Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 10 April 2019
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 9
- Andrew Stevens, DSB Chair
- Kate Crous, CBA
- Mark Perry, Ping Identity
- Lisa Schutz, Verifier
- Ross Sharrott, Moneytree
- Lauren Solomon, CPRC (via WebEx)
- John Stanton, Comms Alliance (via WebEx)
- Jamie Twiss, Westpac
- Luis Uguina Carrion, Macquarie Bank (via WebEx)
- Viveka Weiley, Choice
- Andy White, AusPayNet
- Warren Bradey, Data61
- Rob Hanson, Data61 (via WebEx)
- Stuart Low, Data61
- Terri McLachlan, Data61
- Michael Palmyre, Data61
- Louis Taborda, Data61
- Stephen Bordignon, ACCC (via WebEx)
- Bruce Cooper, ACCC
- Anjelica Paul, OAIC (via WebEx)
- Daniel McAuliffe, Treasury (via WebEx)
- Emma Gray, ANZ
- Stuart Stoyan, MoneyPlace
- Mal Webster, Endeavour Bank
- Patrick Wright, NAB
The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending Meeting No 9.
The Chair noted that Emma Gray (ANZ), Stuart Stoyan (MoneyPlace), Mal Webster (Endeavour) & Patrick Wright (NAB) were apologies for this meeting.
The Chair advised that the legislation would not be passed before the election.
It was noted that in light of that, ACCC and the DSB/D61 has met with each of the big four banks to discuss the potential for maintaining the momentum until such time as the legislation is re-introduced.
The Chair noted that two areas of focus at these meetings had been: voluntary publication of Product Reference Data; and testing, conformance and market acceptance testing. The Chair noted in terms of the discussion regarding pilot testing of data the banks had expressed views that this would not be feasible without underpinning legislation, rules and standards being settled.
In respect of the discussion of the potential implementation of the Product Reference Data some views were expressed suggesting that early implementation would have limited utility if it was introduced significantly in advance of the broader implementation of the CDR regime.
The Chair wanted to put on record the DSB’s appreciation of the big four banks for their involvement and acceptance of those meetings and the approach to the discussion which was very helpful.
The Chair noted that notwithstanding the legislation not passing in the current sitting of parliament, the DSB & ACCC are committed to maintaining as much momentum as possible to the development of the Standards and the Rules.
One member suggested that rather than proceeding to pilot testing and implementation we should use the time through to re-introduction of the legislation to address the five or six stand out issues that would benefit from detailed consideration by the Advisory Committee. It was noted one of these could be the consent model flows.
A discussion was held on the impact arising from delay in passage of the legislation prior to the election being announced. ACCC advised that Oakton is building the register and the platform for accreditation and will continue unaffected by caretaker conventions and that ACCC anticipates Oakton will consult industry in relation to the access to the register and how it will operate in the coming weeks.
ACCC noted that some technical testing around the design will continue but that it had heard bank concerns about the utility of detailed testing when the legislation, rules and standards were not settled and liability concerns arising from detailed consumer testing, even using synthetic data, without legislation. It was noted that the DSB will work with the ACCC to map out a schedule for further discussion with eco-system participants.
The ACCC also noted that some of the big four banks had expressed concerns about voluntary publication of Product Reference Data by 1 July 2019. Some banks had also suggested that it would be helpful to have a test environment to check the responses and queries. The ACCC noted that it was continuing to consider both these issues.
A discussion was held on whether Oakton could attend a future meeting of the Advisory Committee to outline their work. The Chair asked the ACCC, if appropriate, to extend the invitation to Oakton to attend a future committee meeting to talk about their brief and their understanding of it.
ACTION: ACCC to invite Oakton to a future Advisory Committee Meeting
A discussion was held on the preference for a dynamic registry to facilitate real time checking by data holders of the accreditation status of data recipients. ACCC and Data61 advised that the registry did not need to be “always on”. Instead, data holders could periodically download the full list of accredited data recipients and have constant access to a revocation list. This design intention will be further clarified as part of the planned ACCC/Data61/Oakton stakeholder consultation referred to above.
The Chair also noted that the DSB will be publishing the updated Data Standards by the end of April 2019.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 13 March 2019 Advisory Committee Meeting and noted a slight edit on page 4 to read “although the results noted some areas for refinement and improvement”.
ACTION: Minor edit to minutes to be made
The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in discussion during this meeting.
A discussion was held on the Committee composition and if it is changing after June 2019. The Chair advised that the committee terms will be reviewed but he can’t see any reason for wholesale change. He was hoping to have more clarity on the designation of energy at this time, but at this stage he will be keeping the Advisory Committee largely as it is but will finalise this before 30 June 2019.
Technical Working Group Update
A summary of the progress from the last committee meeting on the Working Groups was provided in the Committee Papers.
The progress update was taken as read.
A further update was provided at the meeting by Warren Bradey as follows:
Louis Taborda was noted to have joined the team as Head of Technical Delivery, replacing John Brøndum. It was noted that Louis has a history in API architecture and operations management and he is coming in at the right time for the next phase of the DSB work. The Chair welcomed Louis aboard.
