# Consent
source: https://developer.mastercard.com/open-finance-au/documentation/consent/index.md

#### What is Consent? {#what-is-consent}

Consent is a crucial part of getting access to the consumer's financial data. Any information received from the Financial Institution (FI) in Australia is protected by CDR regulation and *"an accredited person may only collect, use and disclose CDR data with the consent of the consumer"* (see [Chapter C: Consent -- The basis for collecting and using CDR data](https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-c-consent-the-basis-for-collecting-and-using-cdr-data) in the Consumer Data Right Privacy Guidelines published by the Australian Information Commissioner).

Under CDR regulation, a consumer (referred to in this document as a **Customer** of your product) must give consent separately for each FI that they want to share data from; each such per-FI consent is also known as an "arrangement". To simplify the management of consent arrangements with several FIs obtained for a single purpose, Mastercard aggregates these arrangements under a single consent record.

![Consumer consent](https://static.developer.mastercard.com/content/open-finance-au/uploads/consumer-consent_v5.png)

Mastercard provides a user experience that allows you to obtain consent from customers to access their banking data for the purpose of providing your service. For more information, see [Connect Application](https://developer.mastercard.com/open-finance-au/documentation/connect/index.md).

#### Consent attributes {#consent-attributes}

Every consent must contain clear information about:

* Who will access the data (the data recipient)
* The purpose of accessing the data
* The FI to be accessed
* The type of data to be accessed
* How long the data recipient will have access to the data
* How many days of historical data the data recipient will fetch

#### Consent Lifecycle {#consent-lifecycle}

![Consent lifecycle](https://static.developer.mastercard.com/content/open-finance-au/uploads/consent-lifecycle_v5.png)

1. **Customer initiates the consent**, for example, by starting the [Connect](https://developer.mastercard.com/open-finance-au/documentation/connect/index.md) journey. This creates a definition of consent including a purpose, type of data, and access duration. At this point, the consent is in a draft state and cannot be used to obtain any of your customer's financial data.
2. **Customer submits consent/arrangement with the 1st FI** to allow accessing their financial accounts with this institution. The arrangement is added to the overall Mastercard consent. From this moment on the data recipient has permission to fetch the data from the consented accounts.
3. **Customer may add more arrangements with other FIs** for the same purpose of use. The customer creates separate arrangements to access each FI they choose.
4. **Customer may revoke** arrangements with one institution under the Mastercard consent or the whole consent altogether. From this moment on the data recipient does not have permission to fetch data from the revoked institutions.
5. When the duration specified in a consent arrangement has elapsed, the consent expires, which means that:

   * Mastercard will cease collecting the customer's data that was dependent on that consent and will delete all existing data and reports based on that data.
   * You will no longer be able to fetch any data or reports that are based on that data.

Note: The data recipient is also obligated to follow CDR rules related to data redundancy. See [Managing Consent](https://developer.mastercard.com/open-finance-au/documentation/consent/manage-consent/index.md).
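The lifecycle above can be mirrored on the data recipient's side as a deny-by-default check that runs before any data fetch. The following is an added example, not Mastercard's code or API: the class, method and field names are hypothetical, and it assumes you keep a local record of each arrangement with its expiry time.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    REVOKED = "revoked"
    EXPIRED = "expired"

@dataclass
class Arrangement:  # hypothetical local record: one per FI
    fi: str
    expires_at: datetime  # end of the access duration the customer agreed to
    revoked: bool = False

    def state(self, now: datetime) -> State:
        if self.revoked:
            return State.REVOKED
        return State.EXPIRED if now >= self.expires_at else State.ACTIVE

@dataclass
class Consent:  # hypothetical aggregate: one purpose, many arrangements
    purpose: str
    arrangements: dict = field(default_factory=dict)  # FI name -> Arrangement

    def is_draft(self) -> bool:
        # Step 1: a consent with no submitted arrangement grants nothing.
        return not self.arrangements

    def add_arrangement(self, fi: str, days: int, now: datetime) -> None:
        # Steps 2-3: a separate arrangement per FI, same purpose of use.
        self.arrangements[fi] = Arrangement(fi, now + timedelta(days=days))

    def revoke(self, fi=None) -> None:
        # Step 4: revoke one FI, or the whole consent when fi is None.
        for a in self.arrangements.values():
            if fi is None or a.fi == fi:
                a.revoked = True

    def may_fetch(self, fi: str, now: datetime) -> bool:
        # Deny by default: draft, unknown FI, revoked and expired all fail.
        a = self.arrangements.get(fi)
        return a is not None and a.state(now) is State.ACTIVE

    def expired_fis(self, now: datetime) -> list:
        # Step 5: FIs whose arrangement duration has elapsed.
        return sorted(f for f, a in self.arrangements.items()
                      if a.state(now) is State.EXPIRED)
```

Calling `may_fetch` per FI rather than per consent keeps a revocation at one institution from affecting, or being masked by, arrangements with the others.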

Note: **Email notifications to consumer**

CDR regulation requires a consumer (also known as customer) to be notified when data sharing has started, stopped, or expired. Refer to [Notifications for consumers](https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-c-consent-the-basis-for-collecting-and-using-cdr-data) for details.

To satisfy this requirement, Mastercard sends an email to your customers when:

* They add a new arrangement with an FI.
* They revoke the arrangement.
* The arrangement expires.

Additionally, Mastercard sends a reminder about the data being shared.

The email contains the same consent content that the customer gives during the Connect journey.

**If you would prefer to send these notifications to your customers directly, so they receive emails from your organisation (instead of from Mastercard), contact your sales representative for more information. They will be able to advise on the correct approach for your situation.**

#### Resources {#resources}

* Refer to [Managing Consent](https://developer.mastercard.com/open-finance-au/documentation/consent/manage-consent/index.md) for information about providing the user with a way to manage their consents.
* Refer to [Consent Notifications](https://developer.mastercard.com/open-finance-au/documentation/consent/consent-notifications/index.md) for information about consent notification event types.
* Refer to [Consent APIs](https://developer.mastercard.com/open-finance-au/documentation/consent/consent-apis/index.md) for information about APIs for managing and obtaining consent.
