Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 9 September 2020
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 24
Download meeting minutes (PDF 208KB)
Attendees
- Andrew Stevens, DSB Chair
- Damir Cuca, Basiq
- Nigel Dobson, ANZ
- Gareth Gumbley, Frollo
- Rob Hale, Regional Australia Bank
- John Harries, Westpac
- Frank Restuccia, Finder
- Lisa Schutz, Verifier
- Ross Sharrott, MoneyTree
- Lauren Solomon, CPRC
- Marie Steinthaler, TrueLayer
- Stuart Stoyan, MoneyPlace
- Barry Thomas, DSB
- James Bligh, DSB
- Rob Hanson, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Mark Staples, Data61
- Mark Verstege, DSB
- Bruce Cooper, ACCC
- Paul Franklin, ACCC
- Ying Chin, OAIC
- Daniel McAuliffe, Treasury
- Scott Farrell
- Andrew Cresp, Bendigo & Adelaide Bank
- Erin Turner, Choice
Chair Introduction
The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 24.
The Chair wanted to send his best wishes to those in Victoria, our thoughts and empathy are with you all. The elongation of the lock down is certainly not what you wanted, and our feelings go to you. Hope you’re keeping safe and together under the pressures.
The Chair noted that one of the Action Items raised at the last meeting was to look at the “Key Issues” moving forward. After further discussion, and as this is an Advisory Committee, the DSB will reach out to members after each meeting to identify issues of relevance and important priorities that could inform our work over the next 1 to 2 months. Any issues raised will be brought back to the Advisory Committee at the next meeting for discussion. This is consistent with our open approach.
The Chair noted that there is a list of Stakeholder Engagements in Agenda Item 4 which is very vibrant, and as we are seeing in the weekly Implementation Calls and getting towards a new compliance date for some aspects of rules and standards, the level of interest and attendees is increasing.
The Chair welcomed Neale Morison to the DSB. Neale is a technical writer and has previously been involved in documenting API’s for Atlassian. His role will span content creation and editing as well as higher-level information architecture work required to establish a reader-friendly knowledge base published via our online portal (Zendesk).
The Chair noted that Bruce Cooper from the Australian Competition & Consumer Commission (ACCC) has been seconded to the Office of the Australian Information Commissioner (OAIC) office for a 12-month period (not CDR related). He noted that Bruce has worked on the Consumer Data Right (CDR) since its inception and he has personally worked very closely with him since May 2018. On behalf of everyone he would like to thank Bruce for his contributions and wishes him well on the secondment and hopes that we have the opportunity to work with him again.
The Chair noted that Andrew Cresp (Bendigo and Adelaide Bank) and Erin Turner (Choice) are apologies for this meeting. Observer Michael Murphy (APRA) was also an apology.
Minutes
Minutes
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 12 August 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
Action Items
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
He noted that the Action Item of Westpac (WBC) to present their perspective of lessons learnt coming into the regime will be carried forward to the next meeting.
ACTION: Westpac to present on their lessons learnt coming into the regime at the next meeting
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
Data Quality Update
A further update was provided on Data Quality by Barry Thomas from the DSB as follows:
The DSB noted that data quality is a useful shorthand but, in many respects, it is a misleading term as it covers a very wide range. Broadly speaking, we are talking about data recipients (DRs) perceiving that, in some sense, there is something wrong with the data they are receiving. The reason it can be wrong can be varied. For example, it may be that a data holder (DH) chooses not to send compliant data or it could be due to ambiguity in the standards.
The DSB noted that the various categories of wrongness are going to depend on your point of view – what DRs want may not align with what DHs want, for example. The resolution to a lot of these questions is often not obvious.
The DSB noted that this presentation highlights something that is an increasing focus for them. They have had a lot of input via workshops, the weekly ACCC & DSB CDR Implementation Calls, submissions via GitHub and the Support Portal which they are digesting to form a list of initial things to address. They are still at an early stage and they encourage everyone to review the slide deck (included in the papers) and to reach out if they have any feedback.
