| Expand | ||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||
|
1. Description
This insurance service request enables TPPs to retrieve a User’s insurance data (with the User’s consent) held with an LFI. The TPP agrees the boundaries of the data sharing consent with the User, and the TPP then sends this data sharing consent to the LFI where it is approved by the User. TPPs are then further able to retrieve the status of the data sharing consent.
This User journey requires either a short-lived consent or a long-lived consent, depending on the use case.
An LFI may request a data transfer from another LFI on behalf of a User with the User’s consent. In the instance where an LFI is providing a service as a TPP, the LFI is subjected to the same rules and guidelines as a TPP would be, as specified in the Standard.
LFIs are required to respond to data sharing requests from licensed TPPs with the requested data regardless of whether there is a pre-existing commercial agreement.
1.1 Scope
The scope of the Insurance Data Sharing service is as follows:
1.1.1 Sectors
The insurance industry sectors covered by the service are:
Motor Insurance: Vehicle coverage against losses due to accidents, theft, or damage.
Travel Insurance: Financial protection against travel-related risks. These may include trip cancellations, medical emergencies, lost or delayed luggage, and other unexpected events that could disrupt travel arrangements.
Life Insurance: Benefits to beneficiaries of insured persons upon their death. It serves as financial protection for the insured's dependents.
Renter Insurance: Tenant protection against financial losses due to theft, fire, or other perils affecting their personal belongings within a rented residence.
Health Insurance: Cover for medical expenses incurred by the insured due to illness or injury.
Home Insurance: Homeowners' financial protection against damage to their property and liability for injuries on their property.
Employment Insurance: Provides financial assistance against involuntary unemployment of insured persons.
1.1.2 Customer Segments
The scope of the Insurance Data Sharing service related to customer segments is below:
Insurance Industry Sectors | ||
|---|---|---|
ID | Insurance Type | In Scope (Y/N) |
1 | Motor Insurance |
|
2 | Travel Insurance |
|
3 | Life Insurance |
|
4 | Renter Insurance |
|
5 | Health Insurance |
|
6 | Home Insurance |
|
7 | Employment Insurance |
|
Customer Segments | ||
|---|---|---|
Consumer | SME | Corporate |
|
|
|
1.2 Customer Data Sharing - Example User Stories
1.2.1 Generic user story
| Panel | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
User StoryAs a User (Consumer), I want to provide my consent to a TPP to retrieve data about my insurance policies, so that I can use my insurance details to initiate other insurance service requests. |
1.2.2 Data sharing for aggregation
| Panel | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
User StoryAs a User (Consumer), I want to provide my ongoing consent to a TPP to retrieve data about my insurance policies, so that I can view all of my insurance policies in a single dashboard. |
1.2.3 Data sharing to support quote request
| Panel | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
User StoryAs a User (Consumer), I want to provide a TPP with my insurance requirements together with my explicit consent to acquire all the necessary historical insurance data from my previous insurer LFIs, and share this information with one or more insurer LFIs when requesting their Quotes, so that I can effortlessly view and compare a number of insurance quotes from a variety of insurer LFIs for my next insurance policy. |
1.2.4 Data sharing when redirecting to an LFI to support the acceptance of a quote
| Panel | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
User StoryAs a User (Consumer), I want to provide a TPP with my insurance requirements together with my explicit consent to acquire all the necessary historical insurance data from my previous insurer LFIs, and share this information with the LFI I have selected to purchase a policy from, so that I can effortlessly accept and purchase a policy at the LFI. |
2. User Journey
2.1 User shares data with TPP
Users can share data held with an LFI, by providing their data sharing consent to a TPP.
3. Customer Experience
4. Rules & Guidelines
# | Step | Rules & Guidelines |
ICS-1 | Initiate User Set-up (Conditional) | Depending on the use case, the User may have to be onboarded with the TPP by agreeing to any relevant terms and conditions (e.g. regarding sharing and storage of personal data) and setting up an account with them if required. TPPs MUST: 1.1 Provide the User with a Terms & Conditions, and Privacy Notice outlining applicable rights and responsibilities in the context of relevant regulation and legal principles. This may need to include any onward sharing of personal data, recipients or categories of recipients who receive that data, and the lawful basis for processing personal data as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210796838/Consent+Setup#2.-Consent-Codification 1.2 Obtain the User's agreement to the above before setting them up and be able to request User consent as per the next step in the process 1.3 Provide an option to cancel the flow |
ICS-2 | Data Sharing Consent | Basic Consent Parameters TPPs MUST: 2.1 Request only data required to perform their service (or use case). 2.2 Use the data language standards to describe the data clusters and data permissions in user-facing interactions so that the User clearly understands the data that will be requested from their LFI to provide the service requested
2.3 Depending on the use case, confirm the duration of the data access or allow the user to select how long the TPP can access their data.
