AI 扩展计划 / Playbooks
AI Open Banking / Open Finance / Consented Data Sharing Playbook
核心判断:
808 行AI_OPEN_BANKING_OPEN_FINANCE_CONSENTED_DATA_SHARING_PLAYBOOK.md
AI Open Banking / Open Finance / Consented Data Sharing Architecture Playbook
定位: 面向 CBAP+、高级 AI PM、Financial Retail Product Architect、Enterprise Architect、API Platform Owner、Data Product Manager、Fraud Risk、Privacy、Compliance、Model Risk、Third-Party Risk 和 Customer Trust Lead, 把 open banking / open finance / consented data sharing 设计成可上线、可治理、可审计、可撤销、可解释的 AI data-sharing operating system。 适用范围: AI personal financial management、cash-flow assistant、account aggregation、income and affordability verification、SME cash-flow underwriting、subscription optimization、bill reminders、hardship support、fraud/scam monitoring、data portability、embedded finance、customer-facing agent、employee copilot 和 API ecosystem governance。 核心产出: executive framing、source anchors、taxonomy、decision gates、artifact set、RACI、implementation roadmap、evidence pack、release checklists、metrics、anti-patterns、tabletop scenarios、interview answers 和 practical templates。
核心判断:
AI can create value from permissioned financial data only when consent, API access, data lineage, model use, third-party obligations, revocation and evidence are governed as one architecture.
0. Disclaimer
本文是学习、作品集、架构训练和内部治理讨论材料, 不构成法律意见、监管意见、CFPB 1033 适用性判断、合规期限判断、实体义务判断、隐私影响评估结论、模型验证报告、信息安全认证、消费者通知建议、供应商推荐、KYC/KYB 充分性判断、信用/适当性/投资建议结论或上线批准。
正式项目必须由 Legal、Compliance、Privacy、Information Security、Fraud Risk、Financial Crime、Model Risk、Data Governance、API Platform、Third-Party Risk Management、Vendor Management、Customer Experience、Operations、Accessibility、Product Owner、Architecture、Internal Audit 和管理层结合机构类型、产品风险、客户关系、数据类型、司法辖区、rule status、litigation / regulatory developments、contract structure、供应商角色和内部政策确认。
边界原则:
- Consented access 不是无限使用。
- API access 不是模型训练许可。
- Account data 不是全域行为画像许可。
- Data portability 不是数据转售许可。
- Revocation 必须影响 collection、use、cache、features、embeddings、agent sessions 和 downstream sharing。
- CFPB 1033 或其他要求的 exact applicability 取决于 product、entity role、data type、customer relationship、jurisdiction、rule status、litigation/regulatory developments 和 Legal/Compliance interpretation。
1. Executive Framing
高管通常会听到这样的项目叙事:
Customers can connect their bank accounts.
AI will analyze spending and recommend better products.
Open banking APIs make data safe and standardized.
这些说法如果没有 operating model, 会产生四类隐性风险:
| Risk | What goes wrong | Executive concern |
|---|---|---|
| Trust risk | 客户不知道谁拿了什么数据、为什么拿、怎么撤销 | adoption, complaints, brand trust |
| Data-use risk | 数据为预算功能授权, 后续进入 marketing, credit, training 或 unrelated profiling | privacy, consumer harm, regulatory scrutiny |
| Ecosystem risk | aggregator / developer / downstream party 数据质量差、撤销不传播、incident 不透明 | third-party risk, resilience |
| AI risk | 模型把交易数据推断成敏感属性、给出 unsupported advice、触发 agent overreach | model risk, fairness, harm, audit |
Executive one-liner:
Open banking AI is not a connector project.
It is a consent, API, model and third-party risk operating model.
1.1 Steering Committee Questions
- 客户授权的数据是否只服务于 customer-requested product or service?
- API scope、feature store、RAG retrieval、agent tools 和 retention 是否都受 consent registry 控制?
- data recipient、aggregator、developer app、model provider 和 downstream party 的责任是否清楚?
- Revocation 后, 数据、features、embeddings、agent sessions、downstream sharing 和 evidence 如何处理?
- 投诉发生时, 是否能重放 disclosure、consent、API calls、data quality、AI run、decision 和 customer message?
