Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 8 July 2020
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 22
- Andrew Stevens, DSB Chair
- Andrew Cresp, Bendigo & Adelaide Bank
- Damir Cuca, Basiq
- Nigel Dobson, ANZ
- Gareth Gumbley, Frollo
- Rob Hale, Regional Australia Bank
- Frank Restuccia, Finder
- Lisa Schutz, Verifier
- Ross Sharrott, MoneyTree
- Marie Steinthaler, TrueLayer
- Stuart Stoyan, MoneyPlace
- Erin Turner, Choice
- Barry Thomas, Data61
- James Bligh, Data61
- Rob Hanson, Data61
- Terri McLachlan, Data61
- Michael Palmyre, Data61
- Mark Staples, Data61
- Mark Verstege, Data61
- Bruce Cooper, ACCC
- Paul Franklin, ACCC
- Ying Chin, OAIC
- Daniel McAuliffe, Treasury
- Lauren Solomon, CPRC
The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 22.
The Chair noted that the Advisory Committee membership had been refreshed and he welcomed the new members to the committee and thanked those who signed on again. He acknowledged the great contributions made by members in the service of the nation and noted his appreciation.
The Chair noted that the initial designated sector for banking has gone live and all of the participants, both data recipients and data holders have been involved in successful consumer data transfers since 1 July 2020 which is a very good thing.
The Chair noted that some of the initial media reports and reflections were provided with the papers for the committee’s review. Suffice to say that virtually all of that coverage was positive and recognises the achievement and significance of the implementation of the regime.
The Chair noted that he attended the CDR Board Meeting on Tuesday 16 June 2020, which is chaired by the Chair of the ACCC, Rod Sims, and the Deputy Secretary of Treasury. This meeting addressed a number of important governance type issues relating to the regime.
He also met with Ian Gibson from the Australian Business Software Industry Association (ABSIA) and Lisa Schutz from Verifier. He noted that ABSIA members include MYOB and Xero; they are involved in the API economy and work with the tax office on a range of different transactional arrangements like single touch payroll. It was noted that they are putting together a paper for us with some suggestions as to where we could leverage existing arrangements and standards which could well speed the implementation process with the view of adopting potentially some standards.
The Chair acknowledged the great work that the Technical & CX Working Groups have been doing and from the DSB point of view, we wouldn't be here without the work of those Working Groups and the team members. There has also been a solid level of input from the community via GitHub in terms of the inputs to this overall regime.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 27 May 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair also noted for the new members of the committee that the minutes from the meetings are made public, and in fact everything that the Data Standards Body does is done in the open, and it is important that participants get the benefit of all interactions.
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB noted there has been a lot of activity since the last Advisory Committee. They’ve had a successful “Go Live” and a lot of their work over the last month has been supporting preparations and readiness to “Go Live”. They have also been working on clarification around the transition process for the November concurrent content changes and making sure that the ADRs have a safe transition for 1 November 2020.
The DSB noted that they have released version 1.3.1 of the data standards which was published on the 26 May 2020 and that incorporated a number of clarifications, errata and change requests in relation to version 1.3.0. They also had the Banking Maintenance Iteration #3 which closed last Friday and are commencing the Banking Maintenance Iteration #4 on the 9 July 2020.
The DSB noted that they are preparing to release v 1.4.0 of the data standards which will include a number of changes. Firstly the changes adopted out of the banking Maintenance Iteration #3, a set of changes that were brought in to support the July “Go Live” release for the majors (mainly to clarify the documentation and make it clear around alignment to the underlying standards that the CDR are leveraging) as well as some minor errata and documentation fixes.
The DSB noted that they have a few consultations open. One is around enhanced error handling in which they are looking at how we drive better robustness and improve the communications between data holders and data recipients going forward. They are taking some of the lessons out of the “Go Live” and the industry testing and making things more robust for the future. They have also been doing a lot of work in the background about preparing a forward roadmap for workshops and community consultation. They will also be holding a Data Quality Workshop at the beginning of August 2020.
The DSB noted that one of the things they are looking at is to understand how product data is used and some of the issues and considerations we need to take into account around data quality (the accuracy and the consistency of it) to make sure that it becomes useful now but also into the future.
