|To clarify the mapping between FIU use cases and the purpose codes to be used, for each “Type” of use case
|As of V 1.1.2 of the specification, there are 5 purpose codes defined in the specification. The mapping between these and “types” of use cases is as follows:101 – Wealth Management – to be used by SEBI RIAs and Portfolio Managers (and similar licensees) seeking consent for data that enables them to facilitate investment transactions, either on a one-time or recurring basis102 – Customer spending patterns, budget or other reportings – to be used by SEBI RIAs, (and similar licensees) seeking consent for data that enables financial advisory use cases, typically on a recurring basis
103 – Aggregated Statement – to be used by lenders, insurers, insurance brokers (and similar licensees) seeking consent for data that enables underwriting and/or verification of income, typically one-time
104 – Explicit consent for monitoring of the accounts – to be used by lenders (and similar licensees) seeking consent for data enabling continuous monitoring of accounts to assess repayment health, typically on a recurring basis
105 – Explicit one-time consent for accounts – to be used by stock brokers (and similar licensees) seeking consent for data enabling verifying the presence and activity of a financial account, while onboarding users or modifying user profiles, typically on a one-time basis
Note: The above descriptions are indicative. If new use cases are discovered, the most appropriate purpose code is expected to be used, based on judgement and aligned with the descriptions above, to the best extent possible.
|To clarify if multiple financial services or processes can be tied to one purpose and one consent artefact
|The intent behind the concept of “purpose-limitation” is to ensure there is a one-to-one mapping between the customer’s understanding of the purpose for which the FIU is seeking the financial information and legal basis for the FIU to process such information. The purpose can be for a financial service and/or a process to avail a financial service.Financial services refer to loans, insurance, financial advisory etc, while processes include the process of loan underwriting, loan monitoring, assessing risk for advisory, etc.For instance, consider a financial service such as a loan. It involves two separate processes: a) one for assessing the customer’s eligibility for the loan, and b) another for monitoring the repayment risk of the loan. Even though it’s the same financial service (the loan), there are two distinct purposes, and two data sets are required for the two different purposes – So, two different consents are needed. Accordingly, an FIU should not bundle two purposes into one consent request.If a financial service involves the opening of multiple accounts as part of a single transaction (e.g., often, opening of a loan account also involves opening of a deposit account simultaneously), the “purpose” is deemed to be the same. In such a situation, the citizen is aware that the data shared will be used for purposes that are intrinsically linked and –conjoined.However, the converse – where data is taken for one specific financial service or process but used, additionally or in its place, for another financial service or process, that the customer is not explicitly seeking – is not in compliance with applicable laws.