The DSB proposes the following convention:
Data Holders must use a User Identifier within the CDR authentication flow that uniquely identifies a single eligible CDR consumer.
This convention supports the following data standard:
Data Holders MUST request a user identifier that can uniquely identify the customer and that is already known by the customer in the redirected page.
Importantly, uniqueness applies in the context of an eligible CDR consumer, which has a specific meaning defined in CDR Rules Schedule 3 clause 2.1.
This means that data holders must select a user identifier that can guarantee uniqueness and data access for all eligible CDR consumers in their customer base. This user identifier might differ by customer segment (e.g. corporate banking customers vs retail customers); however, it must be familiar and already known to the customer as a user identifier requested by the data holder in their existing digital channels.
From an authentication perspective, uniqueness is critical. If the user identifier does not uniquely resolve to a single eligible CDR consumer, the data holder cannot differentiate between the users it resolves to. This has implications for the sharing of consumer data with the ADR: in the worst case, account data unrelated to the person completing authentication is shared with the ADR.
Sharing of user identifiers, even in situations where the two people are related, is not permitted under the CDR because the concept of an eligible CDR consumer empowers both consumers to provide express and informed consent. For joint accounts, both account holders must provide consent (either through the consent flow or via the Joint Account Management Service or consent election).
Data holders considering suitable user identifiers should exclude any identity attributes that are shared across two or more people or cannot be registered as a verified claim for only one person.
Uniqueness provides a level of security and ensures that each individual is banking under their own context. This is why many banks issue a Customer ID and provide clear language that sharing of internet banking logins is against their terms and conditions of use. Email addresses and mobile phone numbers are valid user identifiers provided they are unique to a single person as well as verified and consistently used by data holders.
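One way a data holder could test candidate identifiers against the exclusion criteria above, as an added example that is not part of the convention or any DSB material. The record layout, the precomputed `eligible` flag, the field names and the simplified normalisation rules are all assumptions, and the sample directory is constructed.

```python
from collections import defaultdict

# Constructed sample directory. Each attribute is (value, verified).
# "eligible" is assumed to be precomputed from the CDR Rules definition.
CUSTOMERS = [
    {"person": "P1", "eligible": True, "customer_id": ("10000001", True),
     "email": ("Pat@Example.com", True), "mobile": ("+61 400 000 001", True)},
    {"person": "P2", "eligible": True, "customer_id": ("10000002", True),
     "email": ("pat@example.com ", True), "mobile": ("0400 000 002", True)},
    {"person": "P3", "eligible": True, "customer_id": ("10000003", True),
     "email": ("sam@example.com", False), "mobile": ("0400000003", True)},
]

def normalise(attribute, value):
    """Canonicalise a value so formatting differences cannot hide sharing."""
    value = value.strip()
    if attribute == "email":
        return value.lower()
    if attribute == "mobile":
        # Simplified assumption: map +61 international form to national form.
        digits = "".join(ch for ch in value if ch.isdigit())
        return "0" + digits[2:] if digits.startswith("61") else digits
    return value

def audit(customers, attribute):
    """Report why an attribute fails as a unique user identifier, if it does."""
    owners = defaultdict(set)   # normalised value -> people holding it
    uncovered = []              # eligible consumers lacking a verified value
    for c in customers:
        value, verified = c.get(attribute) or ("", False)
        key = normalise(attribute, value)
        if key:
            owners[key].add(c["person"])
        if c["eligible"] and not (key and verified):
            uncovered.append(c["person"])
    # A value held by two or more people cannot identify a single consumer.
    shared = {k: sorted(p) for k, p in owners.items() if len(p) > 1}
    return {"shared": shared, "uncovered": uncovered,
            "suitable": not shared and not uncovered}

if __name__ == "__main__":
    for attr in ("customer_id", "email", "mobile"):
        print(attr, audit(CUSTOMERS, attr))
```

In the constructed data, the email address fails on both counts: two people hold the same address once case and whitespace are normalised, and a third has an unverified address.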