2. Source Anchors
| Anchor | Official link | 本 playbook 使用方式 |
|---|---|---|
| CFPB Personal Financial Data Rights final rule | https://www.consumerfinance.gov/rules-policy/final-rules/required-rulemaking-on-personal-financial-data-rights/ | 用作 secure and reliable consumer / authorized third-party access、privacy protections、fair and inclusive standards 的 open banking 官方锚点 |
| CFPB Regulation 1033 / Personal Financial Data Rights | https://www.consumerfinance.gov/rules-policy/regulations/1033/ | 用 covered data、developer interface、authorization disclosure、third-party obligations、accuracy、security、revocation 和 retention 结构化 decision gates |
| CFPB Personal financial data rights compliance resource | https://www.consumerfinance.gov/compliance/compliance-resources/other-applicable-requirements/personal-financial-data-rights/ | 用作 rule status、official interpretations、implementation resources 和 regulatory change watch 的入口, 不推断适用性或期限 |
| CFPB compliance circulars / guidance landing page | https://www.consumerfinance.gov/compliance/circulars/ | 用作 guidance / circulars / supervisory materials 的 horizon scanning source |
| FFIEC Authentication and Access to Financial Institution Services and Systems | https://www.ffiec.gov/press/pr081121.htm | 用 authentication risk assessment、layered controls、MFA/equivalent strength、third-party and customer-permissioned access controls 组织 release gates |
| NIST Privacy Framework | https://www.nist.gov/privacy-framework | 用 privacy risk management、purpose limitation、data minimization、governance 和 customer trust 组织 privacy controls |
| NIST AI RMF | https://www.nist.gov/itl/ai-risk-management-framework | 用 AI risk Govern / Map / Measure / Manage 思路组织 AI eval、monitoring、incident and risk treatment |
| ISO/IEC 42001 overview | https://www.iso.org/standard/42001 | 用 AI management system、roles、policy、operation、performance evaluation、internal audit 和 continual improvement 组织 operating rhythm |
Source-to-control pattern:
source anchor -> policy interpretation -> architecture decision
-> workflow requirement -> technical control
-> evidence artifact -> owner -> metric -> review cadence
3. Taxonomy
3.1 Ecosystem Roles
| Role | Product meaning | Control question |
|---|---|---|
| Customer / consumer | 授权数据分享、使用 AI 服务、撤销、纠错、投诉 | 是否理解 value, data categories, duration, AI use and revocation? |
| Data provider | 持有账户和金融产品数据的一方 | developer interface 是否安全、可靠、标准化、可审计? |
| Authorized data recipient | 为客户请求的服务访问数据的一方 | 是否只收集、使用、保留合理必要的数据? |
| Data aggregator | 代表 provider / recipient 连接数据生态 | revocation, accuracy, security, contract pass-through 是否可证明? |
| Developer app | 面向客户的 app 或 embedded journey | 是否通过 onboarding, certification and monitoring? |
| AI system | RAG、预测、推荐、agent、copilot 或自动化规则 | 是否受 consent-purpose-feature boundary 限制? |
| Downstream processor | 模型供应商、analytics vendor、cloud、subprocessor | 数据是否被约束、隔离、加密、审计和退出? |
| Governance owners | Legal、Compliance、Privacy、Risk、Audit、Product、Architecture | 谁 accountable for interpretation, risk acceptance and CAPA? |
3.2 Data Classes
| Class | Examples | Governance rule |
|---|---|---|
| Raw provider data | transactions, balances, terms, bill data, account verification | consent-bound, source-preserved, minimal access |
| Normalized data | mapped schema, currency/timezone standardized, deduped | preserve source and transformation lineage |
| Enriched data | merchant category, recurring payment, subscription, income pattern | confidence and uncertainty required |
| Derived features | cash-flow volatility, income stability, overdraft risk | allowed/prohibited uses and fairness review |
| AI inference | vulnerability signal, spending persona, scam likelihood | never treated as verified fact |
| Customer-facing output | recommendation, alert, explanation, agent draft | source-grounded and policy-checked |
| Evidence data | consent, API call, model run, reviewer decision | retained under evidence policy, not generic analytics |
3.3 Consent States
| State | System behavior |
|---|---|
| Draft | disclosure prepared, no collection |
| Active | scoped collection and use allowed for purpose |
| Expired | stop collection; reauthorization needed |
| Revoked | stop collection; enforce retention / cache / feature / embedding actions |
| Suspended | temporary hold due to fraud, complaint, provider issue or policy review |
| Disputed | customer questions accuracy or authorization; freeze high-impact use |
| Archived | evidence retained under policy, no operational use |
3.4 AI Use Levels
| Level | Example | Control |
|---|---|---|
| Inform | show balances or transactions | source display and freshness |
| Explain | categorize spend or summarize fees | grounding and quality caveats |
| Predict | cash-flow forecast or income volatility | model eval and drift monitoring |
| Recommend | budget plan or hardship option | suitability/advice boundary and explanation |
| Decide | eligibility, credit, fraud action | formal policy, human oversight, adverse-action/evidence workflow where applicable |
| Act | submit application, initiate payment, change account | separate action authorization and step-up |
4. Decision Gates
Gate 0: Use Case Eligibility
