Minutes – 6 Feb 2019
Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 6 February 2019
Location: CBA, Level 19, 727 Collins Street, Melbourne
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 7
Attendees
- Committee Members
- Andrew Stevens, DSB Chair
- Kate Crous, CBA
- Emma Gray, ANZ
- Lisa Schutz, Verifier
- Ross Sharrott, Moneytree
- Lauren Solomon, CPRC (via WebEx)
- John Stanton, Comms Alliance (via WebEx)
- Jamie Twiss, Westpac
- Luis Uguina Carrion, Macquarie Bank (via WebEx)
- Mal Webster, Endeavour Bank
- Viveka Weiley, Choice
- Andy White, AusPayNet (via WebEx)
- Patrick Wright, NAB (via WebEx)
- Warren Bradey, Data61
- James Bligh, Data61
- John Brøndum, Data61
- Terri McLachlan, Data61
- Stephen Bordignon, ACCC
- Angelica Paul, OAIC (via WebEx)
- Daniel McAuliffe, Treasury
- Mark Perry, Ping Identity
- Stuart Stoyan, MoneyPlace
The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending the first meeting of 2019 – meeting No 7.
The Chair thanked Kate Crous and Commonwealth Bank of Australia (CBA) for hosting the committee meeting at their offices in Melbourne.
The Chair advised that Martin Granell has left AGL and submitted his resignation from the Advisory Committee. The Chair noted that a replacement hasn’t been appointed as the timing for implementing CDR for the energy sector is being discussed by the Government and may be brought forward. Once this is clearer the Chair will consider how best to include the energy sector in Advisory Committee meetings.
The Chair advised that he has been recently appointed the Chair of Innovation Science Australia (ISA) and it was his duty to advise the committee of his appointment so as to avoid potential or perceived conflicts of interest.
The Chair introduced the committee to John Brøndum, who has joined the Consumer Data Standards Team as the Head of Technical Delivery whilst Ellen Broad is on parental leave. John Brøndum provided a summary of his experience, advising that he has worked in banking for the last 6 years, most recently with Volt Bank as Principal Architect and with Westpac as Enterprise Architect. Prior to that he worked at IBM as a Senior IT architect and in numerous consulting services roles.
The Chair advised that Daniel McAuliffe from Treasury will be providing the committee with an update on the legislation and Stephen Bordignon from ACCC will be providing an update on the rules at this meeting.
The Chair noted that Mark Perry from Ping Identity and Stuart Stoyan from MoneyPlace were apologies for this meeting. He also re-confirmed that we have a no delegate policy at the Advisory Committee.
Warren Bradey advised that since the last Advisory Committee meeting we have established an Engineering Working Group and Stuart Low has joined the team to lead this initiative. The Engineering Working Group will focus on delivering usable software components (Reference Implementations) and system artefacts (Sandbox). It was noted the team will be built out further to accommodate new work evaluating the application of the CDR to the energy sector.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 12 December 2018 Advisory Committee Meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in discussion during this meeting. Further discussion followed.
Warren Bradey advised that the action item for the Use Case Review of how the standards will operate was included in the December 2018 papers and was taken as read at that time. He advised that if the committee would like to revisit this, he would be happy to include it as an agenda item in the March 2019 or April 2019 Advisory Committee meetings.
Stephen Bordignon advised, in regard to “ACCC reviewing the delayed entry into the regime for smaller banks”, that the start date for non-big four ADIs is still 1 July 2020, although some smaller banks have expressed an interest in participating earlier. The ACCC recognises that having more people in the system initially would be beneficial, as this would generate more competition, but that the issue is still under consideration.
Stephen also provided an update on “ACCC’s review on whether the ISO 2700 standard will be accepted as part of accreditation from day one”. He advised that, as per the Rules Outline, the ACCC intends to allow accredited recipients to leverage existing information security certifications. The Rules Outline notes though that existing certifications may not demonstrate compliance with all the controls required under the CDR, and it is the responsibility of the applicant to provide adequate evidence of these controls. The ACCC is aiming to provide an ‘audit template’ along with draft rules to provide further guidance on what will need to be demonstrated at the time of applying for accreditation.
