Minutes – 9 Oct 2019

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 9 October 2019
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 15


    • Andrew Stevens, DSB Chair
    • Kate Crous, CBA (via WebEx)
    • Emma Gray, ANZ
    • Lisa Schutz, Verifier
    • Ross Sharrott, MoneyTree

    • Lauren Solomon, CPRC
    • Stuart Stoyan, MoneyPlace
    • Jamie Twiss, Westpac
    • Mal Webster, Endeavour Bank (via WebEx)
    • Patrick Wright, NAB (via WebEx)

    • Mark Staples, Data61
    • James Bligh, Data61 (via WebEx)
    • Rob Hanson, Data61
    • Joan Hiten, Data61
    • Michael Palmyre, Data61

    • Louis Taborda, Data61 (via WebEx)
    • Stephen Bordignon, ACCC
    • Angelica Paul, OAIC (via WebEx)
    • Daniel McAuliffe, Treasury (via WebEx)

    • Erin Turner, Choice
    • Mark Perry, Ping Identity

    • Andy White, AusPayNet

 

Chair Introduction

The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 15.

The Chair welcomed Erin Turner from Choice following the departure of Viveka Weiley.  It was noted that Erin is an apology for this meeting as well as Mark Perry (Ping) and Andy White (AusPayNet).

The Chair noted that it has been another busy month with version 1.0.0 of the Consumer Data Standards being published on the 30th September 2019, which are expected to become the binding standards after ACCC’s rules are made formal by the Minister. It was noted that there will also be ongoing updates to the data standards, possibly through the testing process but also as we pilot maintenance and other changes. The Chair wanted to acknowledge the role that everyone has had in getting us to this point: the Data61 team; the contributions via GitHub, which have been many and various; and members of the Advisory Committee and their teams. The work from everyone has been very much appreciated.

The Chair noted that NAB have now published Product Reference Data (PRD), so now all four banks have PRD APIs. The Chair also noted that ANZ and Westpac have recently held related innovation challenges with NAB due to hold a data exchange hackathon shortly.

The Chair noted he had interactions with some organisations in the data world who haven’t previously worked with consent management, and they are starting to realise that the consent elements of the CDR are a serious thing.

It was noted that in regard to the timing of the energy sector moving closer, we have asked for Expressions of Interest (EOIs) for people to join an energy related Data Standards Body, which closes on Monday 14th October 2019.  The intention is to hold a DSB Energy Advisory Committee Meeting on the morning of the next DSB Banking Advisory Committee meeting.

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 11 September 2019 Advisory Committee meeting.  The Minutes were taken as read and formally accepted.

One member asked for an update on Financial Data and Technology Association (FDATA) and their ongoing engagement and whether there is a collective position on this.  The Chair noted that he has met with Gavin Littlejohn and the local CEO, but nothing was proposed by them.

Action Items

The Chair noted that the Action Items were either completed or would be covered off in discussion during this meeting or future meetings.

Technical Working Group Update

A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.

A further update was provided on the API & InfoSec Security work streams as follows:

It was noted that Version 1.0.0 has been released and we are now transitioning into the maintenance mode operating model flagged at the last advisory committee meeting.  It was noted that we are in the process of setting up the teleconferences which is part of the operating model. It was noted that if any teams want to raise any issues on the maintenance model, now is a good time to do so. Other issues related to the implementation should be raised through the process being run by Ernst & Young (EY).  It was noted that the maintenance mode includes evolution of Product Reference Data (PRD) etc.

It was noted that in the standards space, there is a Decision Proposal open for concurrent consent which has been requested by the community.  Both recipients and holders have requested a move from single consent to concurrent consent.  It was noted that that paper was reviewed by Treasury and the ACCC before being opened for public consultation so there was a degree of agreement that the proposal would align to the Rules. It was noted that the consultation will close by the end of the week. It was also noted this consultation includes a request for feedback on when it would be appropriate for a change of this nature to be made in the standards; would it be preferred now to be as part of the February 2020 implementation, or should it be binding in a later milestone such as June 2020.  It was noted that the DSB wants to protect the implementation timeframe but if it’s better for implementors to move to the new concurrent model immediately, we don’t want to prevent that.

One member noted in regard to concurrent consent that they do not want to have concurrent consent not allowed for February 2020 and then to reverse it later.  It was noted that they do not mind if concurrent consent is optional or mandatory on February 2020, but do not want to start with one set of mandatory standards and then a few months later change.

