Data Standards Body Banking Advisory Committee, Meeting Minutes
Date: Wednesday 11 March 2020
Location: Data61, Level 5, 13 Garden Street, Eveleigh
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 19
- Andrew Stevens, DSB Chair
- Kate Crous, CBA (via WebEx)
- Emma Gray, ANZ
- Mark Perry, Ping Identity (via WebEx)
- Lisa Schutz, Verifier (via WebEx)
- Lauren Solomon, CPRC (via WebEx)
- Stuart Stoyan, MoneyPlace
- Jamie Twiss, Westpac
- Mal Webster, Endeavour Bank
- Andy White, AusPayNet
- Barry Thomas, Data61
- James Bligh, Data61 (via WebEx)
- Rob Hanson, Data61 (via WebEx)
- Terri McLachlan, Data61
- Michael Palmyre, Data61
- Mark Staples, Data61
- Mark Verstege, Data61
- Bruce Cooper, ACCC
- Paul Franklin, ACCC (via WebEx)
- Jodi Ross, ACCC (via WebEx)
- Ying Chin, OAIC (via WebEx)
- Scott Farrell
- Kathryn Wardell, Treasury
- Ross Sharrott, MoneyTree
- Erin Turner, Choice
- Patrick Wright, NAB
The Chair of the Data Standards (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 19.
The Chair noted that in light of the developing COVID-19 situation, he will give some thought over the next week or so as to whether we should conduct these meetings virtually.
The Chair noted that there has been a whole range of things happening since the last meeting. Along with Advisory Committee Members Lisa Schutz, Aakash Sembey & Jamie Twiss he was on a panel at the Gartner Data & Analytics summit in February. Barry Thomas and Mark Staples attended the Senate Select Committee on Financial and Regulatory Technology Public Hearing which was chaired by Senator Andrew Bragg on the 28 February 2020.
The Chair noted that his trip to the OECD Expert Workshop on Data Portability in Paris on the 17 April 2020 to participate in the session on “The Scope of different data portability initiatives across jurisdictions and sectors” looks like it will be held remotely due to the developing COVID-19 situation.
The Chair noted that the Data Standards Body (DSB) has engaged the Consumer Policy Research Centre (CPRC) to provide research and engagement services to capture feedback from the community sector and provide the latest advice to the DSB on consumer risks and opportunities associated with the development of the DSB standards.
The Chair noted that we have an Engagement & Support Manager joining us at the end of the month as we transition much more to operations and ongoing maintenance and support of the standards.
The Chair also welcomed Scott Farrell to the meeting and noted that he led the Open Banking inquiry that recommended an economy wide Consumer Data Right. He has also been engaged to do a Version 2.0 of that work which will be looking at future options and advising the government in relation as to how the CDR should progress.
Scott Farrell noted that the first review dealt heavily with the banking industry and this new inquiry focuses on the future of the Consumer Data Right.
Scott Farrell noted that on Friday, the Secretariat published an Issues Paper into the “Inquiry into Future Directions for the Consumer Data Right”. He noted that there are some phrases which are carefully chosen because a large part of it is going to be working out where the CDR fits into our digital economy, who it can be used by, and what does it need to connect to.
Scott Farrell noted that there are concrete issues such as “how would write access work under the CDR”. Importantly he hasn’t been asked “if”, but “how” a combination of read and write access lead to more effective ability to choose alternative service providers and implement them like switching. It was also noted that there are some other broader issues which will be very important to those who've already invested so much, and presumably on the basis that this is not limited to silos around particular sectors and this is supposed to be part of the backbone or framework of our digital economy.
Scott Farrell noted that the TOR are quite broad and include references to connecting to overseas programs of a similar nature. It was noted that he has built connections with a number of countries since his last appointment finished. It was noted that as members and important participants of the digital economy that is supported by the CDR, how do you want that to work for your customers?
Scott Farrell noted that in the TOR there’s a reference to consent management frameworks, and as we have different ways to authenticate ourselves for different services, we are starting automatically to fabricate the means of identifying ourselves digitally. It was noted that these things are not separate from the CDR, and not necessarily an integral part of it, but it results from its operation or who the CDR needs to connect with.
Scott Farrell noted that the DSB is part of the infrastructure that was created for the CDR and another example is the accreditation regime and how could these be used in other parts of a digital economy so they are efficient. He has been asked to make sure that we know why we’ve been asked to implement this, and to make sure that when you want to leverage your investment there is some kind of principle and operation to get there.
Scott Farrell noted that he is not looking backwards or at what sector is next but looking at how we use this as a foundation and that this is our chance to steer that. He also noted that he will need to consider, as someone who creates the fabric and framework, where cyber security fits in relation to standardisation and how that is used in different parts of the digital economy.