| Question | Pass condition |
|---|---|
| What customer-requested product or service justifies data access? | one-sentence value proposition approved |
| Is AI involved in collection, interpretation, recommendation, decision or action? | AI role and impact tier documented |
| Is the use case read-only, recommendation, decision or action? | action boundary defined |
| Does the use case involve regulated advice, credit, eligibility, identity, hardship or fraud? | Legal/Compliance/Model Risk review route defined |
| Can customer value be delivered with less data? | minimization alternatives assessed |
Gate 1: Role and Regulatory Interpretation
| Question | Pass condition |
|---|---|
| Are data provider, recipient, aggregator, service provider and downstream processor roles mapped? | ecosystem role map signed off |
| What data type and customer relationship are involved? | data taxonomy and scope record |
| Which jurisdictions and rule-status dependencies matter? | legal/compliance interpretation record |
| Are compliance dates, stays, litigation or amendments being monitored without making product assumptions? | regulatory horizon watch owner |
| Are contracts aligned to role allocation? | contract checklist completed |
Gate 2: Consent and Data Minimization
| Question | Pass condition |
|---|---|
| Does disclosure show recipient, provider, service, categories, duration, frequency and revocation? | UI copy and consent receipt versioned |
| Are data categories/time windows necessary for the service? | minimization matrix approved |
| Are optional data scopes separated from required scopes? | scope design supports opt-down |
| Is AI use explained at the correct level? | customer-facing AI use statement approved |
| Can revocation be done as easily as authorization? | revocation UX and test evidence |
Gate 3: API and Developer Ecosystem
| Question | Pass condition |
|---|---|
| Is client registration tied to business purpose and scopes? | developer profile and scopes approved |
| Are authentication, token, rate, logging and security controls defined? | API gateway control spec |
| Is schema standardized and machine-readable enough for recipient use? | API contract and test suite |
| Are error, outage, retry and consent-state semantics defined? | integration runbook |
| Has the developer/app passed sandbox and negative scenarios? | certification result |
Gate 4: Third-Party and Vendor Risk
| Question | Pass condition |
|---|---|
| Are aggregator, model provider and subprocessors identified? | third-party inventory |
| Are data-use, retention, training, resale, subprocessing and audit rights contracted? | contract evidence |
| Are security, incident response and breach notification controls reviewed? | TPRM approval |
| Is revocation propagated to all relevant downstream parties? | revocation propagation test |
| Is exit/portability/replacement feasible? | exit plan and data return/destruction control |
Gate 5: Data Quality and Feature Boundary
| Question | Pass condition |
|---|---|
| Are raw, normalized, enriched and derived layers separated? | data lineage design |
| Are freshness, completeness, categorization and confidence available to AI? | quality metadata |
| Are features tied to consent purpose and allowed decisions? | feature boundary registry |
| Are sensitive inferences blocked or reviewed? | sensitive inference policy and test |
| Are customer corrections and disputes handled? | correction workflow |
Gate 6: AI / RAG / Agent Controls
| Question | Pass condition |
|---|---|
| Does every retrieval call check consent and purpose? | entitlement test |
| Are indexes isolated by customer/purpose or equivalent controls? | RAG architecture review |
| Are outputs source-grounded and freshness-aware? | eval result |
| Are advice, credit, eligibility, identity and legal conclusions bounded? | output policy tests |
| Are agent actions separately authorized? | action approval design |
Gate 7: Fraud, Scam and Abuse
| Question | Pass condition |
|---|---|
| Are malicious app, consent phishing, ATO, API exfiltration and scam scenarios covered? | threat model |
| Are high-risk access and actions step-up protected? | authentication policy |
| Are recipient and API anomalies monitored? | fraud dashboard |
| Are customers warned about risky sharing or suspicious recipients? | customer trust UX |
| Is support trained for scam and revocation incidents? | ops training record |
Gate 8: Evidence, Complaints and Audit
| Question | Pass condition |
|---|---|
| Can a case replay consent, API calls, data transforms, AI run and decision? | evidence bundle complete |
| Is customer final communication captured? | message id and content version |
| Can complaints link to consent and AI trace? | complaint schema updated |
| Are logs privacy-safe and retention-bound? | data governance approval |
| Is CAPA ownership clear? | RCA taxonomy and backlog owner |
5. Required Artifacts
| Artifact | What it proves |
|---|---|
| Executive One-Pager | 客户价值、risk posture、AI boundary 和 go/no-go decision |
| Ecosystem Role Map | 明确 provider、recipient、aggregator、developer、model provider 和 downstream processors |
