Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 6 September 2018
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 3
- Andrew Stevens, DSB Chair
- Kate Crous, CBA
- Martin Granell, AGL (via WebEx)
- Emma Gray, ANZ
- Lisa Schutz, Verifier (via WebEx)
- Ross Sharrott, MoneyTree
- Lauren Solomon, CPRC (via WebEx)
- John Stanton, Comms Alliance (via WebEx)
- Stuart Stoyan, MoneyPlace
- Gary Thursby, Westpac
- Luis Uguina Carrion, Macquarie
- Mal Webster, Endeavour
- Viveka Weiley, Choice
- Andy White, AusPayNet (via WebEx)
- Patrick Wright, NAB (via WebEx)
- Warren Bradey, Data61
- James Bligh, Data61
- Ellen Broad, Data61
- Seyit Camtepe, Data61
- Terri McLachlan, Data61
- Mark Staples, Data61
- Stephen Bordignon, ACCC
- Bruce Cooper, ACCC
- Jodi Ross, ACCC
- Angelica Paul, OAIC (via WebEx)
- Daniel McAuliffe, Treasury
- Mark Perry, Ping Identity
The Chair of the Data Standards Body opened the meeting and thanked all committee members and observers for attending.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 15 August 2018 Advisory Committee Meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or will be covered off in this meeting or the next meeting in October, and the outcomes noted.
Technical Working Group Update
API Standards Working Group
The Lead of the API Standards Working Group provided a summary of the progress since the last committee meeting.
It was noted the API Working Group is making good progress and three key decisions have closed. They are:
- Decision Proposal 001 - API Principles;
- Decision Proposal 002 - URI Structure; and
- Decision Proposal 003 - Extensibility Model.
It was noted that one additional proposal will close within the next 24 hours which is “Decision Proposal 004 – Versioning Strategy”.
There are seven proposals that are open for feedback; they are:
- Decision Proposal 005 – Authorising Granularity;
- Decision Proposal 006 – KYC Status;
- Decision Proposal 007 – Purpose of Product Info;
- Decision Proposal 008 – Use of Pluralisation;
- Decision Proposal 009 – ID Permanence;
- Decision Proposal 010 – Standard HTTP Headers; and
- Decision Proposal 011 – Error Handling.
A discussion was held on cadence. The need both to move forward with decisions quickly and to provide some regularity of decisions was considered. It was agreed that from a planning perspective cadence is important and that it should be incorporated in our planning and release of future decisions. Decision alerts for the Advisory Committee should, for example, be paced, e.g. released on an agreed specific day for review within a standard period. It was agreed some cadence should be applied across all of the working groups.
Information Security Working Group
Seyit Camtepe, who is currently leading the Information Security Working Group (ISTWG) introduced himself and provided some details on his background and experience.
The first step for this working group is to investigate the UK standards and identify the initial direction to follow towards establishing security profiles for Australian banking.
The first decision posted, “Decision Proposal 020 - Initial directions towards establishing security profiles for Australian Banking” was shared with the Advisory Committee on 29 August 2018 and aims to determine the way to use the UK standards towards establishing applicable security profiles for Australian Banking and broader CDR implementation.
The working group has identified three options which are:
- Option 1 – Adopt UK profile as it is with minimal change;
- Option 2 – Adopt UK profile fundamentals and change for Australian context; and
- Option 3 – Develop a new profile from scratch.
The recommendation from the working group is Option 2, given time limitations, and the opportunity to use well established protocols as a starting point. The timeline for this would be 7 weeks to produce a separate minimum viable Australian version.
It was discussed that Option 2 is a good way forward as we can strip out UK items not applicable (e.g. payment initiation) and make changes for the Australian context. As part of the discussion it was noted that the UK Profile was developed 4 years ago and new approaches (for example to cryptography) should be taken into account where appropriate. It was noted the UK is updating its information security profile to wholesale adopt the Financial-Grade API Working Group Information Security Profile and this will be taken into account for the Australian standards.
It was discussed that “Option 3 - Develop a new profile from scratch” would take a year and would need to be tested in the financial sectors and as such was not a viable option.
It was noted the ACCC Rules Framework will not include a Write Access to the regime and as such these issues have not been included in the standards. Rather they will be added back at the time it is agreed to extend the framework in the future.