It was noted that the API Lead would welcome feedback on GitHub.  It was noted that one of the options in the paper was to leave holders open to implement or not to implement as they desire for February 2020.  It was noted that this is our preference but would welcome others’ support for that publicly.

One member noted that requiring further changes before February would be bad.  Another member noted that unless there is a security issue or some major problem, there should be no more changes. One member noted that as this is a relatively recent decision proposal, it is not clear what “no more changes” means. They noted that they have been building towards concurrent consent.

The API Lead noted that the position on single consent in the standard was ambiguous in that people had interpretations that were different. The decision proposal aims to clarify this, in the direction of concurrent consent. It was noted that if people have been building to concurrent consent, if we allow optionality for February, then no change of course would be required in those builds.  The Chair welcomed further feedback on this.

Operating Model Update

An update on the Operating Model was provided in the Committee Papers and was taken as read. A further update was provided as follows:

It was noted that there are no updates regarding the Operating Model and what was launched was as presented at last month’s committee meeting.

One member noted that when we last discussed the operating model, a member raised good points on the philosophy and principles for the whole regime. It was noted that they did not see anything regarding that in this update. The member also noted that another thing that was discussed was greater transparency in how decisions are made and more feedback about how comments on GitHub inform decisions, and that neither of those are reflected in the notes.

The API Lead noted that he has updated the Operating Model Noting paper and the intention was to publish before this meeting but did not manage it.  It is hoped that the changes to the Operating Model noting paper will clarify that.

ACTION:  Circulate the updated Operating Model Noting paper to committee members

One member noted that they weren’t clear on how it would all evolve. The Chair noted that there is an operating model for the standards as they are, and then the implications of what happens as energy evolves.  It was noted that there is also the testing regime and the issues arising from the testing regime.  It was noted that the maintenance model does not attempt to solve those questions and how that works.

ACCC Update

Stephen Bordignon from the ACCC provided an update on the Rules and the Directory status as follows:

ACCC noted that the locked down version of the Rules was published on the 31 August 2019 and the next step is to send the rules to the Treasurer to be formally made.  It was noted that some minor tidy up amendments are expected but no substantive changes.  It was noted that the aim is to have the rules to the Treasurer by mid to late October 2019.

One member requested a separate session for their team and lawyers with the ACCC to help interpret some of the rules.  Another member requested that those clarifying questions be published so everyone is on the same page. ACCC noted that they are alive to the interpretation point and are figuring out and implementing a process so that the questions being asked are answered.

One member requested clarification on the impact of the testing regime and the role of service providers.  It was noted that an email from the ACCC today on testing asked whether recipients are using their own APIs or third-party components, and that there is a general confusion as to whether after receiving data service partners can work on the data, and whether, and to what extent, third party components can be used to collect the data.

The ACCC noted that the rules as drafted don’t accommodate intermediaries for February 2020.  It was recognised that the business model is significant in the context of CDR and they are looking at ways to accommodate that within the rules.  The plan is to communicate a proposal within the next few weeks with a view to bring intermediaries into scope of the rules by the second half of next year.  It was noted that this also goes to not wanting to introduce changes before February 2020.

A member stated that they think a confusion is that everyone knows that the intermediaries are not allowed but that some people interpret service providers differently, so it is a nuance.  The Chair noted that decision making on this needs to be shared in the ecosystem.

One member noted that there are two or more types of intermediaries. One is where data would be received, held, and shared later, and it is understood that is out for the moment.  But what about using a white labelled service, for example using a categoriser service, is that an intermediary service or not? More clarity was requested regarding that.

One member noted that this raised a question on whether intermediaries or service providers need to be accredited as well?  It was noted that if it is an intermediary it wouldn’t be accredited for now, but what about service providers who are not intermediaries.

One member asked how the regime would protect intermediaries as well as the data holders and recipients from a privacy perspective, and what are the obligations of each.

One member noted from a data holder point of view, the moment the data leaves their control, every step of that chain should meet standards for accreditation in terms of security and privacy.  It was noted that as a data holder, they don’t really care whether that’s considered as one recipient who is accredited from end to end or whether there is an intermediary, if every part of that chain is accredited and meets the standards.