2.4 Define the start and end dates for the period needed for historical data, if required for a specific use case. The end date of the period of historical data that can be requested by TPPs and which MUST be returned by LFIs for a Data sharing Request is as per the End Date of historical data for Data Sharing Request https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151850897/Limits+and+Constants#A.-Limits. 2.5 When a ‘long-lived’ consent, confirm to the User that they can withdraw their consent at any time before the consent expires 2.6 Provide to the User, the OFP and the LFI their trading/brand name clearly and the name of any other parties they are supporting (if applicable). 2.7 Allow the User to identify and select the LFIs for the Consent
|
Additional Consent Parameters TPPs MUST: 2.5 Set the Accepted Authorization Type (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#7.-Accepted-Authorization-Type). 2.6 Set the Authorization Time Window (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#8.-Authorization-Time-Window) if there are specific timing requirements that must be met for the Consent authorization. This is also relevant to cases where multiple authorizers are required to authorize the payment consent. 2.7 Obtain the Users' explicit consent to access information from insurance products held at LFIs (as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210796838/Consent+Setup#2.1--Data-Sharing-Consent). | ||
ICS-3 | Consent Staging | As perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#10.-Consent-Staging |
ICS-4 | Hand-off to LFI | TPPs MUST: 4.1 Notify the User that they will be transferred to the selected LFI to undertake their authentication and consent authorization (as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#11.-Hand-off-to-LFI)
|
ICS-5 | Authentication | LFIs MUST: 5.1 Enable Users to perform authentication with their LFIs, as per the following sections: 5.2 Re-direct Users back to the TPPs, with information that the Consent has not been authorized, if User Authentication has failed or Users opted to cancel the authentication/authorization process. |
ICS-6 | Disclosure Consent | LFIs MUST: 6.1 Enable Users to authenticate using Multi-Factor Authentication (MFA) in order to review and authorize the data sharing Consent. 6.2 Retrieve from the OFP the data sharing Consent details staged by the TPP using the unique Consent Identifier. 6.3 Display details of data that will be shared and the duration of how long it will be shared for 6.4 Use the data language standards to describe data clusters and permissions in user-facing interactions so that the same information is displayed to the User |
ICS-7 | Confirmation/ Authorization | LFIs MUST: 7.1 Present to Users all the details in relation to data sharing Consent. 7.2 NOT allow Users to change any of the Consent parameters (e.g. permissions) staged by the TPP. 7.3 Request Users to authorize the data sharing Consent. 7.4 Enable Users to cancel the data sharing Consent request from within the authorization journey. 7.5 Re-direct Users back to the TPPs, with information that the Consent has not been authorized, if Users opt to cancel the Consent authorization process before final authorization.
7.6 Check the Authorization Time window is valid as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#20.-Check-Authorization-Time-Window 7.7 Change the state of the data sharing Consent from Awaiting Authorization to Authorized, when all Authorizers (one or more) have authorized the data sharing Consent. 7.8 Update the data sharing Consent details stored in the OFP with all the information included in the data sharing Consent authorized by the User. |
OFP MUST: 7.9 Confirm back to the LFIs that the data sharing Consent details have been updated successfully. | ||
ICS-8 | Hand-off back to the TPP | As perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#14.-Hand-off-back-to-the-TPP |
ICS-9 | Confirmation to User | As perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#16.-Confirmation-to-User |
5. Data Sharing Requests
# | Step | Rules & Guidelines |
|---|---|---|
ISR-1 | Data Sharing Request | TPPs MUST: 1.1 Only request specific data in the scope of their service (or use case). 1.2 Only submit to OFP data sharing requests for the data clusters and permissions consented by the User as per the data sharing Consent authorized by the User. |
ISR-2 | Processing of Data Sharing Requests | OFP MUST: 2.1 Allow TPPs to submit data sharing requests in relation to a data sharing Consent authorized by Users, without any additional MFA or authorization by the Users. 2.2 Check that the received data sharing request relates to a valid data sharing Consent authorized by the User. The Consent MUST be in the Authorized state. The OFP MUST reject any data sharing requests related to a data sharing Consent in a different state (e.g. expired) and respond back to the TPP with the appropriate error message/code. 2.3 Reject the data sharing request and provide the necessary error message to the TPP, if any checks on the data sharing request fail against the authorized data sharing Consent.
