage access using the customer portal in the sandbox, you need to have some account(s) and/or application(s) connected therein.

Check the bank admin portal

The bank admin portal is an application for administrative consent management.

  1. In your browser, navigate to https://localhost:8086 to access the bank admin portal.

  2. Log in to the mock portal with the credentials specified in the README of the quickstart.

  3. Explore the portal to check what actions you can take as an admin and how the application enables managing consents from the administrator’s point of view.

ACP enables admin’s actions on consents.

As a bank admin, you can

  • Check application(s) that specific users provided with access to their data.

  • Check types of permissions that specific users provided to particular applications and verify scopes of data they shared with the apps.

  • Revoke the permissions on behalf of the users.

Note

To manage access using the bank admin portal in the sandbox, you need to have some user account(s) and/or application(s) connected therein.