Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 14 October 2020
Location: Held remotely, via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 25
Download meeting minutes (PDF 208KB)
Attendees
- Andrew Stevens, Data Standards Chair
- Andrew Cresp, Bendigo & Adelaide Bank
- Damir Cuca, Basiq
- Nigel Dobson, ANZ
- Gareth Gumbley, Frollo
- Rob Hale, Regional Australia Bank
- John Harries, Westpac
- Frank Restuccia, Finder
- Lisa Schutz, Verifier
- Ross Sharrott, MoneyTree
- Lauren Solomon, CPRC
- Marie Steinthaler, TrueLayer
- Stuart Stoyan, MoneyPlace
- Barry Thomas, DSB
- James Bligh, DSB
- Rob Hanson, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Mark Staples, Data61
- Mark Verstege, DSB
- Paul Franklin, ACCC
- Jodi Ross, ACCC
- Ying Chin, OAIC
- Daniel McAuliffe, Treasury
- Michelle Ducat, Bendigo & Adelaide Bank
- Erin Turner, Choice
Chair Introduction
The Data Standards Chair opened the meeting and thanked all committee members and observers for attending meeting no 25.
The Chair noted that it has been a pretty significant month across the regime and the Data Standards Body (DSB) specifically.
The Chair noted that this month has involved two versions of the Data Standards, version 1.5.0 and version 1.5.1 which combined a number of critical changes but also some clarifications and explanations. A further update will be provided in the Technical Working Group Update.
The Stakeholder Engagement includes a range of community engagement activities which will be taken as read. He noted that the level of interest at the weekly Implementation Calls continues to increase and next week’s call will include the Australian Competition & Consumer Commission (ACCC) presentation on version 2 of the Rules.
The Chair noted that the next CDR Board meeting is being held on Tuesday 20 October 2020. Due to a clash, Barry Thomas will represent the DSB at this meeting. Barry also attended the CDR Operational Committee meeting on Tuesday 6 October 2020.
The Chair congratulated Jodi Ross from the ACCC on her new appointment and invited her to say a few words.
Jodi Ross noted that she is the new acting General Manager for the Policy Engagement & Compliance in the Consumer Data Right (CDR) division, but she is not new to the CDR. She has been working on CDR for a several years now and was closely involved in the development and design of the banking rules including through the implementation journey and is now looking forward to participating in these meetings.
The Chair welcomed Michelle Ducat, who is doing a women in leadership course, and is shadowing Andrew Cresp from Bendigo Bank. He hopes that this is a useful experience to see how a group of people from all sorts of organisations work on a mission in the national interest.
Minutes
Minutes
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 9 September 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
Action Items
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
The Chair noted that John Harries from Westpac will present their perspective of coming into the regime as a Data Holder at the next Advisory Committee meeting.
ACTION: Westpac to present their perspective of joining the regime as a Data Holder at the next meeting
Treasury Update
Daniel McAuliffe from Treasury provided an update as follows:
Treasury noted there were a few Consumer Data Right (CDR) items in the budget, some of which were not immediately obvious from reading the budget papers. There was some further funding that was given to the agencies for completing the core CDR implementation of the rollout for banking and to progress the roll out in energy.
Treasury noted that apart from the headline numbers in the budget, there was also a couple of other decisions made. One of those was that as we move out of the initial development phase for CDR, and things become more established as we move to initiate the roll out to multiple sectors, there is going to be some organisational changes. All design work is going to be centralised within Treasury. This involves moving the rulemaking and the sectoral assessment functions into Treasury. In additional to those two functions, the hosting of the DSB will move to Treasury from Data61 (D61). The independence of the DSB will not change. The support services will now occur within the Treasury portfolio.
Treasury noted that this set up is not new for them, they have quite a few small independent agencies hanging off Treasury for example the Takeovers Panel and the Australian Accounting Standards Board and the DSB will be joining those entities within the Treasury portfolio.
Treasury noted in terms of the design being centralised, they will look at how the design occurs, the processes and consultation arrangements and do a design review. The CDR announcements are part of a broader digital business package by the government. There are a range of other digital reforms and programs with which they want to ensure that CDR is implemented in a coordinated way.
