Consent architecture for the bank
Consent for data use modelled as a structured object. This is especially critical for a bank with regulatory exposure and biometric data.
Why the bank needs a consent layer
Banking has multiple data use cases with different consent requirements: marketing communication, credit scoring, partner sharing, biometric processing, AI training, data partnerships.
Without structured consent, the bank cannot tell the regulator on what legal basis a specific data use was lawful.
cbu.uz biometric requirements from April 2026 significantly tighten the consent regime for biometric data.
Structural elements
Consent collector. Capture points: onboarding, app, web, branch.
Consent registry. Centralised. Each record: subject, purpose, data scope, channel, validity period, source, version.
Purpose taxonomy. Controlled list: marketing, credit scoring, fraud prevention, partner sharing, AI training, biometric processing, etc.
Consent enforcement layer. Every data use goes through a check.
Withdrawal mechanism. Customer can withdraw per-purpose.
Audit trail. Every consent event and every data use is logged.
Banking-specific scenarios
Onboarding. Granular consent: marketing channels, partner sharing, profile-based personalisation, biometric processing.
Re-consent. On consent text change or new purpose.
Per-purpose withdrawal flow in the app.
Subject access request. Customer asks “what do you know about me?”
Biometric special handling. cbu.uz mandates explicit biometric consent with specific text.
Cross-product profiling. Consent for combining customer view across products.
Where it usually breaks
Consent lives in one system (CRM as “marketing consent”); other systems are unaware of it.
Purpose taxonomy undefined.
Consent text changes but the registry stores only the latest version, so past compliance is unprovable.
Granular consent is impossible: only “agree to all or nothing”.
Partner sharing under generic consent: the claim cannot be defended.
Biometric data processed without specific consent: a regulatory violation.
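An added example (not code from this page or from any bank's system) of the consent registry and enforcement check listed under "Structural elements", built as an append-only event log so that the "registry stores only the latest version" failure above cannot occur. Class names, field names and purpose identifiers are assumptions, and the sample data in `demo()` is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

PURPOSES = {"marketing", "credit_scoring", "fraud_prevention",  # assumed identifiers
            "partner_sharing", "ai_training", "biometric_processing"}

@dataclass(frozen=True)
class ConsentEvent:
    subject: str
    purpose: str
    action: str            # "grant" or "withdraw"
    at: datetime
    text_version: str      # version of the consent text the customer saw
    channel: str           # onboarding, app, web, branch
    scope: frozenset = frozenset()         # data fields a grant covers
    valid_until: Optional[datetime] = None

class ConsentRegistry:
    """Append-only: history is never overwritten, so past uses stay provable."""
    def __init__(self):
        self.events, self.audit = [], []

    def record(self, ev):
        if ev.purpose not in PURPOSES:
            raise ValueError(f"purpose not in taxonomy: {ev.purpose}")
        self.events.append(ev)

    def basis(self, subject, purpose, field, at):
        """Return the grant that covered this use at time `at`, else None."""
        past = [e for e in self.events
                if (e.subject, e.purpose) == (subject, purpose) and e.at <= at]
        last = max(past, key=lambda e: e.at, default=None)  # latest event wins
        expired = last is not None and last.valid_until is not None and at > last.valid_until
        if last is None or last.action != "grant" or field not in last.scope or expired:
            return None
        return last

    def check_use(self, subject, purpose, field, at):  # enforcement point
        ev = self.basis(subject, purpose, field, at)
        self.audit.append((subject, purpose, field, at, ev.text_version if ev else None))
        return ev is not None

def demo():  # constructed sample: grant in January, per-purpose withdrawal in March
    reg, d = ConsentRegistry(), lambda m: datetime(2026, m, 1)
    reg.record(ConsentEvent("c-1", "marketing", "grant", d(1), "v1", "app", frozenset({"email"})))
    reg.record(ConsentEvent("c-1", "marketing", "withdraw", d(3), "v2", "app"))
    return reg, reg.check_use("c-1", "marketing", "email", d(2)), reg.check_use("c-1", "marketing", "email", d(4))
```

Because the withdrawal is a new event rather than an overwrite, a February use of the email address can still be tied to consent text `v1` after the customer withdrew in March.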
Operating model
Owner — DPO with tech mandate.
Teams: platform engineering, compliance, channel integration, customer experience.
Routine — quarterly consent audit.
Related
- /en/architecture/banking-cdp-architecture/ — CDP with consent enforcement
- /en/insights/banking-data-protection/ — data protection
- /en/insights/banking-biometrics-april-2026/ — biometrics
- /en/architecture/banking-ekyc-architecture/ — eKYC