The DSB noted that they are commencing consultation in conjunction with the CX team and the ACCC around the CDR content roadmap to support such aspects as amended consents and fine-grained consent.
A further update was provided on the CX Working Group by Michael Palmyre as follows:
The DSB noted that they have completed a big milestone which was the Phase 3 CX research. They looked at a number of items, and for those who are new to this committee, it would definitely benefit them to look at the recent report along with previous reports which can be found on the Consumer Data Standards Website.
The DSB noted that the last two rounds of research were focused on amending consent and they have been exploring the problem spaces around proposed rules on the ability to add and remove data sets, uses to existing content, and also extend the duration of existing consents. This is forward looking to understand what it means to actually amend the consent three, six, or twelve months after that original consent was granted.
The DSB noted that there is a specific issue that they’ll be looking at in the next round of research which will be the ability to add or remove accounts to an existing consent, and they are trying to figure out a simple and straightforward flow for that.
The DSB noted that they have some workshops coming up, and a key one is in the energy sector on energy data language which will happen in two weeks’ time.
The DSB noted that they are continuing with amending consent work and also research for the energy sector. They are also doing some background work on the CX artefacts, a key one being conducting an accessibility review of the CX artefacts to help them be compliant with the web content accessibility guidelines. There are quite high-level wireframes in the CX guidelines, but they are looking to have those be accessibility compliant in the future.
The Chair asked that the CX Lead provide a brief presentation at the next meeting on the Phase 3, Round 4 & 5 findings to keep people up to speed and in particular regarding amending consent which is a very important part of this regime. He has also asked that the DSB circulate the links to the Phase 3, Round 4 & 5 reports and the energy Designation Instrument (DI).
ACTION: The CX Lead to present on the Phase 3 Rounds 4 & 5 work at the next meeting.
ACTION: The DSB to circulate to members the links to the CX Round 3 reports and the Energy DI.
Daniel McAuliffe from Treasury provided an update as follows:
Treasury noted that recently the Treasurer signed the Designation Instrument (DI) for the energy sector, which is available on the Federal Register of Legislation website. The DI looks very similar to the banking sector DI which reflects an approach to maintain consistency in the Consumer Data Right (CDR) in multiple sectors. They have received some interesting feedback from people in the energy sector who have their own terminology and legal frameworks, and this has given them an insight on what is likely to happen as they roll out further sectors. It was noted that they would like a consistent approach for the rules, standards and DI, tailoring to the needs of individual sectors only when a case has been established for doing so.
Treasury noted that there has been a Consumer Data Right: Privacy Impact Assessment (PIA) which was prepared for that Designation which may be of interest to banking sector participants. This covers things that are of general CDR relevance as we move to a multi sector approach and there are slight variations on the main theme of how we do things in CDR and different privacy considerations.
Treasury noted that they are unable to provide an update of what's happening with the awareness campaign, although they are moving ahead now at an encouraging pace. It was noted that the goal is to have something later on in the year.
The Chair asked Treasury if they had any reaction from the Prime Minister or the Treasurer in relation to the Consumer Data Right going live on the 1 July 2020.
Treasury noted that both the Treasurer and the Prime Minister, who remain very interested and engaged in this project, have been very happy and welcoming that we have hit the July launch. They also noted that they are looking forward to mortgages and personal loans coming online and are now turning their focus forward to the future direction of the regime. Treasury noted that when the Inquiry into Future Directions for the Consumer Data Right reports back in September/October the Government will be keen to come out with a response quickly.
Treasury noted that on the Inquiry, COVID-19 has presented some challenges in terms of consultations, not just in the way they can consult being restricted, but people have also justifiably been engaged with different priorities, especially in the financial sector. Aside from those challenges, they have received a good range of submissions and they are hoping that they will be up on the website in the next week.
Paul Franklin from ACCC provided an update as follows:
ACCC noted the “Go Live” launch on the 1 July 2020 and that the Prime Minister joined the Press Release with the Treasurer and Senator Hume which was a positive sign. The ACCC noted that credit for readiness for launch goes to everybody involved in the ecosystem, including the major banks, the initial two data recipients who worked through that testing and readiness program despite all the impacts of COVID-19. He also thanked the DSB and the OAIC for their collaboration, it was a genuine team effort.
