TransUnion - Open Banking Solutions
Reduce manual data gathering and help deliver a better consumer experience. TransUnion’s Open Banking Platform makes it easier to onboard consumers in the digital age. This end-to-end product developed entirely in-house enables consumers to share financial data through a secure, seamless screen flow — hosted in a safe, agile environment.
Features
- Co-branded hosted screen flow to gather consent
- Simple integration to existing screen flow
- API exchange to banks; data source going back multiple years
- Categorisation of open banking data – 97%+ categorisation accuracy
- Affordability, income, expenditure and creditworthiness insight
- Verification of ID through optional account verification ID check
- Real-time data delivery via API and new Dashboard
- Multiple bank selection via UK’s Open Banking APIs
- Dashboard for interactive bank statement/case management
- Ongoing and transparent consent management
Benefits
- Seamless Integration into existing services, potentially reducing IT costs
- Improve customer confidence for data via a trusted provider
- Improve efficiencies by reducing manual processing and cost to serve
- Customer management improve relationships with your customer with new insights
- Identify consumer behaviours and improve insight through accurate financial data
- Quality consumer consented data exchange, reducing fraudulent information provision
- Help identify vulnerable customers, ensuring responsible and fair treatment
- Data categorisation enriches insight into consumer behaviours
- Facilitating financial inclusion, support those with an underdeveloped credit file
- API data configuration available so only return required data
Pricing
£0.27 to £5.00 a unit
- Free trial available
Service documents
Request an accessible format
Framework
G-Cloud 14
Service ID
1 3 5 1 4 4 6 2 6 2 2 5 6 5 8
Contact
TRANSUNION INTERNATIONAL UK LIMITED
Mark Pestereff
Telephone: 07773 212093
Email: mark.pestereff@transunion.com
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
- TruValidate Modules can be linked into customer journey
- Cloud deployment model
- Hybrid cloud
- Service constraints
- Please refer to the Service Definition
- System requirements
-
- Integrates into an existing web journey
- Statement data is transmitted via API
- Non-integration Web Portal access
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- We have a range of SLA's depending on the nature and criticality of the ticket; full details can be agreed as part of any contract.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- N/A
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
- You will be provided full supporting documentation and have access to our team of experts who will be available to help with the initial integration and setup.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- N/A
- End-of-contract process
- Service is decommissioned
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- Screens render based on device
- Service interface
- No
- User support accessibility
- None or don’t know
- API
- Yes
- What users can and can't do using the API
- Screen flow and data exchange is via API
- API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- Screen flow wording and logos can be customised
Scaling
- Independence of resources
- Effective performance management of the solution, capacity planning and monitoring of service use.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Service and Technical Performance and MI in place
- Reporting types
-
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
-
- Encryption of all physical media
- Other
- Other data at rest protection approach
-
• Strong logical access control. Access is given based on least privilege and a need to know basis.
• Protective monitoring and event management using LogRhythm as a SIEM.
• Sourcefire & Palo Alto IDS.
• Checkpoint firewalls.
• Monthly vulnerability scanning programme of work.
• ISO27001 and PCI DSS compliant. - Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- N/A
- Data export formats
- Other
- Other data export formats
-
- Excel
- Data import formats
- Other
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- TLS (version 1.2 or above)
- Other
- Other protection between networks
- Web Application Firewall, IP Safe Listing, SSH key Pairs (for automation), complex password policy, Threat Detection Service team
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- Other
- Other protection within supplier network
- Data Loss Prevention, Privelleged Access Management, Data Encryption at Rest, SIEM Alerts and Monitoring, Anti-Virus and EDR, Firewalls and VPN's
Availability and resilience
- Guaranteed availability
- Our standard availability is 98.5%. We would be happy to discuss any specific availability requirements as appropriate.
- Approach to resilience
- The service has a full DR failover capability in case of service outage. The system has been designed with telematics and monitoring so we can monitor resilience.
- Outage reporting
- The Client Support Team and/or Client Manager would notify affected clients via email as appropriate.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- Other
- Other user authentication
- Each user will have a unique username and password provided along with company name. TransUnion also utilises the control of IP white listing and 24/7 security monitoring.
- Access restrictions in management interfaces and support channels
- A policy of least privilege access is applied across the group to ensure employees only have access to what is required - this is regularly reviewed. Any privileged accounts are rigorously checked both prior to granting access, during use and on termination of permissions. Users come under multiple levels of policy regarding accounts and device usage. Networks are highly segmented with monitoring for inter-segment violations. Any sensitive systems are housed in dedicated secure environments.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- Username or password
- Other
- Description of management access authentication
- All management accounts must go through TU privileged access management, which limits access based on security groups and only provides the required access. Usernames and Passwords are domain managed and follow the Transunion Password Policy.
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- BSI
- ISO/IEC 27001 accreditation date
- 29/05/2021
- What the ISO/IEC 27001 doesn’t cover
- A.14.1.3, A.14.1.2
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- Yes
- Who accredited the PCI DSS certification
- Payment Software Company, Inc. (DBAPSC)
- PCI DSS accreditation date
- 02/08/2021
- What the PCI DSS doesn’t cover
- Full Report on Compliance (ROC) can be screen shared upon request
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
-
- ISO/IEC 27001
- Other
- Other security governance standards
-
Cyber Essentials Plus
PCI DSS - Information security policies and processes
- TU follows a dedicated Information Security Policy, as well as other processes such as data encryption and key management, secure application development etc.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- TU defined product development lifecycle, which includes various gates including budget, security and IT infrastructure. Small changes are captured within our internal ticketing system.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Internal scans are completed on a regular basis (Daily, Weekly, Monthly depending on the endpoint). All Critical findings must be addressed within 30 days, High/Medium 60 days and Moderate to low 90 days. Any findings that cannot meet these deadlines must have a risk acceptance review and a deadline agreed by the business.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Threat Detection Service, Data Loss Prevention team, Incident Management team - All monitoring 24/7/365
- Incident management type
- Supplier-defined controls
- Incident management approach
- NIST 800-61 and SANS PICERL
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
WellbeingWellbeing
TransUnion is a global information and insights company that makes trust possible in the modern economy. We do this by providing an actionable picture of each person so they can be reliably represented in the marketplace. As a result, businesses and consumers can transact with confidence and achieve great things. We call this Information for Good®.
A leading presence in more than 30 countries across five continents, TransUnion provides solutions that help create economic opportunity, great experiences, and personal empowerment for hundreds of millions of people:
Economic Opportunity – We help businesses find their best customers and determine the right ways to serve and keep them—through access to products and services that help them achieve their goals.
Great Experiences – We enable our customers to deliver friction-right experiences and relevant offers tailored to specific consumer needs, preferences, and patterns, while reducing risks posed by fraud.
Personal Empowerment – By extending tools, offers, and opportunities directly through businesses, we help more people understand and manage their financial situations, driving loyalty and cross-sell opportunities for our customers.
Pricing
- Price
- £0.27 to £5.00 a unit
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- Proof of concept trial may be available by agreement