2.4 Send the data sharing requests to the LFI for the data clusters and permissions consented by the User as per the data sharing Consent authorized by the User. |
LFIs MUST: 2.5 Allow the OFP to submit the data sharing requests without any additional MFA or authorization from the User. 2.6 Reject the data sharing request received by the OFP in the case there are valid reasons for the data sharing Consent to be suspended as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210796838/Consent+Setup#4.-Consent-States or due to any other BAU checks failure. 2.7 Share data requested by the OFP in relation to the authorized data sharing Consent. | ||
OFP MUST: 2.8 Send an appropriate error response to the TPPs in the case the data sharing request is rejected due to violating any of the LFIs BAU checks. 2.9 Provide the TPP with all the available data for the data clusters and permissions requested in relation to the data sharing Consent authorized by the User. |
6. Data Clusters
In the Insurance Data Sharing API design, data elements will be logically grouped together into “permissions”. Grouping permissions together as clusters adds another layer of logical grouping and the description helps Users' understanding of the data they are being asked to consent to share. These groupings also ensure TPPs are requesting data relevant to the service that they are providing in language that is easy to understand for the user.
The following table describes how permissions MUSTbe grouped into Data Clusters and the language that MUST be used to describe the data at each of these clusters. Both TPPs and LFIs MUST describe the data being shared at a Data Cluster level and allow Users to “drill-down” to see the detail at the Permission level using the permission language set-out in the table below.
Permissions are specific to each insurance type, however the table below uses motor insurance as an example for illustrative purposes.
Where both Basic and Detail permissions are available for a set of data elements, the Detail permission contains all data elements of the Basic permission plus the additional elements described in the table. These clusters are further replicated across each insurance type. For more details about the information in the Data Clusters and permissions, please refer to the Insurance API Specifications.
6.1 Generic Clusters
Data Cluster language | Permissions Language | Permissions Language | Examples of Information available | |
|---|---|---|---|---|
Your Insurance Policies | Motor Insurance Policies | (ReadMotorInsurancePolices)Any other name by which you refer to these policies | Provide policy identifiers to facilitate retrieval of other policy details. No other policy data is provided unless explicitly requested. | |
Your Customer Details | Customer Basic(ReadMotorInsuranceCustomerBasic) Your basic information | Provides basic customer information, including full name and short name. | Customer Detail||
Your detailed information | Provides full customer details, including address, employment information, and emergency contact details. | |||
Your Payment Details | Bank Account Information (ReadMotorInsuranceCustomerPaymentDetails) | Your bank account details | Provides customer bank account information. | |
Your Product Information | Policy and Vehicle Information | (ReadMotorInsuranceProduct) Your policy and vehicle information | Provides all policy data including policy number and vehicle information. | |
Your Transaction Information | Premium and Claim Information | (ReadMotorInsuranceTransactions)Your premiums and claims | Provides premium and claim information. |
Note
With respect to the Data Clusters and Permissions language, LFIs SHOULD consider whether the language that is displayed to Users is appropriate when the information being accessed relates to6.2 Additional Clusters
Data Cluster language | Insurance Type | Permissions Language | Examples of Information available |
|---|---|---|---|
Your Add-ons | Motor Insurance | Your add-ons | Add-ons to a motor insurance policy such as additional coverage. |
Your Dependents | Health Insurance | Your dependents | Provides relevant information on dependents included in a health insurance policy. |
Note
With respect to the Data Clusters and Permissions language, LFIs SHOULD consider whether the language that is displayed to Users is appropriate when the information being accessed relates to more than one party. For example, “Your data” may need to be adapted to just “data” to indicate to Users that the account information being displayed may not be solely specific to them. For example, in cases of joint accounts, when the account information of both parties is requested.account information being displayed may not be solely specific to them. For example, in cases of joint accounts, when the account information of both parties is requested.
7. Consent Lifecycle States
| Panel | ||
|---|---|---|
| ||
7.1 The consent lifecycle states are in line with https://openfinanceuae.atlassian.net/wiki/spaces/standardsv2draft1/pages/244220212/Consent+Setup#4.-Consent-States
|