ACCC noted that the new Consumer Data Right website went live for 1 July 2020 and includes a range of consumer focused content including videos that explain the Consumer Data Right.
ACCC noted that so far sharing data in the CDR has worked effectively. The first data sharing occurred on the 20 June 2020 between a data holder and a data recipient, and by launch date all four major banks and the two data recipients were able to connect and share data. Sharing has continued effectively after launch. As expected, small issues and incidents have been identified and addressed. This early period will be used to shake down any operational incidents in the environment before they ramp up.
ACCC noted they have a steady pipeline of FinTechs and other prospective data recipients applying for accreditation. There are more than forty entities who've been granted access to the accreditation portal for the purpose of submitting an application. Prospective data recipients should allow three months for the process to apply and gain accreditation. The ACCC noted that this estimate is based on the applications handled to date, and experience that it has been necessary to seek further information from applicants, sometimes on a number of occasions. Accredited data recipients should expect to get access to the conformance test suite from the 1 September after which the ACCC expects an increase in the number of data recipients. By the end of the year there should be enough data recipients with suitable customer value propositions to do the consumer education campaign mentioned earlier by Treasury.
ACCC noted that they published an update today about the energy Rules Framework consultation and are seeking stakeholder views on preliminary positions taken in the Rules Framework. The consultation document can be found on their website and submissions are due by close of business on 28 August 2020.
ACCC noted that they are also continuing to work on some amendments in relation to tiered accreditation of data recipients and complex accounts on which some further consultation can be expected in, or around, August.
The Chair noted for new members, the way that the regime is structured is that Treasury is responsible for the legislation, the designation of the sectors and data sets, the ACCC is responsible for the rules, the Data Standards Body develops the technical standards to give effect in a technical sense to the rules and the Office of the Australian Information Commissioner (OAIC) is responsible for all privacy matters and will run any privacy related complaints that emerge in the implementation and operation of the CDR.
The Chair asked if the DSB can ensure that all new members are subscribed to the ACCC mailing list to ensure they receive their updates.
ACTION: DSB to ensure new members are subscribed to the ACCC mailing list.
One member noted that they came out publicly and more strongly than they have in the past in reference to the rules draft that came out recently. They wanted to provide some additional context on this as they recognise that the ACCC & Treasury have been working very hard on it. They are very concerned that the rules are not proceeding at a pace that will reach the critical mass to make the system a success. The data intermediaries not being available and unlikely to be available until the next round of rules is a problem. Additionally, they think that the lack of any changes to how restrictive the usage of CDR data is will continue to make the number of use cases that are supporting the regime narrow. Those two risks can lead to primarily banks and relatively well funded Fintechs and others participating and some of the innovation that we're really trying to encourage and hoping to encourage as a regime will be at best delayed. Potentially those innovations will continue to occur outside the regime, either via bilateral agreements for data gathering, screen scraping or other mechanisms.
The member also wanted to highlight the risk that the unavailability of even some common sense use cases that they believe Australian consumers would expect when we say this is your data and you have a right to it (e.g. you cannot share it with your accountant) could lead to a failure to launch.
The member noted that their comments to the media represent the urgency of these risks. They have been supportive of the CDR and the process for over three years and are happy the regime went live and they understand and agree with the need for a controlled rollout, but we should be really accelerating the values of what the regime can bring to Australia. They noted that the Japan Open Banking roll out was a great example of the power intermediaries can play in the system, when they were able to move 1.7 million consumers onto open banking for over sixty recipients in one month.
The Chair thanked the member for providing some richness to the media report.
ACCC agreed that all of those things are important and have some urgency to them. In regards to intermediaries, they have a consultation open at the moment on rules to permit passing of data between data recipients and recognise that some stakeholders would like them to go further and allow data to be shared through non accredited intermediaries. The view they’ve reached with the OAIC is that the current legislation doesn't permit the sharing of data through non accredited intermediaries. Rather than go through the process of changing the legislation or working at ways around that challenge, they have chosen to press ahead as quickly as possible with the easier use case, which is where each intermediary is accredited and they’ll come back to the other issues later. They welcome direct feedback and noted that there is healthy public debate about the scope and ambition of the CDR.