User Experience Working Group
An update was provided on the Use Case Workshop and the user experience participants.
It was noted the Use Case Workshop Report has been finalised and a copy of the report has been provided to the committee members. A user experience mailing list has been set up with 18 participants registered to date.
It was noted that the DSB is holding discussions with a potential working group lead and that the roadmap for the group will be released shortly after the meeting.
It was noted that across the eco-system some new research is planned around consumer expectations and behaviour and that the DSB should tap into that research as much as possible.
It was agreed the output of the working group is to provide guidelines, with the opportunity to generate some powerful deliverables. In order to advance the next phase, it was noted it will be important to review the ACCC’s Rules Framework and incorporate those directions in our further work in the space.
A discussion was held on the proposed rules on authorisation (9.3 in the Rules Framework) and the recommendation that consumer authorisation not be longer than 3 months (90 days), but with an ability to renew that authorisation.
It was raised that in terms of customer adoption, customers haven’t done this before and early clarity is required. ACCC advised that in their view it is reasonably clear they will run with a consent time of 3 months unless the consultation process, including end-customer evaluations, shows a better approach.
In respect of the User Experience Report it was suggested that the following edits be made to the Use Case report:
- On page 4 “Summary of insights”, change “Banks” and “FinTech’s and other intermediaries” to “Product Providers” and “Services and Insights providers” to be more indicative of the broader CDR focus.
- On page 5 under the consumer segments “Applying for credit” use case re: responsible lending, it would be helpful to make clear that the workshop wasn’t concluding that use cases such as responsible lending were “out of scope” or “deferred”. If the data is available on 1 July 2019 and consumers consent to providing it, responsible lending could well be a use case offered.
Further discussion was held on rules, and it was noted that the Advisory Committee does not set the Rules: they are an ACCC responsibility. It was noted the ACCC will brief the Committee on the Rules Framework proposed to be released for public consultation as the next item of the agenda.
It was noted that the DSB are going to gather momentum and pace in seeking feedback in order to meet the timetable. It was noted the DSB will need to make fast decisions and raise complex issues back up to the committee for strategic input. The current timeline is for a draft set of Standards and the Rules Framework to be released by the end of October.
It was noted that the key is early involvement of the eco-system participants who should bring any issues forward as early as possible so that the DSB can deal with them flexibly.
It was requested that additional technical iterations be included on future decision proposals.
ACTION: Send out the UX Roadmap to Committee Members
ACTION: Make changes to the Summary of insights section (P4) on the Use Case Report
ACTION: Make changes to the Applying for credit use point (P5) on the Use Case Report
ACCC draft Rules Framework
Bruce Cooper from the ACCC outlined the Rules Framework document that will be released for public consultation. A summary of the comments is provided below.
There will be a four week consultation period, with forums on 24 & 25 September in Sydney & Melbourne. The draft rules are proposed to be published in December 2018 with legislation expected to be introduced to Parliament in December 2018 and passed in early 2019.
The core obligations are that:
- At a consumer’s direction a data holder must share data with:
  - an accredited recipient to whom the consumer has given consent; and/or
  - the consumer themselves; and
- A data holder must make generic product data publicly available via API in the format to be specified by the standards.
ACCC proposes that in the first version of the rules the sharing of core data will not be subject to fees.
In terms of “Scope” and in regards to customer data/account data, ACCC does not plan to include rules relating to KYC (Know Your Customer) in v1. In respect to transactional data, ACCC is seeking feedback to understand the extent to which metadata can be incorporated in the initial release.
In terms of “Accreditation”, the rules will include a general tier of accreditation in v1 but at this stage ACCC are not sure there will be additional levels of accreditation in v1. The rules will have a fit and proper test for participants to receive the CDR data and require that appropriate insurance is in place. The initial rules are not looking to provide foreign entities with pre-approved access where they are accredited in other jurisdictions.
In terms of “Consent”, consent is critical and must be freely given, informed, specific as to a use etc. How granular the authority can be for consumers to grant access to data is recognised as being more challenging. The proposal is for the data standards process to develop more granular authorisation over time.