| Regulatory Interpretation Card | 记录 Legal/Compliance 对 role、data、jurisdiction、rule status 的解释边界 |
| Consent and Disclosure Pack | 证明客户看见了 scope、purpose、duration、frequency、revocation 和 AI use |
| Data Minimization Matrix | 证明每个 data category 都有业务目的 |
| API Contract and Scope Catalog | 证明 technical interface 可执行 purpose-bound access |
| Developer Onboarding Checklist | 证明第三方 app 通过 security/privacy/ops/model/fraud gates |
| Third-Party Risk File | 证明 aggregator/vendor/subprocessor obligations and exit controls |
| Data Quality and Lineage Spec | 证明 AI 能理解 freshness、quality、source and uncertainty |
| Feature Boundary Registry | 证明 derived features 有 allowed/prohibited uses |
| RAG Control Spec | 证明检索隔离、source grounding、revocation lifecycle |
| Agent Authorization Matrix | 证明 read/reason/recommend/act 分级授权 |
| Fraud Threat Model | 证明 malicious app、ATO、API exfiltration、APP scam 等场景被覆盖 |
| Evidence Bundle Schema | 证明每个 AI answer/decision/action 可审计 |
| QA/Eval Scenario Suite | 证明上线前跑过 positive, negative, revocation, fraud and accessibility cases |
| Operating Model RACI | 证明跨 Product、Architecture、Risk、Legal、Compliance、Ops 的 accountability |
5.1 Data Minimization Matrix
| Customer value | Bad request | Better request |
|---|---|---|
| Budget summary | all accounts, all history, all fields | selected accounts, 3-6 month transactions, categories required for budget |
| Account ownership | bank statement PDF and full account number | account verification signal or truncated/tokenized identifier |
| Cash-flow alert | continuous full transaction feed forever | time-bound balance and recurring obligations |
| Subscription cancellation | all transaction history and merchant identities | recurring merchant transactions in selected categories |
| Income verification | all spending plus employer inference | income/payroll deposits or approved income data source |
| Hardship support | full profile and behavioral history | income drop, missed payments and customer-selected supporting data |
5.2 AI Boundary Matrix
| AI task | Allowed | Block or review |
|---|---|---|
| Summarize spending | source-grounded summary for authorized account/time window | unsupported statement about full financial health |
| Detect recurring bills | explain candidate recurring transactions with confidence | cancel or contact biller without approval |
| Forecast cash flow | provide estimate with freshness caveat | guarantee affordability or credit outcome |
| Identify scam risk | route to warning/human review | reveal fraud rules or accuse customer |
| Prefill application | prefill from authorized source rows | submit without review |
| Recommend product | show customer-requested comparison if allowed | targeted cross-sell from unrelated consent |
| Train model | only under separately approved policy and consent basis | default training on connected-account data |
6. RACI / Operating Model
| Activity | Accountable | Responsible | Consulted | Informed |
|---|---|---|---|---|
| Use case selection | Product Owner | AI PM / Senior BA | CX, Risk, Architecture | Steering Committee |
| Regulatory interpretation | Legal / Compliance | Compliance Product Advisor | Privacy, Product, Architecture | Executive Sponsor |
| Consent and disclosure | Privacy / Product Owner | BA / Content / Design | Legal, Compliance, Accessibility | Operations |
| Data minimization | Privacy / Data Governance | Data Product Owner | Product, Model Risk, Legal | Audit |
| API scope and contract | API Platform Owner | API Architect / Engineering | Security, Product, Developer Relations | Operations |
| Developer onboarding | Third-Party Risk / API Platform | Developer Relations / Vendor Mgmt | Security, Privacy, Compliance, Fraud | Product |
| Aggregator/vendor oversight | TPRM Owner | Vendor Management | Legal, Security, Data Governance | Risk Committee |
| Data quality and lineage | Data Governance | Data Engineering / Data Product | Product, Model Risk | Operations |
| AI feature boundary | Model Risk / AI Governance | AI PM / ML Platform | Privacy, Compliance, Product | Audit |
| RAG controls | Architecture / AI Platform | Engineering / ML Platform | Security, Data Governance | Product |
| Agent action controls | Product Risk Owner | AI Platform / Workflow Engineering | Fraud, Legal, CX | Operations |
| Fraud threat model | Fraud Risk | Fraud Analytics / Security | API Platform, Product, Legal | Executive Risk |
| Evidence ledger | Architecture / Data Governance | Platform Engineering | Audit, Privacy, Compliance | Operations |
| Complaint linkage | Complaint Operations | Case Management / Data | Product, Compliance, Model Risk | Audit |
| Independent assurance | Internal Audit | Audit Team | Risk, Legal, Technology | Board Committee |
Governance cadence:
| Cadence | Forum | Output |
|---|---|---|
| Weekly | Pilot risk standup | consent defects, API errors, AI eval failures, fraud signals |
| Biweekly | Developer/app review | onboarding decisions, scope changes, rejected apps |
| Monthly | Open banking performance review | API SLO, data quality, revocation, complaints |
| Monthly | AI use and feature review | feature boundary, RAG grounding, inference incidents |