The member noted that given the consultation and a rules change is about a three to six-month process, if they don’t push for acceleration in this round, it would have to be in a following round, which would push them deep into 2021.
The Chair noted that certainly all of the DSB would like to see this moving with pace to establish the network and scale effects. In this regime cross sector will be an important part of creating the network wide value and so the more that we can do to bring more functionality, more scope, more sectors or use cases, more data recipients more quickly is going to be a good thing.
Another member noted that two things stand out that will make or break the success of this. One is the consumer uptake and the other is the data recipient uptake and the lack of support for intermediaries is 100% limiting interest from the Fintechs and the broader ADIs. Why would you go to the same extent (liability, insurance, security protocols) required to become accredited as opposed to going through an intermediary? Most FinTechs are connected via an intermediary, and that's why it’s important. It was noted that if that level up is decided that you need to meet the same hurdles and requirements that are required of the intermediary to be a client of the intermediary, then that commercially may not make sense for a bunch of businesses, particularly early stage businesses.
The Chair asked how important to the value proposition of seeking entry as an ADR is the tiered accreditation versus saving on the build side. The member noted that the saving on the build side is more important because if you already have connections with an intermediary, that connectivity already exists, and that means from a broader ecosystem perspective it is more efficient.
Another member noted in regards to the cost, they have just done all the work on the Australian Standard on Assurance Engagements (ASAE) 3150 and they think it is about 50:50. They noted that from their analysis, the tiered accreditation is as much of a cost driver as the economics of the pipes, and if anything the accreditation costs are probably a little bit higher.
The ACCC noted that the uptake is critical and intermediaries are a good way to do that quickly but noted there are some really complex considerations that need also to be weighed. One is that the CDR is being sold as a secure way to exchange data with an emphasis on being able to trust the system because those who are entitled to receive data are accredited by the ACCC. We need to be careful when introducing mechanisms that allow data to flow from an accredited data recipient out of the system. It was noted that if the regime allows an accredited intermediary to provide CDR data with limited restrictions to unaccredited apps that plug into the intermediary’s platform, it will disincentivise accreditation and undermine this security message. Tiering offers one way of broadening the regime while keeping faith with this principle.
ACCC also noted that data recipients can use outsourced software providers (OSPs) now, which isn't the current way that intermediaries work and would require some consideration being given to changing business models and perhaps accepting some sort of responsibility for the use of the information. This is perhaps a way you can protect the data recipient security model and start scaling up.
The ACCC noted that further discussion is needed to ensure the regime design protects the security and the overarching policy approach while allowing it to scale up quickly.
One member noted that the balance is between innovation and security and they think one of the things that they encourage the committee to look at is to see intermediaries as the champions for security and to help make sure it is enforced. They noted that intermediaries play a pivotal role in being able to not only provide access to the data but also provide insights into the data itself. They can provide an affordability assessment using someone's financial data to identify assets, liabilities, income expenses and so forth which is worth a lot more to customers than just providing them with the raw feeds.
One member noted that this is 100% the reason why companies will use an intermediary - the translation of the data, its categorisation, its analysis which is the service being procured. The model of having the intermediary responsible for its related parties and its clients does make sense because the intermediaries are going to act in the best interest of the ecosystem as they have broader economic incentives which they are trying to protect.
One member noted that they were hoping to originally use third party affordability assessment services but when interpreting the rules, they realised that that wasn’t permitted. They ended up building the capability to receive CDR data from data holders, de-identify it and then send to a third party for processing. It is the intermediary’s job to interpret the rules and standards and build to those standards as they evolve, and they will very quickly accommodate changes to those standards into their capability and tooling. Smaller data recipients may take longer to accommodate changes to the standards and deploy them.