The Chair noted that the rules currently exclude intermediaries and the question is what the dividing line is between them and service providers. It was noted that the recipients need to be accredited including the standards they meet after any outsourcing.

One member noted if a service provider receives the data before you and translates it before passing it to you as the data recipient, does that make the service data provider the data recipient or do you need to receive the data first and then hand it over and then take it back. Another member noted that this sounds like an intermediary if they are processing and manipulating the data.  It was noted that an intermediary could also be a service provider.

The Chair noted that this needs to be solved bottom up from the data and the flows, and that in the Energy sector we will have this issue for authorisation and authentication. The Chair noted that he will work with the ACCC and Treasury on how this will work in various use cases and user flows with Energy on the basis that this is an economy wide reform.

One member noted from a rules perspective, logic and consistency should mean that anybody in a position to access secure customer data and able to reidentify consumers, should be part of the regime.

One member noted that every service provider that they use, is vetted to a high level of security and as a result they are quite comfortable bringing them under their liability shield.  It was asked whether within the rules, do they need to go through ACCC’s accreditation.

One member noted that the Treasury team have taken a lot of feedback over the last month specifically around intermediaries and it might be worth an update on this by Treasury. Treasury noted that agencies have been looking at possible future functionality including intermediaries, tiered accreditation, and communicating information products out to non-accredited parties. It was noted that ACCC is working on the timeline so hopefully, there will be more certainty on resolving some of these issues soon. It was noted that on the issue of the outsourced service providers, some will only hold or process data for an ADR, but some wish to do the transmission of the data. It was noted that this is something that Treasury and ACCC have been discussing in respect to adjustments to the rules and hopefully that will be resolved reasonably shortly.

The Chair noted that regarding the Energy Data Standards Advisory Committee (EDSAC), he imagines that, with the preferred access model for Energy, the status of the Australian Energy Market Operator (AEMO) as a gateway will become clear in this context. It was noted that a gateway is not a service provider but could be an intermediary which would be currently excluded by the rules.

ACCC noted that in regard to accreditation, they ran a process of Expressions of Interest (EOI) for entities to apply for accreditation as Data Recipients to assist with testing and have 10 participants, although one has dropped out.  The Chair asked ACCC for details of why the participant dropped out.

ACTION:  ACCC to provide an update on why the 1 x participant dropped out of the testing

It was noted that 40 expressed interest, 10 were selected and 9 are left. One member asked whether ACCC were considering whether the 30 left were eligible for selection and whether they are looking at subbing someone in. ACCC noted that the view is to keep it to the initial group.

ACCC noted they are working to see if they can accept applications in draft for accreditation.  It was noted that the rules need to be made formally before ACCC can accept applications for accreditation.  It was noted that the rules might not be made formally until November 2019, but ACCC is working to engage before then to accept applications in draft.  It was noted that accreditation decisions are reviewable by the Administrative Appeals Tribunal (AAT) so accepting applications in draft may create complexity and this is being worked through with lawyers.

One member asked about implications for reviews by the AAT.  ACCC noted that the decision to accredit or not accredit is subject to a merits review.

One member noted that some accreditation criteria are quite technical and asked whether the AAT has the expertise to assess cybersecurity.  The ACCC noted that the AAT is very good at arbitrating on all types of matters, and that subsequent appeal to the federal court is also possible.

One member asked how denying accreditation is different from the allowance in the rules for data holders to stop sending data if there is consumer harm, and whether that is a different avenue for the same outcome. ACCC noted that this is different to “stop sending data”, as harm has occurred or there needs to be reasonable belief that harm will occur, and the data recipient has already been accredited.

Treasury noted that one issue we should look at is the requirements for standing to bring a matter to the AAT.  It was noted that competitors may not have sufficient standing to challenge someone else’s licensing.

One member asked whether there is an internal review process, so if someone is unsuccessful on their accreditation, do they ask for a review through ACCC or go straight to the AAT.  ACCC noted that they are not planning an internal review process, so the avenue is via the AAT.

The Chair noted that there is interest in the accreditation process and review by AAT and that we would make time to discuss this in the next committee meeting.

ACTION:  ACCC to provide an update on the accreditation process and the review by AAT.

One member noted accreditation is one of the areas that can harm uptake in the regime and noted that in the UK they had 100 applications just waiting with no one to look at them.

