List of accounts to show in the Consent Flow #313

Closed
bmangalaganesh opened this issue Aug 31, 2020 · 3 comments

@bmangalaganesh

Request For Clarification

I am trying to better understand an edge case scenario - "list of accounts" to display during the consent flow.

Both the accounts listed below are Transaction account(s) which makes them an eligible account (available in the current phase of products that are supported by CDR)

  1. I have an account -123456789 with a Data Holder which is available via their digital channels (Mobile/Internet banking)
  2. I have another account -222333444 with the Data Holder however it is not accessible via any digital channel. If I want to operate on this account - I prefer to work with the bank (in-person or via their call center).

There are a couple of variants in which account 222333444 has been set up at the data holder:

  • (2a) It is not associated with any internet banking identifier (or)
  • (2b) Associated with an Internet Banking Identifier. However, a preference has been set up to not show this account in their digital channel(s)

There is no ambiguity about displaying the account 123456789 during the consent flow.

What about the account - 222333444?

Should that be displayed in the list of accounts in consent flow in both (2a) and (2b) variants?

Appreciate any help.

@bmangalaganesh
Author

An additional question in this space based on how the data holders may have done the account association(s) with their channel identifiers.

John is a customer of the Data Holder and he has two internet banking credentials - 10099999 & 99911111. Each of these is associated with accounts - 000999101 and 000888101, and 999888101 and 999888102 (represented in the picture below).

image

When John enters the User Identifier - 10099999 during the DH authentication flow what is the expectation on the list of accounts returned?

All 4 accounts:

  1. 000999101
  2. 000888101
  3. 999888101
  4. 999888102

or just the two accounts that the User Identifier 10099999 is associated with.

My reading is that John is the customer and he is using an identifier that he knows with the Data Holder to identify himself. The preferences and other semantics of the Data Holder channel (Internet Banking in this case) should not influence the list of accounts returned - i.e. all eligible accounts associated with John should be returned.

Will appreciate the viewpoints and interpretations of the experts here.

@nils-work
Member

Hi @bmangalaganesh

I'm not the expert here, but I can share my thoughts to see if they help.

Re: your point (2a) above, you mentioned -

(2a) It is not associated with any internet banking identifier

In that case I guess it couldn't appear in the list, unless you have another way to match it to the customer credential?

Re: (2b), my first thought was this part of the rules, the last line here -

Part 2—Eligible CDR consumers—banking sector
2.1 Meaning of eligible—banking sector
(1) This clause is made for the purposes of the definition of eligible in subrule 1.7(1) of these rules.
(2) For the banking sector, in relation to a particular data holder at a particular time, a CDR consumer is eligible if, at that time, the CDR consumer:
(a) is an individual who is 18 years of age or older; and
(b) is the account holder for an account with the data holder that:
(i) is open; and
(ii) is set up in such a way that it can be accessed online.

But that is about eligibility for consumers, not specific accounts.

In your example the customer would be 'eligible' because they have at least one online account.

Whether the other account should be included may be up to you if you are aiming to match online banking and the customer has chosen not to "set up in such a way that it can be accessed online".

As you have stated it is the customer preference - I'm guessing the customer could change their preference and attempt sharing again if they really wanted to share that account?

There may be another aspect to this in the below rule and I'm not sure if this is where your concern came from?
Last line here -

Note 3: So long as the CDR consumer is eligible to make a consumer data request in relation to a particular data holder, they will be able to make or cause to be made a consumer data request that relates to any account they have with the data holder, including closed or accounts that cannot be accessed online.

I'm not sure if there's any more clarity available on the "cannot be accessed online" part of that note.

(extracts from rules)

I think the key to your additional question is that you are allowed to show some kind of profile selection screen where necessary and also with concurrent consent, the customer could create a different consent for each identifier they normally use.

If the customer has different credentials for different reasons, they may not want/expect all their accounts to be grouped together in CDR if they are not normally like that in their online banking view.

Are any of these points helpful or incorrect to your understanding?

@CDR-API-Stream
Collaborator

Hi @bmangalaganesh thanks for your patience. Please see below the response from the ACCC.

The rules require an ‘eligible consumer’ (see clause 2.1 of Schedule 3) to be able to share CDR data on all of their products in scope (see clauses 1.4, 3.2 and 6.6 of Schedule 3). Where a consumer is eligible, all of their products in scope, including products that are closed or otherwise offline, must be available for sharing (see clause 3.2 of Schedule 3, and in particular Note 3 to that clause). A consumer may have to navigate between profiles in order to access all products/accounts (see CX Standard 1.4 – Authorisation, Account selection). To address your specific queries:

  • (2a): Assuming the consumer is over 18, and account 123456789 is open (noting the example says it is accessible in mobile/internet banking too), the consumer is eligible and Account 222333444 must be available for sharing. Data holders are encouraged to attach offline accounts to existing internet banking identifiers. That is, accounts 123456789 and 222333444 are encouraged to be both available through the one profile, where practicable.
  • (2b): Again, Account 222333444 must be available for sharing (for the same reasons as above), despite the consumer having set up a preference not to display this account in their digital channels. While it must be available for sharing, the consumer can choose not to share CDR data from that account.
  • Additional question: The data holder may choose to present all four accounts, or the two accounts attached to that user identifier (10099999). We consider both to be compliant with the rules and CX standards, with implementation being a matter for data holders to determine. For completeness, we note that if John is an ‘eligible consumer’ and all accounts are for products in scope, all accounts must be available for CDR sharing. That is, regardless of whether data holders implement by presenting John with two accounts or four accounts, John must be able to share CDR data on all four accounts.

This issue was closed.