Minutes - 12 Feb 2020

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 12 February 2020
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 18

Download meeting minutes (PDF 192KB)

 

Attendees

 

Chair Introduction

The Chair of the Data Standards (DSB) opened the meeting and thanked all committee members and observers for attending the first meeting of the year, meeting no 18.

The Chair noted that the Christmas period was difficult for the nation and a lot of people had fire, water inundation or other extreme weather conditions and our thoughts go out those that were affected.

It was noted that on the 20 December 2019, the ACCC announced a change to the timetable which would allow additional time for testing. The four major banks will now share consumer data from 1 July 2020 rather than from February 2020.

It was noted that Treasury have responded to a range of recommendations from the Department of Finance in regards to the implementation of the CDR and established a CDR Governance Board which includes heads from the major agencies - Treasury, ACCC, DSB & OAIC. It was noted that the first meeting was held on the 3 February 2020 in Canberra.

It was noted that v 1.2.0 of the Consumer Data Standards was published on 31 January 2020 which is considered to be the binding baseline for the Phase 2 implementation of the Standards for the Consumer Data Right regime.

It was noted that there has been a number of changes within the DSB team. The Chair introduced Mark Verstege who is the Lead Architect for InfoSec and Open Banking.

Mark Verstege noted that he was previously with Suncorp as Lead Program Architect, Open Banking and prior to that Principal Architect and Manager of Architecture for Digital Identity API Platforms & Integration Platforms. It was noted that he was encouraged to see how much buy-in there was from the participants into getting the right outcomes for the consumers, particularly as we start to look at cross sectors.

The Chair noted that there have also been some additional changes in the CX stream with Minh Nguyen & Monica Pen joining the team. They both have experience in banking and energy working with Services NSW and CBA with expertise in prototyping, design and research backgrounds.

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 11 December 2019 Advisory Committee meeting. The Minutes were taken as read and formally accepted.

Action Items

The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.

Working Group Update

A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.

A further update was provided on the Technical Working Group by Mark Verstege as follows:

DSB noted that version 1.2.0 was released on 31 January 2020 and they are moving into the second maintenance iteration and have commenced consultation on what will be in scope. It was noted that the DSB is scheduled to talk to participants on Thursday (13 February 2020) and based on the discussion, will make recommendations to the Chair as to what changes should be considered in this eight-week maintenance cycle.

It was noted that the DSB have a draft consultation on concurrent consent open which will be applicable after July 2020 go live and a consultation open on updated principles.

One member noted that there were some changes in v1.2.0 which they were not expecting and out of scope. They would like to very strongly encourage all of us to resist the urge to make changes for the sake of it. It was noted that minor changes can be a big deal for them.

The Chair noted that unless the DSB see something really significant in the testing and conformance regime between now and May or June, version 1.2.0 will be the baseline. It was noted that the DSB envision that version 1.3.0 will be released around August 2020 which will be the main step forward for November 2020.

ACCC noted that for the registry design, the same principle will apply for v1.1.0 which was published on 3 February 2020. It was noted that no further changes will be made unless significant issues arise.

A further update was provided on the UX work stream by Michael Palmyre as follows:

It was noted that version 1.2.0 of the CX Standards and Guidelines have been published to provide clarity to CDR participants and facilitate Phase 2 implementation. It was noted that the DSB have also proposed the CX Principles for inclusion into the overall standards.

It was noted that the DSB have welcomed two new CX team members (Monica Pen & Minh Nguyen) who will assist with the ongoing research activities. It was noted that they have a general design background which will help the DSB moving forward.

It was noted that the DSB have published a forward plan for Phase 3 research which includes energy standards and guidelines; joint accounts; re-authorisation; fine grained control; de-identification and deletion; ADR becoming a DH; and simplification of consent. It was noted that the forward plan in detail can be found on the Consumer Data Standards website.

The Chair noted that in the Energy Advisory Committee meeting this morning, the area of joint accounts was very interesting from an energy perspective, because they have a different take on joint accounts where there are multiple users. For example, one person leaves a contract where there is one connection but there’s a share of the energy costs across different apartment owners. It was noted that the CX team will be looking at a whole range of use cases for joint accounts.

One member noted that it will be very pertinent to align those to our complex business customers for execution because they don’t think that a use case exists for complex businesses.

One member noted that they need to get clarity on joint accounts in the context of the November deadline.

The DSB noted the team is aligned to that and they are thinking about it more strategically rather than introducing something that’s going to interrupt implementation. It was noted that outputs are expected to be at a guideline level.

The ACCC noted that some of the issues being explored for the CX guidelines potentially raise a rules issue, but an amendment could be possible for version 2 of the rules provided that the approach is clear for November.

One member noted that in order for them to make a build decision, a decision of the DSB Chair published on GitHub is not sufficient and they will only act on published standards. They asked us to be mindful of that.

