Understanding User Consent and Non-Consent Data in Fintech Businesses

Nadiva Aliyya Aryaputri
Brick — Financial API
5 min read · Apr 8, 2021


(Source: Simplilearn)

The rise of fintech and the digital transformation of finance comes with massive data sharing between parties. Data sharing is not new within the fintech business, but its implementation has always been an interest of its own. When talking about data sharing, user or customer consent has always been a top concern, because of how the data itself is treated and because questions like “did the user agree to this?” or “what is my data being used for?” come to mind.

Quoting from the EU’s General Data Protection Regulation (GDPR), Article 4, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Additionally, taking another example and continuing from the previous article about regulators in Indonesia, we take a look at their Information and Transaction Bill. It concludes that those who purposely and without the right distribute certain electronic documents of other parties shall be fined accordingly.

Without going into too much detail on the interpretation of both bills, they clearly explain how consent and affirmation are given by the data owner, which in the fintech context is the user themselves. Without going too deep into topics like illusory consent or data leaks, this article will try to cover the outer layer of data consent in fintech, starting from implementation examples, types of consent for data sharing, and important things that we probably should pay attention to.

How Fintech Implements Data Consent

Consent relates closely to data privacy. Westin, in his book Privacy and Freedom, defines privacy as “a claim of individuals or groups to determine themselves when, how, and to what extent information about them is communicated to others”. While the definition of privacy is fairly broad, in fintech businesses the sharing of personal financial information enables an action related to a certain digital financial service to be completed.

Take a look at the user onboarding process, for example. At the first direct touch point between the user and a fintech app, important personal documents such as an identity card, bank account information, and others are typically retrieved by the fintech app by asking the user directly. In line with consent, the fintech app would then ask whether the user agrees to all privacy policies before submitting the KYC documents.

Fintechs also serve their users as third-party providers (TPPs), whereby a fintech is authorized to retrieve user data from financial institutions, like banks, when the user agrees to do so. Examples of how this looks in different fintech verticals are when a user initiates a direct payment from their bank account to an e-commerce merchant, or when a user agrees for their historical transactions to be read by a robo-advisory platform in order to analyze their financial health.

Consent Management Flow (Source: WSO2 2019)

Compliance with data sharing regulations and giving assurance to users are the main reasons consent is so important within fintech businesses. Taking another example from Indonesia’s regulatory body, Otoritas Jasa Keuangan (OJK), POJK Number 1/POJK.07/2013 and SEOJK Number 14/SEOJK.07/2014 stipulate that all business players in the financial sector are prohibited from providing personal data and/or information on their consumers to third parties. This prohibition is exempted only under certain conditions: the consumer provides written consent, and/or it is obligated by laws and regulations. Moreover, initiatives like Open Banking also bring new protection bills specifically for open and financial data APIs, such as the first regulation related to Open Banking, the Payment Services Directive 2 (PSD2).

Existence of Non-Consent Data

With rapid digital finance transformation across regions, more advanced innovations like Open Banking (open APIs, financial data APIs, transaction APIs, etc.) enable data sharing for TPPs, like fintechs, for instant verification and authentication processes. What may not be noticeable is that some of these processes do not require users to give end-user consent each time the process happens, which is what we call non-consent data.

Imagine this scenario: a user tries to register for a certain fintech app. The fintech app asks for the user’s phone number for authentication purposes. Without anything explicitly appearing in the interface, the fintech app then instantly checks whether the phone number is registered or not with the help of an API. During the API call and authentication process, the fintech app retrieves data from the data source, in this scenario a telco, to validate the authenticity of the user’s phone number.

“How is this made possible?” “Does this mean it overrides consent?” Data sharing between institutions and fintechs, of course, requires more time to regulate how non-consent data sharing operates. While the concept supports the idea of financial transformation with respect to customer consent, the data itself needs to be treated responsibly by TPPs. According to Brick’s page, types of non-consent data may become available from non-banking institutions as well, such as telcos, fiscal bodies, and others. One other thing to highlight: it may be called non-consent data, but that does not mean it has zero user consent to it.
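As an added illustration of the consent checks described in the TPP data-retrieval and non-consent-data passages above (example code, not Brick’s or any regulator’s), the registry below allows access to a data scope only on one of the bases the article names: a specific, purpose-bound user consent, the onboarding privacy-policy acceptance that backs verification checks which need no per-request prompt, or a legal obligation. The scope names, validity periods and user ids are constructed assumptions, and every decision, allowed or refused, is written to an audit log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed scope names: PER_REQUEST needs purpose-bound consent; onboarding acceptance backs verification checks.
PER_REQUEST = {"transaction_history", "bank_account", "identity_document"}
ONBOARDING_COVERED = {"phone_number_check"}

@dataclass
class Consent:
    user_id: str
    scope: str             # to what extent
    purpose: str           # how the data will be used
    granted_at: datetime   # when
    expires_at: datetime
    method: str            # e.g. "in-app affirmative action", "written"

@dataclass
class ConsentRegistry:
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # every decision, allowed or refused

    def grant(self, consent):
        self.records.append(consent)

    def _active(self, user_id, scope, now, purpose=None):
        return any(r.user_id == user_id and r.scope == scope
                   and (purpose is None or r.purpose == purpose)
                   and r.granted_at <= now < r.expires_at for r in self.records)

    def authorize(self, user_id, scope, purpose, now, legal_obligation=False):
        """Return (allowed, basis); basis is None when the request is refused."""
        basis = None
        if legal_obligation:                       # the regulatory exemption
            basis = "legal_obligation"
        elif scope in ONBOARDING_COVERED and self._active(user_id, "privacy_policy", now):
            basis = "onboarding_consent"           # no per-request prompt, but not zero consent
        elif scope in PER_REQUEST and self._active(user_id, scope, now, purpose):
            basis = "specific_consent"
        self.audit_log.append((now, user_id, scope, purpose, basis))
        return basis is not None, basis

def demo_registry():
    # Constructed sample: one onboarding consent and one purpose-bound consent for user u1.
    t0 = datetime(2021, 4, 8, tzinfo=timezone.utc)
    reg = ConsentRegistry()
    reg.grant(Consent("u1", "privacy_policy", "account_registration", t0,
                      t0 + timedelta(days=365), "in-app affirmative action"))
    reg.grant(Consent("u1", "transaction_history", "financial_health_analysis", t0,
                      t0 + timedelta(days=90), "in-app affirmative action"))
    return reg, t0
```

A request for the same scope under a different purpose, or after the consent has expired, is refused and still logged, which is the record a user or regulator would ask for when checking when, how and to what extent data was shared.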

Things to Pay Attention to: A Conclusion

To wrap up this article, these are some important points that should be addressed by users, fintechs, and perhaps regulators about consent, privacy, and data sharing within the financial ecosystem.

  • Consent in data sharing is something that is given by the owners of the data themselves (the users).
  • TPPs or fintechs need to inform users transparently about when, how, and to what extent their personal information will be used. Stewardship and responsibility are things TPPs should be held accountable for.
  • While most data consent is informed, users also need to take extra steps to acknowledge their rights and needs in the context of personal data sharing.
  • With the rise of innovation and digital transformation, regulators are expected to accommodate the changes by issuing data protection bills specifically for financial services.

Marketing at Brick (Financial Data APIs). Writing all things about financial inclusion and open finance!