Treasury noted that there will be a data standards audit which is broader than the CDR. They will look at what data standards are being used across the commonwealth. For example, what standards are government agencies using to build their own API’s; and what standards are imposed under commonwealth regulation. There are similar problems in specific sectors with agencies or sets of laws seeking to solve them in different ways - perhaps inconsistently or duplicating work. They will look to see if there are solutions that will facilitate the idea of a customer-focused data economy.
One member asked about shifting some of the responsibility into Treasury, does that impact on the existing development work that the participants are undertaking at present and how the communication within those teams will evolve and continue from that point on.
Treasury noted that this should not disrupt any of the current processes. On the timing, for the change to the rules and the sectoral assessment functions they need legislative change. They have a bill out for consultation with the goal to introduce in late November and pass in February next year. Those two functions will not move until the law changes. In regard to the current timetable for the rule’s version 2.0, that should carry on with its current processes with ACCC. There are some other processes, like the drafting of rules for energy being done by February which will need to cross between agencies. They are looking at opportunities to get Treasury staff more engaged in the ACCC’s rule making process and how they can move staff across and transfer expertise so it will be as seamless as possible.
ACCC noted that they will be working with Treasury to make the transition as seamless as possible. They are working on a plan for consultation on the rules for energy that will proceed in the first quarter of next year, regardless whether the functions formally transfer around that time. For version 2 of the rules, they will be working to finalise those rules this year with a couple of resources seconded from Treasury. There will be good coordination so the formal handover of the accountability should not lead to change of direction or plan.
Treasury noted that in regard to legislation, they have gone out for consultation on the draft bill which they will introduce in late November and pass in February. It has the rules and sectoral assessment transfer and also the provision to clarify the ability of the rules to allow either accredited or non-accredited outsource services providers (OSP) to collect data. It does not lock it in, it just makes it quite clear that the rules are able to provide for unaccredited OSP’s.
Treasury noted that they posed the question as to whether they should have a regulation-making power that allows them to impose obligations directly upon OSP’s. At the moment, the rules provide for the requirements for outsourcing but those obligations in the rules only bind the accredited data recipient (ADR) so if an OSP does something wrong, it's the ADR who's responsible for the conduct of their OSP’s. This is not an “instead of”, but whether or not there should also be the capability to impose some kind of requirements directly on the OSP.
Treasury noted that the rest of the amendments in the bill are genuinely technical fixes and include clarifying how the provisions work regarding DH’s being able to charge for voluntarily provided data; clarifying how the designation instrument can specify the earliest holding day for data; and provisions on how data can flow through designated gateways etc.
One member asked whether the ACCC would focus on the enforcement of rules?
Treasury noted that ACCC still have a role in the design and part of the rules review will be how can we have a more collaborative approach to design that's collaborative between agencies but also collaborative within industry. In terms of actual current compliance and enforcement functions, there has been no proposals to change those – compliance, enforcement and education roles will remain unchanged in their division between ACCC & OAIC.
One member asked about the OSP structure, is it possible for the ACCC to impose sanctions directly against those versus the unaccredited parties or would it always run through the accredited party and they have to figure it out themselves.
Treasury noted that the main difference of the idea of the regulation is direct enforcement so it might be exactly the same obligations they've got at the moment but it’s directly enforceable by a civil penalty.
The member asked would both models exist at the same time, or would you foresee that one would replace the other.
Treasury noted that legislation would allow different models to apply but the content of any possible requirements would be subject to further rules consultation and this is about the ability and flexibility to have a graduated approach to regulating OSP’s via the rules.
Treasury noted, in regard to the inquiry into the future CDR, Scott Farrell was originally scheduled to issue his report to government in September. The Government extended the timeframe to the end of this month and the driver of the delay has been issues with COVID, mainly not having access and engagement from people in the payment initiation side of things. They would not expect a government response until early next year.
One member asked what they can do together to ensure that’s enough time to implement given the changes.
Treasury noted that all the CDR agencies have a good understanding of the challenges and the need to get design sorted early. They don’t think this reorganisation will change the process for setting the timetable.