Scott Farrell noted that a key part mentioned in the TOR is around vulnerable customers and noted that he would like to receive submissions in relation to how we get the outcomes for vulnerable customers. He noted that he has been working with the OBIE in the UK, and the UK has progressed their thinking in this particular area.
Scott Farrell noted that when he performs this role, it’s in a personal capacity not as a lawyer/partner of King & Wood Mallesons (KWM).
Scott Farrell noted that the closing date for submissions is 23 April 2020 but noted that he is happy to have informal meetings.
ACTION: DSB to circulate Scott Farrell’s contact details to Committee Members.
One member asked for clarification in regards to vulnerable customers, and the nuance between let’s protect the privacy of customers, but at the same time, not have that as an impediment to serving both those and other customers. Scott Farrell noted that protecting vulnerable customers is not the same as data protection. The outcomes should be the protection of vulnerable customers.
Scott Farrell noted that he expects the discussion of vulnerable customers will come down to the question of digital or data literacy and the ability and the best way of helping them based on their vulnerability.
Scott Farrell noted that there are elements around data ethics and the appropriate use of information, and there's a nuance in his view, because this is an information transfer framework and anything we have around the use of information that we think is a human right in Australia should apply to all of that information that you happen to get rather than just the pipe you got it through.
One member noted that they have just finished a report for the Australian energy regulator which focused on emerging regulatory approaches to vulnerability in a central service market and that it might be worth discussing that with them. From their perspective, and the people that they talk to, it's very clear that there is not an automatic consumer protection for vulnerable customers to the CDR framework. It was noted that it is good that this is being looked at but it is about putting in an appropriate protection framework that actually delivers enhancement and empowerment and reduces the risk for all customers including those who are vulnerable.
One member noted that as a bank, the rule that they have to apply is not just what does the customer expects them to know but what is the customer expecting to know within the context of this conversation. It was noted that they have disciplines in place classifying all of their data and the level which can be viewed. The risk that they have is that other organisations may not have the same disciplines in place and suddenly there could be data out there which is known that is not useful and wouldn't pass the GDPR test and could create harm.
Scott Farrell noted that some other things that they might need to connect to is the existing payment systems of this country in relation to write access, which is beyond just payment initiation and for tiered accreditation should there be some specification of tiering in relation to cyber security standards so that it is intelligible.
The Chair asked in regards to the international context how is the CDR in Australia regarded? Scott Farrell noted that the work that Australia was doing was regarded well.
One member noted that in regards to the already existing framework within the current construct, will part of his role be to help think about prioritization or will that be done subsequently. Scott Farrell noted that the TOR does not says he must set a timeline, but it would be extremely helpful if any submission included an order which this would work in, taking into context of how that works for Australians.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 12 February 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB noted that the last time we met we were kicking off the consultation around proposed scope for the maintenance cycle. It was noted that the focus over the last month has been addressing clarifications and change requests that are focused on the product reference data, where we can actually support the non-majors going into their first round of implementation. It was noted that there were thirteen change requests which were part of that scope of which half have been adopted as proposed changes.
The DSB noted that three Decision Proposals have also been open around other substantive changes like the “Concurrent Consent Consultation”. The feedback period has now closed and the DSB are reviewing and noted that they had some really good responses from industry groups and banks.
The DSB noted that for the consultation on the “CX Principles”, they will be consolidating the feedback and finalising shortly.
The DSB noted that there has been a pause put on the “Direct to Consumer Consultation” as the results of this consultation were mixed and are being discussed with the ACCC so a combined position can be taken.
The DSB noted that they are working with the ACCC to clarify the timelines particularly in view of November 2020 and when they are going to have reasonably solid standards in place for that. It was noted that they are very conscious that they need to provide these as soon as possible.
One member asked in regards to the “existing refresh token” can the DSB provide a sense on when this issue and final clarification will be provided as it has been open for ten days.
The DSB noted that the existing refresh token issue is coupled into the concurrent consent solution and it is something that they are addressing and the final decision will be provided within the next two weeks. It was noted that this does not relate to July but to the November timeframe.
A further update was provided on the UX work stream by Michael Palmyre as follows:
The DSB noted that recognising the need for ongoing consumer, advocate and community engagement as part of the work to inform the standards and guideline development, they have engaged the Consumer Policy Research Centre (CPRC). CPRC will help the DSB carry out some of the work by conducting research and consultation with consumer and community groups to ensure that the standards and guidelines development process is informed by those community views.
The DSB noted that the first two rounds of consumer research have been completed. It was noted that the second round was focussed on energy but also included joint accounts and de-identification and deletion. It was noted that the report will be published in the next week.
