Step 1: Small Business Bank Account

The owner of a small business starts an application (e.g. a web-based form) that supports account opening at the bank. The small business owner enters the data requested by the form.

The bank completes a due diligence process on the data entered by the small business owner, confirming the identity of both her and the business, and assessing their qualifications (i.e. suitability to have a bank account). The bank relies on the outcome of its own due diligence process, and opens an account for the small business.

The bank’s application stores the small business’s data securely on a bank server, and - because it acts as its own Metadata Service Provider (MSP) - uses MDMP to publish the data location, and the permissioning model that governs access to it, to the Fact Table, where it is discoverable by other applications.

The bank is motivated to do this because it has agreed to share KYC data with other banks and finance providers, having been encouraged to do so by the Payment Services Regulator, which is trialling a trusted KYC solution for SMEs based on data sharing.

Step 2: Data Management Service ('Digital Passport')

As well as opening a bank account, the bank opens a second application (a ‘digital passport’) for the small business, whose scope of action is limited to data management – i.e. it does not have any account processing functionality (such as making payments), and it also does not have any functionality to view data. Its purpose is to provide a point of control for the business owner.

The limited functionality of the ‘digital passport’ is a deliberate security feature that the bank has implemented, so that the small business's employees who operate the app can neither access (i.e. view, copy, read or print) an aggregated view of the business, nor move any money around. However, they can share data about the business with third party service providers.

The bank is motivated to do this by self-interest: the bank’s strategy team has recognised that the bank has a brand that is both trusted by its customers on issues like data security, and is trusted by other market actors as a provider of strong customer authentication procedures.

Step 3: Energy Supplier

The small business owner starts a second application, this time to open an account with a major utility to supply her (energy intensive) manufacturing business.

Instead of entering data manually, the small business owner uses her credentials to authenticate to the bank’s digital passport and gives permission for the utility to access the data about her business which was collected during the bank account opening process.

The utility application also uses the bank's MSP to read the location of the data from the Fact Table, requests access and – because the small business has given its consent – is permitted to copy the data on a non-reliance basis (i.e. it is treated as if the small business had entered data into the utility’s application manually).

The utility application also requests access (again via the bank's MSP) to the bank’s attestation service which is also discoverable via metadata held on the Fact Table. Because the utility is a contracted relying party to the bank for this service, the bank confirms the accuracy of some data attributes, for a fee. The utility completes its own due diligence process on the data, relying in part on the attestation service provided by the bank, and opens an account for the small business.

The utility pays the MSP to place a 'watch' on the Fact Table for changes in the small business’s trading address, to minimise its credit risk. The MSP also publishes the location of the new utility account information to the Fact Table, where it is discoverable by utility switching services, as well as other applications connected to MDMP-compliant MSPs, including the digital passport.

The energy utility is motivated to do this by Ofgem, the energy market regulator, which has asked the industry to test alternative mechanisms to the “marketing database” remedy imposed by the CMA in its 2016 market review.

Step 4: Aggregation Service

The small business owner signs up to an aggregation service provided by a well-known credit reference agency. The aggregation service includes a cash flow analysis with forecasting functionality, as well as a ‘real time’ credit score. The aggregation service is presented as a dashboard which can be viewed or printed by the account holder, but it does not include functionality to share the data.

Having set up the account (again using the bank’s digital passport to streamline the process), the owner is asked to give permission to the aggregation service to call its MSP to read metadata held on the Fact Table that relates to her small business. She gives her consent.

The Open Banking Directory service operates an MSP that manages the metadata associated with the small business's bank account. The MSP used by the aggregation service communicates with both the Open Banking MSP and the bank MSP, references all of this metadata and sends it to the aggregation service.

As a result of a single API call, the aggregation service now knows which bank and energy utility the small business uses. It also needs data from the firm’s accounting package, and presents the owner with a drop-down list of popular cloud-based providers. She selects her provider.

The aggregation service asks the small business owner for her consent to access the data that it needs to deliver its service. The data will be sourced from the bank, utility and accounting package. The aggregation service can see from the metadata sent from the MSP that data from the bank and utility can be accessed using a single authentication step (the digital passport). It therefore prompts the business owner to authenticate herself to the digital passport and - separately - the accounting package.

The aggregation service is motivated to use its MSP to query the Fact Table because it provides a streamlined customer journey to the small business during the set up and authentication process. 

However, the aggregation service is not required to publish the availability of its own output (such as the credit score) to the Fact Table. Motivated by competitive reasons, it chooses not to. It does not want to make it easy for customers to switch to another aggregation service.

Step 5: Insurance

Over the course of its first year of operation, the small business successfully bids to become part of the supply chain for three separate large corporates.

The onboarding process is rigorous, requiring slightly different but heavily overlapping data about the business, its finances, operations and insurance cover. Two of the three corporates use the same supply chain platform. Unfortunately, the third insists on using its own, bespoke platform.

The small business owner hires an employee to help her with general administration, including the onboarding process. She creates a new user account for him on the digital passport app, and gives him her own user name and password so that he can also log onto the CRA's aggregation service.

Before onboarding onto the first platform, the administrator asks the owner to log onto the digital passport herself, authenticate herself to the business’s insurance website, and give her consent for insurance data to be added to the scope of the digital passport app.

The insurance company is motivated to publish the availability of the small business’s insurance data because it has already been found in breach of GDPR, having failed to respond quickly enough to a previous portability request. The insurance company trusts the customer authentication process that the bank has implemented in the digital passport, and strikes a commercial agreement to rely on it during the consent management process. This creates a revenue stream for the bank, in return for the liability transfer.

The bank MSP (which serves the digital passport app) uses MDMP to record all of this activity on the Fact Table.

Step 6: Supply Chains

The administrator then uses the digital passport app to share data via API with the first supply chain platform, fulfilling 40-50% of their data requirements. He then prints off the dashboard from the aggregation service, and types key financial details from it into the platform’s application. He also manually adds the key details about the small business’s operations.

Like the utility, the first supply chain platform pays to rely on the bank’s confirmation service for some data elements, providing more revenue to the bank. In addition, the platform also contracts a supply chain services firm to undertake a formal due diligence of the small business’s operations and insurance cover. Under the terms of its contract, the supply chain services firm has permission to resell its due diligence work on the small business to other supply chain platforms. It therefore uses the bank's MSP to publish the availability of the report, and the availability of details describing the small business operations, to the Fact Table, where they are discoverable by other applications.

When the small business’s administrator uses the digital passport to share data with the second platform, he fulfils 60-70% of their data requirements straight away because the operations data is now also available via the digital passport. However, he is frustrated to have to type in the same financial details from another print-off of the aggregation service’s dashboard.

The small business owner is pleased to find that the second onboarding process is shortened by 2 weeks – and is much less burdensome on her than the first – because the second platform chooses to rely on the recent due diligence report instead of engaging another supply chain management firm to repeat the process.

However, the second platform provider also requires a credit rating of the small business to complete its due diligence. This delays the completion of the process by a couple of days while the platform buys a credit rating via an ‘offline’ process. It is from a different credit reference agency than the one that supplies the small business with its aggregation service (including credit rating!).

Step 7: Payments

Having onboarded onto the first supply chain, the small business owner starts work with a new supplier, based in Ireland. The supplier uses a PSD2 compliant payment initiation service to request payment, and the small business owner authenticates to her bank to confirm each payment.

As part of the secure customer authentication process, the small business owner also consents for the bank to share her trading address (as captured during account opening) with the supplier, so the latter knows where to deliver the goods. Every time she orders new supplies – which is regularly – the bank MSP records to the Fact Table that her trading address was accessed and used.

The bank is motivated to do this both to comply with PSD2, and to offer a value adding service to its customers during the strong customer authentication process step.

Step 8: Change of Address

When the business is successfully supplying all three large corporates, the owner decides that it is time to move into bigger premises.  

In the hectic period that follows, she forgets to close her account with the utility, which continues to supply the previous (and now empty) premises, and she therefore goes overdue on her energy bill. However, as soon as she makes a payment to her Irish supplier, she updates her trading address, as held by the bank, so that the supplies will be delivered to the correct address.

Because the utility had asked its MSP to place a 'watch' on the Fact Table for changes in the trading address field, it is alerted to the change. The debt collection team stops sending ‘red letters’ to the previous address, and contacts the small business owner by phone. The situation is quickly rectified.

Step 9: Financing

The small business owner now approaches her bank Relationship Manager (RM) to ask for a loan to finance her expansion, but the RM quickly realises that the small business does not meet the bank’s standard lending criteria. 

Rather than reject the customer, the RM refers the owner to a specialist supply chain finance provider, based in the US, who already works closely with both the supply chain platforms.

As part of the deal, the US finance provider requires that the small business’s sales pipeline is closely monitored. The small business owner therefore logs onto the digital passport, authenticates herself to each of her accounts on the two platforms, and gives consent for them to share data directly with the finance provider on an ongoing basis.

The supply chain platforms are motivated to do this because they recognise the value to their supplier base of them collaborating closely with a supply chain finance provider.

Step 10: Bad Actor

After more than a year of successful trading, the small business owner gets a call from the alternative finance provider (who continues to support the growth of the business).

The finance provider tells the owner that she is in breach of her contract, because the business is no longer making the data available that is necessary to monitor its trading position.

The owner logs onto the digital passport and sees that the business’s consent that enabled the supply chain platforms to pass the data needed has been withdrawn. She quickly reinstates it.

The small business owner remembers the problems she was having with the administrator before she had been forced to let him go. She calls the police to file a ‘suspicious activity report’ and gives them her consent to review all of the data sharing activity associated with her business. She is motivated to do this because she is concerned about what else the administrator may have done while he was her employee (and an employee elsewhere).

The police use the audit log from the Fact Table to show that the administrator’s account had been used on the digital passport to withdraw the business’s consent. Furthermore, the audit log also shows that – when the business owner was on holiday – her account on the aggregation service had been used to print off several copies of the dashboard without her knowledge, and that there were several failed attempts to log into the business bank account during the same period.

After making further enquiries, the police identify similarly suspicious activity (also recorded on the Fact Table) at two other businesses that had previously employed the administrator.
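
The audit-log review described in Step 10, sketched as an added example (it is not part of the original use case or of MDMP itself). The record layout, account names, timestamps and the review() function are constructed assumptions; the real Fact Table schema is not given here.

```python
from datetime import datetime

# Constructed sample entries. Field names and values are assumptions made for
# this example; they are not the MDMP or Fact Table schema.
AUDIT_LOG = [
    ("2020-03-02T10:15", "digital_passport", "owner", "consent_granted", "ok"),
    ("2020-08-11T09:40", "aggregation_service", "owner", "dashboard_print", "ok"),
    ("2020-08-11T09:52", "aggregation_service", "owner", "dashboard_print", "ok"),
    ("2020-08-12T22:05", "bank_account", "owner", "login", "failed"),
    ("2020-08-12T22:06", "bank_account", "owner", "login", "failed"),
    ("2020-08-12T22:07", "bank_account", "owner", "login", "failed"),
    ("2020-09-03T17:30", "digital_passport", "administrator", "consent_withdrawn", "ok"),
    ("2020-09-10T08:55", "digital_passport", "owner", "consent_granted", "ok"),
]

def review(log, owner, away_from, away_to, max_failed=2):
    """Return sorted (timestamp, finding) pairs for the three patterns in Step 10."""
    start, end = datetime.fromisoformat(away_from), datetime.fromisoformat(away_to)
    findings, failed = [], {}
    for ts, service, account, action, result in log:
        when = datetime.fromisoformat(ts)
        away = start <= when <= end
        # 1. Consent withdrawn by an account other than the owner's.
        if action == "consent_withdrawn" and account != owner:
            findings.append((ts, f"consent withdrawn by '{account}' on {service}"))
        # 2. Successful use of the owner's account while she was away: the log
        #    names the account, not the person, so shared credentials show up here.
        if account == owner and away and result == "ok":
            findings.append((ts, f"owner account used while away: {action} on {service}"))
        # 3. Repeated failed logins on one service during the absence.
        if action == "login" and result == "failed" and away:
            failed.setdefault(service, []).append(ts)
    for service, stamps in failed.items():
        if len(stamps) > max_failed:
            findings.append((stamps[0], f"{len(stamps)} failed logins on {service}"))
    return sorted(findings)

if __name__ == "__main__":
    for ts, finding in review(AUDIT_LOG, "owner", "2020-08-08T00:00", "2020-08-22T23:59"):
        print(ts, finding)
```

Because the owner gave the administrator her own user name and password for the aggregation service in Step 5, the second rule can only say that her account was used in her absence; it cannot say by whom.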