Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 27 May 2020
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 21
- Andrew Stevens, DSB Chair
- Kate Crous, CBA
- Emma Gray, ANZ
- Mark Perry, Ping Identity
- Lisa Schutz, Verifier
- Ross Sharrott, Moneytree
- Lauren Solomon, CPRC
- Stuart Stoyan, MoneyPlace
- Erin Turner, Choice
- Les Vance, Westpac
- Andy White, AusPayNet
- Barry Thomas, Data61
- James Bligh, Data61
- Eunice Ching, Data61
- Rob Hanson, Data61
- Terri McLachlan, Data61
- Mark Staples, Data61
- Mark Verstege, Data61
- Bruce Cooper, ACCC
- Michael Murphy, APRA
- Ying Chin, OAIC
- Daniel McAuliffe, Treasury
- Scott Farrell
- Mal Webster, Endeavour Bank
- Patrick Wright, NAB
The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 21.
The Chair noted that there has been a lot of progress since the last meeting. It was noted that from July, consumers will be able to exercise their consumer data right. He is also reconsidering the composition of the Advisory Committee and advised there will be significant changes to the group, which will reflect the forward-looking requirements as we need to increase the emphasis on second tier and other banks and potential data recipients into the process. It was noted that we have reached an important milestone as we have set up the regime to give effect to the recommendations of Scott Farrell and the policies of the Commonwealth Government.
The Chair noted that whilst the November Phase 2 obligations are on everybody’s mind, we should also reflect on what we have achieved and he would like to personally thank every member of the Advisory Committee including those who did not carry on after the first year - thank you for your contributions and input.
The Chair noted that Mal Webster (Endeavour) and Patrick Wright (NAB) are apologies for the meeting. He also welcomed Scott Farrell who is attending the meeting as an observer.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 8 April 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB noted that version 1.3.1 of the standards was published which was a release to provide clarifications around documentation fixes for v.1.3.0. It was noted that they are also well underway with the banking Maintenance Iteration # 3 which will provide clarity before the July go-live. They have focussed on enhanced error handling and are consulting on that at the moment.
DSB noted that work has continued on the consultation in the energy sector with the publishing of the decision proposal on NMI Standing Data and continued with the weekly data holder meeting which is held jointly with the ACCC.
The DSB noted that at the coordinated working groups meetings, they have seen a boost in participation from 10-20 participants to consistently over 100 participants which is pleasing to see. At the recent Introduction to the Consumer Data Standards Workshop, which was a session to walk through the premise of the Consumer Data Right (CDR) and some of the general concepts, they had 240 registered and a considerable number of those participated on the day. A range of organisations including second tier banks and potential data recipients joined the call to understand the regime and the level of interest is encouraging in relation to the implementation of this regime.
One member noted that there are currently 130 open issues on GitHub with 19 related to standards, 71 to standards maintenance and 40 to the registry. Whilst they appreciate we have a lot on, it is taking a sizeable amount of time to respond. It was noted that they raised two issues (220 and 221), which if raised internally would have been a 15-minute decision, but it has taken over 6 days to respond to both. It was noted that given where we are in the regime, they would like to understand what processes the Chair might be able to put in place to get faster responses because the slow responses are impacting their defect closure rate with the testing that is going through.
The Chair noted that they have prioritised issues relating to July, then November and then thereafter and if some of those issues are related to November or beyond they would not be getting the same priority. The member noted that issue 221 is seeking clarification about ID tokens and it is impacting their defect closure rate for 1 July 2020.
The DSB noted that they can’t talk to the individual issues but they were not aware of any current issues with the speed of response in the context of readiness for July and they would need to investigate this further. However, in regards to issue 221, they are currently working through that and also looking at a couple of other related issues which they have provided comments on.
The DSB noted that there is a concern that if things are done too quickly, that can have unintended consequences as they are not talking about one data holder at a time they are talking regime wide. It does inherently require some time to really make sure you don’t have unintended consequences.
The DSB noted that they will look into the issues and check the status and see if they can speed things up. They asked that when posting an urgent issue, if you can flag it as urgent in GitHub that can help the team to prioritise as sometimes it is hard to tell the relative urgency.
ACTION: DSB to review the open issues in GitHub.
The Chair noted that Michael Palmyre is an apology and no further update on the CX Working Group will be provided at today’s meeting.
ACCC Update - November Phase 2 Obligations
Bruce Cooper from ACCC provided an update on the November Phase 2 obligations as follows:
ACCC noted that there are two issues around the November Phase 2, one is what’s in scope (e.g. joint accounts, mortgages and requirements and obligations) and the second one is what, if any, rules / standards changes are there? ACCC have been liaising with government and industry to work through whether any of the existing scope in Phase 2 should be delayed from November and noted that Government is not minded to do that. The ACCC is having ongoing discussions with the Treasurer’s Office about what November actually looks like and whether it is possible, for instance, to prioritise some of the items in scope or is the Government keen to see all items progressed which are currently in scope?