The DSB noted that on joint accounts, one of the issues that that came up was around the requirement for a joint account to be pre-elected before being available for authorisation in the authorization flow. It was noted that they have sought some views and this is currently with ACCC who are considering whether to amend the rules to accommodate a joint account election being offered in the authorisation flow. It was noted that this is not adding a requirement but lifting a constraint so that there are more options to make that account available.
ACCC noted that this would not be for the July implementation but for November. It was noted that this has been requested by the banks to accommodate one particular product which has been adopted and that they wouldn’t mandate this approach.
Kathryn Wardell from Treasury provided an update as follows:
Treasury noted that the Issues Paper for the Inquiry is now publicly available and they are still working towards the end of March early April to get the draft Designation Instrument for the energy sector out for consultation.
ACTION: DSB to send out the link to the Issues paper to Committee members.
Bruce Cooper from ACCC provided an update as follows:
ACCC noted that the consultation on intermediaries and direct ADR to ADR transfer has now closed. It was noted that the ACCC is still aiming to provide a view and make it public by end of March or early April. It was noted that some of the solutions might be easier to implement than others so there might be different times for implementation.
One member asked whether this will help some of the participants in July / November as to where they stand with the current outsourced providers to actually see what this business model looks like if you want to set up as an intermediary.
ACCC noted that they carefully selected data recipients from the expression of interest last year, who we understood would comply with the current rules as they stand.
ACCC noted that some of the options under consideration are going to be easier to implement than others, and where they can they will publish the draft rule for those simpler options and otherwise indicate the likely pathway forward for the more complicated options.
ACCC noted that the consultation has also closed in relation to the phasing for both phase 3 data for major ADI’s and the implementation for non-major ADIs. It was noted that the ACCC is aiming to have a recommendation to the Minister in a week to two but will not be able to go public until they have got at least in principle agreement from the Treasurer to the phasing the proposed. It was noted that there wasn’t a lot of support for the suggestion that all three phases be implemented together for the small ADI’s even if the date for implementation was delayed.
ACCC noted that it had offered to clarify 2 issues in relation to managed rollout, which was discussed at the last DSAC meeting and also in the Implementation Advisory Committee. The first issue was the application of the law during managed roll out (before sharing consumer data becomes mandatory). The second was the ACCC’s intended approach to compliance and enforcement during managed rollout.
ACCC noted in relation to application of the law that all the standards and rules will apply during the managed rollout as they would if consumer data sharing was mandatory. It was noted that in order to participate in the managed rollout data recipients will need to be formally accredited.
It was agreed that the secretariat would circulate on behalf of the ACCC the following more detailed statement of the legal basis for managed rollout to members: Following completion of testing to the threshold level of capability, the Registrar will issue a request to each data holder under rule 5.31(1) requesting participation in the managed rollout. Rule 5.31(2) obliges a data holder to comply with such a request. The scope of the managed rollout is limited to disclosure of consumer data by data holders to accredited persons under Part 4 of the Rules. Disclosure of consumer data prior to 1 July 2020 is authorised by clause 6.5 of Schedule 3 of the Rules. Any such disclosure as part of the managed rollout must comply with the Act, Rules and Standards. For accredited persons who intend to participate in the CDR regime as of 1 July 2020, the Registrar similarly will issue a request under Rule 5.31(1) to participate in the managed rollout.
ACTION: DSB to circulate the legal basis of managed rollout to committee members.
In relation to compliance and enforcement, the ACCC advised that their primary focus would be to ensure consumers have the confidence in the security and integrity of the system. The ACCC recognises that the CDR is a new and complex regime that involves CDR participants introducing a range of new processes and systems. The ACCC will continue to work closely with initial CDR participants during managed rollout to identify potential threats to the security and integrity of the CDR regime. Where issues of potential non-compliance with the Rules or Standards are identified, the ACCC will liaise with the relevant participants to learn the nature of the issue and discuss possible mitigation approaches.
ACCC noted that during managed rollout, the ACCC’s priority will be to inform participants of conduct it considers to be potentially non-compliant with the Rules or Standards, with a view to ensuring the prompt resolution of issues and to encourage compliance. The ACCC does not propose to use formal enforcement approaches during this phase, unless reckless or negligent conduct by a CDR participant directly impacts the welfare of consumers. In this regard, the ACCC noted that they will always consider the information security requirements as critical to protecting consumers at any stage of the implementation of the CDR regime.
One member asked hypothetically, if something happens with consumer data during that test phase and a bad actor intervenes, who will the consumer successfully sue? ACCC noted that the provisions in the legislation describe liability in various circumstances and how they will operate.
ACCC noted that in regards to implementation and testing, all four data holders have completed connectivity testing (i.e. focus is to establish technical connectivity between participants in preparation for functional, process and workflow testing during the industry testing). They have also all entered industry testing. It was noted that the success rates in testing are pleasing.
