Colleagues,
I am opening this issue in order to address the topic of how we can better protect the KYC Match/Fill-in APIs against misuse targeting to information phishing. Applying the data minimization principle, as described in EU GDPR and other relative regulations, can be of help to this direction.
A first idea/proposal is to establish a process during the onboarding of new Service Providers and/or New Services, where it will be agreed which KYC data fields are allowed to be exchanged, depending on the specific User Case requirements. This is already happening in many markets.
Then a mechanism that will enforce such agreement needs to be implemented. As discussed, such mechanism(s) are already in place in some "local" implementations. Whether such mechanism should be defined within our specifications needs to be discussed and decided. If yes, scopes can be used to define specific sub-sets of data fields allowed per scope, and SP access to KYC info can be limited to the specific scopes that will be allowed for each UC as required.
As mentioned in our call, this topic is under discussion also in ID & Consent sub-group, thus we should ensure that we are aligned with this discussion as well. However we also need to distinguish the topics of end-user consent for providing specific personal data and the "general" eligibility of an aggregator/service provider to request and get the specific kind of data.
Your feedback and comments are welcome.
Efthymis Isaakidis
Colleagues,
I am opening this issue in order to address the topic of how we can better protect the KYC Match/Fill-in APIs against misuse targeting to information phishing. Applying the data minimization principle, as described in EU GDPR and other relative regulations, can be of help to this direction.
A first idea/proposal is to establish a process during the onboarding of new Service Providers and/or New Services, where it will be agreed which KYC data fields are allowed to be exchanged, depending on the specific User Case requirements. This is already happening in many markets.
Then a mechanism that will enforce such agreement needs to be implemented. As discussed, such mechanism(s) are already in place in some "local" implementations. Whether such mechanism should be defined within our specifications needs to be discussed and decided. If yes, scopes can be used to define specific sub-sets of data fields allowed per scope, and SP access to KYC info can be limited to the specific scopes that will be allowed for each UC as required.
As mentioned in our call, this topic is under discussion also in ID & Consent sub-group, thus we should ensure that we are aligned with this discussion as well. However we also need to distinguish the topics of end-user consent for providing specific personal data and the "general" eligibility of an aggregator/service provider to request and get the specific kind of data.
Your feedback and comments are welcome.
Efthymis Isaakidis