
Consent API and definition #47

Closed
NationalAustraliaBank opened this issue Dec 20, 2018 · 3 comments
Labels
feedback A general placeholder for feedback. response provided A response has been provided and the issue will be closed if no further feedback is provided

Comments

@NationalAustraliaBank

NAB is concerned with the lack of definition for consent management, including:

  • Create, view and revoke consents APIs
  • Data structures and claims made within the consent requests
  • Notification that consent has been revoked endpoints (called by DH to DR). This is done to notify the DR that consent has been revoked; that API calls for this customer's data should cease; and that currently held data for that customer should be discarded safely.

The consent management process appears to have overlapping concerns with the UX, Security and Data Standards streams. Without clear guidelines at this stage this is likely to impact the July 2019 rollout.

@lukepopp lukepopp added the feedback A general placeholder for feedback. label Dec 21, 2018
@lukepopp
Contributor

Thanks @NationalAustraliaBank

@dpostnikov

UK reference could be used as a possible starting point?

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/937558092/Account+Access+Consents+v3.1

@JamesMBligh
Contributor

The current position, based on CX testing results and a review of the ACCC draft rules, is that low level permissions are not required. As a result v1 of the standards will be limited to OIDC scopes rendering a consent API unnecessary. If the regime requires this at a later date this decision may be revisited.

Note that the implications of this position are as follows:

  • There will be no consent API in v1 to construct a low resolution model of consent
  • There will be no consent APIs to modify consent post authorisation. Consent will be considered immutable until a revocation or reauthorisation event occurs
  • There will be no ability to programmatically retrieve consent for an authorisation once the authorisation flow is completed. A customer will still be able to see this via their dashboards
  • Consent is not a shareable data set
  • A mechanism for revocation and bi-directional notification will be created

-JB-

@JamesMBligh JamesMBligh added the response provided A response has been provided and the issue will be closed if no further feedback is provided label Apr 3, 2019
@JamesMBligh JamesMBligh mentioned this issue Apr 3, 2019
@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia locked and limited conversation to collaborators Apr 28, 2019