ACCC noted that there has been a lot of discussion about implementation timeframes since the start of the COVID-19 crisis. The Government has no appetite to move any implementation dates that are in the current rules, but the ACCC is not proposing any new implementation timeframes until they're in a position to fully assess the impact of proposed future work.
One member noted that with some of their discussions with consumer organisations over the last couple of days there is a concern, not necessarily about the hosting of the DSB and functions, but the shifting of the rules functions from the ACCC to Treasury. The ACCC have an explicit remit to look at both consumer protection and competition hand-in-hand and Treasury has a broader remit for economic development. They want to talk to Treasury about what the guide rails will be in that process to ensure that consumer protection rights are put centrally to the reform process. They are very mindful of the pressures that are being placed on government at the moment on the economic growth and recovery. There are some significant medium to long-term benefits that could come from this regime and getting it right and ensuring consumers are protected and have trust and confidence will be important for the medium-term success of the scheme. What will the transparent reporting be on the consumer benefit as it rolls out so not only industry and economic growth benefit? What metrics will be used to determine the extent to which consumers benefit and having transparent reporting of those processes?
Treasury noted that it would be good to have those conversations and part of the rules review is looking at how they engage with stakeholders and ensure their views are taken into account. The CDR rule making and sectoral assessment will retain the current mandate for them to take into account the various considerations on privacy and consumer impacts.
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
Data Quality Update
A further update was provided on Data Quality by Barry Thomas from the DSB as follows:
The DSB noted they have run a couple of workshops and done some analysis and are getting towards the point of business as usual. Broadly summarising, there are three data quality buckets i) there may be a perception that the CDR should enable the sharing of data, which just hasn't been allowed for, ii) the data may be poor due to a deliberate action or non-compliance and the need to involve the ACCC’s enforcement and compliance team and, iii) the data may be poor because of some sort of ambiguity. In many, perhaps most cases, it won’t be appropriate to tighten down the standards and the approach they will want to take is to communicate “conventions” which are suggestive rather than mandatory. This will be communicated via our Support Portal.
The DSB noted that the Noting Paper that summarises all of our analysis will be published in the next day or so and they are planning another workshop on 8 December on fees and rates for mortgages.
ACCC noted in regard to the data quality work, from a rules perspective they are carefully watching the discussions via the data quality forums with a view to being able to recommend or consider clarifications to rules in the future. There is a role for them in terms of interpretation and clarification of any grey areas. They are actively participating in the data quality workshop as they would like to be aware of issues that are currently potential compliance issues as opposed to areas of ambiguity that need clarification. They also support the “conventions” approach and are watching it carefully.
One member also supports the “conventions” to “standards” approach and was wondering whether as a committee, is there much they can do to inform what a convention is or is that still to come?
The DSB noted that they just need to work through the process of creating a few concepts and see how it works. The idea of “concepts” has been used in other standard settings and to a degree it is a safety valve, it’s a way of dealing with issues which otherwise can stop the standard-setting process in its tracks, and where you can provide useful guidance without having to go to the point of completely determining something.
The DSB noted that usually, the problem with standard setting is getting enough engagement from people, but that doesn’t happen here. There is strong engagement and a very committed community who can provide lots of value which creates a different dynamic.
One member noted that one of the key milestones for conventions getting traction is likely to be when DHs become DRs. Getting commercially active traction behind this prior to that symbiosis of a DH or DR occurring at scale is probably unlikely.
Technical Working Group Update
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB noted there is a fair bit going on and probably the most notable is the maintenance iteration. The iteration is fairly large with about 18 changes as well as a few larger decision proposals. Within that there's were some changes that were raised by the community, one of which was the CRN types for BPay billers within the standards. There was some good movement around changes around the new payment platform (NPP) and they are close to signing a non-disclosure agreement with NPP Australia which will allow them to access all the technical documents. This will bring them in line with some of the Osko service overlays such as single credit transfer and international transfers. There was also a change request raised around how do they handle the separation of collection and use, and the scope around single or one-time collection.
The DSB noted there has been a consultation on enhanced error handling. They will be publishing this in conjunction with a set of code artefacts that the community can gain benefit from and hopefully lower the comprehension burden for stakeholders.