Another member noted that based on their experience from abroad, if we enable some sort of tiered accreditation or sharing of data with unaccredited parties, they would challenge the assumption that nobody would have an incentive to get accredited, as certain companies always want the ability to tell their customers they’re “regulated”. They have found that it’s not just smaller FinTechs who use their agency model, which is the equivalent of a lower tiered accreditation model, it’s also larger institutions who have very complex governance set ups already in place and are well versed in managing their technology but may not want to go through an additional process.
The member also asked what sort of timeline are we looking at between the consultation on the current rules to actually having them provided as rules that can be used in commercial contracts.
The ACCC noted that the timeframe to adopt the rule changes will be influenced by what they find during the consultation process but it’s a high priority for them because they are aware of a strong interest from many organisations for whom intermediary relationships are an important way of sharing the data.
The ACCC noted that there are probably four closely related issues. The first one is about enabling intermediaries and there is a consultation under way for proposed rule changes that will allow that to happen. The second one is tiered accreditation and they think it is realistic to expect that a lower tier of accreditation is only appropriate where there is a lower risk. The third one is the cost of accreditation and there are a number of things that even if you don't change the standards, you can materially reduce the cost of accreditation by automating the testing tools etc. The fourth one is that there are genuinely cases where it will be appropriate to move data outside of the consumer data right system. They would also like to make a general observation that rather than lowering the security standards around the consumer data right they would be more inclined to expect increasing data security standards for everyone in the economy.
The Chair asked ACCC when do they think it's reasonable that they will resolve and make rules on these four issues? The ACCC noted that they are working through the intermediary process right now, and it will depend on the outcome of that consultation process. For the tiered accreditation they don't think that's a priority for banking data, given that banking data is relatively sensitive. The cost of accreditation is a question outside of the rules and it's the practical measures of how do prospective data recipients engage with audit firms and what measures can they introduce to make it easier to get low cost audit certificates?
The Chair noted that the second and third issues are related, because if you have a lower hurdle and you don't need the same audit and other clearances potentially, then it would lower the cost. The ACCC noted that they can be related, but only if you identify a less sensitive data set.
A member noted that the challenge is that we say that there's no situation in which we would contemplate moving sensitive banking data outside of the ecosystem but that's actually already happening. You can start up a new company and become a client of a Fintech and get customer banking information immediately or you can go through the process of a new start up accreditation and endure the costs of that.
Another member noted that they expect and hope that the standards will lift and in respect of some of those practices, particularly screen scraping (which the consumer movement has very consistently pointed out the harms and risks of) we will see some tightening up of those practices rather than lower standards. We need to be looking at higher standards and acknowledging that there is a debate about some of those practices.
Another member noted that screen scraping is not the only method - you can already do a bilateral API arrangement with a bank. There are plenty of legal and protected ways that companies share data, which is regulated under the Privacy Act and various other methods, whereby the company is required to treat their customer as the terms of service and other rules dictate. They noted that sharing bilaterally between two parties has existed for a very long time and will continue to exist and is allowed under the laws of Australia. We're trying to build a system that is superior to those methodologies and if the rules to use that system are too onerous and nobody wants to do it, they'll continue to use the other mechanisms.
One member noted that there is an implicit assumption around intermediaries that de-risking and protecting the data is only possible with accreditation which needs to be explored. For example, there is SuperStream, which is just as sensitive, and the gateway handles the flow of data for the ecosystem. There are many different models of how this could work and we need to challenge the concept that anyone outside of accreditation is innately higher risk.
ACCC noted that they would be very interested in ways in which intermediaries could adapt their business models to take some responsibility for people hanging off their ecosystems and asked for this to be included in submissions in relation to the current consultation.
The Chair asked the ACCC to provide the DSB with the link to the draft rules on the CAP paper, the timing of the workshop and the particular issues they are interested in, informed by this discussion for circulation to the committee.
ACTION: ACCC to provide link to paper, timing for workshop and issues of interest for circulation to the committee by the DSB.
One member noted to the Chair, at what point do we need to direct the group to say, let's take the top down approach instead of the bottom up approach? This might be the burning platform that’s needed.
The ACCC noted that setting the rules is a task that’s given to the ACCC by legislation in consultation with the Treasurer and Treasury.
One member asked if DSAC is a forum for consultation on the standards, what is the forum for changing the rules?
