Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 15 August 2018
Location: NAB, 700 Bourke Street, Melbourne
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 2
- Andrew Stevens, DSB Chair
- Kate Crous, CBA
- Martin Granell, AGL
- Emma Gray, ANZ (via WebEx)
- Mark Perry, Ping Identity
- Lisa Schutz, Verifier
- Ross Sharrott, Moneytree (via WebEx)
- Lauren Solomon, CPRC
- John Stanton, Comms Alliance (via WebEx)
- Stuart Stoyan, MoneyPlace
- Mal Webster, Endeavour Mutual Bank
- Viveka Weiley, Choice
- Andy White, AusPayNet (via WebEx)
- Patrick Wright, NAB
- Warren Bradey, Data61
- James Bligh, Data61
- Ellen Broad, Data61
- Terri McLachlan, Data61
- Stephen Bordignon, ACCC
- Bruce Cooper, ACCC
- Daniel McAuliffe, Treasury
- Gary Thursby, Westpac
- Luis Uguina Carrion, Macquarie
The Chair of the Data Standards Body opened the meeting and thanked all committee members and observers for attending. He also extended his thanks to Patrick Wright and NAB for hosting the meeting at their offices.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 11 July 2018 Advisory Committee Meeting. The Minutes were taken as read and formally accepted.
The Action Items status was provided to the committee and items noted were as follows:
- The TOR have been revised with regards to broadening the Terms of Reference from Open Banking to CDR
- New dates and venues have been included in the papers and circulated to the Advisory Committee
- “Security & Privacy” has been included as a new Principle
- “Extensibility” as a principle has been reviewed and updated
- “Valuable & Useful” addition made to valuable Principle, and useful left to be determined by consumers
- “Usability” will be added to the Principles to include that consumers must be able to both comprehend and control what is happening to their data
- ACCC to have 30-45 minutes on the agenda for the September meeting to discuss the draft rules
- Item 9 added to the TOR (Chair) and Item 4 added to TOR (Committee) to incorporate new sectors as they emerge
The Chair noted he has met with the Treasurer since the last meeting and he re-iterated the Government’s commitment to the timetable for introduction of the CDR regime. The Treasurer also confirmed the Council of Australian Governments (COAG) would consider the early application for Consumer Data Right to the energy sector.
It was noted that the Energy Minister and COAG Energy Ministers endorsed the adoption of the CDR regime for the energy sector and indicated a preferred standards implementation target date of end of 1 Jan 2020. A proposal to formally consider this timetable will be discussed at the next COAG meeting in November. It was agreed the DSB would provide supporting material to the Australian Competition & Consumer Commission (ACCC) on the development of banking standards so far, to assist COAG determining a proposal for the energy industry.
An update from Treasury was provided in regards to the status of the drafting of the Consumer Data Right legislation noting a draft had been released for public consultation that week and submissions close on 7 September.
ACTION: Provide link to Committee Members for the Treasury Laws Amendment (Consumer Data Right) Bill 2018.
ACTION: Data61 to prepare a briefing/information package on how technical standards may be implemented across the energy ecosystem given the experience with the banking sector implementation.
Technical Working Group Update
It was noted that as part of the development of the standards the DSB will work with industry through 3 Technical Working groups:
- API Standards Working Group;
- Information Security Working Group; and
- User Experience Working Group
The intention is that these will be open to all interested parties to participate, and to facilitate that broad engagement the process will be run through GitHub in the main and then through group meetings where that will be more effective in discussing some key issues that surface.
The working groups will run in parallel and we will be as flexible and adaptable as we can. Leads of each working group will sit across decisions made by the other working groups, to ensure consistency.
API Standards Working Group
The Lead of the API Standards Working Group took the Committee through the Noting Paper on the Operating Model previously distributed to the Advisory Committee.
The API Standards Working Group Operating Model paper outlines how the working group will operate. The goal through this operating model is to be transparent and consultative. The membership will be open to any individual that would like to participate.
With the tight timeframes for implementation, the Data Standards Body needs to consult widely and quickly. The initial phase is “Forming” where it will focus on the establishment of the process in parallel to the development of content. The working group is using GitHub for online feedback and comments. All decision proposals and final decisions are published on GitHub.
The first decision proposal was “Proposal 001 – API Principles”. This outlined a recommendation for the guiding principles for the development of API Standards.
The second decision proposal was “Proposal 002 – URI Structure”. This was a technical point to determine the overall URI structure to be used for the API standards.
The Committee discussed the process adopted for the Decision Proposals and it was agreed more contentious issues would be specifically circulated to Committee Members to provide higher level policy input and to ensure they have the opportunity for their teams to provide technical input to the proposal considerations. The Data Standards Body noted that the working group is still the appropriate forum for all technical considerations, and any feedback from the Advisory Committee received re contentious decisions would be added to the decision proposal and shared with working group members as well.