The DSB noted that they have been doing some work around a discovery service to decouple the compliance obligation dates and facilitate smooth transitions as standards evolve, which will be quite an important step forward.
The DSB noted they are working through the feedback around opportunities and requests at the moment, for example how might they be able to collate and publish synthetic data sets which would require assistance from our community and potentially a way they could start to marry up the work on PRD data quality and put real payloads as best practice and good conventions, make them tangible and also give ADR’s something they can consume early so that get a sense of the data they’re dealing and interacting with as they go live.
The DSB noted that, in regard to the privacy safeguards 11 and 13 and the concept of data correction, they met Treasury, ACCC, OAIC and the ABA earlier this week to explore and canvass the issues. The concept is about making sure that consumers have an avenue to be able to raise issues where they see data that is held on them can be corrected and updated in a timely manner from a DH perspective and where there may be valid reasons not to change that data and providing a mechanism that the ADR’s and consumers can understand.
The DSB noted that, in regard to publishing version 1.5.1 of the standards, this provided valuable learnings for them with regard to continuous improvement of their process. In version 1.5.0, under the maintenance iteration there was a minor amendment that was consulted on to do with CRM types in the BPay biller section. They agreed on a decision on the issue, which was approved and was part of the updates. When documenting the standards and amending the Swagger they got some feedback indicating that the decision that had been made would be problematic for some people for November. In an effort to address the issue, they made an adjustment to the decision. They didn’t check the decision proposal to see whether they’d actually implemented according to the decision statements. Once they realised the error, and because they felt the decision was impaired, and it would have been a negative for some participants, they reversed the decision back to version 1.4.0 and opened it up for consultation again which warranted another release (version 1.5.1). This has prompted them to look at their processes and make sure they have checks in place to avoid similar errors in the future.
The DSB noted that they are getting a lot of feedback on the way they publish the standards and the difficulty in comparing versions. They are looking at changing the way they publish and investigating the idea of putting up a work in progress version of the standards. As decisions are approved by the Chair, they can publish in a “work in progress” environment before they publish into a version.
Consumer Experience Working Group Update
A further update was provided on the CX Working Group by Michael Palmyre as follows:
The DSB noted that they have a number of outputs coming out in the last few weeks. In relation to the Consumer Policy Research Centre (CPRC) community sector engagement work that is underway, the second report is being reviewed and finalised at the moment. The report focussed on the issue of joint accounts in relation to data standards and guidelines and looking at how the standards and guidelines could be augmented to better support safe and inclusive joint account data sharing experiences. The report will be released in the coming weeks.
The DSB noted that in regard to CX research they have another round of research planned in the next few weeks that's going to focus on the energy sector and the outputs that have been informed from the work that came out of the retailer data set workshop and also formed by some of the energy consultation issues that have been highlighted.
The DSB noted that in regard to the amending consent workshop, this was looking towards the future state which summarised the outputs on a blog last week. They also published an interim state for amending consent which they will consult on based on the Rules version 2 progression.
The DSB noted that the CX team were involved in developing wireframes in collaboration with the ACCC which will assist with the version 2 rules consultation. These are not compliant examples of those rules, they are illustrations of how they could be put into effect. This is available on the website and also a Miro link.
The DSB noted that they are working on open source design assets that reflect examples of the rules being put into effect for CX guidelines. They used those open source design assets to develop the wireframes that are now public. The wireframes are derived from the Digital Transformation Agency (DTAs) design system and also are CAD compliant.
One member noted since the transaction phases of data sharing begun in July, when is a good point to look at how the conversion rate on the ADR and DH sides look in practice. We should have
increasing data to see how it's performing behind the scenes and it would be really valuable to start looking at it in a systematic way and work together to improve it.
One member noted that they are essentially seeing 90% of the consent attempts being successful, so the issues are about 10% and they vary by bank. There is still an education process that is required to occur within the banks not just in the consumer domain, and there's been talk about budget and the ability to educate consumers, but equally within the DH’s there's an education process that needs to exist which is worthwhile for the current DH’s and also the future DH’s to educate consumers when there are problems.
