Consent Management Agent AI

Invoked when: onboarding reaches a stage that requires personal data processing for a specific purpose, or a new processing purpose is introduced post-onboarding

• –Presents the consent module for each purpose separately — credit assessment (processing application data to assess creditworthiness), bureau pull (sharing national ID number and date of birth with credit bureaus to retrieve credit report), open banking / PSD2 aggregator consent (accessing bank statement data via AA framework), marketing communications (sending product offers and news), and any other purpose for which personal data is processed. Each module states the purpose in plain language, the data that will be processed, and the duration for which the consent applies.
• –Records every consent event — grant or decline — with the borrower identifier, the specific purpose, the consent text version presented, the timestamp, and the channel through which consent was given (in-app, WhatsApp, web). The record is append-only: a subsequent consent grant for a purpose that was previously declined creates a new record, it does not overwrite the prior decline. The full consent history is preserved.
• –Handles conditional consent flows: where a purpose is mandatory for the loan product (credit assessment consent is required to process a loan application; it cannot be declined without preventing the application from proceeding), the consent module explains this clearly and provides the borrower with the option to withdraw the application rather than coercing consent. GDPR's validity requirement means consent given under compulsion is not valid consent — the distinction between mandatory processing and optional processing must be communicated clearly.

Invoked when: a borrower submits a consent withdrawal request through any channel — app, email, WhatsApp, or customer service

• –Processes the withdrawal request immediately — identifies all purposes for which the borrower had active consent, confirms which purpose(s) the withdrawal covers, and initiates the cascade: sends a withdrawal instruction to every agent and system that was processing the borrower's data under that consent, confirming that processing for the withdrawn purpose must stop with immediate effect.
• –Where a withdrawal covers a purpose that is required for ongoing loan servicing — for example, a borrower withdrawing consent for account statement monitoring that the Early Warning Agent AI uses to detect financial stress — flags the withdrawal to the DPO AI and the human DPO before completing the cascade. The borrower has the right to withdraw; the DPO needs to assess whether the withdrawal affects LendingIQ's ability to service the active loan and what, if any, action is required under the loan agreement.
• –Sends a withdrawal confirmation to the borrower — a clear acknowledgement that the withdrawal has been received, which purposes have been affected, and the effective date (which is the withdrawal request date, not a future date). The confirmation is sent within 24 hours of the withdrawal request.

Invoked when: DPO AI or human DPO requests the consent history for a specific borrower or for the portfolio

• –Produces a complete consent audit extract for any borrower — every consent event in chronological order: what was consented to, when, in what version of the consent text, through which channel, and whether it was subsequently withdrawn. The extract is the documentary evidence that LendingIQ processed this borrower's data with valid consent at every point in the relationship.
• –Produces portfolio-level consent coverage reports for the DPO's GDPR programme review: what percentage of active borrowers have active consent for each processing purpose, how many withdrawals have been processed in the period, and the average time from withdrawal request to cascade completion. These metrics tell the DPO whether the consent programme is operating effectively.
• –Tracks consent text versions: when the consent language is updated (due to a regulatory change, a new processing purpose, or a legal review), the agent records which version of the consent text each borrower consented to. A borrower who consented under version 1.0 of the credit assessment consent and has not been re-consented under version 2.0 (where version 2.0 materially expanded the scope of processing) is flagged for re-consent before the expanded processing begins.