Treasury Update

Kathryn Wardell from Treasury provided an update as follows:

Treasury noted that the rules and standards now have legal effect and they congratulated the ACCC and the Data Standards Body. They noted that they have established a Consumer Data Right Board which is essentially an internal government equivalent of the Implementation Committee. It is comprised of the implementation agencies, the digital transformation agencies, Finance and Prime Minister & Cabinet.

Treasury noted that they have announced a new inquiry into the future directions for the Consumer Data Right and the Terms of Reference are available online. It was noted that they are hoping to get the issues paper out by the end of the month, or the start of next month.

Treasury noted that Scott Farrell has offered to attend a committee meeting in order to answer any questions that the committee may have. The Chair noted that this would be a good idea.

ACTION: Treasury to arrange for Scott Farrell to attend an upcoming Advisory Committee meeting for the banking and energy sector

One member noted that “we are not out of the start gate for the first version, and we are already thinking about future versions without even knowing the uptake and consumer safety”. The member asked if Treasury can provide some indication of timing of the second issues paper.

Treasury noted that there are a couple of reasons, in part because of what they have seen in terms of the amount of time it takes to start implementing from the design phase, and because they want to make decisions for future directions now and have an idea of what organisational elements they need to have in place in order to get to the endpoint they want in 10 years’ time.

The Chair noted that some of the issues are “write rather than read” and “switching” e.g. initiate via CDR to switch my account.  It was noted that it would be helpful for everyone to know that earlier rather than later.

Treasury noted that the review is due to report back in September 2020. It was noted that the review hasn’t be tasked with setting a particular timeline but rather what should be prioritised, where do the reforms need to fit in, and what is everyone’s capacity to undertake future reforms?

One member asked about the decisions that come out of the secondary process, are they likely to impact the standards or the rules work that is currently underway for banking or energy, or is it all future facing? Treasury noted that it is all future facing.

Treasury noted that in principle, the energy data sets position have been published and they are hoping to publish the draft version of the Designation Instrument for energy in late March/April 2020.

ACCC Update

The Chair introduced Paul Franklin from the ACCC to the committee.

Paul Franklin noted that he has worked previously at Commonwealth Bank, National Australia Bank and many years ago Westpac Bank. He noted that he is very excited to be at the ACCC and that it’s a great time to be joining the CDR. It was noted that he was attracted to this role because he sees the CDR potentially transforming the Australian economy and he is very excited to be a part of it.

Paul Franklin from ACCC provided an update as follows:

ACCC noted that with Commissioner Sarah Court, they had completed one-on-one meetings with each of the big four banks and are keen to engage with the fintech sector in the near future.

ACCC noted that following the Treasurer’s consent, the rules were made on the 4 February which came into effect as at 6 February 2020.

ACCC noted that there are a couple of consultations currently open. The first is the consultation on the revised timetable for non-major ADI’s which includes the subsidiary brands for the major banks. It was noted that they are undertaking a survey to obtain industry views on the timetable for sharing by the non-major ADI’s, including subsidiary brands of the majors, when it will become mandatory, and what should entities be able to share voluntary in the intervening period. It was noted that also included is sharing of the Phase 3 data by the major banks and sharing of data direct with consumers.

ACCC noted that the proposal is that non major ADI’s will be required to share from the 1 July 2021 for all product phases i.e. Phase 1, 2 and 3. It was noted that the rationale is that many of the non-major banks have a simpler product set and environment and it might be attractive for them to do everything in one go. It was also noted that they would like to set an ambitious but realistic timeframe to get as much reach for the Consumer Data Right as possible.

One member noted that there is a range of maturity in the non-major banks and some will want to go earlier. They asked ACCC to clarify whether they are looking at a voluntary, and then a definitive period, where some could opt in earlier if they wanted to.

ACCC noted that they are looking to explore that and also what is a realistic start date for the next wave of financial institutions and how long does the transition period need to be.

ACCC noted that they have recently had conversations internally about exemptions. It was noted that once there is a regulatory obligation, they will not give exemptions just because someone is late. It was noted that if there is a good reason why an organisation thinks they should not start the work, they will look at those individual cases.

One member asked in regards to the Phase 3 for non-majors, the proposed date has moved earlier by eight months, and is there anything behind that? ACCC noted that this is only a consultation but there is a desire to get as much scale as we can in Open Banking and as soon as we can. It was noted that they are generally interested in what the nature of the constraints are and whilst the three phases might have been very sensible for the major banks, it is not necessarily the right way to arrange the implementation timetable for the smaller banks.

The Chair asked ACCC if in the consultation about implementation considerations, are they also consulting on the perceived impacts on competition to the majors who would be exposed because of the timing and there may be a competitive disadvantage for being exposed when others are not required to comply as a data holder. ACCC noted that they are open to all of the issues that anyone wants to raise with them in the consultation.