The DSB noted that in regard to the compliance aspects of data quality, they are working in conjunction with the ACCC who will be responsible for any required compliance and enforcement actions. Where there is ambiguity or incompleteness in the standards there will be a number of perceived ways on how you can correct it. The DSB are instituting a new category which is called “conventions” which is analogous to the CX guidelines. These are intended to be suggestive and clarifying but not mandatory.
The DSB noted that there will always be a tension between desire for prescriptive standards, which are less ambiguous to work with, and the flexibility offered by less prescriptive standards. At the moment, the standards are broadly designed to be quite permissive and one of the things that they need to work on over time is to what degree is it necessary and appropriate to tighten the standards.
One member asked would the quality of error messaging and error handling be discussed as this is one area they have seen unexpected issues within the European experience.
The DSB noted that this is one area where it can overlap. They have recently been running error handling workshops to find out how to tighten up error handling so that it is better defined.
One member asked if any of the discussions touch on the provision of rich data sets from DH’s into the ecosystem as an ongoing source for prospective recipients to trial their applications with.
The DSB noted that this has been raised a number of times and this is on the table for further investigation and it will be one of the first cabs off the rank to address.
The Chair asked the DSB when would be a good time to provide a further update to the committee on data quality.
The DSB noted that one of Neale Morison’s first tasks will be to synthesis this activity and they may have something to report back on at the committee meeting.
ACTION: The DSB to provide an update on data quality at the next meeting
Technical Working Group Update
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB noted that they closed the fourth Maintenance Iteration which had 14 change requests within that iteration. They adopted a number of those (6 changes in total) which looked at product data, information security and metrics reporting.
The DSB noted that they also published two Decision Proposals; the maintenance iteration and the November consent changes. The changes will be incorporated into v.1.5.0 which will be released shortly.
The DSB noted that they held a number of workshops over the last month. They have a follow up meeting on data quality to look at product reference data (PRD) as well as conducting a workshop on enhanced error handling which has given them a good basis of community feedback.
One member raised a question in regards to Decision Proposal 135 - November 2020 Consent Obligations: fixes and clarifications and whether it should be consistently included within the November build as a requirement or should they wait for the standards be set.
The DSB noted that the changes made in that Decision Proposal were to address additional feedback from the community, it wasn’t significant changes, it was just amending and clarifying and those changes should be included in the November build.
Consumer Experience Working Group Update
A further update was provided on the CX Working Group by Michael Palmyre as follows:
The DSB noted that the first report from the engagement with Consumer Policy Research Centre (CPRC) is available on our website. The report assesses the standards and guidelines to understand how well they deliver on consumer needs and expectations.
The DSB noted that the Phase 3 CX Round 6 Report on adding and removing accounts from an existing consent is also available on our website. This was ongoing work and part of the amending consent series.
The DSB noted that the CX team have held three workshops over the last month. The first one was around energy data language. They have analysed the outputs and will put forward some recommendations on language in groupings on GitHub shortly. Another workshop was on error handling which was around broader error states. The workshop identified a number of things that they hadn’t thought about, while other things they were familiar with, but it was worth clarifying.
The DSB noted that the last CX workshop was held yesterday and was on amending consent, which was a high-level workshop. The workshop was fantastic with a high level of attendance and a lot of great feedback on the concepts. They noted that they have a duplication of the public Miro board for those who were unable to attend the workshop. This board is open till the 15 September 2020.
Stakeholder Engagement
A summary of stakeholder engagement including upcoming workshops, weekly meetings and maintenance iteration cycle was provided in the Committee Papers and was taken as read.
The DSB also wanted to provide an update on the way they consult. At the beginning of August, the consultation requirements in the Rules tightened and the DSB took this as an opportunity to revisit the overall consultation process.
The DSB noted that they broadly consider two types of changes, those that they consult on via their primary standards repository on GitHub which tend to be the larger structural changes, and changes that arise from the regular maintenance iterations that are typically clarifications and minor amendments. The prioritisation of change requests is also determined via extensive community consultation. They then recommend to the Advisory Committee and then to the Chair for adoption.
The DSB noted that the benefit from this process is that they have broad community feedback and a rich set of views with a lot of experience.
The DSB noted that from a technical standards perspective, they are looking at the notion of “conventions” or “guidelines”, particularly for things like data quality and consistency with implementation.