Technical Working Group Update
A summary of the progress from the last committee meeting on the Technical Working Groups was provided by John Brøndum.
He advised that the API Standards Working Group has delivered version 0.2.0 of the standards and that within this version most end points and payloads are relatively stable. The Working Group is now focussed on Scheduled Payments.
He advised that the final report for the User Experience Working Group being developed by Tobias, CHOICE & Data61 will be published within the next couple of weeks.
He advised that the newly established Engineering Working Group will be focussed on the production of software requirement specifications for Reference Implementation and the Sandbox along with infrastructure specifications.
A discussion was held on the standards and how it is important to draw a line in the sand on version 0.2.0 and move to version 1.0. It was indicated by members that it would be especially helpful to the implementation teams to know that there were not going to be any new fields in version 0.2.0 so that they can get it up and running.
A discussion was held on customer payloads and a request for further details on the purpose of the payloads and whether data recipients would already hold or collect this data. It was noted the API Standards Lead has been discussing this with industry participants and has already made some adjustments to the payload details.
ACTION: Data61 to provide further details on the use cases selected for customer data.
A summary of the progress since the last committee meeting on each Working Group – including the establishment of the Engineering Working Group – was provided in the Committee Papers and was taken as read.
Daniel McAuliffe from Treasury provided the following update on the Consumer Data Right Legislation.
It was indicated that the Bill will be introduced next Wednesday (13/2/19) or Thursday (14/2/19) to be passed by the Lower House and referred to the Senate. There is an existing resolution by the Senate to refer the Bill to the Standing Committee on Economics for review. The hearing is due to be on 18 March 2019 which will give limited time to report back before Parliament sits again in the 1st week of April 2019.
A discussion was held on the upcoming election and what would happen when the House of Representatives is dissolved by the Governor General and the government of Australia goes into caretaker government mode. It was noted that after legislation passes the Senate, it will need to receive royal assent before Parliament is prorogued. The Designation Instrument for the Consumer Data Right will then need to be signed off by the Treasurer and the Data Standards Body formally created.
It was noted that all indications show that there is support for the CDR scheme, but there may be particular issues that could come up in the inquiry that may require refinement for implementation. Treasury is hopeful we will secure that agreement in the next sitting of Parliament.
A discussion was held on what could happen if all the elements are not fully signed into law before Parliament rises for the election. It was noted that Government and Opposition approval would be required to advance significant matters during caretaker mode.
Concerns were raised as to whether, if the Bill does not pass in April 2019, the pilot program will still occur on 1 July 2019 and whether the Directory would be completed on time. The Chair advised that the Treasurer’s announcement in December 2018 covered Product Reference Data where CDR data is generic product data (e.g. product types, names, prices, features and eligibility) to be made available on 1 July 2019. He noted that such data does not need the Directory component nor the transfer of private customer data.
A discussion was held on the risk associated with product reference data being lower than customer data, and the fact that such product reference data is currently completely open. It was noted that this would be a very useful way to start testing. It was also noted that other jurisdictions, such as the UK, launched early testing this way.
A discussion was held on the timing for finalising the rules and standards and the need for assurances that there would be a focussed timetable so that the banks could ensure their teams are appropriately resourced at the right time to meet the implementation schedule.
It was also noted that a “pilot program” would be launched on 1 July 2019 to test performance, reliability and security of the CDR system with the four major banks. It was noted it is envisaged that consumers and FinTechs would be invited to participate as well as other banks as the pilot trial progresses. A discussion was held on the need to test to minimise the risk that unintended consequences arise and to ensure that we do not damage confidence in the system.