| Quarterly | Third-party risk committee | aggregator/vendor findings, exit readiness, incidents |
| Quarterly | Regulatory horizon review | CFPB/guidance/standard-setting/jurisdiction updates |
| Semiannual | Tabletop exercise | malicious app, revocation failure, model misuse, provider outage |
| Annual | AI management system / internal audit | policy effectiveness, evidence completeness, CAPA aging |
7. Implementation Roadmap
Days 1-30: Strategy and Control Baseline
| Day range | Work | Artifact |
|---|---|---|
| 1-3 | Pick one bounded journey, such as cash-flow assistant or account verification | Executive One-Pager |
| 4-6 | Map ecosystem roles and Legal/Compliance interpretation boundaries | Ecosystem Role Map, Interpretation Card |
| 7-10 | Define customer value, purpose, data categories, time window and AI role | Use Case Boundary Card |
| 11-14 | Build data minimization matrix and consent disclosure draft | Minimization Matrix, Consent Pack v1 |
| 15-18 | Define API scopes, schema, error, freshness and revocation semantics | API Contract v1 |
| 19-21 | Identify aggregator/vendor/model provider/subprocessors | Third-Party Inventory |
| 22-24 | Design data quality, lineage and feature boundary model | Data Lineage Spec, Feature Registry v1 |
| 25-27 | Threat model AI/RAG/agent/fraud/scam scenarios | Threat Model |
| 28-30 | Define evidence schema, metrics and release gates | Evidence Bundle Schema, Dashboard Spec |
Days 31-60: Controlled Pilot
| Day range | Work | Artifact |
|---|---|---|
| 31-35 | Build consent registry, API scope enforcement and entitlement checks | Control Test Report |
| 36-40 | Integrate provider/aggregator APIs with quality and lineage tags | Data Quality Report |
| 41-44 | Implement RAG isolation, source citations and freshness-aware answers | RAG Eval Report |
| 45-48 | Configure AI output policies and prohibited-use controls | AI Guardrail Report |
| 49-52 | Implement revocation propagation across tokens, cache, features and embeddings | Revocation Test Evidence |
| 53-55 | Run developer/third-party onboarding and contract controls | TPRM Approval Pack |
| 56-58 | Train operations, fraud and complaints teams | Training Record |
| 59-60 | Launch pilot with manual review sampling and kill switch | Pilot Launch Decision |
Days 61-90: Scale and Assurance
| Day range | Work | Artifact |
|---|---|---|
| 61-65 | Analyze consent drop-off, value, data quality, AI defects and complaints | Outcome Review |
| 66-70 | Tune scopes, prompts, feature boundaries and fraud thresholds | Change Record |
| 71-74 | Test malicious app, ATO, consent phishing and provider outage scenarios | Tabletop Report |
| 75-78 | Validate complaint replay and evidence completeness | Audit Replay Sample |
| 79-82 | Complete Model Risk, Privacy, Security and Compliance review | Governance Review Pack |
| 83-86 | Validate exit plan and vendor/subprocessor controls | Exit Readiness Evidence |
| 87-90 | Decide scale, restrict, redesign or retire | Go/No-Go Decision Record |
8. Evidence Pack
Minimum evidence fields:
| Field | Purpose |
|---|---|
case_id | customer journey reference |
use_case_id | product/service and purpose |
customer_ref | controlled reference, not raw PII in general logs |
data_provider_id | provider of account/financial data |
data_recipient_id | party receiving data |
aggregator_id | aggregator if used |
developer_app_id | app / client registration |
consent_id | authorization record |
disclosure_version | what the customer saw |
data_categories | categories requested and actually collected |
scope_ids | API scopes |
duration | authorization period |
frequency | collection frequency |
revocation_method | how customer can revoke |
api_request_ids | provider/aggregator/API calls |
api_response_hashes | integrity without over-logging sensitive payloads |
data_quality_score | freshness, completeness, confidence |
lineage_refs | raw, normalized, enriched, feature layers |
feature_ids | derived features used |
retrieval_run_id | RAG retrieval trace |
source_record_refs | rows/documents used for answer |
model_id | model/version |
prompt_policy_id | prompt/tool/output policy |
ai_run_id | AI trace |
human_review_id | reviewer and rationale if applicable |
action_approval_id | separate approval for submit/payment/account change |
fraud_risk_result | risk score and reason codes |
customer_final_message_id | final answer/notice/alert |
complaint_id | linked complaint if any |
retention_rule | retention and deletion/archival policy |
revocation_event_id | revocation and propagation evidence |
capa_id | corrective action if defect |
Evidence rules:
- Store consent, operational data, model traces and raw financial payloads with separate access controls.
- Do not log customer credentials, private keys, raw tokens or full account numbers in generic observability.
- Treat missing consent id, missing source refs or missing revocation evidence as control defects.
- Keep customer-facing text versions, not only backend decisions.
- Record what the AI saw and what it did not see.
- Preserve data quality and freshness at answer time.
- Make complaint replay possible without exposing unnecessary raw data to support teams.