One member asked if there is a date when it will be decided upon. ACCC noted the feedback is due by 21 February 2020. It was noted that they are keen to provide long lead times for any implementation and similarly any rule or standards changes.

ACCC noted that they are aiming to do the consultation and have a view by March 2020 and to then make it public. It was noted that the Treasurer will need to approve any changes to the rules.

One member noted that this has a direct impact in terms of screen scraping. It was noted that you can’t actually prevent or ban screen scraping until there is a viable alternative and you need the majority of institutions participating in the Open Banking regime.

ACCC noted that the paper does recognise that it’s a relatively ambitious timeframe and they have no fixed view about what the answer is going to be.

ACCC noted that they have a consultation open on the role of intermediaries and that they are committed to allowing intermediaries to participate in the CDR, which was not possible in version 1 of the rules, and they intend to provide provisions in version 2. The consultation was released in December 2019 and they are hoping to finalise submissions by next week. The preferred approach for intermediaries will be announced by late March 2020.

ACCC noted that version 1.1 of the register has been released and they are not anticipating any further changes unless something unforeseen comes up.

ACCC noted that they are preparing for two releases of the register. One in March 2020, which they are opening for accreditation, and the other in April 2020, which will be a version to support the managed roll out process and enabling real time consumer data to be transacted.

ACCC noted that the major banks have approached them about whether they are considering what regulatory regime applies to data before 1 July 2020.

One member sought further clarification about the position on liability that will apply prior to 1 July 2020, i.e. in relation to the managed roll out.

ACCC noted that the consumer protections relate to consumer data once they are shared. It was noted that once managed roll out starts happening, the protections that are provided in the rules and the legislation operate in the same way they will when sharing is mandatory from July 2020. It was noted that the only difference is that rules are authorising the disclosure of that data which can be contrasted with the requirement to share data in response to a consumer request from the 1^st July 2020. It was noted that this is rule 6.5 in Schedule 3.

The Chair asked in relation to the earlier discussion on the second-tier banks for Phase 1, 2 & 3, ACCC talked about wanting to be able to make the rules and standards applicable. Are you saying there would be different rules and standards outside of the rules which define when things become mandatory?

ACCC noted that there are two issues, one being the timeframe for those organisations and the second is a general principle that for any new rule or standards that are defined for future releases, they will aim to give as much lead time as possible.

One member noted that their assumption is that before the mandatory period, as they are doing this on a voluntary basis, what would be a violation post July 2020 is not a violation pre-July 2020.

ACCC noted that the rules and the standards apply in the same way prior to 1 July, but the ACCC’s enforcement discretion will apply differently in the managed roll out period. Where participants are endeavouring to comply with the rules and standards, we are unlikely to take enforcement action but our position would be different if no regard is being had to compliance. It was noted that the purpose of the managed roll out is not about testing but is to check whether there any issues as the system starts through throttling consumer numbers at the data recipient side.

The Chair noted that it would be worth ACCC providing some guidelines and they confirmed they are working on some enforcement guidelines around this.

ACCC noted that in regards to testing, they have performance and stress testing to ensure the platform and register are able to handle capacity and there is high availability and disaster recovery capabilities. It was noted that additional penetration testing will be done in production prior to the managed roll out activities and they have completed initial penetration testing activities with no critical or high issues identified. It was noted that there were three medium or minor issues that were identified which have been resolved.

ACCC noted that they are implementing and integrating a security assessment and incident management system to the platform. The product they are using is Splunk.

ACCC noted that with the reset from February 2020 to July 2020, they’ve taken the opportunity to revise the strategy, which is currently being consulted on with the participants. It was noted that they are proposing a multi-lateral test phase, which was requested by the data recipients to allow them to pair with more than one data holder which provides for richer testing and greater potential to detect defects. It was noted that the most significant change is the introduction of the managed roll out phase in May/June.

ACCC noted that they have been asked by one of the major banks to allow them to become a data recipient in the test environment for the purpose of testing with themselves. It was noted that they intend to make this available to any major bank who requests it.

One member noted that on the registry, penetration testing is a point in time test and given the criticality of the registry to the whole ecosystem, is there an ongoing plan for regular penetration security and cyber testing? ACCC noted that they will be doing ongoing testing and are currently engaging resources to do that. They have received funding in the MYEFO budget round for cyber security work.

ACCC provided some guidance that if there is reasonable belief that there is an attack under way in the middle of the night, and a major bank believes that their customers data is at risk, they believe it is reasonable to not provide data in those circumstances. The ACCC will provide guidance that in that situation, a major bank may take the steps that are necessary to secure the data.