The ACCC noted that the rule setting is quite a structured process and the feedback and conversation here is very helpful, but it doesn't necessarily feed directly into rule making. When it comes to making the rules, the ACCC has a process in legislation that they must follow and indicated a willingness to provide a roadmap for future planned consultations on the rules which will give some indicative timings.
Useful Information for New Members
The Chair noted that Agenda Item 6 provides new members with useful information on guiding principles, the rules of engagement, the publication of minutes and our working groups.
This section also provides useful resource links and contacts details for all committee members.
The Chair advised that the next meeting will be held remotely on Wednesday 12 August 2020 from 2pm to 4pm.
The Chair asked if members had any items as other business.
One member noted that as a participant in the process to date, they’ve developed a range of digital assets and artefacts and a consumer facing application as a data recipient. They have also gone through the CX guidelines and developed compliance cross reference documents as an ADI and gone through an internal compliance review. They have created a wealth of documentation that they believe could be a huge value to other prospective recipients who are embarking on a similar journey.
The member noted that they have already created some open source software which they are sharing publicly but in terms of actual assets, mock-ups and wireframes etc. they feel that others could benefit from them. Without advocating any particular design or service, they asked is there a public location where people can put these types of resources which allows others to consume them at will?
The DSB noted that this is consistent with their strategy and they are hoping to go live next week with their first instance of a knowledge base (Zendesk) which will be a single point of reference for stakeholder support. Beyond that, they are looking to build a community around that resource and this would be a fantastic way to kick this off.
Another member noted they have done some work with Amazon Web Services (AWS) and Cloud Conformity on the automation of the accreditation (ASAE 3150) and if someone wanted to talk to them about their experience with ASAE 3150 they would be happy to do so.
ACTION: The DSB will follow up with both members in regards to the sharing of resources.
Another member noted that a key use case, particularly in the financial service sector, is using open banking APIs for the purpose of affordability assessments and evaluating an individual's financial position. Because of the ruling and the way it has evolved it is a little prohibitive to implement that use case in the best intended way. What is the notion for when decisions are made, is there a set of use cases that get evaluated against the ruling and whether it works or doesn’t?
The DSB noted that use cases were addressed very early in the process (back in 2018) and they ran some consultations and workshops and came up with a set of use cases to use as a benchmark. They have taken the approach of trying to do the design and build in the generic sense, trying to facilitate the unknown use case.
The DSB noted in regards to the affordability assessment and the ability for customers to use accounts, this goes to the intent of the regime, which from a principles perspective starts with consumer control. On the standards side, they have had to make a trade-off between what is a clear use case, and maybe even generates customer benefit, that actually undermines customer control or vice versa. They noted that they provide public incremental consultations to give people who are very interested in specific use cases the maximum opportunity to have their say and to ensure their use cases are supported.
One member noted that they believe that part of the problem with responsible lending is ASIC driving demand for bank statements, as opposed to allowing other options for it. They suggest that this is a consumer right not a lender right.
The Chair has asked some members at the next meeting to share their experience from their perspective of getting ready to come into the regime, their insights, consumer experience feedback etc.
ACTION: Members to present at next meeting their experience of coming into the regime.
One member noted that in regards to Agenda Item 2.2 “DSB to provide clarification on concurrent consent and OAuth Standards” being complete, is that the right classification? The Chair noted that we will check to see if this has been completed.
ACTION: the DSB to check to see if the Agenda Item 2.2 has been completed or whether it is still ongoing.
One member asked if there has been any negative media feedback in regards to “Go Live”. The ACCC noted that the only slightly negative feedback has been the “CDR has gone live after a delay” comment but the press has been mostly positive.
The ACCC noted that in terms of expectations for the future, what is important to them is the take up by data recipients in the first instance, and they are focused on September as the time when they’re expecting large numbers of data recipients to be joining the ecosystem.
The Chair noted that the more we can encourage data recipients into the game ahead of the second tier banks, that is going to be really important in the next wave and we have to continue our work because this is a cross sector regime, it’s not a banking or energy regime, it’s a cross sector economy-wide regime.
Closing and Next Steps
Meeting closed at 15:50