Introduction
A prevailing principle of the CDR Rules and Consumer Data Standards is that data holders align the experience and capability of their CDR implementation with their customers' expectations through their existing digital channels. This principle covers expectations such as customer experience, data currency/latency, data quality, availability and performance.
By offering a consumer experience that is secure, familiar and consistent with existing digital channels, the intention is that the performance and experience of the CDR channel are on par with the performance and experience the consumer receives through the data holder's other digital channels.
For example, if a bank-issued Customer ID is used to log into internet banking, there is an expectation that the consumer can use this Customer ID for authenticating within the CDR. Creating bespoke experiences for the CDR that are unfamiliar to the customer in their other banking contexts creates confusion and lowers trust.
This is important because the CDR is considered to be an additional digital channel for each data holder within their designated sector. From the context of banking, CDR is considered to be another digital banking channel adjacent to internet and mobile banking.
Aligning the CDR User Identifier with existing digital channels
The user identifier should be consistently offered across the data holder's digital channels. The user identifier should also be familiar to existing customers.
Because the CDR authentication experience is managed and controlled within the boundary of the data holder's control, no part of the consumer's digital credential, including their user identifier, is ever shared with the ADR. This makes it safer and more secure for consumers and data holders alike.
Consistency and familiarity are important because customers can trust that the user identifier they are authenticating with in the data holder's CDR channel is recognisable and expected, since it is required for login and authentication services elsewhere across the data holder's digital channels. The purpose of this convention is to ensure consumers feel safe and trust that the experience they receive in the CDR is aligned to how they normally go about accessing their existing digital services.
If a data holder offers a different user identifier only for CDR purposes this is not preferred unless there is a broader intention for the data holder to align their other digital channels to the CDR channel.
CDR User Identifiers need to uniquely identify a single customer of the data holder
Data Holders must use a User Identifier within the CDR authentication flow that uniquely identifies a single eligible CDR consumer.
This supports the data standard under the CDS Authentication Flows heading:
Data Holders MUST request a user identifier that can uniquely identify the customer and that is already known by the customer in the redirected page.
Importantly, uniqueness applies in the context of an eligible CDR consumer which has specific meaning defined in CDR Rules Schedule 3 clause 2.1.
This means that data holders must select a user identifier that can guarantee uniqueness and data access for all eligible CDR consumers in their customer base. This user identifier might be different based on the customer segment (e.g. corporate banking customers vs retail customers) however it must be familiar and already known to the customer as a user identifier requested by the data holder in their existing digital channels.
From an authentication perspective, uniqueness is critical. If the user identifier does not uniquely resolve to a single eligible CDR consumer, the data holder cannot differentiate between the two users. This has implications for the sharing of consumer data with the ADR: in the worst case, account data unrelated to the person completing authentication is shared with the ADR.
Sharing of user identifiers even in situations where the two people are related is not permitted under the CDR because the concept of an eligible CDR consumer empowers both consumers to provide express and informed consent. For joint accounts both account holders must provide consent (either through the consent flow or via the Joint Account Management Service or consent election).
Data holders considering suitable user identifiers should exclude any identity attributes that are shared across two or more people or cannot be registered as a verified claim for only one person.
Uniqueness provides a level of security and ensures that each individual is banking under their own context. This is why many banks issue a Customer ID and provide clear language that sharing of internet banking logins is against their terms and conditions of use. Email addresses and mobile phone numbers are valid user identifiers provided they are unique to a single person as well as verified and consistently used by data holders.
Verifying Mobile Phone Numbers for use as CDR User Identifiers
Data Holders using mobile phone numbers as a CDR user identifier should verify that the eligible CDR consumer has ownership of the mobile phone before using the number within the data holder's CDR channel.
Using mobile phone numbers as a user identifier, like email addresses, is becoming more common. However, both mobile phone numbers and email addresses represent something more than a unique identifier: they represent a claim of ownership to a device or service used by the customer.
As such, it is considered good practice to ensure that consumers authenticating with a mobile phone number have previously verified they have access to the phone number (e.g. via a call centre verification process or digital self-service tool). This way, the data holder can be sure the consumer has access to the device associated with the phone number and hasn't incorrectly entered the phone number. This is especially important when the OTP is delivered by SMS to the consumer's mobile phone.
This registration service should be external to the CDR authentication flow.
Where data holders allow consumers to register multiple valid phone numbers (e.g. personal and business phone numbers), it is reasonable to expect each phone number can be used within the CDR authentication flow provided each is independently verified. In this situation, the mobile phone number or another such user identifier may act as a proxy for the profile selection step (refer to CX Guidelines "Account selection").
Mobile Phone Number as a CDR User Identifier
Mobile phone numbers may be used as CDR user identifiers but only if they are uniquely registered and verified to a single eligible CDR consumer.
Mobile phone numbers are ubiquitous and people generally retain the same number for a long period of time, perhaps a decade or more. People can retain the same phone number regardless of the mobile phone plan they choose.
Compared to other user identifiers (such as customer IDs issued and controlled by the data holder) recall is also higher and they tend to be easier to type. This means that mobile phone numbers are an increasingly popular option as a user identifier.
A mobile phone number can be considered a valid user identifier if it uniquely identifies a single eligible CDR consumer and has universal application to the data holder's customer base. Further, the mobile phone number needs to be verified. Its use within the CDR is reasonable so long as the customer can use their mobile phone number in the data holder's existing digital channels for login and authentication services.
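The uniqueness and verification requirements above can be enforced as a fail-closed lookup at the start of the authentication flow. The following is an added example, not part of the Consumer Data Standards or any data holder's code; the record layout, the reason strings, the normalisation rule and the sample directory are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Registration:
    customer: str    # internal customer key (constructed)
    kind: str        # "mobile", "email" or "customer_id"
    value: str       # identifier as stored
    verified: bool   # ownership verified outside the CDR flow
    eligible: bool   # data holder's own eligibility assessment

def normalise(kind, value):
    """Assumed canonical form, so one number cannot hide as two strings."""
    if kind == "mobile":
        digits = "".join(c for c in value if c.isdigit())
        return "0" + digits[2:] if digits.startswith("61") else digits
    return value.strip().casefold()

def owners_by_identifier(regs):
    index = defaultdict(list)
    for r in regs:
        index[(r.kind, normalise(r.kind, r.value))].append(r)
    return index

def shared_identifiers(regs):
    """Identifiers registered to two or more customers: unusable for login."""
    out = {}
    for key, rs in owners_by_identifier(regs).items():
        owners = {r.customer for r in rs}
        if len(owners) > 1:
            out[key] = owners
    return out

def resolve(kind, typed, regs):
    """Return (customer, reason); customer is None unless every check passes."""
    rs = owners_by_identifier(regs).get((kind, normalise(kind, typed)), [])
    owners = {r.customer for r in rs}
    if not owners:
        return None, "unknown"
    if len(owners) > 1:
        return None, "shared"        # cannot tell the two people apart
    if not all(r.verified for r in rs):
        return None, "unverified"    # ownership of the number never confirmed
    if not all(r.eligible for r in rs):
        return None, "not_eligible"
    return rs[0].customer, "ok"

# Constructed sample directory; C2 and C3 hold the same number in two formats
REGS = [
    Registration("C1", "mobile", "0491 570 156", True, True),
    Registration("C2", "mobile", "0491570157", True, True),
    Registration("C3", "mobile", "+61 491 570 157", True, True),
    Registration("C4", "mobile", "0491 570 158", False, True),
]
```

Running shared_identifiers over the full customer base before choosing an identifier type shows whether that type can guarantee uniqueness for every eligible CDR consumer.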