
Consent is a customer's clear and informed permission for your application to access and use their data for a specific purpose.

In open banking and related data-sharing ecosystems, consent is the legal and operational basis that allows data to be shared. Without valid consent, customer data should not be collected, used or disclosed.

A useful way to think about consent is that it is an agreement between the customer and your application. The customer is not giving unlimited access. They are agreeing to a defined request, for a defined purpose, for a defined period of time.


Before you start

Before designing or launching a consent journey, make sure you understand:

  • who is requesting access to the data
  • what data is being requested
  • why the data is needed
  • how long access is required
  • how the data will be handled
  • how the customer can revoke consent

These are the core elements of a trustworthy and compliant consent experience.

Consent is the customer's permission for your application to access their data.

That permission must be:

  • explicit
  • informed
  • limited in scope
  • limited in duration
  • able to be withdrawn

This means the customer should always understand what they are agreeing to and should remain in control of that decision.

Consent matters because it:

  • protects customer choice and control
  • ensures data access happens for a known and agreed purpose
  • supports compliance with applicable standards and regulations
  • builds trust between the customer, your application and the data holder

Without valid consent, data sharing cannot proceed.

Detailed overview

Consent is more than a technical step in an integration flow. It is the control mechanism that sits between your application, the customer and the data holder.

When a customer grants consent, they are agreeing to a specific data-sharing arrangement. That arrangement usually includes:

  • the identity of the partner or application requesting access
  • the categories of data being requested
  • the purpose for which the data will be used
  • the period for which access is granted
  • the way the data will be stored, handled and protected
  • the method the customer can use to revoke access

This is important because consent is not intended to be broad or open-ended. It should be tied to a genuine use case and presented in a way the customer can understand.

In practical terms, a valid consent allows your application to begin retrieving the approved data only after the customer has completed the consent journey successfully.

Wych supports two broad approaches to requesting customer consent.

Hosted consent journey

Wych provides an out-of-the-box hosted consent journey.

This is a compliant, brandable connection experience managed by Wych. It is suitable for most businesses that want to move quickly without building and maintaining their own consent interface.

In a hosted journey, you direct the customer to a dedicated connection experience where they can:

  1. select their bank or data provider
  2. review the consent request
  3. be redirected to the data provider
  4. authenticate with that provider
  5. authorise access
  6. return so the connection can be completed

Embedded or custom journey

Wych can also support a more embedded or customised approach, where your application presents more of the consent experience directly.

This gives you more control over the user experience, but it also places more responsibility on your implementation to align with the relevant standards and customer experience expectations.

What Wych captures during setup

When you configure your application in the Wych Partner Portal, Wych captures key details required for the consent request.

This can include information such as:

  • application identity
  • branding
  • product details
  • privacy policy information
  • consent settings
  • environment configuration

This setup allows you to move more quickly into requesting consent without having to build every part of the compliance and presentation layer from scratch.

Standards alignment

Depending on your market and implementation, consent journeys may need to align with standards and customer experience guidance such as:

Wych helps reduce the implementation burden by providing hosted patterns and configurable application settings that support these journeys.

Once consent has been granted successfully, your application can use the approved connection to retrieve the permitted data.

At that point, you should still ensure that:

  • the consent is active
  • access remains within the granted scope
  • the consent has not expired or been revoked
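The checks above (consent active, access within the granted scope, not expired or revoked) are the enforcement point that should sit in front of every data retrieval, not just the first one. The following is an added example, not Wych's own code or API: it models a consent record carrying the elements listed earlier (requesting application, data categories, purpose, validity period, revocation) and refuses a retrieval whenever any of those checks fails. All field names, the `ConsentStatus` values and the sample consent are assumptions constructed for the example.

```python
"""Consent enforcement gate (added example; field names and statuses are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, FrozenSet, Iterable, List, Optional


class ConsentStatus(Enum):
    PENDING = "pending"   # journey started, customer has not yet authorised
    ACTIVE = "active"     # authorised and the connection was completed
    REVOKED = "revoked"   # withdrawn by the customer
    EXPIRED = "expired"   # validity period has ended


@dataclass
class Consent:
    # Assumed field names for this example, not a Wych schema.
    consent_id: str
    application_id: str      # who is requesting access
    data_holder: str         # the bank or data provider
    scopes: FrozenSet[str]   # what data categories were agreed
    purpose: str             # why the data is needed
    granted_at: datetime
    expires_at: datetime     # how long access is required
    status: ConsentStatus = ConsentStatus.PENDING
    revoked_at: Optional[datetime] = None

    def complete_journey(self) -> None:
        """Final journey step: the customer returned and the connection is completed."""
        if self.status is ConsentStatus.PENDING:
            self.status = ConsentStatus.ACTIVE

    def revoke(self, when: datetime) -> None:
        """The customer withdraws consent; data access must stop from this point."""
        self.status = ConsentStatus.REVOKED
        self.revoked_at = when


class ConsentError(PermissionError):
    """Raised when a retrieval is attempted outside a valid consent."""


def consent_denial_reasons(consent: Consent, application_id: str,
                           requested_scopes: Iterable[str], now: datetime) -> List[str]:
    """List every reason the access must be refused; an empty list means it is allowed."""
    reasons: List[str] = []
    if consent.application_id != application_id:
        reasons.append("consent was granted to a different application")
    if consent.status is ConsentStatus.PENDING:
        reasons.append("consent journey not completed")
    if consent.status is ConsentStatus.REVOKED:
        reasons.append("consent revoked")
    if consent.status is ConsentStatus.EXPIRED or now >= consent.expires_at:
        reasons.append("consent expired")
    out_of_scope = sorted(set(requested_scopes) - consent.scopes)
    if out_of_scope:
        reasons.append("outside granted scope: " + ", ".join(out_of_scope))
    return reasons


def retrieve_with_consent(consent: Consent, application_id: str, requested_scopes: Iterable[str],
                          now: datetime, retrieve: Callable[[List[str]], dict]) -> dict:
    """Gate a data retrieval on the consent checks; `retrieve` is the actual data call."""
    scopes = list(requested_scopes)
    reasons = consent_denial_reasons(consent, application_id, scopes, now)
    if reasons:
        raise ConsentError("; ".join(reasons))
    return retrieve(scopes)


def demo() -> dict:
    """Constructed sample consent exercised through its lifecycle."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    consent = Consent(
        consent_id="consent-demo-1", application_id="app-demo",
        data_holder="example-bank", scopes=frozenset({"accounts", "balances"}),
        purpose="affordability assessment", granted_at=t0,
        expires_at=t0 + timedelta(days=90),
    )
    fake_retrieve = lambda scopes: {s: "<data>" for s in scopes}  # stands in for the real call
    results = {}
    results["before_completion"] = consent_denial_reasons(consent, "app-demo", ["accounts"], t0)
    consent.complete_journey()
    results["in_scope"] = retrieve_with_consent(consent, "app-demo", ["accounts"], t0, fake_retrieve)
    results["out_of_scope"] = consent_denial_reasons(consent, "app-demo", ["transactions"], t0)
    results["after_expiry"] = consent_denial_reasons(consent, "app-demo", ["accounts"], t0 + timedelta(days=91))
    consent.revoke(t0 + timedelta(days=10))
    results["after_revocation"] = consent_denial_reasons(consent, "app-demo", ["accounts"], t0 + timedelta(days=11))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The gate returns every failing check rather than the first one, so a denied request can be logged with its full reason set; the time of the request is passed in explicitly so expiry can be evaluated deterministically and tested without waiting on the clock.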

Next step

Continue to the consent journey guide that matches your implementation, such as a hosted or embedded consent flow.