ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Commercial Credit Card Structure under Get Account Details call #630

Open NationalAustraliaBank opened 9 months ago

NationalAustraliaBank commented 9 months ago

Description

At NAB, we have a variety of credit cards offered to customers, including personal credit card, business credit card, and corporate credit card.

For personal credit cards, repayment info is visible to the individual account owner. However, for business credit cards, the business account owners and facility authorised personnel are allowed to view the facility account level information (repayment amount, repayment due date, etc.). Business card holders who are not business account owners or facility authorised personnel are not able to view facility account level repayment information, as the repayment information fields are applicable at facility account level. Hence, we suggest that the following fields should be changed to "Optional":

BankingAccountDetailV3 - BankingCreditCardAccount

  - "minPaymentAmount"
  - "paymentDueAmount"
  - "paymentCurrency"
  - "paymentDueDate"

Area Affected

BankingAccountDetailV3 under GetAccountDetail

Change Proposed

Option 1: "creditCard" object to be made optional even if specificAccountUType is creditCard

Option 2: Fields under "creditCard" object to be made optional.

nils-work commented 1 month ago

Hi @NationalAustraliaBank

Making fields optional at a schema level may not be the best solution to an issue that seems to relate to sharing permissions (entitlements/scopes).

Two options to explore may be:

  1. If the "business card holders" are "not able to view facility account level repayment information" perhaps they should not be designated as a Nominated Representative (NR) for that account.
  2. In the NR service, provide the ability for "business account owners" to specify NRs that are only "business card holders" as not being allowed to authorise certain accounts in consents requiring the Detailed Bank Account Data scope which authorises the Get Account Detail endpoint containing those fields. Use-cases requiring only Bank Transaction Data (which requires Basic Bank Account Data) could remain unaffected and still be available for sharing.

These options could make any accounts that the NR is not allowed to share (depending on their NR status (1) and possibly the scopes required by, and consented to, at the ADR (2)) appear in the "Unavailable for sharing" section of the account selection screen in the authorisation flow, potentially with details about why they are unavailable and how to make them available.

Without restrictions such as these, all accounts of the non-individual consumer could be expected to be available to a designated NR, and all endpoints and fields should be available for disclosure according to the scopes authorised.

Would something like above solve this issue?
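As an added illustration (not code from the standards-maintenance repository or from either commenter), the following models the two approaches the thread contrasts: the current schema rule that makes the creditCard object and its four payment fields mandatory, and nils-work's option 2 of deciding at consent time whether a Nominated Representative may authorise a credit card account for a given scope set. The scope identifiers are the published CDR banking scopes, used here as an assumption; role names and the sample response are constructed.

```python
# Added example: schema check versus entitlement check for the
# BankingAccountDetailV3 creditCard object discussed in this issue.
# Scope identifiers assumed from the CDR banking scopes; roles and data are constructed.

CREDIT_CARD_FIELDS = ("minPaymentAmount", "paymentDueAmount",
                      "paymentCurrency", "paymentDueDate")
DETAIL_SCOPE = "bank:accounts.detail:read"   # Detailed Bank Account Data
BASIC_SCOPE = "bank:accounts.basic:read"     # Basic Bank Account Data

# Roles that may see facility-level repayment data, per the issue description.
FACILITY_ROLES = {"business_account_owner", "facility_authorised"}


def schema_errors(account: dict) -> list:
    """Check an account detail object against the current (mandatory) rule:
    when specificAccountUType is creditCard, the creditCard object and all
    four payment fields must be present. Returns a list of problems."""
    errors = []
    if account.get("specificAccountUType") != "creditCard":
        return errors
    card = account.get("creditCard")
    if card is None:
        return ["creditCard object missing for specificAccountUType=creditCard"]
    for field in CREDIT_CARD_FIELDS:
        if field not in card:
            errors.append(f"creditCard.{field} missing")
    return errors


def account_sharing_status(nr_role: str, requested_scopes: set) -> str:
    """Option 2 from the thread: an NR who is only a card holder may not
    authorise the account for a consent that needs the detail scope, so the
    account goes to 'Unavailable for sharing'; consents needing only the
    basic scope (e.g. transactions) remain available."""
    if DETAIL_SCOPE in requested_scopes and nr_role not in FACILITY_ROLES:
        return "unavailable: card holder NR may not authorise Detailed Bank Account Data"
    return "available"


# Constructed sample: what a card-holder-only NR could see today if the
# facility-level fields were simply dropped from the response.
SAMPLE = {"accountId": "acc-001", "specificAccountUType": "creditCard",
          "creditCard": {"paymentCurrency": "AUD"}}
```

Run against SAMPLE, the schema check reports the three missing facility-level fields, which is exactly the conformance failure that motivates the issue; the entitlement check instead keeps the response whole and moves the decision to the consent flow.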