Question
We wanted to confirm whether the following scenario is supported by CDR where a Provider with a registered Software Product with CDR can collect data on behalf of a Principal for a consent that was not established by the Provider’s Software Product (e.g. by the Principal's own Software) but is provided with the CDR arrangement ID and access token in order to perform the data retrieval?
Answer
The model you have proposed does not align with the collection arrangement model.
The collection arrangement has the Provider managing the Provider's software product. The Provider uses their own platform and services, but the registration, keys, certificates, consent arrangements and collected data must be tied to that software product.
Question
The Provider's product manages everything on the backend (i.e. registration with CDR, managing consent arrangements, data collection, etc) but it can expose API endpoints (i.e. details on the consent arrangment to be provided) to the Principal such as they can then build their own customer facing front-end on top of this?
Answer
Rule 1.10 states that an accredited person or a CDR representative (OSP principal) may engage outsourced service providers (OSPs) under a CDR outsourcing arrangement to do one or both of the following:
- collect CDR data from a CDR participant in accordance with the CDR Rules on behalf of the principal (for an OSP chain principal with unrestricted accreditation);
- provide goods or services to the principal using CDR data that it has collected on behalf of the principal or that has been disclosed to it by the principal.
The article on collection arrangements takes a technical lens to the rules and provides further detail on CDR outsourcing arrangements.
It seems logical though that the Provider will offer all services required for data collection, leaving the Principal confident that all the security artefacts and collection logic are handled by an expert and they can focus on their own customer value propositions.
The Provider can then provide an integration layer to allow Principals to build there apps on top of this, in what-ever form is appropriate to their use-case.
Comments
0 comments
Please sign in to leave a comment.