AA Community Guidelines - FIU Roles and Responsibilities

Conversely, entities that do not carry a certificate of registration from any of the four financial sector regulators cannot participate as an FIU.

Further, it is implicitly understood that the use case/purpose that an FIU is seeking to process the citizen’s data for, is permitted as per the licence charter of the FIU.

It is the FIU’s responsibility to assure itself and the rest of the ecosystem of the permissibility of its use case/purpose.

This also means that the FIU has an obligation to not profit from its fiduciary duty, without knowledge and consent of the data principal.

The direct implication of this, on an FIU’s behaviour, is:

• To use the citizen’s data strictly in accordance with the consent artefact, provided by the citizen through an AA
• To ensure that the citizen’s data is NOT employed for any other purpose, unless with the explicit knowledge and informed consent of the citizen. Such consent has to be taken in addition, if required, to what the citizen has provided for, through the AA.

The key question to be deliberated by the community: The FIU may not have a fiduciary relationship with a citizen, for the regular business that it is chartered to perform. E.g. an insurance web aggregator does not have a fiduciary relationship with an insured party, while an insurance broker has.

Both however can be FIUs since they are registered with a regulator.

Can an insurance web aggregator seek consent from citizens to procure data and discharge its fiduciary obligation towards safe-guarding data, although the larger context of what it offers citizens (a portal to discover offers) is not on the basis of a fiduciary relationship?

Each such gateway may have its own public IP, public keys.

In the current version of the central registry and token service, each such gateway will have its own entry, with its own unique FIU ID.

Any other entity, including parent/holding companies of such an entity are not considered an FIU.

This implies two principles to guide FIU user journeys:

• If a citizen is new-to-AA, i.e. does not declare h/she already has an AA profile, the FIU is free to recommend an AA that the citizen may register with.
• If the citizen however indicates that h/she already has an AA profile, FIUs are obliged, as per community norms, to respect that choice and redirect the citizen to that AA.

It is further therefore necessary that FIUs find out if citizens already have an AA profile or not, to enable implementation of the above principles.

This is being discussed in the AA community.

This would enable FIUs to avoid asking the citizen to recollect his/her VUA or worse, enforce citizens re-registering with a different AA altogether.

This is currently being discussed within the AA community.

FIUs also partner with one or more preferred AAs, for new customer registrations, initiated in the course of their own digital journeys.

FIUs may be interested in ensuring AA handles issued, post-registration, include the brand name of the FIU. This serves as encouragement to FIUs to further use the “AA Handle” as a marketing tool to nudge further usage, within their own products and services.

This needs to be discussed further within the AA community.