One member noted that for information security, many people will get an external review, and none of the external audit firms are geared up for that yet.  It was noted that work needs to be done on this like the insurance piece.

One member asked about the estimated time and effort to process an application.  The ACCC noted that with the 4 weeks break over Christmas they are looking at a 3-week window to approve all the applications.  ACCC noted that this is top of mind for the accreditation team, and they are considering how much time it will take, what resources will be required and how many applications that they might get.  It was noted that ACCC are not expecting applications to be assessed and approved in one or two weeks, and that in the accreditation process, there can be a period of back and forth for clarification, and what will help is the responsiveness of the party seeking accreditation.

One member noted that people should be skilled enough from an engineering and security perspective to appropriately assess, not just the presence of controls but also the operating effect and proper configuration.  It was noted that they are curious to see if ACCC have the right staffing to ensure the safety of the ecosystem.

One member noted that ACCC has asked for an assurance report and that there is a reliance on external people to do the checking.  One member noted that we should not assume that the big accounting firms have those people.  One member noted that from a FinTech point of view, big accounting firms would also charge a lot, so they want a broader group that can audit.

Treasury noted that they recently had conversations with the FCA in the UK about licensing and they don’t have this requirement for an external testing and assurance for AISPs as part of the licensing process. It was noted that FinTechs were navigating the IT portions of the licensing process well but were struggling with other legal and regulatory aspects. This meant the processing of licenses was initially slower because the regulators had to keep asking for further information. It was noted that in the UK there is an emerging market of ‘compliance consultants’ who help people comply with their licensing requirements and navigate licensing processes, and as a result licenses are now being processed in half the time.

One member asked if the accreditation team works for the ACCC or are contractors.  ACCC confirmed the core team will work for the ACCC and that they are expanding but will get external expertise as needed.

One observer asked for February 2020, will there be accredited recipients that are not in the initial 9.  ACCC confirmed that being in the initial 9 is no guarantee of accreditation, and that applies in both directions.  Accreditation is a separate process to the testing and assurance process.

ACCC noted that Commissioner Court has been meeting with each of the big 4 banks to discuss progress to date, and that the Implementation Advisory Committee meeting is in the calendar for Monday 21st October 2019. It was noted that the agenda for this is still to be determined, but as the program moves towards implementation, it makes sense to have a forum where issues around implementation can be discussed and that the ACCC should chair and convene that meeting. It was noted that the attendees are being determined, but will initially be the big 4 banks, the DSB Chair and a representative from Ernst & Young (EY) given their involvement in testing. It was noted that ACCC have not decided on data recipient or observer participation.

The Chair noted that Bruce Cooper passed on the feedback from the last meeting of the Advisory Committee that there was not an appetite amongst members for another forum and that it needed to add value, and that was clearly understood by Commissioner Court.  It was noted that the issues in the meeting will include testing, emerging issues and progress on the register.

One member noted that the committee won’t be perfect from day one but should start and augment over time.  It was noted that a key point is that testing is collaborative.  It was noted that one principle should be when in doubt get the right people on the phone rather than wait and ponder.

ACCC noted they have issued the final version of the assurance strategy.  It was noted that the first testing working group meeting has taken place and work continues developing the detailed test plan and scenarios, and the next working group meeting is Friday.  ACCC noted that they are very conscious of the testing window getting shorter.

One member noted that they understand that ACCC is under a lot of pressure but would like clarity on what day one looks like, and also on the impact of the Privacy Assessment and whether that impacts timing, what the process for responding to that is, and whether it will have implications for data holders and recipients in testing. The member noted that their team has some concern around how much time they are going to take for testing things together, and that robust intra bank testing is something they do not want to compromise.

ACCC noted that they are working through as a matter of priority the testing plan scope and the implication of that for February 2020.  It was noted that questions on overall program timing would involve discussion with Treasury and the Treasurer’s office.  It was noted that feedback on timing is coming from the meetings that Commissioner Court is holding with each of the big 4, and at the workshop on Friday.

One member noted that from a recipient’s point of view, that culture paradigm may be the biggest issue for the right outcome in February 2020, and that February go live with real data is under threat unless there is a cultural shift.  It was noted that the paradigm is that feedback is reviewed by ACCC and EY, but testers have different skills and capabilities.  It was noted that interaction will make the difference, and that detailed feedback does not always get through in an email.