9. Checklists
9.1 Release Checklist
| Check | Passing evidence |
|---|---|
| Customer-requested service defined | Use Case Boundary Card |
| Legal/Compliance interpretation boundary recorded | Interpretation Card |
| Data minimization approved | Minimization Matrix |
| Consent disclosure tested | Consent Pack and UI evidence |
| API scopes configured | Scope Catalog |
| Runtime entitlement checks pass | Control Test Report |
| Developer/app onboarding completed | Developer Certification |
| Aggregator/vendor review completed | TPRM Approval |
| Data quality and lineage available | Data Quality Report |
| Feature boundaries approved | Feature Registry |
| RAG source grounding passes | RAG Eval |
| Revocation propagation tested | Revocation Evidence |
| AI prohibited-use tests pass | Guardrail Eval |
| Fraud threat model complete | Threat Model |
| Complaint replay tested | Audit Replay Sample |
| Operations trained | Training Record |
9.2 Consent UX Checklist
| Check | Passing evidence |
|---|---|
| Data recipient name visible and understandable | UI screenshot/spec |
| Data provider name visible | UI screenshot/spec |
| Requested product/service described | content approval |
| Data categories listed with useful specificity | disclosure text |
| Duration and frequency shown | consent receipt |
| Revocation method shown | consent receipt and test |
| AI use explained without overclaiming | AI use statement |
| Optional scopes separated | UX test |
| Language and accessibility reviewed | accessibility evidence |
| Copy avoids blanket waiver language | content/legal review |
9.3 API and Developer Checklist
| Check | Passing evidence |
|---|---|
| Client registered and owned | developer profile |
| Business purpose approved | onboarding decision |
| Scopes match minimization matrix | scope review |
| Authentication and token controls configured | security test |
| No customer credential collection | architecture review |
| Error and outage behavior tested | integration test |
| Rate limits and anomaly monitoring active | gateway dashboard |
| Revocation notification path tested | revocation test |
| Sandbox negative cases passed | certification record |
| Incident contact and support path available | ops runbook |
9.4 AI / RAG Checklist
| Check | Passing evidence |
|---|---|
| Retrieval checks active consent and purpose | entitlement test |
| Customer/purpose isolation enforced | architecture review |
| Source rows captured | retrieval trace |
| Freshness shown or used in policy | answer evidence |
| Prompt-injection controls tested | red-team result |
| Sensitive inference policy applied | eval result |
| Advice/eligibility/credit boundaries enforced | output policy test |
| Revoked data not retrieved | revocation regression |
| Embedding lifecycle defined | data governance record |
| Human escalation triggers work | case test |
9.5 Revocation Checklist
| Check | Passing evidence |
|---|---|
| Revocation is easy to find and operate | UX test |
| API tokens stopped | gateway log |
| Provider/aggregator/downstream notified | propagation log |
| New collection stopped | data ingestion log |
| Cache action executed | cache record |
| Feature action executed | feature registry event |
| Embedding action executed | vector lifecycle record |
| Agent sessions stopped or downgraded | workflow event |
| Customer receipt issued | message id |
| Exceptions documented | risk acceptance or remediation |
9.6 Fraud and Scam Checklist
| Check | Passing evidence |
|---|---|
| Malicious recipient scenario tested | tabletop result |
| Consent phishing warning patterns defined | UX/risk rule |
| ATO-linked authorization monitored | fraud dashboard |
| High-risk access step-up active | auth policy |
| API exfiltration anomaly controls active | SIEM/gateway alerts |
| APP scam intervention defined | fraud playbook |
| Support can revoke and escalate | ops test |
| Third-party incident drill completed | exercise record |
10. Metrics and KRIs
| Metric | Why it matters |
|---|---|
| Connection completion rate | friction and customer value |
| Time to first useful insight | value realization |
| Consent drop-off by disclosure step | trust and clarity |
| Average data categories requested | minimization |
| Unused data ratio | overcollection |
| Revocation success time | customer control |
| Reauthorization completion | ongoing trust |
| API response success and latency | ecosystem reliability |
| Provider/aggregator error rate | operational risk |
| Data freshness defect rate | answer quality |
| Categorization correction rate | enrichment quality |
| RAG grounded-answer rate | AI reliability |
| Unsupported conclusion rate | model risk |
| Sensitive inference defect rate | privacy/fairness risk |
| Feature-without-consent-lineage count | governance gap |
| Revoked-data retrieval attempts | lifecycle control |
| Malicious/deceptive app alerts | ecosystem risk |
| ATO-linked authorization rate | fraud risk |
| Scam escalation conversion | customer protection |
| Third-party review overdue rate | vendor risk |
| Complaint trace completeness | audit readiness |
| CAPA aging | governance follow-through |
Balanced scorecard:
Value: customers receive clear, useful financial outcomes.
Consent: data sharing is understood, scoped and revocable.
Data: quality, lineage and minimization are measurable.
AI: outputs are grounded, bounded and monitored.
Ecosystem: APIs and third parties are secure and reliable.
Fraud: malicious access and scams are detected.
Evidence: decisions and actions are replayable.