The DSB also noted that in the “DSB Future Planning” paper (included in the committee papers), some of the things they are looking ahead at are not only how they consult but also how do they mature, how do they manage demand and supply and how do they prioritise the things they consult on? They also wanted to highlight the process around prioritisation for planning in the noting paper and the role they are proposing the Advisory Committee plays in helping to define the problem statements and give them advice on prioritisation.
One member commented that is very flattering to think this committee is capable of making those recommendations, but personally their depth of knowledge in the technical standards is not sufficient. They do like the idea of a public Kanban Board and wondered if the DSB have considered extending that somehow to a voting system that would allow audience to provide their input.
The DSB noted that they have discussed the idea of voting systems in the past and when they have spoken to other jurisdictions, for example the UK decisions do require voting because it is industry driven rather than regulatory driven making process. The concern they have is people attempting to gaming or something that maybe very popular, but it is not the right time and it creates an expectation of obligation. They are talking about the Advisory Committee being a forum to discuss things and they have a policy of being 100% transparent and being driven by the community.
The DSB noted that ultimately the decision making legislatively sits with the Data Standards Chair. They have tried to make it more objective by giving a criteria to use for prioritisation to be more data oriented and measurable.
Consent Comparison Discussion Paper
An overview was provided on the Consent practice in Australia by Barry Thomas from the DSB as follows:
The DSB noted that this discussion paper follows a conversation at a previous committee meeting raised by a member. This paper does not cover the brief entirely and it is still a work in progress.
The DSB noted that the paper needs to be read in the same vein that our general CX research needs to be understood. At a detailed level, they are very involved in how consent is implemented, and they value open and vibrant conversations with stakeholders. It is important to understand that when it comes to how consent actually works, the DSB does not set the rules, the ACCC does. This paper should not be read as indicating any direction, it is a document to address issues that our community have raised and for further discussion.
One member noted that in the Senate Select Committee on Financial Technology and Regulatory Technology Interim Report, it supported screen scraping saying that it is not something that should be made illegal and it should be allowed to be a natural alternative to the CDR.
Joining the regime as an Accredited Data Holder
Nigel Dobson from ANZ presented his experience in joining the regime as an accredited data holder (ADH) as follows:
The ANZ noted that this presentation will cover their initial approach, some of their learnings and also the data quality topic.
The ANZ noted that they are typically dealing with up to a dozen projects of this nature (e.g. compliance, regulatory) at any one time and they do have a body of individuals who have a lot of experience in this domain.
The ANZ noted that as an organisation, they had talked about and planned their data strategy ahead of time in anticipation and also in regard to consolidating the number of data bases that feed their business transaction reporting (BTR). They had a plan to consolidate at an enterprise level all of the BTR for business, retailers and institution customers into a single data base. They were thankful they did that, it looked visionary in its construct at the time, but it is a requirement for Open Banking in CDR, and it did serve a purpose earlier on. It served them well in this process and cut down substantially on the integration challenges.
The ANZ noted the challenges in regard to coping with uncertainty. They were able to take an agile approach and this particular initiative presented an interesting challenge. Whilst they had teams working in an agile fashion, they also had their initiative lead team with the job of herding the various requirements, backlogs, delivery etc. across 14 other teams across the bank. That was a fascinating exercise for them, and it went as well as they hoped, with learnings on the way.
The ANZ found that it was important to have a dedicated project legal and technical support as they were dealing with regulations and emerging rules and standards. Having the additional support was very beneficial.
The ANZ noted, in regard to some of the lessons learned, that utilising the automated test tools is important for efficiency particularly in the future. That does not however relieve them of internal or ongoing external testing with DR’s as they move towards November. The mix of legacy systems to navigate will lead to different DH organisations having varying pressure points for delivery. It also can not be underestimated how important it was to build a strong open and collaborative working relationship with the ACCC and D61 to understand their obligations.
The ANZ noted, in regard to improvement opportunities, that there is an opportunity to tighten the gap between the standard setting process led by D61 and the timeline and compliance process led by ACCC, in terms of co-ordination on impact assessment and timing of changes. Moving forward, they recommend a standards management approach coordinated with ACCC where standards for any release are locked down 9 months prior to an implementation.