In terms of the API Standards, the Product Reference Data Standards have been finalised and published (the previous evening). This is now in a final v1.0. format that Data Holders can pick up and implement and is available in the event that we go with either a full release of Product Reference Data or if we move into a testing phase.
It was noted that the DSB have spoken to the big four banks to confirm the adequacy of the detail of the Product Reference Data standard and that it was agreed there is sufficient detail to work with. It was noted that further review is proposed on complex products, bundles and mandatory versus optional fields.
It was confirmed that an updated version of the API Standards will be released in the week commencing the 29 April 2019.
It was also noted that we are in the process of re-publishing the information security protocol in a format that is consistent with the API format. This will be re-published the week commencing 29 April 2019.
It was also suggested that the best way to continue to evolve the standards and keep the momentum with everyone whilst the legislation is re-introduced to parliament, is if as a group we focus on the five or six key issues that would benefit from more granularity. One member put forward their five issues:
- consent flows;
- joint accounts;
- dealing with closed accounts, and
- agreed test plan for when we do move into a test phase.
The Chair asked that everyone advise the team of any other key issues they consider valuable to consider. It was agreed these would be considered at the next meeting and a short-list of issues determined.
ACTION: Committee members to submit key areas for consideration
A discussion was held on the Phase 2 & 3 implementation dates noting as it stands we are working on the 1 February 2020 deadline for Phase 1 & 2, with Phase 3 following shortly after (1 July 2020). It was noted by most members that this would be a difficult implementation timetable and that the government should re-consider returning to a more staggered introduction of various products.
It was noted that there are three further API decision proposals out for discussion in the community at the moment which are seeking feedback by the end of April 2019.
It was noted that in regards to the Engineering Working Group, which Stuart Low has been leading, the first two Sprints have now been completed.
It was noted that in Sprint #0 the focus was to define the scope for the next 10 Sprints which were published, along with the key deliverables for the first four sprints.
It was noted that in Sprint #1 we are taking the standards and creating a rigid model in java that we are using as the seed point for all our outputs.
It was noted in Sprint #2 the focus is Product API’s and the intention is to produce a server and client example.
In was noted that for the User Experience Working Stream, Phase 1 has been completed and feedback was provided at the last committee meeting. Expressions of Interest for Phase 2 have been issued and cover joint input from Treasury, ACCC, OAIC and the DSB.
It was noted that the Phase 2 work we will be looking at the continuation of consent flows, revocation, consent authorisation management and re-authorisation. High levels flows have been sketched out and are ready to send out to the wider community to get feedback on what is feasible. It is scheduled for this work to commence by 29 April 2019 and finish by 30 June 2019. It is intended that we will publish incremental updates to ensure transparency in what we are doing and knowing that there will be plenty of collaboration points along the way for on-going eco-system input.
It was also noted that a lot of pressure is being applied on the consent flows to reflect everything in the Rules and that we have started a Journey Map to show where things can be pulled up into other areas. This will show the full extent of the consumer journey. It was noted that this is not a key remit, but is clearly required as a communication piece and will be released as soon as it has been undertaken. CPRC noted they are happy to contribute over the next few months to this work.
It was noted that one member’s team wished to note that the work on the process of the model bank that the DSB engineering team has been going through has been very collaborative and they have really appreciated the publishing of tasks ahead of time for comment and recommendations where possible that other streams could follow that approach it would be helpful to the wider community.
A discussion was held on what the DSB is proposing in regards to the cloud based solution. It was noted that in regards to the conformance suite it will not be cloud based, it is essentially a desk top base which will be able to target API’s and provide a list of results of what has failed and/or passed.
It was also discussed how the ACCC can check on API up-time and performance. ACCC noted that at present it is not factored in, but it was something that has come out of the meetings with some of the banks and a number of people have said it would be helpful. It was noted that no decision has been made on this as yet.
It was noted that the UK experience said that this was a gap, and this was filled by third parties.
It was noted that the Chair spoke to Gavin Littlejohn from Financial Data and Technology Association (FDATA) about the UK data holder API’s noting FDATA figures showed there was only a 96% uptime after 14 months and less than 50% compliance after 22 months. It was noted that the fines in the UK regime are pretty heavy and the reason for the non-conformance is because it is hard rather than a lack of will.
The Chair has asked Gavin Littlejohn for a copy of the monitoring data which he has not received as yet. ACCC have also asked for a copy. It was agreed that we should develop a view of what success looks like in terms of system delivery.
A discussion was held on non-functional requirements and customer tokens and how screen scraping is not a long-term viable option. It was noted however, there should be a limit on how many times an API can be hit as this will create a security concern. One member expressed its view that the current proposed length of session time has been extended beyond what is reasonable and that member agreed to provide more detailed feedback again via GitHub.
A discussion was held on the decisions and lack of clarity around whether community feedback has been considered and/or rejected and the visibility of the decision process. The Chair has advised that we will take that as feedback and seek to make the consideration of issues easier to follow.