One member noted concern about EY’s preparedness to run the process. It was noted that multiple emails are sent to participants with requests for information at short notice.  It was noted that those information requests need to be in a cadence and clarity that makes sense.  The member also noted that the registry is not being tested because it is not there yet, and whenever the registry is ready is when the real regime testing will begin.

One member noted that they don’t think that EY is running a testing program, they are running a testing email regime.  It was noted that it feels very disorganised at this point and asked how do we get a far more rigorous, far more disciplined, far tighter cadence.  It was noted that it is not being run at the moment to guarantee success.

One member noted that daily stand up meetings would be needed to get through some issues.  It was noted that with current resourcing, that kind of rigour can’t be achieved without a radical simplification of what is in scope.

The Chair noted that we asked EY at the August committee meeting what the exit criteria were, and it sounds like this is still unclear. It was noted that testing across a regime is different to testing in an enterprise. The Chair noted that he would bring this exposure of the regime up with Commissioner Court.

One member noted that it also goes to ACCC’s capability, which has been raised as a potential issue in consistent feedback and directly to Commissioner Court 12 months ago. One member applauded ACCC for responding to feedback to get a testing partner and recognising the need for that expertise.  It was noted that clarity is needed on whether EY have the right resources on this activity or are an appropriate partner. Another member noted that the testing partner needs to be highly irritating, pushing, combative and drag the regime over the line. One member noted that the goal is a safe and secure regime, and for February we need exit criteria for both. One member noted that they do not think EY understands the regime.

One member noted for the regime testing phase, their teams have been asked to sign an NDA by ACCC. It was noted that if the 9 data recipients are testing, why can’t we accelerate their accreditation so we can all be protected at the same regime, versus possibly having the liability of a data breach.

One member asked who owns the implementation and key decision rights.  It was noted that it would be the ACCC Commissioner.

ACCC noted that they have heard all the points and will take back to the team.

One member noted that we had this conversation two months ago and gave feedback on what needs to happen and the dates, a lot of which have been missed. It was noted that there needs to be urgent action on how we are going to achieve February 2020.

ACCC noted that in regard to the registry there have been some delays but that it will be ready for testing for February 2020. One member noted that it needs to be ready for next month and the biggest challenge will be around registry integration and if that is not ready in time to integrate and test that integration, we will miss February 2020.

Treasury Update

Daniel McAuliffe from Treasury provided an update as follows:

Treasury noted that the bill with the right of deletion condition has been adjourned in Parliament and not yet debated, and we don’t know if it will be referred to a Senate committee.  It was noted that it is unclear whether it will be passed before the end of the year and might not be passed before February 2020.  It requires the ACCC rules to include rights of deletion. The current Act allows them to do so and the draft rules contain deletion rights. The ACCC have indicated that the rules will not require substantive changes, although there might need to be some drafting adjustments to reflect the proposed amendments when they come into effect.

[Treasury:  Subsequent to the Data Standards Body Advisory Committee meeting the amendment has been passed and received Royal Assent. The ACCC is settling the changes to the rules at this time.]

It was noted that the Designation Instrument has been signed off for banking and is now in effect.

Treasury noted that they have been working with ACCC on fine tuning the draft rules to formally make them as soon as possible. Treasury reiterated that the changes are mainly clarifying and not changing the intent of what the rules say. It was noted that the issue of outsourcing and service providers (can an ADR act as an outsource provider for transmission) is one of the substantive things being looked at. It was noted that they are not aware of changes that would affect, even in a minor way, the substance of what everyone is building now.

It was noted that the consultation has closed on the data sets for CDR for the energy sector, and Treasury is now setting its position.  It was noted that Treasury is looking at account level data, electricity metering data, standing data, the distributed energy register, billing data, and product data. It was noted that Treasury is hoping to have an interim position on data sets out in the next couple of months and with ACCC’s outline on the rules for energy.  It was noted that consulting on the draft text of the Designation Instrument for energy is expected early in the New Year.

It was noted in regards to the Privacy Impact Assessment (PIA), Maddocks have just released their analysis of the Privacy Risk and mitigants on Friday and they are seeking comments by 21 October 2019.  It was noted they have done an Expression of Interest (EOI) previously on people wanting to be more involved with closer engagement like workshops.  It was noted that they will be holding some upcoming workshops with some key stakeholders.  Treasury noted that this is an independent PIA process and that if anyone has any comments or concerns on the analysis or draft conclusions, they should respond directly to Maddocks.  It was noted that Treasury and the regulators are involved in terms of answering questions, providing information and giving comments upon request.