They also note that variance in existing product data structures between DH organisations requires a balanced level of openness in API standards for product data. It’s important that these are not positioned as ‘data quality’ issues. One solution would be to simplify the standard to only provide essential data - it may be less rich, but it would enable easier consumption.
ANZ noted in regard to the critical considerations going forward, they were pleased they got a good balance as an industry between CX for customer experience and the right security authentication model. They think they have got it right certainly to start with, and there will be evolution of those elements. Complying with their obligations to their customers, they looked at the opportunities to ensure the customers user experience was coherent and useful. They spent a lot of time on UX design, and the process flow and mapping of the steps as they designed that experience with a view to ensuring that their customers find the process both informative, resilient and also pleasurable.
ANZ noted that as they went live in July, it was a reasonably good launch and good experience and they are working closely with the DRs in terms of how the standards and elements are being interpreted and looking forward at testing for November. They noted that it is a tight testing framework (4 weeks) which is quite a challenging timeframe.
ANZ noted that they are now running a service and not running a program which takes time, resources and an operating model around it and that can’t be underestimated for future DHs.
ANZ noted that they are looking at how best to take advantage of the data sharing opportunities, both data in and out, for their own customers.
ANZ are very positive about the regime, but it is always going to be difficult to please everyone and agree and drive consensus. Ultimately there is a customer in the middle of it, and they want to think about future use cases for them.
One member asked in regard to the harmonisation of the product data sets, is that something that they see as a long-term goal and something to work towards?
ANZ noted harmonizing the data sets is desirable from a number of perspectives, whether it was purely the intent of the CDR is obviously debatable. They are not sure you can get 65 ADI’s to get near that or spend time on that.
Another member asked as more ADR’s come on board, do they expect the model will be ADR’s feeding back to the ACCC and DSB then working with the DHs to figure things out or will/can there be direct engineer to engineer contact?
The ANZ noted that direct engineer to engineer contact is incredibly beneficial. It’s to the point, it’s in the same language and both sides are learning. They would encourage bilateral conversations.
The Chair agrees but noted if there was something systemic that is standards or rules, they would value from hearing about it.
The ACCC agreed and noted that they are keen to hear about issues where guidance or updating of the rules may be required and endorse ANZ’s comments that open engagement with ACCC and DSB is very helpful.
The DSB noted, in relation to the standards needing to be set earlier (i.e. 9 months), that they are very conscious of giving enough implementation certainty but the challenge is that if they look at 90% of the changes for November, they have been community generated – not by rules changes or DSB itself. They receive a lot of conflicting messages where people require standard stability but on the flip side, they need the DSB to make changes to the standards. What is the advice or suggestion on how the DSB balances that?
ANZ noted that the DSB is right in saying that the change requests are coming from the user community. There has to be some brutal discipline around change windows and how decisions are made and a governance regime that can incorporate forward planning with the right amount of consultation. They are running a live service and therefore there are consequences to change.
One member noted that to hear the importance for the community in terms of the prioritisation of what gets focused on for changes, they think it is important to reflect on the diversity of that community and that community is driven by a number of market participants. Going forward, for people that don’t have the technical competence to engage in that conversation on a live basis who are not from industry, is there in some sense regular reporting of consumer outcomes to enable people who are not participating in GitHub conversations on a daily basis to also provide some input into what should get prioritised as part of that process?
The Chair noted that the ‘Noting Paper – DSB Future Planning”, which was included as Appendix B in the papers, mentions “community”. The DSB should work to establish what the process is for that, and also provide more definition around what “community” and “diversity” covers.
ACTION: The DSB to review the DSB Future Planning Noting Paper and establish the process for “community” and also provide further definition of what “community” and “diversity” covers
The DSB noted that they will be doing a consultation shortly along the lines around consumer-oriented metrics and they could be a good conduit to get some of those things surfaced.
The Chair thanked ANZ for their presentation.
ACCC Update
Paul Franklin from the ACCC provided an update as follows:
The ACCC launched their Conformance Test Suite (CTS) on the 1 September 2020 for ADR’s. The CTS allows DRs to test critical functionality in preparation for their go live and it covers all of the Phase 1 scope. It is also currently being expanded to cover the Phase 2 scope.