The ACCC anticipates that three data holders will complete the industry testing in time for the managed rollout. It was noted that one data holder expects not to have all products ready for the commencement of managed rollout, but still expects to be ready for launch.
ACCC noted that the data recipients continue to progress through testing. It was noted that six have completed connectivity testing and commenced industry testing. No data recipients have been accredited as yet and it is difficult to say how many will enter managed rollout or launch on 1 July. The ACCC noted that they are working closely with data recipients to provide information and assistance on accreditation and testing. ACCC noted however, this will depend in part of the data recipient’s business decisions and use cases.
ACCC noted in regards to RAAP that at the last meeting they advised that there would be 2 release dates for the production version of the RAAP in March and April. They have decided that it will be more efficient to have a single release because it is such an integrated system. It was reported that RAAP remains on track for mid-April launch. A further round of penetration testing is planned before the launch.
The Chair noted that in regards to the comment on the refresh token and concurrent consent timing, the Decision Proposal will be approx. 2 weeks which will be in line with ACCC’s recommendation to the Minister. The ACCC noted that they have a workshop next week with the DSB to go through some of the issues for November including concurrent consent. It is their intention to make a public statement prior to the next Implementation Advisory Committee meeting.
The ACCC noted that direct to consumer data transfer is one of the issues that is being considered as part of the phasing and a number of people have queried the value of the use case and whether or not it might be better to focus on the delivering some of the consumer data and product reference data first.
One member noted that obviously the sooner they get clarification on this the better.
One member asked in regards to conformance testing, are their plans to publish a test harness / test suite that can be used by the software industry to test their products and then be able to market their software product as CDR compliant?
ACCC noted that they are starting to develop a conformance test suite and the expectation is that the first version will be available in May with a fully functional suite ready by the end of the year. The ACCC acknowledged how important this is for onboarding new data holders and data recipients.
One member asked whether there'll be something available for software solutions to test more generally for compliance in the situation, for example where you're not applying to be accredited. They noted that they are seeing a large number of tier two data holders making technology decisions. They think that industry needs a confidence level that some solutions that are being marketed in this space are actually compliant now that they have a specification that's been mostly finalized. It was noted that it is similar to what the UK have done, and it would useful for people that are not data holders or data recipients but supply CDR compliance solutions to be tested.
ACCC indicated that it is considering this issue but that they have previously only contemplated making the conformance test suite available to data holders or data recipients as part of the accreditation process. It was noted that ACCC have not endorsed any software providers in the market, and they are aware that this has become a bit of an issue recently.
The Chair noted that he raised this issue at the CDR Board and noted that he would like to work closely with ACCC on this point.
One member noted that they have put in a request that all the November rules be finalised by the end of March which would give them a six-month period to make sure everything is locked down. It was noted that they don’t know how feasible that is for everything, and they suspect from the FinTech’s who are working as data recipients, it would be helpful for them to get to the point where they are confident that everything is locked down which would allow for six months of testing.
The member also noted that they suspect that we will all go into a bit of crisis management mode with the current COVID-19 situation, and budgets will be impacted. They asked at what point should we be discussing a contingency plan around everything that we're doing in light of what's going on.
ACCC noted that they recognise the desire to get clarity about the rules as soon as possible. They noted that in regards to the category of potential rules changes, there are some that are just clarifications that have been requested by data holders and there are some that might impose a cost or new complexity on data holders.
ACCC noted that there are a couple of rule changes that are being prepared for consideration at the moment and as far as possible, they are trying to limit anything that imposes additional work on the data holders. They expect to be able to provide a further update on this by the time of Monday's Implementation Advisory Committee Meeting.
ACCC noted in regards to the crisis management mode question that they have just started thinking about this and they expected further discussions would be required.
One member noted that in regards to the Register one of the pieces they don’t have clarity on is how to handle extended registry outages, i.e. outages to the point where the data holder metadata expires and what needs to occur.
The ACCC took this question on notice.
One member noted that they have a random question around the technical capabilities of this regime of negative interest rates and can the regime handle negative interest rates?
The DSB noted that they believe that this is already technically supported. The Chair asked the DSB to confirm and get back to him so he could advise the Implementation Committee on Monday.
ACTION: The DSB to advise the Chair if negative interest rates are supported by this regime.
The Chair advised that the next meeting will be held on Wednesday 8 April 2020 from 2pm to 4pm and is due to be held at Westpac’s office in Melbourne. It was noted that he will consider the best way to hold this meeting, and we will advise back.
The Chair asked the members to review the proposed committee meeting dates and advise the DSB if not suitable.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 15:15