Minutes - 11 Nov 2020

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 11 November 2020
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 26

Download meeting minutes (PDF 207KB)

 

Attendees

 

Chair Introduction

The Data Standards Chair opened the meeting and thanked all committee members and observers for attending meeting no 26.

The Chair noted that the first full draft of the Energy standards is nearing completion with one final consultation open and only the DER data structures yet to be defined. Further details will be provided in the Technical Working Group update. He also noted that there will also be a workshop on the 24 November.

The Chair noted that the CX Working Group has started an eighth round of research on proposed new rules areas, such as disclosure consents. Further details will be provided in the CX Working Group update.

The Chair noted that the Banking Product Comparator tool continues to be a powerful and insightful tool for organisations publishing their Product Reference endpoints. There is a new feature called Status and Outages where you can view the current status and outages for organisations. There are currently 68 banks available on the Product Comparator Tool.

The Chair noted that he will be attending the next CDR Board meeting on Tuesday 17 November 2020 and Barry Thomas attended the CDR Operational Committee meeting on Monday 2 November 2020.

The Chair noted that Damir Cuca (Basiq), Lisa Schutz (Verifier) and Erin Turner (Choice) are apologies for this meeting.

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 14 October 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.

Action Items

The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.

Working Group Update

A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.

Data Quality Update

A further update was provided on Data Quality by Barry Thomas from the DSB as follows:

The DSB noted that they have scheduled a Data Conventions Workshop for 8 December 2020. They are actively working with LIXI Limited (LIXI) which is a well-established messaging standards body for the lending space. They have a rich data dictionary and a lot of things that they will look to borrow from in terms of conventions, particularly product reference data (PRD), as these are problems that have probably already been solved by LIXI and there's a lot of potential advantages in reusing their data structures, or at least using their data structures as a starting point. It is a very positive step forward and a great test case on how they can collaborate with existing central standards bodies.

Technical Working Group Update

A further update was provided on the Technical Working Group by Mark Verstege as follows:

The DSB noted that over the last couple of meetings they have provided a noting paper and briefed the committee on the Kanban board. Today they will present the Kanban board with all the content populated.

The DSB noted that the intent going forward is twofold. One is that the stream leads will present at future meetings with the Kanban visible which will give some context for what they're talking about, and they can highlight things that are problematic or going well. The second point is that this gives the Advisory Committee a forward view which will help them to advise the Chair on how to prioritise work in coming sectors for the next quarter; to add to the backlog if they’ve missed anything; to help define a problem statement so they can begin to work on it successfully.

The DSB noted that each item on the Kanban board has a tag associated with it. For example, one item “CX Standards arising from v2: Nov 2021” has a “blocked” tag. This is blocked because until version 2 of the CDR rules is made there is no point in the DSB progressing it. It does not mean it is a problem, it just means that they may need to push the work to another quarter due to an external dependency.

The ACCC noted that in relation to version 2 of the rules, they are on track to give the DSB a view of the likely rules within a week or so, even though they will not be finalised contingent on consent by the Treasurer until sometime before Christmas. As to when various rules take effect, whether it's February or July or another date, it will depend very much on whether or not there is a significant amount of work to be done on developing CX standards or data standards to go with rules.

The DSB noted that if the Treasurer doesn't give consent until just before Christmas, they will probably push some of the consulting into the 1st quarter of next year.

The Chair noted that most of the items on the Kanban board are “sector all”, which is consistent with building and establishing an economy-wide cross sector regime.

The ACCC noted in regard to version 2 of the rules, they are not seeing the Treasurer's consent as being a necessary precondition in itself for consultation on CX standards and guidelines changes that might result from version 2 of the rules being in place.  They envisage a world where some of those consultations that are slated on the Kanban board may well be able to occur before Christmas but as everyone would understand, they'll need to caveat the actual making and commencement of those standards, just as they would with the rules, on the Treasurer’s consent.