As part of the discussion the Committee considered what weighting should be given to different comments provided to proposals: e.g. weighing contributions from individual’s vs institutions vs industry groups. It was noted where there are obvious groupings of comments, such as provided by the ABA and COBA, reflecting their own consultations with members, then serious consideration should be given to those responses given they reflect the consensus view of a range of stakeholders. However, the Standards Body noted that feedback from individual organisations and experts still has weight and is taken seriously too. It is trying to ensure a diverse range of views are heard and considered. Part of the API Working Group Lead’s role is to balance technical/policy proposals and come up with a practical recommendation for the Chair to consider.
It was suggested that “Security” should be listed as Principle 1 under the Driving Principles section of the Noting Paper and that it be explicitly incorporated into the API Standards Working Group assessment of decisions. The Data Standards Body noted that security is already part of the overarching principles for the Standards and is a core component of all decisions made by the Chair.
The Committee discussed whether the use of GitHub as the primary input to engage with the Working Group excluded any major participants. It was agreed that GitHub provides a good transparent mechanism to facilitate input and that the Data61 team will utilise other avenues for encouraging engagement, such as through formal meetings, where it is more appropriate.
The Chair advised that if there were any contentious issues he would be happy to meet face-to- face to discuss and he would not be averse to meeting any major stakeholder.
The Lead advised that the regular telephone calls for the working group engagement had not been set up as yet but would be in due course.
The ACCC advised that they were in the middle of setting the draft Rules Framework and the approach they will take. They will circulate the paper in advance and bring to the next AC meeting on 6 September. The draft rules will be transparent and be open to public consolidation.
ACTION: ACCC to circulate the draft Rules Framework prior to the next committee meeting.
ACTION: API Standards Working Group Operating Model to be updated to reflect role of Advisory Committee in reviewing contentious decision proposals.
Information Security Working Group
It was noted the Information Security Working Group will follow the same principles and model as the API Working group and is due to publish on GitHub by end of August.
Data61 has advertised 3 x positions on the CSIRO website for Information Security Lead (job ref: 55129), API Architect (job ref: 58130) & API Architect Support (job ref: 58128). These can be found at the following link: https://jobs.csiro.au/. It is looking for experts in the field and would welcome any contacts. It was suggested that Data61 look towards overseas experts in the security field.
A discussion was held on the appropriateness of GitHub when discussing sensitive security topics and whether we should be looking at alternate options e.g. private sharing forums. It was agreed that the roadmap would be in the open forum and a closed forum would be created for discussion of sensitive security topics if required.
User Experience Working Group
An update was provided on the Use Case Workshop that Data61 hosted in July. 32 people attended including representation from banks, FinTechs, consumer organisations, non-profit and industry associations. The workshop was a necessary starting point, but we have a lot of work to do.
The agenda was adapted on the day to allow further discussion around privacy. The draft report has been circulated to the attendees for input and the final Use Case Workshop report will go out this week (cob 17/8/18).
Similar to the other Working Groups it was noted the User Experience Working Group will largely publish discussions via GitHub, although it was agreed there will need to be workshops and customer feedback sessions held to ensure customer needs are appropriately accommodated.
Areas of Divergence from the UK Standards
The Lead of the API working Group talked to this Noting Paper.
The Farrell Report on Open Banking stated that the DSB should design the Standards using the UK’s technical specifications as a starting point. The UK got a lot of things right and it is a good place to start from. Divergence is to be expected but minimised.
Due to the scope of the Australian regime some divergence will be necessary. In the Australian context, the mandate is for an economy wide Consumer Data Right, and so technical standards developed and processes followed will need to be extended to other industries.
There are also areas of the UK model that the UK OBIE has noted they would do differently if they had the opportunity again, and their views might also inform changes for adoption in Australia, as will feedback from Australian stakeholders.
The Committee noted that the UK model also made several choices which would not be considered to be best practice, but reflect the complex regulatory ecosystem (EU and UK) within which they’re operating. The Data Standards Body should ensure Australia does not inherit any such weaknesses.
It was also noted that the UK Open Banking technical specification is 4 years old and there have been technology improvements since then which should be taken into account in the Australian standards design.
The ACCC stated that they are considering versioning as part of the rules.
Given the staged nature of Australia’s rollout, both within sectors and across sectors, the standards will need to start simple and support extensibility. The UK model tends towards complexity.
It was noted that the UK has released a number of videos that run through the process flows and user experience which could be useful in considering what is adopted for the Australian regime. It was agreed that a link to these videos would be distributed to Committee members as an example of one approach that can be taken.
It was noted at a future meeting of the Advisory Committee we will review other jurisdictions in which open data has been implemented to provide an opportunity to consider lessons learned.
ACTION: API Standards Lead to provide a further working group update at the September meeting.
ACTION: Provide a link to relevant UK videos of Open Banking User flows.
A discussion was held in regards to the timeline and whether it is achievable. The Chair stated that he is suitably uncomfortable. There’s a need to keep the pressure on and there is a lot to do. All parties have the same intent at heart.
The ACCC advised that before providing the draft Rules Framework to the Committee it would continue consulting with Fintech Australia, the ABA and consumer groups.
The Chair advised that the next meeting will be held on Wednesday 6 September from 2pm at the Data61 offices at Eveleigh.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 3:45pm