ACCC noted that in regards to any changes in the rules and standards there are a couple of things that are in play. One is changes to the “outsourced service provider” (OSP) provisions that would allow a data recipient to use the services of a technology company as a third party to collect data. The second is changes to joint accounts which have been requested by banks to increase optionality. If there is no change on these issues, the rules as published in February will apply.
ACCC noted that they have been working with industry to be very clear on what the build implications are, if any, for some of those changes and again to continue to work with Treasury and the Treasurer’s office to get clarity on what rule changes they will contemplate. The ACCC was hoping to go out with a consultation draft on new rules this week but that has not been possible. They will do as quickly as they can.
The DSB noted that broadly speaking, they put in place version 1.3.0 of the standards which is necessary in the context for November timeframe and they are having active discussions with the ACCC on what might be varied in that timeframe so that, should any changes be required, they are ready to consult on and roll out new standards changes very quickly based on that consultation draft. It was noted that none of the possible changes amount to a great deal compared to the broader issue of what is in or out for November at a rules level.
The Chair noted that the most likely scenario is the rules as at February 2020 will be the rules that apply in November 2020. He would encourage the ecosystem to build to those standards and rules that have been established in the case of rules in February and standards on the 17 April.
The DSB noted it is their understanding that there will be no standard changes required to support the model they are proposing for concurrent consent that was in version 1.3.0 of the standards and noted there is ongoing work but that will only apply post November. For joint accounts, there is an optionality issue which is well discussed and understood and this could be put in place quite readily should that be required by the ACCC.
The Chair reiterated that in the CX area, the standards are standards (mandatory) and guidelines are guidelines (recommended). The Chair’s view is that you should continue your build for November as per the rules that were established by the ACCC in February 2020 and the standards that the DSB established v.1.3.0 (now updated to v.1.3.1) and build to those.
The DSB noted that the ABA have flagged what they believe are some areas of ambiguity in the CX guidelines, which they are happy to look at. It was likely that this would just require clarification on GitHub. It was noted that there is an ongoing issue with the whole idea of CX Standards and the CX Guidelines and that a guideline is indeed “recommended” but not weightless and not without consequence when ignored.
One member asked if the DSB are saying that a guideline is “recommended”, what consequences are there for not following the guidelines? The DSB noted that people ask for guidelines because they want there to be a consistent user experience, and if you don’t follow a guideline and everyone else does, you’re making a decision to be a bit different and not as user friendly - that is a commercial choice. It was noted that it is not a consequence in a compliance sense, it may have a different commercial outcome if you have the choice not to follow, but it may or may not be a good idea.
One member noted that the concurrent consent standard for November draws on some future industry OAuth standards which are still in draft and they are very reliant on vendors to help them. The nuance of how do they start to build that before the final standards are set and at risk of change (not the standards that gets set here but industry wide standards)?
The DSB noted that in regards to concurrent consent there are aspects that are specific to the CDR but also the reliance of the underlying OAuth standards that are authored by the Open ID Foundation. It was noted that those have been in a draft development form for many months and were recommended to us by the Open ID Foundation. It was noted that they looked at those standards and those that applied particularly for the requirements of current consent, as opposed to looking at going down a bespoke approach.
The Chair recognised that the OAuth standards have some draft elements, which has been pointed out to him, and asked what should developers be developing to now? Should they be developing to the draft standards because we think they will be adopted by November and drive a compliance obligation or the current standards which are yet to be updated or some hybrid?
The DSB noted that the standards that apply for July are pre concurrent consent so Data Holders will be developing to the standards as they apply for their obligations for July. For November, the introduction of the draft industry standards has reference to push authorisation requests (PARs) which is a mechanism to be able to transfer the details of the authorisation request in a slightly different fashion to what is currently noted.
One member noted that generally speaking they are okay using a draft standard however in this case it is the timeframe that is the problem. November is really difficult for a commercial enterprise to turn around an addition of that sort of functionality given the exiting product roadmap and customer commitments.
Another member noted that they have some nervousness in terms of wasted spend if there is a change to the standards before they build which incurs more expense. They also noted that this is something the Committee has looked at many times before, which is the interaction between the rules and the standards, when they are set and the release schedule which we still don’t have, and they feel like they are starting to run into the same set of issues for November as they had in July. It was noted that one’s ability to execute the build for November is very different from July.
They would like to ask formally, between the ACCC and D61, that they get a very clear idea about when a standard gets developed, what is the timeline between that and when the next release is.
