Experian

Experian Decision Management Solutions with Affordability Check (Open Banking)

Affordability Check allows consumers to utilise their bank statement data to prove their income, expenditure and overall disposable income. The solution allows consumers to securely connect to their banks and allow their data to be provided to Experian, who categorise each transaction to provide insight into the consumer's income and expenditure.

Features

  • Co-branded solution with Experian and organisation brand visible
  • Consent management
  • Consumer redirection to online banking to authenticate themselves to bank
  • Account access permission management
  • Bank account connectivity and account statement data retrieval
  • Data categorisation
  • ID&V of consumer
  • Anti-fraud checks on bank account usage
  • Data supply to client of transaction, categorised and aggregated data
  • Integrated help features to simplify consumer adoption

Benefits

  • Insight into a consumer’s financial position
  • Establish what consumers can afford
  • Insight into the affordability of a product/service of a consumer
  • Insight into hardship or vulnerability
  • Consumer friendly solution
  • Access to consumer's bank statement data for previous 12 months
  • Provision of data categorisation for each transaction
  • Risk-averse approach to data management

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Planned maintenance windows, which are:
-Each Tuesday of the month from 22:00 to 01:00 for breaking fixes
None expected
System requirements Experian issued access control

User support

Email or online ticketing support Email or online ticketing
Support response times Standard support is 09.00-17.00 Monday to Friday; enhanced packages offer up to 24/7 support availability.
Response times are dependent on the scale of the issue (P1 within 1 hour to P4 within a business day)
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels Standard support is 09.00-17.00,
Support available to third parties Yes

Onboarding and offboarding

Getting started Technical support during service integration
User documentation
On-site training
Service documentation Yes
Documentation formats Other
Other documentation formats Word
End-of-contract data extraction Data is retained by Experian for six years.
End-of-contract process Contracts are tailored to client specific requirements including end of contract terms,

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Available on request
API Yes
What users can and can't do using the API • Create accounts
• Retrieve categorised data
• Retrieve
API documentation Yes
API documentation formats Other
API sandbox or test environment Yes
Customisation available No

Scaling

Independence of resources Regular monitoring of usage and performance.
System is scalable when appropriate.

Analytics

Service usage metrics Yes
Metrics types Available on request
Reporting types Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Clients have the ability to download data via Excel or PDF (alongside the JSON API set)
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats Other
Other data import formats N/A

Data-in-transit protection

Data protection between buyer and supplier networks Other
Other protection between networks Available on request
Data protection within supplier network Other
Other protection within supplier network Available on request

Availability and resilience

Guaranteed availability Available on request
Approach to resilience Experian backs up all data that has an on-going business value for operational recovery purposes and to comply with business continuity plans. Backups are regularly tested for reliability and integrity, and restoration procedures are tested for effectiveness and acceptable performance. The confidentiality, integrity and availability of backup media is protected in storage using physical, environmental and technical controls, such as secure storage and encryption.

The primary data resides in the Fairham House datacentre, and backup data is transferred over dedicated dark fibre links to Experian’s DR site in Bulwell. This is a very secure transfer method and the data cannot be intercepted. This data then resides on tapes in robotic silos and NEVER physically leaves this location; if the data is needed, it will be recalled over the same dedicated dark fibre links to Fairham.
Outage reporting Email alerts

Identity and authentication

User authentication needed Yes
User authentication Other
Other user authentication Available on request
Access restrictions in management interfaces and support channels Yes. Available on request
Access restriction testing frequency At least once a year
Management access authentication Other
Description of management access authentication Available on request

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL Business Assurance Limited
ISO/IEC 27001 accreditation date 20/12/2016
What the ISO/IEC 27001 doesn’t cover The following is covered by the scope of the certificate; the delivery and support of Experian IT infrastructure, operations, architecture and associated compliance and facilities management undertaken within the UK data centres.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Trustwave
PCI DSS accreditation date 28/10/2016
What the PCI DSS doesn’t cover N/A - everything is covered
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Experian has a comprehensive global security policy based on the ISO27001 standard which covers: Organisation and Management, information security, asset classification, physical and environmental security, communications and operations management, system access, systems development and maintenance, compliance, personnel and provisioning, business continuity management, third party management. The policy is owned by Experian's executive risk management committee which is an executive level body, and which assumes ultimate responsibility for Experian's risk position. Information security is a key component of the risk management framework. Experian management supports security through leadership statements, actions and endorsement of the security policy and implementing/improving the controls specified in the policy. The policy is available to all Experian employees and contractors on the intranet. Changes to the policy are announced on the company's intranet computer based information security and data protection training, and this is repeated on at least an annual basis. Compliance to policy is overseen by internal audit.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Experian has a change management policy which is underpinned by processes and procedures based on ITIL best practice. This is a mature process. We use a service management tool that integrates change management, incident management, problem management, configuration management and knowledge management. Our change management policy, processes, and procedures are regularly audited by independent auditors. Formal risk analysis is employed using an approved information risk analysis phase for developments/changes. Security requirements for the system are identified and continue to be considered throughout the life of the product.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Servers and PCs are built to a documented secure standard, which includes anti-virus and malware defences. Information assets have a defined patching schedule, determined by the system's criticality and the level of threat the patch is mitigating. Experian actively monitors the threat environment and checks the effectiveness of security controls by reviewing both free and paid-for sources of threat information, including public information and major vendor feeds, and by receiving information from specialist closed-group mailing lists. The overall process is also plugged into an automated patch and fix strategy, underpinned with a technology infrastructure to deliver corrective updates.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Monitoring processes and tools are in place to manage alarms generated by security related alerts and these are fed into the incident management process. Experian has a formally documented risk based incident management process to respond to security violations, unusual or suspicious events and incidents. In the event an incident occurs a team of experts from all relevant areas of Experian is gathered to form an incident response team, who manage activities until resolution. The incident response team are available 24/7 to resolve any incident. Out of core hours the dedicated incident hotline is routed to the command centre.
Incident management type Supplier-defined controls
Incident management approach The incident management process incorporates a number of participants and contributors, including: Global Security Office - who facilitate and coordinate activities under the business security coordinator's guidance; Business Security Coordinator - a representative of the impacted business area, responsible for coordinating resolution activities; Incident Response Team (IRT) - IRT is made up of a membership that are empowered to make key decisions surrounding the actions to be taken to reduce impact, control actions, and impose corrective activities. A client report would be created, including: high level overview; facts; overview of events; actions taken.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No

Pricing

Price £0.55 to £2.00 per unit
Discount for educational organisations No
Free trial available No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)