Interview: FDX’s Don Cardinal and Kantara’s Colin Wallis talk about recent collaboration agreement
What are the Financial Data Exchange and Kantara Initiative, and what are their respective missions?
Colin Wallis (CW): Kantara Initiative’s mission is to improve the trustworthy use of identity and personal data through innovation, standardization and good practice in the domain of digital identity management and data privacy. It achieves this by nurturing innovative ideas through grant fund facilitation, developing specifications needed by industry where there is currently a blank canvas, and operating conformity assessment and trust framework programs against requirements in well-known standards such as NIST’s Digital Identity Guidelines (800-63-3).
Don Cardinal (DC): We established FDX on the idea that businesses and consumers should have easier, more secure access to their financial data. Simply because we believe that access to this data can help consumers manage their finances better and improve their financial health. With the increasing popularity of financial technology services, we’ve been seeing a complex patchwork of data sharing methods develop, which has proven to be cost-intensive for financial institutions, fintechs and other financial services firms alike. Through the FDX API and technical frameworks, we’re aiming to unify the entire financial industry around a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data. We hope that the standardization will further drive innovation in this space.
What is Kantara’s Consent-Receipt framework? How do consumers benefit from this framework, and where is it used?
CW: It’s an emerging suite of best practice around exercising data subject rights, for example with the Consent Receipt Specification, which is gaining rapid adoption as industry news spreads that a sample of it is currently annexed into a draft ISO standard. The suite includes the notion of a personal Privacy Control Panel (Kantara PCP) to give the person tools to take action with the receipts including view, validity check, request the data, revoke consent, change permissions, or erase the data.
In the Kantara vision, whenever an individual is asked for their personal data, or whenever their personal data is acquired, a ‘data processing receipt’ is created by the data controller. The receipt includes details about the conditions under which the data was obtained: the privacy notices provided, the lawful basis and purposes for collecting and processing data, the terms of the agreement and other metadata related to the interaction. These data processing receipts could be offered by the data controller’s system to the individual for storage in their personal Privacy Control Panel (PCP) application. On the consent management platform and data controller side, standard data processing receipt APIs could be offered. The PCP utilizes these APIs.
Can you describe the FDX API standard for interoperable open banking?
DC: We are essentially a standards body. The FDX API framework defines standards for financial data sharing, standards for secure authentication and authorization, and includes recommendations on user experience and consent. In the future, we also intend to launch a certification program that aims to ensure a common implementation and interoperability of these standards.
Besides our work on the FDX API standard itself, we also recently published industry guidelines on what we believe are the essential elements of a secure, transparent consumer-first approach to data sharing. We call these the Five Principles of Data Sharing: Control, Access, Transparency, Traceability, and Security. What that means is that account owners should have access to their data, be in control of which aspects they want to share and be able to modify or revoke such access freely, know for what purposes their data is used and what parties will have access to it, and have confidence in the security and privacy of their information.
What role will Kantara’s consent receipt play in the FDX API standard?
DC: Capturing the user’s informed consent to sharing their data is crucial to support the FDX principles of Control, Access, Traceability, Transparency, and Security, and we believe that the Kantara Consent Receipt framework, as an international standard, is a natural and complementary addition to our framework. Interoperability and standardization are key to lowering entry barriers, as well as facilitating the scalability of any solution, so we’re happy to give our members access to this framework.
What impact will this collaboration have on consumers?
CW: Early adopters of the Consent Receipt have been personal data/consent management platform providers. While that’s great, FDX’s collaboration and investment is expected to take Consent Receipt into mainstream Financial Services and Fintech applications.
DC: As Consent Receipts are technical pieces that happen behind the scenes in our world, consumers won’t really notice any difference. I think the benefits will manifest themselves in services and capabilities that become possible from having a common Consent Receipt format.
How else will Kantara/FDX promote the FDX API standard/Kantara’s consent-receipt framework?
CW: There’s high mutual respect of the role the other has played in the digital economy – FDX contributing the Financial-grade API (FAPI) to the OpenID Foundation* and Kantara contributing Consent Receipt to international standardization efforts. Conferences, webinars and ingraining the work of the other in our respective communities across the world will cement the collaboration into a long-term strategic relationship.
DC: Our agreement is to work on areas of joint interest. The obvious areas are informing each other’s member organizations about our respective frameworks, exchanging news and information between our organizations, conducting mutual outreaches, collaborating on specific projects, and publishing joint artifacts as the opportunity arises.
*The predecessor of the FDX API, the Durable Data API (DDA), is the underlying specification of OpenID Foundation’s Financial-grade API (FAPI)