One member noted that, as a DR using CDR for online lending, their consent volumes are much lower because everyone using their process is applying for a loan - which is a low-volume activity. When they make the calls with DHs, they're technically performing as they should across all the DHs. They are dealing with the challenge of a complex consent flow and recognise it can be improved. They know exactly where people are hesitating and dropping out and that the associated conversion rate could be improved. There is also an element of consumer awareness and consumer understanding that’s central to that issue and believe that's something that will improve over time as people become more aware of CDR.
One member asked in regard to consumer awareness, is there any consistency in the areas where it seems to be going wrong?
The member noted that it is not so much going wrong, it is the process that is not familiar.
The ACCC noted that there are a couple of issues which they are working through and the process seems to be working well in the vast majority of the cases. The issue of the consumer awareness is an important one that is ‘a chicken and egg’ problem. It’s difficult to run a market media campaign to educate consumers about CDR until there’s a sufficient number of DR’s in the ecosystem that consumers can engage with. It is also important that we keep focussing on identifying where the issues are occurring.
One member noted in regard to the conversion rate by institution, how can we make that data readily available for this group and maybe beyond? The success of this will come down to how easy it is for consumers and it’s still very difficult and a long way from being useful for consumers. We need to create a level playing field for organisations who want to participate.
The member also noted whether there is some usability testing or time allocated for those live examples in addition to the research groups in more than the wireframe mode.
The Chair asked ACCC whether it’s possible for the team to come back with some analytics at the next meeting, without naming names, to highlight differences. If there is a difference in connection and conversion rate by DH that would be useful information.
The ACCC stated that they don’t actually have that data available, certainly the DR will have that data.
ACCC noted that there is a range of reporting currently in place under the regime, there is 6 monthly reporting for the ACCC and OAIC which gives them authorisation and consent numbers which they can marry up and the get metrics information which is geared more towards performance and timing for sessions. They do not have precise information about conversion for individual consumers.
The DSB noted that in regard to the metrics API, there’s an ongoing collaboration between the ACCC and DSB to look at expanding the Get Metrics API to reduce the manual overhead for the 6-monthly reporting. They will be doing a consultation and actively looking at the CX metrics. The metrics API at the moment is very much geared towards technical availability response times. The next order is the qualitative metrics and they would like to get feedback on the appropriate types of metrics to be obtaining through that.
The ACCC noted that even if the data is available to the ACCC and/or the DSB, there is a question of the appropriateness as to whether they provide a breakdown by entity even if it's masked.
DSB Future Planning
An update was provided on the DSB Future Planning Noting Paper by James Bligh as follows:
The DSB noted that at the last Advisory Committee meeting they presented a Noting Paper talking about how they can examine demand management for the DSB, especially as they bring in new sectors. Looking ahead and understanding what is coming is important and that's for the community to understand, but also for them to be able to balance their work and for the Chair to make prioritisation calls around where we should focus.
The DSB noted that they have created a public repo called “DSB Future Work Plan”. They will not be asking people to contribute to this repository, it is more for read only. It will be an indication of what they’ve committing to on a quarterly basis and the board will be used at the Advisory Committee meetings to get advice for the Chair on priorities and understanding the impacts on likely issue etc.
The DSB noted that priorities in the Kanban board will be sorted quarterly with categories and a backlog column. The backlog column will be used for new items until a decision is made on which quarterly the work needs to be completed in. The current quarter will be fixed, and the subsequent quarters will be more tentative etc.
The DSB noted that they also have three labels in the Kanban board that they like to apply to each item. The “blocked” (red) label indicates that they can’t progress with the item, it doesn't mean there's a problem, but something else has to happen before they can do this activity. The “maturity” (green) label is around the maturity of the problem statement and whether it is defined or whether it’s ready for them to work on. The “sector” (blue) label is a sectoral analysis about which sectors things hits noting that a lot of the work they are doing is cross sector.
The Chair noted that this is part of the way they get early agreement on priority, where the work will be done, the prerequisites for the work commencing and timing and window for the build.
The DSB noted that they will email the link to the Kanban board over the coming weeks and seek feedback.
ACTION: The DSB to share the Kanban link to committee members for feedback
One member noted this looks very useful and thanked the DSB for their work on that. Is it possible to differentiate between changes that impact a DR versus a DH because that's quite a significant differentiator for audiences?