In relation to joint accounts or business accounts, the rules propose that these types of accounts will be included in v1, while acknowledging that the appropriate level of consent is not straightforward. This issue will be explored further in the consultation process to arrive at a practical implementation.
In terms of “Authentication”, the rules are proposing strong customer authentication will be required and dashboards made available for customers to easily manage consents and authorisation.
In terms of “Use”, when permitted uses expire, it is intended for the rules to support the data being de-identified or deleted at the consumer’s election. The intention was also noted that rules not permit use of data for direct marketing or on-sale.
In terms of “Sharing with other parties”, a consumer may consent to the data recipient sharing data with a non-accredited recipient and an accredited participant may share the data with a non-accredited third party service provider provided clear consent has been given by the consumer. An intermediary recipient is recognised as another organisation which may receive and hold data. In these cases it is considered the rules will require such intermediary participants to be accredited. These proposals will be subject to consultation.
A discussion was held on what coverage the Privacy Act provides where data is shared with a non-accredited recipient. It was noted that where data is transferred to a non-accredited recipient that is an SME that is not covered by the existing Privacy Principles, then the data would not be covered under either the privacy safeguards or the Privacy Principles. This is noted as an obvious gap which needs to be addressed.
A discussion was held on providing data to a third party, such as a Fintech company, the ability to consolidate accounts as an intermediary and whether they would need to be accredited as a recipient or a holder. Treasury advised that this was an issue that had come up in consultation on the legislation and consideration was being given to dealing expressly with this situation in the legislation. The ACCC indicated it was unlikely reciprocity would be included in the first version of the rules. It was noted that the Farrell report supported consumers being able to request a data recipient share their data in these circumstances.
It was agreed further consideration will be given to the treatment of intermediaries and how they will be covered under the regime.
A concern was raised in relation to the prospect of sharing certain ‘customer data’ (as defined in section 5.3.1: Customer Data (P17) of the Framework) where the information is not owned by the customers or the data holder and may be problematic to share.
An example given was of payee information, which could be considered personal information of the payees. While a customer may have a list of payees on their account, these may include information about identifiable consumers. It was suggested that a customer could not share this information without the payees’ consent. It was also suggested that the customer should be able to enter these payee details with the bank (or the bank store them) without the payees’ consent. ACCC noted that the inability to share details of Direct Debit recipients is currently a disincentive to switching and that the ACCC would support payee lists being transferrable and noted this needs to be considered during the consultation period.
In regards to Product Data (P18) as proposed in the Framework, discussion considered whether pricing (specifically interest rates), fees and other charges on products and services should be disclosed separately or whether it is something which data recipients should calculate themselves from the transaction data provided. ACCC noted this would be considered further.
A discussion was held on the reference in section 8.1.1 of the Framework where it is proposed that if minors can transact on their account they should be able to share their account data as part of the CDR regime.
It was noted that minors over a certain age are able to transact on an account without parental/guardian consent. In discussion it was noted that there has been a lot of research around comprehension and vulnerability of minors and this should be considered when ACCC determines an appropriate rule to apply.
It was also suggested that where cognitive impairment exists in elderly consumers this should be covered by the rules. ACCC undertook to consider whether existing “agent” processes are sufficient to address these issues.
It was noted that the CDR Rules Framework document is seeking input from all participants in the eco-system and the Chair encouraged all Advisory Committee representatives to make submissions to the ACCC.
ACTION: ACCC to provide a summary document highlighting key areas they would like feedback on to circulate to the Committee.
Daniel McAuliffe provided an update on the draft Legislation and the consultation process and how it is developing.
Final submissions for the draft Consumer Data Right Legislation are due to be lodged with the Treasury by 7th September.
Treasury advised it is likely it will create another draft bill for a 2nd round of consultation around the 20th September.
The Designation Instrument (which nominates what is within scope for the sector covered) is likely to be released by mid-September.
The Chair thanked everyone for their input on the Rules Framework and to the ACCC for the early opportunity to see the draft Rules Framework. The Chair again encouraged members to provide formal input to ACCC on the issues highlighted once they have had the opportunity to review the document in more detail.
The Chair advised that the next meeting will be held on Wednesday 10 October from 2pm at the Data61 offices at Eveleigh.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 16:00.