Versions Compared

Version Old Version 12 New Version Current
Changes made by

Ahmed-Tijani Umar (Unlicensed)

Ahmed-Tijani Umar (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleProblems and Proposed Solutions

How do we manage consent today?

Proposed solution

  1. Consent Management APIs: APIs to allow clients to get customer consent before carrying out actions on their account

  2. [Phase 2]Consent management dashboard: A platform for compliance and support leaders to monitor and audit consent management.

Consent Management APIs

Overview

Two types of actions can be carried out on a customer account by a client:

  1. Account Operations

  2. Payment Operations

Types of clients

Internal

  1. Moniedesk

  2. Backoffice

  3. BRM dashboard

  4. PRM dashboard

External (Third-party providers)

  1. Bill payment for standing orders

  2. Lending companies

  3. NIBSS

Process for getting consent

  1. Register a client

  2. Create an access token

  3. Create a consent

  4. User Flow

  5. Exchange Authorization Token

  6. Query the API

Step 0: Register a client

To register a client we need the following information.

  1. ClientID: This is a unique identifier for the client

  2. Scope: This can be account or payments or both

  3. RedirectURL: This allows us to redirect the user after they have given client consent.


Step 1: Create an Access Token

Code Block
languagenone
Endpoint: /auth/token
Method: POST
Payload: 
{
 grant_type: "client_credentials",
 scope: [account], // can be accounts or payments or both
 clientID: "109130" // client that is requesting access
}
Code Block
languagenone
Response
{
    status: "successful"
    "access_token": "xxx-sdffs-ffsfsf",
    "expires_in": "6000",
    "scope": "accounts"
}

Step 2: Create a Consent

Consent management for Account operations

This allows a client to access user account information. The client must also have permission to access the information based on the list below:

Permission

Who can access

ReadAccountsBasic

ReadAccountsDetail

ReadBalances

ReadBeneficiariesBasic

ReadBeneficiariesDetail

ReadDirectDebits

ReadScheduledPaymentsBasic

ReadScheduledPaymentsDetail

ReadStandingOrdersBasic

ReadStandingOrdersDetail

ReadTransactionsBasic

ReadTransactionsCredits

ReadTransactionsDebits

ReadTransactionsDetail

UpdateAccountDetail

UpdateAccountStatus

Code Block
languagenone
Endpoint: /request-consent
Method: POST
Authorization: Bearer xxx-sdffs-ffsfsf  //token from previous step
Payload: 
{
Permissions: [ReadAccountsDetail, ReadBalances]
}
Code Block
languagenone
Response
{
 status: "pending" //waiting for user consent,
 consentID: "65f82acd00000003aa9028d"
}

Step 3: User Flow

Trigger user flow with the consent ID

Code Block
languagenone
Endpoint: /consent/initiate
Method: POST
Authorization: Bearer xxx-sdffs-ffsfsf  //token from previous step
Payload: 
{
ConsentID: "65f82acd00000003aa9028d", // to identify consent
scope: "accounts", //or payments
redirect_url: "https://reddit.com/redirect",
clientID: "109130",
meta: {
},
customerID: ahmedtijaniumar@gmail.com // Moniepoint user ID

}
Code Block
languagenone
Response when user completes flow. We can attach this to redirect_url or send as webhooks
{
status: "successful"
ConsentID: "65f82acd00000003aa9028d",
code: "code_jsdnjsbfssfissj",

}


We can map the consent request to the user using the “customerID”.

For users with the mobile app:

  1. Push notification requesting their consent

  2. Redirect them to a screen in the app that brings up 2FA (OTP + face verification)

  3. On successful verification, the following will be displayed for the user to review:

    1. Details of the client requesting consent

    2. Permissions granted to the client

  4. The user can click a button to approve the consent request

  5. Unhappy path: The user can also reject a consent request

For users with USSD

  1. Dial a shortcode to grant approval for approve the pending consent request

  2. Enter your passcode to confirm consent

For users without access to digital channel

Generate a consent link for the users

  1. Redirect them to a widget that brings up 2FA (OTP or face verification)

  2. On successful verification, the following will be displayed for the user to review:

    1. Details of the client requesting consent

    2. Permissions granted to the client

  3. The user can click a button to approve the consent request

  4. Unhappy path: The user can also reject a consent request

Step 4: Exchange Authorization Token

Get a permanent token for customer consent

Code Block
languagenone
Endpoint: /auth/token
Method: POST
Payload: 
{
 grant_type: "auth_code",
 expires_in: "60000"// in ms
 code: "code_jsdnjsbfssfissj", // code from user consent step
 clientID: "109130" // client that is requesting access
}

Step 5: Query the API

Use the authorization token gotten for the user’s account from previous step to call the API, to either update or return customer information

Consent management for payments

What does success look like?

...