Authorisation and consent are central to the Consumer Data Right (CDR). Accredited Data Recipients (ADRs) and Data Holders (DHs) must obtain consent from the consumer before sharing consumer data.
Data Holder (DH), Accredited Data Recipient (ADR) and Customer (consumer) are defined as part of the Consumer Data Standards (CDS). See CDS CDR federation.
Strict standards apply for authentication of all parties involved in sharing of consumer data. There are stringent requirements for maintaining the security of transactions.
CDR information security builds upon the foundations of the Financial-grade API Read Write Profile (FAPI-RW) and other standards relating to OpenID Connect 1.0 (OIDC). The proposed authentication flow is the redirect with one-time password (OTP) model. See CDS Security Profile, Authentication flows.
CDR authentication, consent and transaction security all depend on OIDC standards. The authorisation request object, scopes and claims referred to in the CDS are defined in the OIDC standards.
For details of the consent sequence, see Consent sequence diagrams.
For DSB videos on consent, see Consent Flow Part 1 and Consent Flow Part 2.
Authentication
The DH authenticates a Customer as part of an authorisation process initiated by an ADR, and issues an authorisation for that ADR to access the Customer's data via published APIs. The DH must maintain an Authorisation end point for this purpose.
When DHs call ADR APIs, the DH authenticates itself with a signed JWT.
When ADRs call DH APIs, the ADR authenticates itself with a signed JWT.
See:
Transaction security
Digital certificates required for DH and ADR authentication are issued and managed by the CDR Register Certificate Authority. See CDS Transaction security.
Authorisation
When an authenticated Customer provides a specific consent, the ADR is authorised to receive the specified Customer data from the DH.
Consent
To obtain consent to share data, both ADRs and DHs must provide a dashboard that allows the Customer to provide consent for specific data to be shared. See CDR Rules subdivision 1.4.3, sections 1.14 and 1.15.
A Customer consent applies to specific Customer data. The CDR Rules require that the Customer must be fully informed regarding the data that is shared according to the consent.
Consent details are communicated between the ADR and DH via the OIDC authorisation request object. Consent details are specified in the form of OIDC scopes and claims.
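The following added example (not from this page or the CDS) sketches what the OIDC authorisation request object carrying consent details looks like, and the checks a DH can run on it before honouring it. Scope names, the `sharing_duration` and `cdr_arrangement_id` claim names, the one-year duration policy and the one-hour lifetime limit are this example's assumptions; the object is shown as the unsigned JWT payload, with signing and the push to the DH omitted.

```python
import time

# Constructed, illustrative scope set a DH might accept. Real CDR scope
# names come from the CDS authorisation scopes, not from this example.
ALLOWED_SCOPES = {
    "openid", "profile",
    "bank:accounts.basic:read", "bank:accounts.detail:read",
    "bank:transactions:read",
}
MAX_SHARING_DURATION = 365 * 24 * 3600   # assumed DH policy: one year
MAX_REQUEST_LIFETIME = 3600              # assumed: exp - nbf at most one hour


def build_request_object(client_id, redirect_uri, scopes, sharing_duration,
                         state, nonce, arrangement_id=None, now=None):
    """ADR side: assemble the request object payload (before JWT signing).

    Consent is expressed as OIDC scopes plus claims; the assumed claim
    names here are sharing_duration and, when amending, cdr_arrangement_id.
    """
    now = int(now if now is not None else time.time())
    claims = {"sharing_duration": sharing_duration}
    if arrangement_id is not None:
        claims["cdr_arrangement_id"] = arrangement_id
    return {
        "iss": client_id,
        "client_id": client_id,
        "response_type": "code id_token",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "nbf": now,
        "exp": now + 300,
        "claims": claims,
    }


def validate_request_object(obj, registered_redirects, now=None):
    """DH side: reject anything outside the consent the DH is able to grant.

    Returns (ok, problems). Signature verification of the JWT is assumed to
    have happened already and is not shown.
    """
    now = int(now if now is not None else time.time())
    problems = []
    required = ("client_id", "redirect_uri", "scope", "state",
                "nonce", "nbf", "exp", "claims")
    for field in required:
        if field not in obj:
            problems.append(f"missing {field}")
    if problems:
        return False, problems
    # Time window: the object must be current and short-lived.
    if not (obj["nbf"] <= now < obj["exp"]):
        problems.append("request object outside nbf/exp window")
    if obj["exp"] - obj["nbf"] > MAX_REQUEST_LIFETIME:
        problems.append("request object lifetime too long")
    # redirect_uri must be one the client registered, never taken on trust.
    if obj["redirect_uri"] not in registered_redirects:
        problems.append("redirect_uri not registered for client")
    # Scopes: openid is mandatory and nothing outside the allowed set.
    scopes = set(obj["scope"].split())
    if "openid" not in scopes:
        problems.append("openid scope missing")
    unknown = scopes - ALLOWED_SCOPES
    if unknown:
        problems.append("unknown scopes: " + ", ".join(sorted(unknown)))
    # sharing_duration must be a non-negative integer within DH policy.
    sd = obj["claims"].get("sharing_duration")
    if not isinstance(sd, int) or isinstance(sd, bool) or sd < 0 \
            or sd > MAX_SHARING_DURATION:
        problems.append("sharing_duration invalid or exceeds policy")
    return not problems, problems
```

The validator deliberately reports every problem rather than stopping at the first one, which makes it easier to log why an authorisation request was refused.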
See the CX Guidelines Consent chapter for guidelines on the customer dashboard consent interface.
A customer can provide multiple consents, each related to sharing a different set of data. See Concurrent consent below.
Changing or amending consent
A consent cannot be changed. To achieve the effect of changing a consent, the existing consent is revoked and a new consent is created, linked to the revoked one via a common arrangement ID. This process is often referred to as 'amending consent' in CDR discussions.
The CX guidelines provide for a consent edit button on the ADR dashboard.
See CDS Identifiers and Types, CDR Arrangement ID.
Because it is technically a new OAuth consent, the amended consent can differ from the original in every aspect or in a single attribute. For example, a consumer may simply change the duration of the consent.
When a consent is amended, the method of signifying the change is at the Data Holder's discretion. See CDS Amending Authorisation Standards.
To associate the new consent with the existing arrangement, the ADR sends a Pushed Authorisation Request (PAR) that carries the arrangement ID.
Withdrawing consent
A Customer can withdraw consent, using either the DH or ADR dashboard. See CDR Rules subdivision 4.3.2, section 4.11(3)(g).
When a consumer withdraws consent at the DH dashboard, the DH should attempt to inform the ADR.
When a consumer withdraws consent at the ADR dashboard, the ADR should attempt to inform the DH.
In some cases an outage or other event may prevent an ADR or DH communicating withdrawal of consent. It is the responsibility of the ADR and the DH to ensure that consent is current before sharing data. See Maintaining synchronisation of consents after outages.
The DH maintains records of withdrawals of authorisations in accordance with CDR Rules, Part 9, subdivision 9.3.1 - Reporting and record keeping, section 9.3(1)(b).
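As an added example (not from this page, the CDR Rules or the CDS), the consent ledger below models the two preceding sections together: amending as revoke-plus-create under a common arrangement ID, withdrawal with an attempt to notify the counterparty, a record of withdrawals, and a check that a consent is still current before any data is shared. The class and field names, the `notify` callback and the retry queue used when the counterparty cannot be reached are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Consent:
    consent_id: str
    arrangement_id: str
    scopes: frozenset
    created_at: int
    expires_at: int
    status: str = "active"            # "active" or "revoked"
    supersedes: Optional[str] = None  # consent this one replaced when amended


class ConsentLedger:
    """Consent store as an ADR or DH might keep one (constructed example)."""

    def __init__(self):
        self.consents = {}
        self.withdrawal_log = []         # record keeping of withdrawals
        self.pending_notifications = []  # arrangements the counterparty has not been told about

    def create(self, consent_id, arrangement_id, scopes, sharing_duration, now):
        c = Consent(consent_id, arrangement_id, frozenset(scopes),
                    now, now + sharing_duration)
        self.consents[consent_id] = c
        return c

    def amend(self, old_id, new_id, scopes, sharing_duration, now, notify):
        """Amending = revoke the old consent, create a new one under the same
        arrangement ID, and link the new one back to the old."""
        old = self.consents[old_id]
        self.withdraw(old_id, now, notify, reason="amended")
        new = self.create(new_id, old.arrangement_id, scopes, sharing_duration, now)
        new.supersedes = old_id
        return new

    def withdraw(self, consent_id, now, notify, reason="withdrawn"):
        """Revoke locally first, record it, then try to tell the other party.
        If the counterparty is unreachable (simulated by ConnectionError),
        keep the arrangement queued for a later retry."""
        c = self.consents[consent_id]
        c.status = "revoked"
        self.withdrawal_log.append((consent_id, c.arrangement_id, now, reason))
        try:
            notify(c.arrangement_id)
        except ConnectionError:
            self.pending_notifications.append(c.arrangement_id)

    def retry_notifications(self, notify):
        """Re-send notifications that failed during an outage."""
        still_pending = []
        for arrangement_id in self.pending_notifications:
            try:
                notify(arrangement_id)
            except ConnectionError:
                still_pending.append(arrangement_id)
        self.pending_notifications = still_pending

    def may_share(self, consent_id, scope, now):
        """Gate every data-sharing call on the consent being present, active,
        unexpired and covering the requested scope."""
        c = self.consents.get(consent_id)
        return (c is not None and c.status == "active"
                and now < c.expires_at and scope in c.scopes)
```

The local revocation happens before the notification attempt, so a failed notification never leaves a revoked consent looking active on the side where the consumer withdrew it; the retry queue is what closes the gap on the other side after an outage.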
Concurrent consent
Concurrent consent refers to an ADR establishing multiple active consents with a DH on behalf of a consumer. The consents may have different scopes, related to different sets of data. The consents are related by a common Arrangement ID.
See:
Joint accounts
When two or more Customers have joint authority over an account, any one of the account holders can withdraw consent for sharing of data related to the account, even if the consent was authorised by another of the account holders.
See Removal of consent on joint accounts.
References
See:
- CDR Rules (Competition and Consumer (Consumer Data Right) Rules 2020)
- CX Guidelines, Consent
- Maintaining synchronisation of consents after outages
- Concurrent consent
- CDS authorisation scopes
- Security Profile, End Points
- Requirements for Data Recipient implementations
- Revoking Consent
- Updating Register Meta Data and Client Registration
- Pushed Authorisation End Point
- CDS CDR arrangement ID
- Consumer Experience Standards
- Get Balances For Specific Accounts, Responses
- Get Scheduled Payments For Specific Accounts