The Chair noted that as per his statement earlier, they should be building to the rules and standards as of February and April respectively for exactly that reason. He also noted the comment the DSB made earlier regarding OAuth standards and the position with the commitment to use open standards when they only have a draft standard (that is why he recommends building to the February and April versions). He also noted that he has been speaking with ACCC in regards to the cut-off date for adjustments ahead of the compliance date and whether it aligns with November or whenever the compliance date is set. He understands the frustration.
One member applauds the Chairs for his statement, but what happens if there are changes that incur cost? The Chair noted that all CDR participants can do is to develop to the standards and rules which have been made - there really is no alternative.
The ACCC noted that they are completely committed to having a release schedule that is set out in advance but there are real challenges in getting agreement with both industry and government. They understand the need and are working hard to specify the forward dates and cadence.
The Chair noted that the DSB will relook at the concurrent consent and OAuth standards specifically to ensure any timing confusions are resolved.
ACTION: DSB to provide clarification on concurrent consent and OAuth Standards.
One member asked if the ACCC can confirm that they are not looking towards an agent UK style ASP as a data intermediary, certainly not for November, but in 2021?
ACCC noted that they are still in discussion with the outsource service provider, and that collection of data is actively under consideration for November and other models that would allow intermediary participation are probably after that.
ACCC Update – RAAP and other Accreditation matters
Bruce Cooper from ACCC provided an update as follows:
The ACCC noted that on Monday 25 May 2020 they opened the register and the accreditation application platform (RAAP) and the consequence of that is that once they have data holders and data recipients registered on the platform, live data sharing can happen which is a pre-requisite for 1 July. This allows prospective data recipients who register and apply to become accredited which is necessary if we want to expand the ecosystem. In regards to the conformance test suite, they have engaged with a number of industry players to help them to develop and test the data recipients side and will do the same with the data holder side. The intention is to have the conformance test suite available in September, and assuming a data recipient makes a valid application shortly, they will be able to use the conformance test suite after this prior to commencing live data sharing.
The ACCC noted that as part of the information for prospective data recipients, they released the final version of the accreditation guidelines. These include general guidelines and two supplementary specific guidelines in relation to “insurance” and “information technology”. One of the changes from the draft to final version of the information technology specific guidelines is that they would allow, in certain circumstances, instead of the specific Australian standards audit report, allow firms to use a comparable standard to the extent it satisfies relevant Australian controls. The intention is to reduce the cost of compliance for firms that meet comparable standards.
The ACCC noted that they have been trying to reset the timing for non-majors but there is still work to do in terms of getting agreement to reset those. The ACCC will decide to do this by a rule change or via exemptions (like the change for the product reference data for non-majors). The ACCC noted that they are minded to restoring the 12-month gap in the obligation imposed on the major banks and the equivalent obligation being imposed on the minor banks.
One member noted in regards to clients of intermediaries and the consideration being given there. They have heard mixed messages from people that clients of an intermediary would require some accreditation standard.
One member noted that a failure point is when you are at a credit union where a company needs to get data from a customer who is part of a small credit union and not part of the CDR as yet. You have to go direct to that institution via screen scraping technology because they are not part of the CDR. It was noted that an efficient way to deal with that is to enable intermediaries to pass data through to companies that sit below them under their authorisation as an ADR.
Another member noted that they thought under the CDR was to ensure that consumers had protection and insurance and claims to recourse. For the regimes that that don’t give consumers protection and control over their data that seems insufficient, so providing everyone in the chain is liable for the privacy and insurance protections that consumers are responsible for you have a path forward. It is where you have a player trying to circumvent that is where you would have a problem.
Another member noted that in the UK they have an established model where other companies that want to use data can become an agent for accredited data recipients. The point is to reduce the regulatory and other overheads to make use of the system. It is their understanding that this would not be allowed for November.
ACCC noted that the consultation paper they did presented a number of models for this and the simplest version as the outsource provider collecting data and that is the one they could deal with for November. The other models have broader implications including privacy implications with mixing data, the inability to delete, and other implications that they can’t do for November.
The Chair noted that the implication is that screen scraping will survive and be the go-to solution for longer until we sort this out.
Daniel McAuliffe from Treasury provided an update as follows:
Treasury noted that there are some ongoing discussions regarding phasing. In particular they are looking at November and whether or not there might be scope for adjusting what's in the November phase in order to facilitate people hitting November. They noted that they don’t think the Government is inclined to push back November as it stands - it looks like there will be a November phase, it’s just what’s in it. They appreciate the need to get an urgent call on that and they are working towards that as quickly as we can.
Treasury noted in regards to the awareness campaign, this was delayed due to COVID-19 related demands on the department and push back of things like the budget. There is no further update on this for this meeting.
