Overview

What is consent management?

Consent management is a simple maker-checker* flow that allows Moniepoint staff and internal and external services to access account details and carry out sensitive actions (e.g., profile updates) on a customer's account, with the customer's consent.

*Maker-checker: One party initiates a request, and the other party approves the request.

Example scenario: Updating the business name on a Moniepoint account

  • A user walks into a Moniepoint Kiosk to get help updating the business name on their Moniepoint account.

  • This means a Moniepoint Kiosk agent must take a sensitive action on behalf of the customer.

  • With the consent management system, the Kiosk agent can initiate a consent request for the customer to approve.

  • Once the customer approves this request, the agent can proceed to update the business name.

This ensures every sensitive change to the customer's account is explicitly authorized by the customer, and that the customer is always informed of all changes made to their Moniepoint account.

We can also see a detailed activity log of all the changes made to a customer's account.

What channels will this run on?

  1. Moniedesk

  2. Back office

  3. BRM dashboard

  4. PRM dashboard

  5. USSD

  6. Moniepoint banking app.

Problem Statement

Why do we need a consent management system?

  1. Improved compliance and security: this keeps us compliant and in line with GDPR by ensuring all actions are taken with the customer's consent.

  2. Reduced fraud risk: a sensitive action cannot be completed without the customer's approval, which significantly reduces the chance of bad actors taking such actions and adds an extra layer of security at physical locations as well.

  3. Audit logs: There is now a clear trail of who performed what actions on a customer's account and a clear record of who approved the actions to be taken.

  4. Automated consent processes: automating the collection of consent makes obtaining the customer's approval simpler, especially for physical interactions.

How do we manage consent today?

Today, when a user requires a change on their account, we manually collect their personal details as a way to confirm their consent: the customer submits their voter's card, BVN information and account information.

Why doesn’t it work?

  1. The Moniepoint staff member engaging with the customer gets direct access to sensitive customer data, and gathering some of that information can be very cumbersome for the customer.

  2. Also, as a customer, why am I sharing my PII just to make a simple change?

What solution do we propose?

  • Consent management APIs: A suite of APIs integrated into existing customer channels to give staff the ability to request users' consent and for the users to approve the request in turn. With these APIs customers and staff should be able to carry out the following actions:

    1. Initiate consent request

    2. Approve consent request

    3. Reject consent request

    4. Revoke consent request

    5. Get all consent requests

    6. Get all approvals

    7. Bulk approve and reject

  • Consent management dashboard: A platform for compliance and support leaders to monitor and audit consent management.
    Problems and Proposed Solutions

    Problem Statement

    Why do we need a consent management system?

    1. Enhanced financial transparency and trust

    2. Improved customer experience

    3. Improved compliance and security

    Problems and Proposed Solutions

    How do we manage consent today?

    [Clarify here]

    What solution do we propose?

    1. Consent Management APIs: APIs to allow clients to get customer consent before carrying out sensitive actions

    2. [Phase 2]Consent management dashboard: A platform for compliance and support leaders to monitor and audit consent management.

    Consent Management APIs

    Overview

    Two types of actions can be carried out on a customer account by a client:

    1. Account Operations

    2. Payment Operations

    Types of clients

    Internal

    1. Moniedesk

    2. Backoffice

    3. BRM dashboard

    4. PRM dashboard

    External (Third-party providers)

    1. Bill payment for standing orders

    2. Lending companies

    3. NIBSS

    Process for getting consent

    0. Register a client

    1. Create an access token

    2. Create a consent

    3. User flow

    4. Exchange the authorization code for an access token

    5. Query the API

    Step 0: Register a client

    To register a client we need the following information.

    1. ClientID: a unique identifier for the client.

    2. Scope: accounts, payments or both. A client can later request only permissions that fall within its registered scope.

    3. RedirectURL: the URL the user is sent back to after they have granted or rejected consent. It is fixed at registration and must be matched exactly (no prefix or wildcard matching) whenever a later call supplies a redirect URL.


    Step 1: Create an Access Token

    Request
    Endpoint: /auth/token
    Method: POST
    Payload:
    {
      "grant_type": "client_credentials",
      "scope": ["accounts"],   // "accounts", "payments" or both; must be within the client's registered scope
      "clientID": "109130"     // client that is requesting access
    }

    Response
    {
      "status": "successful",
      "access_token": "xxx-sdffs-ffsfsf",
      "expires_in": "6000",    // token lifetime; units are not stated on this page (the OAuth 2.0 convention is seconds)
      "scope": "accounts"
    }

    The client must authenticate on this call (client secret, mTLS or a signed assertion); a clientID on its own is not a secret, and a client_credentials grant that accepts it alone would let anyone who knows the ID obtain a token. The issued scope must never exceed the scope registered in Step 0.

    Step 2: Create a Consent

    Consent management for Account operations

    This allows a client to access user account information. The client must also hold the specific permission for each piece of data it reads or updates, chosen from the list below (the Read* names follow the UK Open Banking Account and Transaction API permission set; the two Update* permissions are Moniepoint-specific):

    Permission                      Who can access

    ReadAccountsBasic
    ReadAccountsDetail
    ReadBalances
    ReadBeneficiariesBasic
    ReadBeneficiariesDetail
    ReadDirectDebits
    ReadScheduledPaymentsBasic
    ReadScheduledPaymentsDetail
    ReadStandingOrdersBasic
    ReadStandingOrdersDetail
    ReadTransactionsBasic
    ReadTransactionsCredits
    ReadTransactionsDebits
    ReadTransactionsDetail
    UpdateAccountDetail
    UpdateAccountStatus

    Request
    Endpoint: /request-consent
    Method: POST
    Authorization: Bearer xxx-sdffs-ffsfsf   // access token from Step 1
    Payload:
    {
      "Permissions": ["ReadAccountsDetail", "ReadBalances"]
    }

    Response
    {
      "status": "pending",   // waiting for user consent
      "consentID": "65f82acd00000003aa9028d"
    }

    The service must reject any Permissions entry that falls outside the scope the client registered in Step 0 and was issued in its Step 1 token. The consent records exactly the permissions requested here; these are what the customer is later shown and asked to approve, and the access token issued in Step 4 must carry no more than that.

    Step 3: User Flow

    Generate the user flow with the consent ID.

    Request
    Endpoint: /consent/initiate
    Method: POST
    Authorization: Bearer xxx-sdffs-ffsfsf   // access token from Step 1
    Payload:
    {
      "ConsentID": "65f82acd00000003aa9028d",   // identifies the consent created in Step 2
      "scope": "accounts",                       // or "payments"
      "redirect_url": "https://reddit.com/redirect",
      "clientID": "109130",
      "meta": {},
      "customerID": 188292                       // Moniepoint user ID
    }

    Response
    {
      "status": "successful",
      "ConsentID": "65f82acd00000003aa9028d",
      "code": "code_jsdnjsbfssfissj"
    }


    We map the consent request to the user using the "customerID". Three checks belong on this call: the ConsentID must belong to the client identified by the bearer token, the clientID in the payload must match that token, and redirect_url must exactly match the RedirectURL registered in Step 0, otherwise a consent-bound code could be delivered to a URL the client never registered. Note also that the code is issued before the customer has decided, so on its own it is not proof of consent: the exchange in Step 4 must fail unless the consent's status is approved, and each code must be single-use and short-lived.

    For users with the mobile app:

    1. Push notification requesting their consent

    2. Redirect them to a screen in the app that brings up 2FA (OTP + face verification)

    3. On successful verification, the following will be displayed for the user to review:

      1. Details of the client requesting consent

      2. Permissions granted to the client

    4. The user can click a button to approve the consent request

    5. Unhappy path: The user can also reject a consent request

    For users with USSD

    1. Dial a shortcode to grant approval for pending consent request

    2. Enter your passcode to confirm consent

    For users without access to digital channel

    Generate a consent link for the users

    1. Enter username and password

    2. Redirect them to a widget that brings up 2FA (OTP or face verification)

    3. On successful verification, the following will be displayed for the user to review:

      1. Details of the client requesting consent

      2. Permissions granted to the client

    4. The user can click a button to approve the consent request

    5. Unhappy path: The user can also reject a consent request

    Step 4: Exchange the Authorization Code for an Access Token

    Get a long-lived access token bound to the customer's approved consent.

    Request
    Endpoint: /auth/token
    Method: POST
    Payload:
    {
      "grant_type": "auth_code",         // this page's name for the authorization-code grant (OAuth 2.0 calls it "authorization_code")
      "expires_in": "60000",             // requested token lifetime, in ms
      "code": "code_jsdnjsbfssfissj",    // code from the user-consent step
      "clientID": "109130"               // client that is requesting access
    }

    The exchange must be refused unless the consent behind the code has status approved, the code has not been used before, and the clientID matches the client that initiated the flow. The server should treat expires_in as a request and cap it at its own maximum rather than honouring an arbitrary client-chosen lifetime, and the resulting token must carry only the permissions the customer approved. Revoking the consent (one of the listed API actions) must invalidate every token issued from it.

    Step 5: Query the API

    Use the access token obtained for the customer's account in the previous step to call the API and read or update customer information. Each call is checked against the specific permissions the customer approved, not just against the token's validity.
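The whole flow above, Steps 0 to 5 plus the customer's approve/reject decision and a revoke, as an added example in Python. It is illustration written for this page, not Moniepoint's code; the class name ConsentService, its method names, the in-memory storage, the 3600-second token cap, the kiosk.example redirect URL and the client and customer identifiers in the demo are all assumptions. It shows the checks the design needs: requested permissions must sit inside the client's registered scope, the redirect URL must match registration exactly, only the customer bound to a consent can approve it, the authorization code is exchangeable once and only after approval, the server caps the token lifetime rather than trusting expires_in, the resource API checks the exact permission on every call, and revoking the consent kills its tokens. Every state change also lands in an audit list of who did what to which consent, which is the trail the dashboard section relies on.

```python
import secrets, time
from dataclasses import dataclass

# Account permissions listed on this page, keyed by scope; no payment permissions are defined yet.
SCOPE_PERMISSIONS = {
    "accounts": frozenset({
        "ReadAccountsBasic", "ReadAccountsDetail", "ReadBalances", "ReadBeneficiariesBasic",
        "ReadBeneficiariesDetail", "ReadDirectDebits", "ReadScheduledPaymentsBasic", "ReadScheduledPaymentsDetail",
        "ReadStandingOrdersBasic", "ReadStandingOrdersDetail", "ReadTransactionsBasic", "ReadTransactionsCredits",
        "ReadTransactionsDebits", "ReadTransactionsDetail", "UpdateAccountDetail", "UpdateAccountStatus"}),
    "payments": frozenset(),
}

class ConsentError(Exception):
    """A request that violates the consent rules."""

@dataclass
class Consent:
    client_id: str
    permissions: frozenset
    status: str = "pending"            # pending -> approved | rejected; approved -> revoked
    customer_id: "int | None" = None   # bound to the customer in Step 3

class ConsentService:
    MAX_TOKEN_LIFETIME = 3600.0        # seconds; assumed server-side cap on what Step 4 may ask for
    def __init__(self, clock=time.time):
        self.clock = clock             # injectable so expiry can be exercised
        self.clients = {}              # client_id -> (scopes, redirect_url)          Step 0
        self.consents = {}             # consent_id -> Consent                        Step 2
        self.codes = {}                # single-use authorization code -> consent_id  Step 3
        self.tokens = {}               # access token -> (consent_id, expires_at)     Step 4
        self.audit = []                # (time, action, actor, consent_id) for the dashboard

    def register_client(self, client_id, scopes, redirect_url):
        self.clients[client_id] = (frozenset(scopes), redirect_url)   # Step 0, done out of band

    def request_consent(self, client_id, permissions):
        # Step 2: the requested permissions must lie within the client's registered scope
        scopes, _ = self.clients[client_id]
        allowed = frozenset().union(*(SCOPE_PERMISSIONS[s] for s in scopes))
        if not set(permissions) <= allowed:
            raise ConsentError("permission outside the client's registered scope")
        cid = secrets.token_hex(12)
        self.consents[cid] = Consent(client_id, frozenset(permissions))
        self.audit.append((self.clock(), "initiate", client_id, cid))
        return cid

    def initiate_user_flow(self, client_id, consent_id, customer_id, redirect_url):
        # Step 3: bind the consent to a customer; redirect_url must equal the registered one exactly
        consent = self.consents[consent_id]
        if consent.client_id != client_id or consent.status != "pending":
            raise ConsentError("consent not owned by this client or not pending")
        if redirect_url != self.clients[client_id][1]:
            raise ConsentError("redirect_url does not match the registered RedirectURL")
        consent.customer_id = customer_id
        code = "code_" + secrets.token_urlsafe(16)
        self.codes[code] = consent_id
        return code

    def decide(self, customer_id, consent_id, approve):
        # The checker half of maker-checker: only the bound customer may approve or reject
        consent = self.consents[consent_id]
        if consent.customer_id != customer_id or consent.status != "pending":
            raise ConsentError("not this customer's pending consent")
        consent.status = "approved" if approve else "rejected"
        self.audit.append((self.clock(), consent.status, f"customer:{customer_id}", consent_id))

    def exchange_code(self, client_id, code, requested_lifetime):
        # Step 4: the code proves consent only once the consent is approved, and is spent on success
        cid = self.codes.get(code)
        if cid is None or self.consents[cid].client_id != client_id:
            raise ConsentError("unknown or already used code")
        if self.consents[cid].status != "approved":
            raise ConsentError(f"consent is {self.consents[cid].status}, not approved")
        del self.codes[code]
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (cid, self.clock() + min(requested_lifetime, self.MAX_TOKEN_LIFETIME))
        return token

    def revoke(self, actor, consent_id):
        self.consents[consent_id].status = "revoked"   # every token minted from it now fails authorize()
        self.audit.append((self.clock(), "revoked", actor, consent_id))

    def authorize(self, token, permission):
        # Step 5: the resource API checks expiry, the consent's current status and the exact permission
        entry = self.tokens.get(token)
        if entry is None or self.clock() >= entry[1]:
            return False
        consent = self.consents[entry[0]]
        return consent.status == "approved" and permission in consent.permissions

if __name__ == "__main__":
    svc = ConsentService()
    svc.register_client("109130", ["accounts"], "https://kiosk.example/redirect")  # constructed client
    cid = svc.request_consent("109130", ["ReadAccountsDetail", "ReadBalances"])
    code = svc.initiate_user_flow("109130", cid, 188292, "https://kiosk.example/redirect")
    svc.decide(188292, cid, approve=True)      # the customer approves in the app, via USSD or the widget
    token = svc.exchange_code("109130", code, 6000)
    print(svc.authorize(token, "ReadBalances"), svc.authorize(token, "UpdateAccountDetail"))
```

Running the file walks the kiosk scenario from the Overview: the agent's client asks for two account permissions, the customer approves, and the resulting token can read balances but cannot update account details because UpdateAccountDetail was never requested. The important design choice is that approval is recorded on the consent, not on the code: the code only becomes exchangeable after decide() has run, so a client that calls the token endpoint early gets a refusal and the customer's decision stays the single source of truth for the dashboard's audit trail.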

    Consent management for payments

    What does success look like?

    ...

    Business Impact

    What is the value delivered when we introduce consent management?

  • Improved security

  • Speed

  • A seamless way to carry out sensitive action for support team

    Do we currently have any metrics to support this?

    [In progress: What is the current experience for compliance and how does this affect the user experience? Do people drop off from support if they’re unable to get required compliance information to carry out sensitive actions? How many?]

    Key stakeholders

    Compliance
    Customer success
    Operations team

    User Personas

    Who will use this consent management?

    Users

    1. Moniepoint users with banking app

    2. Moniepoint users with feature phones (USSD)

    3. Moniepoint users without access to digital channels (at Kiosks or via their PRM/BRM)

    Clients

    Internal

    1. Moniedesk

    2. Backoffice

    3. BRM dashboard

    4. PRM dashboard

    External (Third-party providers)

    1. Bill payment for standing orders

    2. Lending companies

    3. NIBSS

    User Stories

    Clearly define the features that will answer user questions about consent management

    APIs

    1. Initiate consent request

    2. Approve consent request

    3. Reject consent request

    4. Revoke consent request

    5. Get all consent requests

    6. Get all approvals

    7. Bulk approve and reject

    8. RBAC

    Dashboard

    1. RBAC

    2. Audit logs

    3. UI for APIs

    4. View consent data

    ...