The DSB noted that they can look at that, but it tends to be fairly high-level items and as a result they tend to impact across multiple participants.
Treasury asked whether it has any transparency about whether there has been a concrete decision made on whether we are doing some of those things and how does something get on the board?
The DSB noted that some of the detail will need to iterate and work through. If something is tentative it will go into the backlog schedule until there is some certainty that it’s real.
The ACCC noted that in relation to the schedule, they worked closely with the DSB recently to publish the CDR Roadmap and they would like to highlight that document as representing the things that they have a high degree of certainty of being implemented into the regime in 2021, particularly for DH holders in the banking sector.
The DSB noted they have tried to align the Kanban board to the CDR Roadmap, but this needs to be reviewed internally before it is published.
The Chair noted that there is no reason that we couldn’t extend this approach to start with the latest policy legislation and mapping on a similar model which would complete the picture.
One member noted that because consumer organisations and other representatives are not market participants, they don’t have access to data to see how the system is flowing through and impacting business or customers. The ability of consumer organisations to identify priority issues is highly dependent on both the metrics that you're choosing to collect and report at the DSB and ACCC level to identify the consumer risk and opportunities. Without a regular process it is near impossible to see how the data indicates how the consumer are faring and their ability to look at it in line with the future work plan.
Stakeholder Engagement
A summary of stakeholder engagement including upcoming workshops, weekly meetings and maintenance iteration cycle was provided in the Committee Papers and was taken as read.
The Chair noted that the level of interest at the weekly Implementation Calls continues to increase and next week’s call will include the Australian Competition & Consumer Commission (ACCC) presentation on version 2 of the Rules.
The ACCC noted that at the weekly Implementation Call tomorrow their onboarding team will be presenting in relation to the draft onboarding guidance that was published last week. The session will be of interest for both prospective DR’s and ADI’s who have not yet been onboarded to the register.
The ACCC noted that at the following week’s Implementation Call, the rules team will present an information session on the proposals they’re consulting on as part of version 2 of the rules.
Issues raised by Members
The DSB noted that the intent is to put a new agenda item for members seeking their input on issues you would like raised. The mechanism for that is to reach out to you after each meeting for your input on questions or proposed agenda items. They are looking for questions you would like answered, or questions for value in the whole for discussing.
The DSB thanked those members for providing questions after the September meeting which were very useful.
The Chair noted that one of the learnings so far is that this may not be the best environment in which to discuss some of the items raised, some might be quite technical which would be better addressed by the Technical Working Group. If there are comments raised about version 2 of the rules, it might not be the right environment for those discussions.
ACCC Update
Jodi Ross from the ACCC provided an update as follows:
The ACCC recently made the rules to enable the use of accredited intermediaries and wanted to note that they will be publishing some technical guidance in relation to the way in which those rules will be implemented and supported in the CDR register. That guidance will be advertised via the CDR newsletter and accessible via the information portal which is being maintained on the CDR website.
The ACCC noted the accreditation of Intuit Australia and Intuit Inc last week and they are an example of how the new collection rules will be utilised, and they expect some further announcements will be made in the coming weeks in terms of accreditation.
The Chair noted that there is a substantial list of potential DR’s who are at various stages in the accreditation process and if ACCC could provide an update on this.
ACCC noted that they currently have 5 applications under active consideration. These are applications where the applicants have given them everything except for the IT security assurance reports. They are working closely with those applicants to finalise their applications. There are a number of people who have gained access to the portal where they can draft an application, and a smaller subset of those, around 40, who have started drafting an application.
The ACCC noted that they have announced their intention for the unrestricted level of accreditation to partially recognise ISO 27001 accreditation. They consider a number of controls and elements of the CDR IT security requirements can be recognised as part of that certification, and they’re working on revising their accreditation guidelines so interested parties can understand how they’ll approach that issue. They hope to announce this later in October.
The ACCC noted that they have announced their intention to recognise parties who have recognition from the ATO at the highest level under their digital service provider framework as well.
Meeting Schedule
The Chair advised that the next meeting will be held remotely on Wednesday 11 November 2020 from 2pm to 4pm.
Other Business
No other business raised
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 15:55