10.1 Key Principles
Overview
Open Finance is built on trust. Consent is the mechanism that places users in control of how their financial data is shared – ensuring that data flows only happen with explicit, informed, and auditable user approval. Therefore it must be secure, user-friendly, and enforceable across all participants.
Importance of a Consent Framework
Security: Consent ensures that only authorised parties can access sensitive financial data.
Trust & Transparency: Users know who is accessing their data, for what purpose, and for how long.
Interoperability: Standardized consent flows create a common trust foundation between Data Providers (DPs) and Data Consumers (DCs).
Key Actors in the Ecosystem Towards Building Trust
Key Actors | What They Do | Responsibilities Related to Consent Framework |
|---|---|---|
Data Owner | Grants, manages, or revokes consent for data sharing. | Users retain full transparency and control over their data sharing, with the ability to view and revoke consents at any time |
Data Consumer | Third-party app/service requesting access to user's data for the approved purposes. | Provides innovative open finance use cases, acquires end user, initiates consent, displays customer financial data, enables customer to revoke consent |
Data Provider | Financial institution holding user data; validates consent request and shares data. | Holds end user financial data, authenticate & authorize user, shares encrypted data based on consent scopes, |
PayNet Open Finance Platform | Central operator owning and managing the Open Finance platform and operating model |
|
Key Principles Guiding the Consent Framework
The consent framework is critical for Open Finance to ensure it is built from a position of Trust from Day 1 by adhering to the key principles below.
Key Principles | Description |
|---|---|
User-Centric Control | Consent must be voluntary, informed, and revocable at any time, governed through defined user journey flows. |
Purpose Limitation | Data can only be used for the specific, clearly stated purpose consented to by the user. |
Data Minimisation | Only the minimum necessary data should be requested and shared. |
Granularity | Users should be able to choose which specific accounts to consent to. |
Transparency | Consent flows must clearly explain what data is shared, with whom, for what purpose, and for how long. |
Time-Bound Validity | All consents must have a defined expiry period. Any extensions will require fresh consent to be given. |
Auditability | A tamper-proof record of all consent actions (granted, updated, revoked) must be maintained. |
Security & Authentication | Consent must be authenticated using secure methods (e.g. multi-factor), leveraging DP’s app per BNM RMIT guidelines. |
Interoperability | Consent flows should work across DPs and DCs, enabled by the PayNet Open Finance Platform to support cross-platform sharing. |
Regulatory Compliance | Framework must comply with national regulations and standards (e.g. BNM MCIPD, RMIT, PDPA). |
Not finding the help you need?