The Chair noted that the readiness to undertake the consultation allowing 28 days, will be one of their terms of collective advice to the Treasurer, in relation to potential compliance dates.

The DSB noted that the Kanban has a card in each quarter for the Maintenance Iterations. This is where they adopt a large amount of the community-driven change requests. They are close to completing 5^th Maintenance Iteration with a further call around change requests this week.

The DSB noted that they are progressing the work on enhanced error handling which will be out shortly for consultation.

The DSB noted in regard to the cycle of the Maintenance Iteration calls that, after feedback from the community, they are looking at closing engagement from 10 December. Maintenance iteration # 5 will be the last one of the year with # 6 commencing in mid-January 2021.

The DSB noted that they are holding a Data Conventions Workshop on the 8 December 2020. There are quite a large number of data holders (DHs) now online with their PRD, which gives them a better body of data to work with, and with mortgages and lending products coming into play. At the workshop they will be building personas around some common use cases for residential mortgages and focusing on that aspect. They have also released conventions which looks at providing some guidance around the standards to allow for best practice implementation without imposing strict requirements in the standards.

The DSB noted that one of the change requests that was raised on GitHub was flagged as urgent. This was issue # 325 - Future dated obligation for change to how audience is set for data recipients calling data holders which has been reviewed and approved by the Chair and now flagged as urgent. This is looking how the aud claim is set between DRs and DHs. They are looking at how they can do that with minimal impact to DR’s but taking on board the feedback they’ve had from the DH’s. This is likely to result in a version 1.6 release prior to the end of maintenance iteration. The Decision Proposal is out for consultation and closing on 16 November.

Consumer Experience Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that since the last Advisory Committee meeting the key focus has been the two rounds of research they have conducted. The first one on the energy sector which they are conducting analysis on the findings and will use to iterate on data language and design patterns. The second one, # 8 round of research was on proposed new rules areas, such as disclosure consents.

The DSB noted in regard to the Kanban, there are a numbers of items planned for this quarter and the next. They can move ahead with items like the energy data language and known CX guidelines etc. There are some items that are a bit up in the air, but they don’t want to jump ahead of the rules finalisation and diverge.

The DSB noted that the items around disclosure consent, the CDR log and amending consent, these are planned for this quarter but the reality is that with the 4 week window for consultation and the community expectation they’ve received to taper off the Implementation Calls from the 10 December, that some of these items will spill over into the next quarter.

Joining the regime as a Data Holder

John Harries and Sanjave Walia presented Westpac’s (WBC) experience of joining the regime as a DH.

WBC noted that, in the consumer division at WBC, they have at any one time around 50 large programs or projects, most of those technology-based and across the group around 100. This project has been amongst one of their biggest in the sense that if you look back over the 2 years heading to the July release and pleasingly what they’ve just successfully implemented in November. They have also had the New Payments Platform (NPP) and payments link up projects in the industry.

WBC noted that when they talk internally about CDR and about DH and open banking at WBC, it is seen to be successfully launched in a fairly complete stage which has been a highlight for them. It’s a high-quality solution that's being delivered in terms of doing all the right work on the scope, solution design and opportunity within the realm of a target state. CDR and open banking have given them the opportunity to accelerate work on their data capabilities, data platforms and data strategies.

WBC noted that they have had incredibly strong collaboration, not just with the Advisory Committee, but also internally. As a large organisation, they have the right intent but it can be a challenge given multiple priorities. However internal support has been strong including at the most senior management levels of the Group and Board.

WBC noted that it has been a challenging journey technically. The audit and reporting obligations added significant technical complexity, and the data standards and data stored in their systems needed to be matched.

WBC noted the need internally for collaboration. It’s not just a technology change project, it requires new and enhanced businesses processes. If seen internally as just a technology project it would not have been successful because it needs to integrate and compliment other activities. You need a holistic view and prioritisation is required to manage contention across key activities and resources.

