What is consent management?

Consent management allows internal and external services to access user's accounts to carry out actions with their consent.

^{*Maker-checker: One party initiates a request, and the other party approves the request.}

Why do we need a consent management system?

1. Enhanced financial transparency and trust

2. Improved customer experience

3. Improved compliance and security

How do we manage consent today?

What solution do we propose?

1. Consent Management APIs: APIs to allow clients to get customer consent before carrying out actions on their account

2. [Phase 2]Consent management dashboard: A platform for compliance and support leaders to monitor and audit consent management.

Consent Management APIs

Overview

Two types of actions can be carried out on a customer account by a client:

1. Account Operations

2. Payment Operations

Types of clients

Internal

1. Moniedesk

2. Backoffice

3. BRM dashboard

4. PRM dashboard

External (Third-party providers)

1. Bill payment for standing orders

2. Lending companies

3. NIBSS

Process for getting consent

0. Register a client

1. Create an access token

2. Create a consent

3. User Flow

4. Exchange Authorization Token

5. Query the API

Step 0: Register a client

To register a client we need the following information.

1. ClientID: This is a unique identifier for the client

2. Scope: This can be account or payments or both

3. RedirectURL: This allows us to redirect the user after they have given client consent.

Step 1: Create an Access Token

Endpoint: /auth/token
Method: POST
Payload: 
{
 grant_type: "client_credentials",
 scope: [account], // can be accounts or payments or both
 clientID: "109130" // client that is requesting access
}

Response
{
    status: "successful"
    "access_token": "xxx-sdffs-ffsfsf",
    "expires_in": "6000",
    "scope": "accounts"
}

Step 2: Create a Consent

Consent management for Account operations

This allows a client to access user account information. The client must also have permission to access the information based on the list below:

Endpoint: /request-consent
Method: POST
Authorization: Bearer xxx-sdffs-ffsfsf  //token from previous step
Payload: 
{
Permissions: [ReadAccountsDetail, ReadBalances]
}

Response
{
 status: "pending" //waiting for user consent,
 consentID: "65f82acd00000003aa9028d"
}

Step 3: User Flow

Generate user flow with the consent ID

Endpoint: /consent/initiate
Method: POST
Authorization: Bearer xxx-sdffs-ffsfsf  //token from previous step
Payload: 
{
ConsentID: "65f82acd00000003aa9028d", // to identify consent
scope: "accounts", //or payments
redirect_url: "https://reddit.com/redirect",
clientID: "109130",
meta: {
},
customerID: 188292 // Moniepoint user ID

}

Response
{
status: "successful"
ConsentID: "65f82acd00000003aa9028d",
code: "code_jsdnjsbfssfissj",

}

We can map the consent request to the user using the “customerID”.

For users with the mobile app:

1. Push notification requesting their consent

2. Redirect them to a screen in the app that brings up 2FA (OTP + face verification)

3. On successful verification, the following will be displayed for the user to review:

   1. Details of the client requesting consent

   2. Permissions granted to the client

4. The user can click a button to approve the consent request

5. Unhappy path: The user can also reject a consent request

For users with USSD

1. Dial a shortcode to grant approval for pending consent request

2. Enter your passcode to confirm consent

For users without access to digital channel

Generate a consent link for the users

1. Enter username and password

2. Redirect them to a widget that brings up 2FA (OTP or face verification)

3. On successful verification, the following will be displayed for the user to review:

   1. Details of the client requesting consent

   2. Permissions granted to the client

4. The user can click a button to approve the consent request

5. Unhappy path: The user can also reject a consent request

Step 4: Exchange Authorization Token

Get a permanent token for customer consent

Endpoint: /auth/token
Method: POST
Payload: 
{
 grant_type: "auth_code",
 expires_in: "60000"// in ms
 code: "code_jsdnjsbfssfissj", // code from user consent step
 clientID: "109130" // client that is requesting access
}

Step 5: Query the API

Use the authorization token gotten for the user’s account from previous step to call the API, to either update or return customer information

Consent management for payments

What does success look like?

What is the value delivered when we introduce consent management?

Do we currently have any metrics to support this?

[In progress: What is the current experience for compliance and how does this affect the user experience? Do people drop off from support if they’re unable to get required compliance information to carry out sensitive actions? How many?]

Who will use this consent management?

Users

1. Moniepoint users with banking app

2. Moniepoint users with feature phones

3. Moniepoint users without access to digital channels (at Kiosks or via their PRM/BRM)

Clients

Internal

1. Moniedesk

2. Backoffice

3. BRM dashboard

4. PRM dashboard

External (Third-party providers)

1. Bill payment for standing orders

2. Lending companies

3. NIBSS

Clearly define the features that will answer user questions about consent management

APIs

1. Initiate consent request

2. Approve consent request

3. Reject consent request

4. Revoke consent request

5. Get all consent requests

6. Get all approvals

7. Bulk approve and reject

8. RBAC

Dashboard

1. RBAC

2. Audit logs

3. UI for APIs

4. View consent data

Figma and any other design artefacts go here

When does this ship and what milestones?

ETA: Q4 2024?

JTBD

1. Confirm all platforms that need access to Consent management

2. Confirm all users that will have access to consent management

   1. Break this down by authority

External

Internal