One member asked for clarification around language. It was mentioned that the goal is to get to full usage by the Australian public as soon as possible and can ACCC confirm what “full usage” means?

ACCC noted that on the supply side, they would like to have as much data available to the public as possible. On the demand side, they are dependent on the data recipients putting out value propositions that are useful to members of the public. That is related to the supply side in terms of account, product and data set coverage. It was noted that they would like to have open banking data as widely available as soon as possible.

The member noted that there also needs to be awareness and demand generated for the system. The reform may fail if we are not effective in communicating with customers, the public or potential new entrants as this is a customer focussed reform.

Another member noted that there is supply and demand in terms of education but the other side is demand by use case. It was noted that one demand for the use of this data is for loan assessments that has the potential that someone will share their data and get an adverse outcome. It was noted that we will have look at how different use cases get resolved and not be left up to the individual.

One member noted that there is another parallel process that will impact this which is the Digital Platform inquiry. It was noted that we need to think about how this reform will actually be experienced by consumers, how do we ensure that they have the information they need to access the reforms, and how they can exercise their rights?

Treasury noted that the awareness campaign lays with them. They noted that there is a plan to have an official launch event 4-6 weeks after the legal commencement which is partly because they think it is important there is a number of good products available to the consumers. It was noted that their communications team are working on the awareness campaign.

Treasury noted that there are a number of support activities for example, website responses to consumer enquiries that the ACCC are responsible for, OAIC on the privacy aspects, and there is work underway in terms of engineer and developer responses and communications in relation to the standards from the DSB.

One member asked whether there will be further stakeholder engagement on the communications outreach as there is greater impact to communication campaigns if there is alignment across the business sector, the community sector and the government sector? Treasury noted this and will take this back to their comms team.

One member noted that more clarity on the November rules and standards, joint accounts, the consultation paper on consent, and direct to consumer would be useful.

ACCC noted that in the consultation, they are suggesting that “direct to consumer” is put off until July 2021. It was noted that in regards to joint accounts and more complex business accounts, ACCC would like to discuss this further with the big four banks.

The Chair noted that the DSB has a consultation on concurrent consent currently open.

One member noted that in terms of how we are solving concurrent consent, it appears that the DSB are going for a bespoke solution again when there is an off-the-shelf solution. A question was asked as to why are we choosing a bespoke solution when there are existing solutions which have controls and security protocols in place.

Another member agreed that we need to revisit consent, not only in terms of concurrent consent but also when we move to the write aspect of this regime. The consent mechanism the DSB have is quite bespoke and not easy to be modified. The Chair asked that they provide this feedback via GitHub.

ACCC noted that for write access, any issues relating to consent should be included in the submissions to the Farrell review.

ACCC noted that joint accounts are critical for November and noted that the timing of the introduction has always been well understood, and that the rules have been clear about how joint accounts are treated.

One member noted that their teams don’t have enough clarity on how joint accounts will actually work to do the bulk of the build and that their understanding from previous discussions is that there is still a far bit of CX definition that needs to come through.

ACCC noted that they thought they had a base version which we were all working to, but people needed extra time to get there and that might be where we could do the CX work and refinement. It was noted that it was their understanding that some banks are looking at slightly different things and we are happy to work that in if that is going to get us the ultimate solution.

One member noted that it is there understanding that it is not set enough to actually work and that they will discuss this further with ACCC.

Other Business

One member noted the Action Item for the DSB to reach out to the Committee Member about joining a small working group on identity. The Chair noted that this item is still outstanding.

The Chair noted that this came up at the CDR Governance Board and the DTA mentioned they have a Working Group and wanted to engage with us on it.

One member noted that one recommendation from the Farrell Report that didn’t get taken up was the ‘reuse of identity”. It was noted that we need to look at the overall Digital Trust Framework in the context for the CDR and make sure that we work the two out holistically.

The Chair noted that he will ask the DSB Director to convene a small group to tease this out.

ACTION: DSB Director to convene a small group to work on identity

The ACCC noted that because of the degree of digital penetration in banking, it was not an issue that needed to be solved, but it is a problem that needs to be solved for energy and other sectors.

One member asked whether there has been any material change to the timeframe regarding the data intermediary’s rules? ACCC noted that they are going to consult on those intermediaries with a view to making a public announcement about what will be included in relation to version 1.2 of the rules in April 2020.

The Chair noted that there is an edit required in the papers in section “3.1 Technical Working Group Update”. It reads “James Bligh has been training Mark and handing over the operational accountability for the banking standards so that he can focus on the emerging standards for electricity.” It should read “operational accountability for the baseline standards”.

 ACTION: DSB to update paper with edit to section 3.1

Meeting Schedule

The Chair advised that the next meeting will be held on Wednesday 11 March 2020 from 2pm to 4pm at Data61’s office in Sydney.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

Meeting closed at 3:25