As a data holder, how prescriptive are the Consumer Experience (CX) guidelines, as they apply to consent authorisation flow?
Do participants need to follow the exact process in the guideline, or do they have flexibility to order the flow as they see fit and to introduce additional authentication procedures to improve security? Seeking guidance on how precisely participants need to follow the consent flow designs and whether they are allowed to materially change them, provided they keep all the key elements, or whether permissible changes are merely cosmetic in nature (branding, copy, imagery, CTAs, colour etc.).
Consumer Data Right (CDR) participants have flexibility in how they implement, provided the implementation is compliant with the relevant rules and standards. The Consumer Experience (CX) Guidelines are non-mandatory examples of how to put key rules and standards into practice, as well as leading practice recommendations that are also optional. The CX Guidelines are component-based to allow CDR participants to combine and deploy elements as required.
On authentication and authorisation specifically: whilst the delivery channel for the One Time Password (OTP) used for authentication is flexible, it is non-compliant with the standards to add additional authentication. Rule 4.24 also states that the authorisation flow must not include additional requirements, information, services, or documents beyond those specified in the data standards and rules. These parameters in the rules and standards would prohibit the introduction of additional authentication procedures in the authorisation flow.