How should the profile scope be represented in Consent and Authorisation screens? The profile scope isn't addressed in any of the CX Standards or Guidelines. Should it be dependent on the
For example, if bank:accounts.basic:read are requested, the ADR has access to Personally Identifiable Information (PII) for the user. If the profile scope is not displayed, the user may be unaware that PII is available to the ADR.
It is true that the consumer may be misled regarding PII if the profile scope is not displayed. The DSB is aware of a gap in CX and technical guidance with respect to the profile scope. The DSB will consult on this in 2021.
Under current guidelines, the profile scope should be included only where the consumer also consents to the basic customer data cluster (common:customer.basic:read) or detail customer data cluster (
Note also that the ADR has a responsibility to request the essential claims they wish to receive via UserInfo, such as given_name, otherwise they must not be returned.
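The two rules in the answer above (show the profile scope on the consent screen only alongside a customer data cluster, and release a UserInfo claim only when the ADR has asked for it as an essential claim) can be modelled in a few lines. The following is an added example written for this page, not code from the DSB, the Consumer Data Standards or any ADR; the detail customer cluster scope value, the sample customer record and the treatment of a non-essential claim request as "not requested" are assumptions, and only `profile`, `common:customer.basic:read`, `bank:accounts.basic:read` and `given_name` come from the original text.

```python
"""Added example (not part of the original Q&A or the Consumer Data Standards):
how an ADR names essential UserInfo claims with the OIDC `claims` request
parameter, and how a data holder decides (a) whether the profile scope appears
on the consent screen and (b) which claims UserInfo may return."""
import json
from typing import Dict, Iterable, Mapping, Optional, Set

PROFILE_SCOPE = "profile"
# common:customer.basic:read is quoted in the answer; the detail cluster value is
# an assumption (the CDS scope common:customer.detail:read).
CUSTOMER_CLUSTER_SCOPES: Set[str] = {"common:customer.basic:read", "common:customer.detail:read"}


def build_claims_request(essential_userinfo_claims: Iterable[str]) -> Dict:
    """ADR side: the OIDC `claims` request object marking each named UserInfo
    claim as essential, which is the shape the data holder checks below."""
    return {"userinfo": {name: {"essential": True} for name in essential_userinfo_claims}}


def claims_query_parameter(claims_request: Mapping) -> str:
    """ADR side: the JSON string placed in the `claims` authorisation parameter."""
    return json.dumps(claims_request, separators=(",", ":"))


def show_profile_on_consent(requested_scopes: Set[str]) -> bool:
    """Data holder side: per the answer, the profile scope is shown only when the
    consumer also consents to a customer data cluster. profile together with only
    bank:accounts.basic:read therefore does not surface the profile scope."""
    return PROFILE_SCOPE in requested_scopes and bool(requested_scopes & CUSTOMER_CLUSTER_SCOPES)


def essential_userinfo_claims(claims_request: Optional[Mapping]) -> Set[str]:
    """Names of UserInfo claims the ADR marked essential. A null entry or
    essential:false is treated as not requested (assumption for this example)."""
    if not claims_request:
        return set()
    userinfo = claims_request.get("userinfo") or {}
    return {name for name, spec in userinfo.items()
            if isinstance(spec, Mapping) and spec.get("essential") is True}


def userinfo_response(granted_scopes: Set[str], claims_request: Optional[Mapping],
                      customer_record: Mapping[str, str]) -> Dict[str, str]:
    """Data holder side: build the UserInfo payload. `sub` is always returned;
    any other claim is released only if the profile scope was granted and the
    ADR explicitly requested that claim as essential."""
    response = {"sub": customer_record["sub"]}
    if PROFILE_SCOPE not in granted_scopes:
        return response
    for name in essential_userinfo_claims(claims_request):
        if name != "sub" and name in customer_record:
            response[name] = customer_record[name]
    return response


if __name__ == "__main__":
    # Constructed sample: an ADR requesting profile with the basic customer cluster
    scopes = {"profile", "common:customer.basic:read", "bank:accounts.basic:read"}
    claims = build_claims_request(["given_name"])
    record = {"sub": "ppid-123", "given_name": "Alex", "family_name": "Citizen"}  # constructed
    print("claims=" + claims_query_parameter(claims))
    print("show profile on consent screen:", show_profile_on_consent(scopes))
    print("UserInfo:", userinfo_response(scopes, claims, record))
```

The data-holder functions are the useful part from a review standpoint: `family_name` is present in the record but never leaves `userinfo_response` because the ADR only asked for `given_name`, and nothing beyond `sub` is released at all when the profile scope was not granted.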