They have also made available the DH version of the CTS which is available in beta from 1 September 2020 which was 1 month earlier than the published release date. This was in response to a request from the major banks to make it available earlier.
The ACCC will be commencing a consultation process on version 2 of the Consumer Data Right Rules by the end of September 2020. The recent newsletter provided details of the items that will be covered in the consultation. There are 8 substantive changes and some minor clarifications. They expect that version 2 of the Rules will be finalised by the end of the year; anything that doesn’t have build implications will take effect immediately; anything that does have build implications they expect it to take effect from 1 July 2021; but this will be subject to the consultation process.
The ACCC have received a number of applications for accreditation, 4 are assessed as complete and being assessed; 2 of those came from initial DRs and the other 2 are from new DRs. There are 30 organisations who have started to compile their applications but not submitted as yet. Another 60 organisations have been granted access to the portal but have not started their applications. The ACCC are very keen to get more applications as soon as possible.
The ACCC noted that they are working through the testing with the existing participants for November and very much look forward to having Phase 2 Go Live on the 1 November 2020.
The ACCC noted that Bruce Cooper will be finishing up at the end of this week and there will be someone put in his role in an acting capacity. They would like to thank Bruce for getting the CDR to this point and they very much value the support from him and making it successful.
The ACCC noted that there were 41 submissions in relation to the energy rules framework consultation which is now closed. These will be published on the website in due course. The ACCC noted their intention to have one set of rules as far as possible for the whole of the CDR. The issues for individual sectors will be kept as minimal as possible. In terms of the total package of rules, the sequence will be version 2 of the rules will build on the existing foundation in the rules and give effect to a number of issues which were recommended by the 1st Farrell review. Following that, version 3 will include what is needed for energy. Those will have a sector specific schedule for energy that will be kept to the minimum required.
Treasury Update
Daniel McAuliffe from Treasury provided an update as follows:
Treasury noted that on the awareness campaign, the research phase is now largely complete.
Treasury noted that they are thinking very strongly about the timing of the campaign. There are two competing points of views, one is that they want to get it out as soon as possible so no one comes into the system without being subject of an awareness campaign. On the other hand, the UK experience of an awareness campaigns and education didn’t get much traction until people could actually see real live services. UK feedback has been to not go out with the main part of the awareness campaign until there is a reasonable critical mass of people who they can engage with. Treasury are trying to balance those two and also how to phase the campaign.
Treasury noted that out of the ACCC consultations on intermediaries and particularly around outsource service providers (OSP) being used for collection, there has been concerns raised on how the CDR provisions in the Act are interpreted and whether or not you can use unaccredited OSPs for collection. They are looking at that and whether they need an amendment if there is some uncertainty in that respect.
Treasury noted that the Select Committee on RegTech and FinTech have issued their interim report. They made a series of recommendations regarding intermediaries, screen scraping, the awareness campaign, organisation arrangements for the CDR and a lengthy analysis regarding the extension of the CDR for superannuation. This is an interim report and the government has not yet decided whether to formally respond to the interim report or wait until the final report has been released.
One member noted that in regard to the campaign, it would be good to receive that information sooner rather than later. They are sure the ACCC are well across the problems that are emerging in markets around scams at the moment. They would strongly encourage the government to think about what warnings or confirmation that can give to consumers that if data is moving through the CDR, this is what they should expect, so they can identify scammers. Also, what sort of protections need to be communicated to consumers about the CDR regime and why they might be different to other things in the marketplace.
The ACCC noted that they do a lot of work through Scamwatch and there are some general material that has been issued reminding people to look out for scams. What they haven’t done specifically, is target the CDR. One of the challenges is that they are not at the point where they can recommend screen scraping should be removed but there are some inherent risks.
One member noted that it would be useful to better understand how the budget gets broken down and whether there are localised opportunities for awareness rather than a big bang campaign.
The ACCC noted that the www.cdr.gov.au website has some consumer education materials that explains how it works and they are welcome to direct their customers to their site.
