ConsumerDataStandardsAustralia / infosec

Work space for the consumer data right information security profile development in Australia
MIT License

Sharing PII data related to identity verification #34

Closed NationalAustraliaBank closed 5 years ago

NationalAustraliaBank commented 5 years ago

Although previously defined as in-scope as part of the API standards, we would like to once again highlight that the ACCC Rules Framework states that customer information used for identity verification assessment purposes is not to be shared with a DR (please refer to ACCC's Rules Framework - September 2018 - Section 5.3.1). Most industries currently use PII data for identity verification e.g. the customer's mobile number or email address is used for 2FA purposes.

JamesMBligh commented 5 years ago

Sorry for not responding until now.

As far as I can assess, the standards currently comply with this injunction. No KYC-related payloads or endpoints have been included in the standards. It should also be noted that the statements regarding identity verification data clearly do not imply the exclusion of data that is designated but is coincidentally used for identity verification.

I consider this issue closed. If there is more feedback on this topic please post it to the holistic feedback thread in the standards repo.

-JB-