It was noted that the Treasurer’s announcement has indicated that both the initial product set plus mortgages (previously Phase 2 products) are scheduled to go live by 1 February 2020. It was suggested there will need to be some flexibility on which products are included in a full implementation on 1 February 2020 based on the outcomes of the pilot trial.
A discussion was held on Consumer Data relating to direct debits and the importance of the four major banks being able to deliver the information in a common format. It was noted the API Standards Lead is working with the banks to determine the best way to achieve this outcome.
Discussion was held on system testing using synthetic data in the sandbox and the need to get the sandbox up and running at an early stage. It was agreed testing will need to cover the Directory as well and how participants access information.
A discussion was held on joint accounts, the need for both parties to consent, and the need to initially build in options that the ACCC has identified will be triggered in subsequent versions.
It was noted that any participants playing in the sandbox as data recipients may need to pass the ACCC accreditation process and that it should open up to people who want to be accredited. ACCC noted it will need to consider how it approaches access to the pilot.
A discussion was held on user testing and the requirements that need to be incorporated into the API and Information Security designs. It was advised that it is expected that the CX findings and preliminary recommendations will be made available to committee members within 2-3 weeks. The CX research undertaken by Data61 for the project should inform the ACCC as to what other issues it needs to consider in respect of CX in finalising the rules.
A discussion was held on Decision Proposal 35 – Customer Authentication Flow and the various issues. It was noted the recommendation was to adopt a Redirect with Known Channels approach. It was also noted that there was a request that this issue be re-visited with the community to ensure security risks are effectively addressed.
A discussion was held on consent and the user experience, noting that further UX testing will be required in subsequent rounds and will need to be revisited regularly.
A discussion was held on the change in the live implementation of the CDR regime to 1 February 2020 and the risk of the effect of further changes that could arise from the parliamentary review. It was noted that if the Bill was passed in April 2019 the government could get the detail through for a July 2019 implementation. It was noted that we should know more detail of any suggested changes from the Economics Committee by the 13 March 2019 Advisory Committee Meeting but if there is any update on the timetable in the meantime, our intention is to advise members out of session. It was noted that all groups are committed to ensuring the CDR regime sticks to a tight timetable and all options will be considered to keep the programme to an agreed timetable.
ACTION: Include CX testing findings as an agenda item for the March 2019 meeting.
ACTION: Include findings on consent as an agenda item for the March 2019 meeting.
ACTION: Provide details on the Sandbox testing and scope at a future meeting.
Stephen Bordignon from the ACCC provided an update on the Rules Framework and address book.
It was noted that in regards to the address book, the ACCC has progressed negotiations with the vendor throughout January 2019 and is very close to finalising the contract. At this stage, they are not able to advise who the vendor is but they are at the contract negotiation stage and hoping to finalise and be able to advise by the next Advisory Committee Meeting.
It was noted that the ACCC released the Consumer Data Right Rules Outline setting out proposed rules positions for the CDR regime on Friday 21 December 2018. The draft rules are being progressed and ACCC aims to get a complete set out by the end of March or early April 2019.
A discussion was held on the timing of the Rules and the level of consultation possible prior to passage of the legislation and prior to an election. It was noted that, in line with the timetable advised by Treasury, there was limited time for consultation on rules, though the bill allows for a truncated consultation. The ACCC is considering how best to approach the consultation process, noting a strong desire to ensure effective consultation with relevant stakeholders.
A discussion was held on ACCC accreditation requirements and the timing for opening access for potential participants. It was noted that it will be a large investment for the small businesses becoming Data Recipients and they want to ensure that they are ready to go. ACCC agreed to take this point on notice and provide guidance as early as possible.
A discussion was held on the tenure of the committee being 12 months, which is up on 1 July 2019. It was agreed this would be considered further by the Chair once the progress of the legislation becomes clearer.
The Chair advised that the next meeting will be held on Wednesday 13 March 2019 from 2pm to 4pm at the Data61 offices in Eveleigh.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 15:50