Daniel McAuliffe from Treasury provided an update on the Consumer Data Right Legislation and the Privacy Impact Assessment.
It was noted that as we did not see the bill being introduced into the Senate prior to parliament rising the legislation will now lapse and depending on any decision of the incoming government the legislation will need to be reintroduced post the election. If the Coalition is returned, it is possible the bill will be reintroduced reasonably promptly at the June sitting. If this is the case the legislation could then be passed at the spring sitting later in the year.
It was noted that if that happens, we may still be on track for the February 2020 launch of the consumer data right regime. In the event of a Labor government being formed it was noted that indications are that they are in-principle supportive of the regime but it is unclear of when they would bring new legislation forward to the parliament.
It was noted that Treasury has been speaking to some stakeholders, and in the coming weeks they will be having further conversations (including with ACCC, OAIC and the DSB) about what would be the appropriate recommendations to any new government in terms of an appropriate timetable.
It was noted that in the Senate References Committee the Labor members did provide a dissenting report. Whilst it didn’t actually recommend against passage of the legislation, it did note that there was insufficient time to consider some of the issues that were raised so there is a possibility that when the legislation is introduced again it would be referred back to the Senate Economics Committee, and if that does happen, it would impact on the timetable for the passage of the legislation.
It was noted that of most of the issues that were raised by Labor members of the Committee relate to obligations that would be imposed upon a data recipient, and the bulk of the remaining issues relate to the consent processes. It was noted that some of the concerns raised in relation to consent actually align with the approach we are taking in the pilot testing phase, plus the additional CX research.
Bruce Cooper from the ACCC provided an update on the Rules and the Directory status.
It was noted that the draft rules have been published and further consultation is sought over the next month. Another version of the draft rules are expected to be published before they are finalised, taking into account the current consultation phase. Consideration would need to be given to whether any changes to the legislation introduced by a new government required amendments to the draft rules.
In was also noted that as part of the ACCC’s work to build the registry, the ACCC, Oakton and Data61 have commenced co–design meetings as a precursor to industry consultation. ACCC noted it is also considering using GitHub to facilitate this broader consultation.
It was noted that in regards to accreditation, the ACCC’s focus is getting guidance notes issued, particularly on and around IT security and insurance and getting that out sooner rather than later.
A discussion was held on whether fintechs would use open banking on Day 1 and it was noted that views expressed by participants at a forum held by Fintech Australia indicated, based on their current (limited) understanding of what elements will be included on day 1 of the CDR implementation, a majority would not opt in immediately as screen scraping was considered to provide superior data access and will be for quite some time until broader data sets become available under the regime.
It was noted that a key issue in driving this response was the lack of clarity yet on the accreditation process required for fintechs.
The ACCC advised that it had undertaken a survey to determine the level of interest in becoming an accredited data recipient. It was noted that of 60 respondents, 56 wanted to be accredited and 34 indicated a preference to be early participants.
A discussion was held on the liability framework from a data holder point of view and how it sits. It was noted that there continued to be some lack of clarity on the liability regime and this may benefit from further clarification to the community.
Treasury confirmed that there is a specific provision in the bill that if a data holder is obliged to transfer data in accordance with the rules, then there is no liability back to the data holder if there is a breach at the data recipient end.
A member of the committee suggested that we have a gap in dealing with data recipients and that in the UK the regime had dealt with it explicitly. It was indicated that in the UK regime there were certain types of damages that were identified, valued and published so that insurance could properly price the probability of the consequence. It was noted that we haven’t dealt with this issue at present outside normal principles of common law liability and it would be beneficial to address this at an early stage to ensure insurance cover can be offered.
The Chair queried which agency has responsibility for liability issues. ACCC advised that while the liability regime isn’t provided for in the bill, the accreditation provides the requirement for insurance.
The Chair requested a short presentation on liability issues at a future meeting. The ACCC agreed to lead this. The Chair also noted that further clarification on screen scraping and bi-lateral agreements is required to ensure that everyone is clear on these matters.
ACTION: ACCC to present on liability issues at a future meeting
Joint AU & NZ Productivity Commission report on growing the Digital Economy
It was noted the proposal in this agenda item is that the DSB reach out to our NZ counterpart (Payments NZ) and suggest they join the working group streams. It was noted that as the legislation has not passed it is difficult to determine whether there is value in inviting them to become observers at the Advisory Committee.
The Chair advised that once we have a clearer implementation path we will consider extending an invite to the AU & NZ Productivity Commission to join the DSB Committee as an observer.
ACTION: Andy White to reach out to Payments NZ to provide an introduction to the DSB.
No other business raised.
The Chair advised that the next meeting will be held on Wednesday 8 May 2019 from 2pm to 4pm at the ANZ offices in Melbourne.
It was noted that CBA have offered their office space in Sydney for an upcoming meeting. The Chair extended his thanks.
It was noted that the schedule for the remainder of 2019 be noted.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 3:32