The ACCC also noted they are planning to do some further consumer education and are waiting to understand what the broader campaign will look like. They do have some capability but would like to dovetail with Treasury.
One member noted that in regard to the Act and the uncertainty around whether the OSP may in fact be able to do data collection. Can Treasury clarify?
Treasury noted that the uncertainty is whether or not you can engage an OSP to collect data on your behalf (as an ADR) - whether the Act implies that the OSP themselves also has to be accredited. The Act talks about DHs handing over data to ADRs and it doesn’t explicitly say “or their agent” or “someone on their behalf” etc. In other parts of the Act, it explicitly talks about “their agents” etc. There are different views on how you interpret the Bill and if there is uncertainty, do they need to resolve it? If they form a view that it needs to be fixed, they will need to introduce legislation, and have it passed. In that case, they wouldn’t have a fix until February/March 2021 at the earliest.
One member noted that ACCC sent out an email that this is possible on the premise that the Software as a Service (SaaS) provider does not have access to what is called Secrets Manager.
Treasury noted that this issue does not affect that interpretation regarding SaaS. If you have a SaaS provider who doesn’t have access to Secrets Manager, the view is it is still permitted.
ACCC noted that there are three solutions they see: i) if you have an arrangement like a SaaS where the outsource provider can’t see the data, that is available now, ii) if you want to use an OSP that needs to get access to the data, even momentarily, this will be covered by the consultation that they did on the CAP arrangement (noting they have moved away from that terminology) and which the ACCC expect to be finalised shortly and implemented within a couple of months, and iii) an OSP who is not accredited, and that requires legislative change.
Treasury noted that from a policy perspective, the agencies are okay with all of those three options, it is a legislative concern that may block the adoption of unaccredited OSPs. ACCC noted that part of the issue is that the OAIC have guidance about disclosure of data which is relevant beyond the CDR. It appears it may be an unintended consequence of the legislation that there is no possibility of using an unaccredited OSP to collect information. It is possible to use OSP to do the interrogation and data processing once it’s collected.
One member noted that on the legal issue, to confirm that there is no legal issue with a data intermediary model where the data intermediary as a recipient (and an accredited one), collects data and is able to share that again to a DR.
The ACCC noted that is the model they previously consulted on (previously known as the CAP model) but they have a rule change that will be introduced shortly that will allow data to be passed from one DR to another. Unfortunately, until the legislation is updated, the first party that does the collection of the data and the ultimate receiver of the data both have to be accredited.
The member noted that he is inquiring more on the concept of a multiple sourcing data arrangement where you are holding data on behalf of a consumer and they ask you to share it on their behalf with someone else. The next step should fall outside the rules or is that controlled in some other way?
Treasury noted that that model is separate to the CAP rule and the ACCC is developing another set of rules that supports that model.
The ACCC noted that the consultation that will be out in September, there are 8 different issues they want to address. One is the ability to pass data to professionals (accountants, lawyers and financial counsellors etc) who are not accredited persons. They are aware there are a number of accounting platform providers who have third party app providers and they are looking at rules that can accommodate those sorts of arrangements. They would recommend that the member reaches out to the ACCC rules accreditation team to discuss that use case and see how they can accommodate that.
Meeting Schedule
The Chair advised that the next meeting will be held remotely on Wednesday 14 October 2020 from 2pm to 4pm.
The Chair noted that the dates for the first half of 2021 have now been published in the papers.
Other Business
The Chair welcomed Scott Farrell to the meeting and invited him to provide an update in his inquiry.
Scott Farrell thanked those members who made submissions to the inquiry and also reached out to him subsequently. The inquiry is going very well but it is only a reflection of what has been received. They are in the process of writing the report and noted that it is not too late to provide further ideas, feedback or any comments.
One member noted that following on from an early meeting, they agreed to provide to the DSB their insights, assets and materials that they developed as part of participation in the ecosystem. This will be beneficial to others who are joining the regime. When will these be published by DSB on the Zendesk support portal?
The DSB thanked the member for providing the material and encouraged others to share similar material. They noted they have got a practical log jam in getting everything done. They have extended the support portal by providing a ‘Community Module’ but there are some structures that need to put in place that enable the community to function. It is coming very soon!
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.