Treasury noted that they have a consultation open on the Consumer Data Right – energy sector designation instrument with the consultation period closing on the 31 May 2020. They are intending to make that DI by the 30 June 2020, in order to avail themselves from some transitional provisions in the CDR bill to rely upon previous consultations (such as the HoustonKemp Report, and the Treasury energy datasets consultation) rather than conducting a full sectoral assessment.
Treasury noted that they have done a Privacy Impact Assessment (PIA) process for the DI and that is being finalised and will be published at the time of the making of the DI, together with agency responses to the recommendations made.
The ACCC noted that as part of releasing the register, they needed a website to hang the platform on. The ACCC is currently using an interim website but are developing a full functionality site that will have more information for consumers with video’s and FAQ’s as well as the information that is currently sitting on the ACCC website.
ACCC noted that in regards to the draft Rules Framework that will apply to energy, this will set out the issues and their direction of travel on each of those issues which will be done by the end of June 2020. There will be a six to eight week consultation period for the framework.
The Chair noted that we have had six Advisory Committee meetings in energy and some substantial workshop progress in relation to various data elements and technical standards. He noted that he thinks the rules framework and the DI will kick that along yet another step.
One member noted that last year in July the DSB conducted a security review of the CDR Standards – and this highlighted a number of different issues that were worked through. Since then, there have been significant change to the ecosystem. The member asked who is intending to conduct the end to end security review of the ecosystem before we go live? They understand that ACCC have engaged CyberCX which has produced a report which has assessed the ACCC ecosystem. It was noted that each of the data holders they know are conducting their own assessments of their security and that the ecosystem as a whole needs to be to assessed to make sure when the data leaves a secure ecosystem on route to a data recipient, that there is no ability to interfere, redirect, malicious activity or any of those other components. In a bilateral supplier agreement that would be standard practice that would occur between a bank, and whichever supplier or other partner they were engaging within that space. Do we have clarity on who is responsible for security of the ecosystem as a whole, who is responsible for providing the security review, and when it will be conducted so we can all be comfortable that when we go live we can say to consumers that this is good and you can trust it?
ACCC noted that as part of the report (a version of which was made available to the members), there was a review of what the ACCC would be responsible for and what the data recipient and data holder would be responsible for. There is no plan to do an end to end ecosystem wide cyber report but there is an intention to do regular incident management and things like that but not a cyber report in the same way we have done for the RAAP. It was noted that in terms of data transfer security this will not be reviewed.
The member noted that given the design is so critical for the success, are we comfortable as a committee that when we go-live on 1 July there will be no security assessment of the design of the ecosystem and given how bespoke the standards are, that we're all going to stand behind and say we are comfortable even though, no one has independently assessed the collective?
The ACCC noted that in regards to the cyber assessment of the register and how that's been assessed for security by design perspective, members have some visibility over what the report on that was.
The DSB noted that if we are talking about standards specifically, we have done independent security reviews in the past at a detailed level. It was noted that it’s a valid question on how frequently these things need to occur and there is an active conversation going on between the DSB and the new person in charge of the security in ACCC about how we integrate a future review of the standards with the broader ACCC security reviews but this is not seen in the context of July. It was noted that it comes down to a risk assessment. The things that have changed are relatively fine grained and the view at the moment is that the review last July is still valid. This does not mean that we don't need ongoing reviews, but the assessment at this point is that the existing review is sufficient and adequate in context of July.
The member asked that this position be noted in the minutes of this meeting.
The Chair brought the discussion back to the requests for greater certainty terms for the November Phase and asked if we brought the draft OAuth standards or the relevant elements into the standards, and therefore mandated the elements that had to be followed for concurrent consent, or simply said you should adopt the draft standard as at this date, would that help?
The Chair noted that sometimes these Industry standards sit in draft for years not months, and if we're looking at providing some certainty to regime participants so they can build then we've got to find a way to do that, either adopt the old standard which again has a lot of problems or adopt the draft (new) standard. Alternatively, we could encourage the finalisation of the draft standard but he is not sure any of us has enough leverage to change this.
The DSB noted that there is no perfect solution and it’s a judgement call. If we were extremely conservative in adopting draft international standards we would be, and have been in the past, criticised for locking the regime or requiring people to implement solutions which are clearly going to become obsolete in the future. If we have a choice between a draft standard, which is quite stable versus creating our own bespoke solution, there's no perfect answer. You've just got to choose the “least worst” option.
The Chair noted that he will, with the DSB, evaluate this as a priority and if any committee members have any further thoughts on this point the Chair would be glad to receive them.
No other business.
The Chair advised that the next meeting will be held remotely on Wednesday 8 July 2020 from 2pm to 4pm.
Closing and Next Steps
Meeting closed at 15:15