11. Anti-Patterns
| Anti-pattern | Why it fails | Better pattern |
|---|---|---|
| “Connect bank” as blanket consent | hides data categories and purposes | scoped authorization disclosure and receipt |
| Collect all data for future AI | violates minimization and trust | purpose-specific data selection |
| Generic lake before governance | loses consent and revocation metadata | consent-bound data zones |
| RAG index shared across purposes | leakage and prohibited use | customer/purpose-isolated retrieval |
| Model training by default | customer did not authorize training | separate approved training policy and consent basis |
| AI turns spend into sensitive labels | privacy and fairness harm | sensitive inference controls |
| Revocation only disables token | old features and embeddings continue | full lifecycle revocation |
| Aggregator chosen only by coverage | ignores security, quality, revocation, exit | TPRM and architecture review |
| API error becomes AI fact | false customer advice | error-aware and freshness-aware responses |
| Agent acts under data consent | unauthorized payments or submissions | separate action approval |
| Developer onboarding is sales-led | weak third-party control | security/privacy/fraud/model certification |
| Success measured only by engagement | incentivizes surveillance | balanced value, trust and risk metrics |
12. Tabletop Scenarios
Scenario 1: Consent Phishing
A customer is coached by a scammer to authorize a budgeting app that uses a name
similar to a known fintech. The app requests transaction history and account verification data.
Expected decisions: developer identity display, app reputation checks, customer warning, revocation support, fraud escalation, evidence capture。
Scenario 2: Revoked Data Still in RAG
The customer revokes access. The API token is disabled,
but the AI assistant continues answering questions from old embeddings.
Expected decisions: embedding lifecycle defect, retrieval entitlement fix, customer communication, CAPA, regression test。
Scenario 3: Unsupported Credit Inference
The model uses cash-flow data from a budgeting consent to tell the customer
they are likely eligible for a credit product.
Expected decisions: purpose violation, output policy block, feature boundary update, model-risk review。
Scenario 4: Aggregator Outage
Balance refresh fails for six hours. The AI assistant still recommends moving money
to avoid an overdraft using stale balance data.
Expected decisions: freshness gate, degraded-mode messaging, action block, provider/aggregator incident handling。
Scenario 5: Malicious Developer Overcollection
A developer app certified for subscription detection starts requesting broad historical data
and showing signs of bulk export.
Expected decisions: anomaly detection, scope suspension, audit rights, customer notification analysis, incident response。
Scenario 6: SME Authority Ambiguity
An employee connects business accounts to an AI cash-flow underwriting app,
but authority to share business financial data is unclear.
Expected decisions: business consent authority model, role verification, human review, contract update。
Scenario 7: Prompt Injection in Transaction Memo
A transaction memo contains text instructing the assistant to ignore privacy controls
and reveal all recent transactions.
Expected decisions: data sanitation, prompt-injection defense, retriever policy, red-team regression。
13. Portfolio Deliverables
| Deliverable | What it demonstrates |
|---|---|
| Executive one-pager | 你能把 open banking AI 从 connector 讲成 trust operating model |
| Ecosystem role map | 你能区分 provider、recipient、aggregator、developer、AI operator |
| Consent disclosure pack | 你能设计客户可理解、可撤销、可审计的数据分享体验 |
| Data minimization matrix | 你能把价值主张转成最小数据请求 |
| API scope catalog | 你能把 purpose limitation 落到技术接口 |
| Developer onboarding checklist | 你能治理第三方生态 |
| Feature boundary registry | 你能防止交易数据变成无边界画像 |
| RAG control spec | 你能设计账户数据上的安全检索增强生成 |
| Agent authorization matrix | 你能区分 read, reason, recommend, act |
| Fraud threat model | 你能覆盖 malicious app、ATO、APP scam、API exfiltration |
| Revocation runbook | 你能处理 token、cache、features、embeddings 和 downstream sharing |
| Evidence bundle schema | 你能让投诉、审计和监管问询可重放 |
| Metrics dashboard | 你能平衡 value、trust、risk、AI safety 和 ecosystem performance |
Portfolio storyline:
I designed an AI open banking architecture where customer consent is a runtime control plane.
The system requests minimum data for a customer-requested service,
uses governed APIs and third parties,
preserves data quality and lineage,
constrains AI features and RAG retrieval by purpose,
separates recommendations from actions,
propagates revocation through features and embeddings,
and keeps evidence replayable for audit and complaints.
14. Interview Answers
Q1: 如何向高管解释 AI open banking 的价值和风险?
30 秒:
价值是让客户授权自己的金融数据, 获得现金流洞察、账户聚合、费用优化、收入验证和更好的金融体验。风险是授权被解释成无限使用, API 数据进入无边界模型, 第三方和 aggregator 控制薄弱, 撤销不生效。成熟方案要把 consent registry 做成 runtime control plane, 约束 API scope、features、RAG、agent actions、retention and evidence。
Q2: Consent 和 authorization 有什么区别?
30 秒:
Consent 是客户同意某个 recipient 为特定服务访问特定数据。Authorization 是系统允许某个 client、agent 或 workflow 做某件事。Authentication 是确认当前用户或 client 身份。连接银行账户的 consent 不能自动授权 AI 发起付款、提交申请或用数据做不相关训练。
Q3: 如何防止 open banking 数据被 AI 滥用?
