Moniepoint Consent Management [WIP]

What is consent management?

Consent management allows internal and external services to access users' accounts and carry out actions on them with the users' consent.

*Maker-checker: One party initiates a request, and the other party approves the request.

 

Why do we need a consent management system?

  1. Enhanced financial transparency and trust

  2. Improved customer experience

  3. Improved compliance and security

How do we manage consent today?

Proposed solution

  1. Consent Management APIs: APIs to allow clients to get customer consent before carrying out actions on their account

  2. [Phase 2] Consent management dashboard: A platform for compliance and support leaders to monitor and audit consent management.

Consent Management APIs

Overview

Two types of actions can be carried out on a customer account by a client:

  1. Account Operations

  2. Payment Operations

Types of clients

Internal

  1. Moniedesk

  2. Backoffice

  3. BRM dashboard

  4. PRM dashboard

External (Third-party providers)

  1. Bill payment for standing orders

  2. Lending companies

  3. NIBSS

 

 

Process for getting consent

  1. Register a client

  2. Create an access token

  3. Create a consent

  4. User Flow

  5. Exchange Authorization Token

  6. Query the API

Step 0: Register a client

To register a client, we need the following information:

  1. ClientID: This is a unique identifier for the client

  2. Scope: This can be account or payments or both

  3. RedirectURL: This allows us to redirect the user after they have given the client consent.

 


Step 1: Create an Access Token

Endpoint: /auth/token
Method: POST
Payload:

    {
      grant_type: "client_credentials",
      scope: [account],    // can be accounts or payments or both
      clientID: "109130"   // client that is requesting access
    }

Response:

    {
      status: "successful",
      "access_token": "xxx-sdffs-ffsfsf",
      "expires_in": "6000",
      "scope": "accounts"
    }

Step 2: Create a Consent

Consent management for Account operations

This allows a client to access user account information. The client must also have permission to access the information based on the list below:

Permission                   | Who can access
-----------------------------+----------------
ReadAccountsBasic            |
ReadAccountsDetail           |
ReadBalances                 |
ReadBeneficiariesBasic       |
ReadBeneficiariesDetail      |
ReadDirectDebits             |
ReadScheduledPaymentsBasic   |
ReadScheduledPaymentsDetail  |
ReadStandingOrdersBasic      |
ReadStandingOrdersDetail     |
ReadTransactionsBasic        |
ReadTransactionsCredits      |
ReadTransactionsDebits       |
ReadTransactionsDetail       |
UpdateAccountDetail          |
UpdateAccountStatus          |


Endpoint: /request-consent
Method: POST
Authorization: Bearer xxx-sdffs-ffsfsf   // token from previous step
Payload:

    {
      Permissions: [ReadAccountsDetail, ReadBalances]
    }

Step 3: User Flow

Trigger the user flow with the consent ID.

We can map the consent request to the user using the “customerID”.

For users with the mobile app:

  1. Push notification requesting their consent

  2. Redirect them to a screen in the app that brings up 2FA (OTP + face verification)

  3. On successful verification, the following will be displayed for the user to review:

    1. Details of the client requesting consent

    2. Permissions granted to the client

  4. The user can click a button to approve the consent request

  5. Unhappy path: The user can also reject a consent request

 

For users with USSD:

  1. Dial a shortcode to approve the pending consent request

  2. Enter your passcode to confirm consent

 

For users without access to a digital channel:

Generate a consent link for the user, then:

  1. Redirect them to a widget that brings up 2FA (OTP or face verification)

  2. On successful verification, the following will be displayed for the user to review:

    1. Details of the client requesting consent

    2. Permissions granted to the client

  3. The user can click a button to approve the consent request

  4. Unhappy path: The user can also reject a consent request

 

Step 4: Exchange Authorization Token

Get a permanent token for customer consent

 

 

Step 5: Query the API

Use the authorization token obtained for the user’s account in the previous step to call the API, to either update or return customer information.
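The six steps above as a minimal in-memory model, added here as an example and not part of the Moniepoint design. It enforces the checks the flow implies at each step: a client token carries only registered scopes, a consent may only request permissions inside that scope, only the mapped customer can approve or reject, the exchange succeeds only for an approved consent and the requesting client, and a query is limited to the permissions granted. The customer_id parameter, the grouping of permissions into the accounts/payments scopes, and all method names are assumptions.

```python
import secrets
# Permissions from the page's table; which scope each belongs to is an assumption.
SCOPE_PERMS = {
    "accounts": {"ReadAccountsBasic", "ReadAccountsDetail", "ReadBalances", "UpdateAccountStatus"},
    "payments": {"ReadDirectDebits", "ReadStandingOrdersBasic", "ReadScheduledPaymentsBasic"},
}

class ConsentServer:
    def __init__(self, clients):
        self.clients = clients   # Step 0: clientID -> registered scopes
        self.access_tokens = {}  # Step 1: client token -> (clientID, scopes)
        self.consents = {}       # Steps 2-3: consentID -> record with status
        self.auth_tokens = {}    # Step 4: consent-bound token -> consentID
    def create_access_token(self, client_id, scopes):
        if not set(scopes) <= self.clients[client_id]:  # only registered scopes are issued
            raise PermissionError("scope not registered for client")
        self.access_tokens[(token := secrets.token_urlsafe(16))] = (client_id, set(scopes))
        return token
    def request_consent(self, token, customer_id, permissions):
        client_id, scopes = self.access_tokens[token]
        allowed = set().union(*(SCOPE_PERMS[s] for s in scopes))
        if not set(permissions) <= allowed:  # every permission must fall inside the token's scope
            raise PermissionError("permission outside token scope")
        cid = secrets.token_hex(8)
        self.consents[cid] = {"client": client_id, "customer": customer_id,
                              "perms": frozenset(permissions), "status": "pending"}
        return cid
    def decide(self, consent_id, customer_id, approve):
        c = self.consents[consent_id]
        if c["customer"] != customer_id or c["status"] != "pending":  # only the mapped customer
            raise PermissionError("not this customer's pending consent")
        c["status"] = "approved" if approve else "rejected"
    def exchange(self, token, consent_id):
        client_id, _ = self.access_tokens[token]
        c = self.consents[consent_id]
        if c["client"] != client_id or c["status"] != "approved":  # approved, same client only
            raise PermissionError("consent not approved for this client")
        self.auth_tokens[(auth := secrets.token_urlsafe(16))] = consent_id
        return auth
    def query(self, auth_token, permission):
        c = self.consents[self.auth_tokens[auth_token]]
        if permission not in c["perms"]:  # Step 5: only what the customer granted
            raise PermissionError("permission not granted by consent")
        return {"customer": c["customer"], "permission": permission}
def denied(fn, *args):
    try:  # helper for the checks below: True when the server refuses the call
        fn(*args)
    except PermissionError:
        return True
    return False
```

A rejected or still-pending consent never yields an authorization token, and an approved one cannot be re-decided, so a client holding only its own access token gets nothing without the customer's approval.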

 

 

Consent management for payments

 

 

 

What does success look like?


Business Case & Justification

What is the value delivered when we introduce consent management?

 

Do we currently have any metrics to support this?

[In progress: What is the current experience for compliance and how does this affect the user experience? Do people drop off from support if they’re unable to get required compliance information to carry out sensitive actions? How many?]

 

Who will use this consent management?

Users

  1. Moniepoint users with banking app

  2. Moniepoint users with feature phones

  3. Moniepoint users without access to digital channels (at Kiosks or via their PRM/BRM)

Clients

Internal

  1. Moniedesk

  2. Backoffice

  3. BRM dashboard

  4. PRM dashboard

External (Third-party providers)

  1. Bill payment for standing orders

  2. Lending companies

  3. NIBSS

 

 