One member asked whether Treasury is obliged to take their final recommendation into account or is it just an independent review.  It was noted that Treasury is not obliged. It was noted that there has been a lot of privacy considerations involved in the design in this process, and all the rules, standards and the bill have been based on a lot of consultation and privacy analysis.

It was noted that (from the draft PIA being consulted upon) it looks like Maddocks are not going to recommend anything that would require substantive changes to the design for February.  It was noted that from now until when the consultation period closes on 21 October, if matters are raised, they will need to respond. It was noted that there is no obligation for Treasury to adopt the recommendation or a set of requirements.

One member noted that there are areas where we need to communicate more effectively but there are nuances in terms of whether the data recipient can become a holder and parts of that need to be included in the clarification of the rules. The Chair asked that of those clarification questions, if members provided a list it would be useful to have them all in one submission from data holders and publish the answers. One member noted that submissions to Maddocks were being made for the PIA, but the Chair noted that this was not a matter for the PIA but a clarification on service providers and intermediaries.

One member noted that for recommendation no. 7 in the draft Maddocks report, which is around third parties, this may have implications on how some of the rules are interpreted in the short term.

One observer asked, in terms of the PIA, whether the Data Standards Body (DSB) is considering providing recommendations to the Chair around the public communication from the PIA. It was noted that Maddocks are asking for submissions by 21 October, and it was asked whether submissions can be private or public. The Treasury noted that submissions can specify this, but unless a submission is specified as being submitted as private and in confidence, the intention is that submissions will be published.

One member asked after Energy and telecommunications, is there any thinking in Treasury to cover more of the finance sector.  Treasury noted that there was a Productivity Commission report that recommended superannuation, and the government is still considering that.  Treasury noted that some of their work is on next steps for future sectors. It was noted that there has been a push for superannuation and, from some quarters, for insurance.  It was noted that the Government is likely to indicate the next steps for a third sector.  It was noted that there might be a process put in place to consider the future roll out of sectors.

One member noted that CDR is not necessary for data sharing, and in many use cases, data sharing can emerge without the overhead of CDR, and this has to be considered for scale. The member also noted that for protection of data sharing at scale, the regime needs robust identity at some point.

One member asked about the education programme to ensure consumers are aware and educated about the CDR and noted this will be a significant challenge and require investment and careful thought.  The member asked what the process was for developing that campaign and engaging consumer organisations.

Treasury noted that the ACCC & OAIC will have their education materials and noted that in terms of the awareness campaign, that will run out of Treasury and it will involve an external consultant. ACCC noted that they will come back with an update on the communication campaign. ACCC noted that for an integrated approach, there are regular discussions with DSB, Treasury, OAIC & ACCC. It was noted that there is an integrated plan, a narrative that has been developed and a range of materials and it would be good to report back with details to this group. The Chair noted that it would be good if ACCC, Treasury & OAIC came back with details of what are the elements, the scope, the procurement and the timing for the communication campaign.

ACTION:  ACCC, Treasury & OAIC to provide update on their communication campaigns

One member noted that the greatest loss for small banks is users divulging access codes, and that the communication piece needs to focus on that particular aspect of fraud.

Other Business

The Chair noted APRA have requested that Matt Clifford be able to attend as an observer in relation to the API standards.

It was noted that APRA are very aware that there could be sensitivities if it was viewed that they were performing a supervisory function, and noted that the attendee would be from IT. It was noted that there is considerable interest in API based solutions to transform the way regulators work and APRA are considering an API based regime. The Chair noted that APRA have been working in the background with ACCC on the resilience of the banking system in light of the CDR work on InfoSec and they want to make sure they are up to speed with us.

The Chair noted that there was some concern because some members of the advisory committee may not understand what APRA’s objectives are. The Chair confirmed that he met 3 members of APRA and asked them to put it in writing so he can raise it with committee members. The Chair asked for the committee’s input on this.

There was consensus for Matt Clifford from APRA to be able to attend the meeting as an observer.

Meeting Schedule

The Chair advised that the next meeting will be held on Wednesday 13 November 2019 from 2pm to 4pm at Data61’s offices in Eveleigh.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

Meeting closed at 16:02