30 秒:
从数据入口就绑定 consent_id、purpose、data category、duration、allowed uses、prohibited uses 和 revocation action。Feature store、RAG retriever、model serving 和 agent tools 每次使用都检查 entitlement。敏感推断、交叉销售、训练和高影响决策需要单独政策审批、eval、人审和证据。
Q4: RAG over account data 的核心设计是什么?
30 秒:
它必须是 customer/purpose isolated retrieval, 不是通用知识库。每次检索先查 consent and entitlement, 再按 time window、data category、freshness、quality 取 source rows。回答要带 source grounding 和 caveat, 禁止越界 advice/action, revocation 后要停止检索并处理 embeddings lifecycle。
Q5: Revocation 为什么是架构问题而不是 UI 功能?
30 秒:
因为撤销不只是隐藏连接状态。它要停止 provider/aggregator API collection, 通知 downstream parties, 禁用或限制 derived features, 处理 cache and embeddings, 停止 agent workflows, 更新 retention 状态, 给客户 receipt, 并保留审计证据。做不到这些, 撤销只是前端按钮。
15. Practical Templates
15.1 Use Case Boundary Card
Use case:
Customer-requested product/service:
Customer segment:
Jurisdiction / policy scope:
Data provider(s):
Data recipient:
Aggregator / vendor:
AI role:
Decision/action impact:
Required data categories:
Optional data categories:
Time window:
Refresh frequency:
Allowed AI uses:
Prohibited AI uses:
Human review triggers:
Revocation behavior:
Evidence requirements:
Accountable owner:
Risk owner:
15.2 Consent Disclosure Checklist
Recipient name:
Provider name:
Aggregator name if visible/applicable:
Requested product/service:
Data categories:
Required vs optional data:
Duration:
Collection frequency:
How data will be used:
How AI will be used:
Uses not permitted:
Downstream sharing:
Revocation method:
Customer support route:
Language:
Accessibility evidence:
Disclosure version:
15.3 Developer Onboarding Record
| Field | Example |
|---|---|
| developer_app_id | cashflow-assistant-prod |
| legal_entity | Example Fintech Inc. |
| product_service | AI cash-flow insights |
| requested_scopes | transactions.read.6m, balances.read, bills.read |
| rejected_scopes | account_verification.full, transactions.all_history |
| security_status | approved with annual review |
| privacy_status | approved, no targeted advertising or resale |
| AI_status | RAG only, no model training on customer data |
| fraud_controls | anomaly monitoring, high-risk warning, support escalation |
| revocation_test | passed |
| incident_contact | named operational contact |
| exit_plan | data return/destruction and token termination |
15.4 Feature Boundary Register
Feature name:
Business purpose:
Source data categories:
Consent purpose:
Transformation:
Confidence / quality dependency:
Allowed model use:
Allowed customer outputs:
Allowed decisions:
Prohibited decisions:
Sensitive inference review:
Fairness review:
Human review triggers:
Retention:
Revocation action:
Monitoring metric:
Owner:
15.5 RAG Control Record
RAG use case:
Retriever policy:
Consent check:
Customer/account isolation:
Purpose isolation:
Data categories:
Time window:
Freshness requirement:
Quality filters:
Prompt injection controls:
Source citation rule:
Output policy:
Human escalation:
Revocation behavior:
Eval scenarios:
Evidence fields:
15.6 Revocation Evidence Record
Revocation event id:
Customer ref:
Consent id:
Data recipient:
Data provider:
Aggregator:
Developer app:
Revoked at:
Customer channel:
API token action:
Provider notification:
Aggregator notification:
Downstream notification:
Collection stop confirmed:
Cache action:
Feature action:
Embedding action:
Agent workflow action:
Retention exception:
Customer receipt:
Evidence bundle:
Owner:
Closure time:
15.7 Complaint RCA Template
Complaint id:
Customer issue:
Consent id:
Disclosure version:
Data categories:
API request ids:
Data quality status:
Feature ids:
AI run id:
RAG source refs:
Human review:
Final customer message:
Alleged harm:
Root cause category:
Immediate remediation:
Customer remediation:
CAPA owner:
CAPA due date:
Closure evidence:
16. Final Operating Principle
这套 playbook 的成熟度可以用一个问题检验:
When an AI-enabled financial product uses customer-authorized open banking or open finance data,
can the institution prove the customer understood the value and scope,
the API enforced the consent,
the data stayed minimized and lineage-preserved,
the model used only permitted features and retrieval sources,
third parties honored purpose, retention and revocation,
fraud/scam controls monitored abuse,
agent actions required separate approval,
and every outcome can be replayed for customer trust, audit and remediation?
如果答案不清楚, 不是缺一个 bank-connection SDK。问题是 consented data sharing、API platform、data governance、AI governance、third-party risk、fraud controls、revocation lifecycle 和 evidence architecture 还没有成为同一套 operating system。