WBC noted that the privacy and consent frameworks are more onerous, but they have a longer-term benefit if they get it right and can apply elsewhere. Robust processes to manage data quality issues are important to have in place.

WBC noted the ongoing challenge of the gap between the legislation, the rule and the standards and then how they align and interpret some of those rules.

WBC noted that the key thing on complexity is the transaction data they need to share via online channels. When trying to solve that for the program, just making sure they met all the technical requirements from the data standards required them to think differently about how they solved some things that they already do today. They needed to protect the performance of their existing systems, and they looked at how they could solve it in a strategic way that helps other use cases internally.

WBC noted that it is not just technology, though technology is a big part, they also needed to think about how their frontline supported this change and supporting their customers. They worked on the business process element and internal change element from early on. The collaboration has helped them through that as a team across all the different parties participating.

WBC noted some tips based on their experience for those starting the journey. You need to figure out what steel-thread you want to build, which helped them get match-fit early. That was critical for them being ready for the July timeframe. The requirements traceability was also important. The rules and obligations are complex and being able to prove internally how they have designed and built the system that meets the obligations is critical and having that requirements traceability is important.

WBC noted that having the right technical experts early was key and having a dedicated legal and compliance team was imperative to help them understand the rules and make sure what they were designing worked for the rules.

WBC noted that open, transparent and constructive relationships with all participants, including the Fintech’s during the industry testing phase, was critical.

The Chair noted that when the DSB had the first engagement with WBC it was Gary Thursby (Group Executive) who was the responsible executive for the CDR. With the comments about the steel-thread and legal and compliance, he noted that the approaches of the big 4 have been quite different. For WBC it started with strategy and the steel-thread set the tone. You didn’t start with legal and compliance and try and retro fit the steel-thread. That has produced dividends in terms of their response, their system and the success on July 1 and November.

WBC noted that Gary Thursby’ s role at the time was Group Executive for Enterprise Services so part of that role was the coverage and governance of the enterprise investment plan, large technology projects, notwithstanding how they're organised within the divisions. He had the advantage of the strategy piece and the enterprise piece, which is where the funding and managing contention comes from. He is also very strong on having the reusable capabilities perspective, which helps get the right sponsorship and priority for these large programs of work, particularly when they are externally based.

WBC noted, in regard to learnings for future consideration, that there is a lot of work for better alignment across rules and standard development and timelines. CX being done early and up-front is critical, particularly for the purpose of making it usable for the consumer. They would advocate implementing a backlog management process to prioritise features and timelines integrated across all areas that are setting the rules and standards. It was good to see the Kanban board for the Advisory Committee work but they would like to be able discuss and agree what set of features they want to prioritise and what they may look like, and the timeline and trying to get into that cadence as we mature up the ecosystem. They would also encourage the automation of testing and consider having a mock DH and a mock DR capability.

One member noted that they’re at a different part of the journey and have been surprised at some of the partners approaches to managing the version management between the CDR versions. They thought they were signing up for cloud agile vendors and they feel as though they are caught in the 80s and 90s. Has WBC found some maturing of that capability in moving to a more dev ops capability?

WBC noted that aren’t a lot of mature vendors in this space in Australia. In the UK there was some vendors that have done this before, but in Australia there is some expected deviations from those. There has been a huge learning curve for vendors, and they have also had to manage in terms of how they’re dealt with the standards and implemented version control and being able to have continuous change.

One member asked what has been the perspective from the rest of the organisation? How have you interacted with the other divisions in WBC and have they been engaged / disengaged?

WBC noted that engagement has been good. You can get the challenge internally when you’re building a capability, that is, a focus only on complying with a regulatory or a public government policy need. People then realised it is broader, e.g that it is a data capability build, and how they can leverage that, and what it means for the customers.  Also having someone like Gary Thursby who is a Group Executive and a very active sponsor helped in terms of having that focus and collaboration.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the Committee Papers and was taken as read.

Issues raised by Members

Frank Restuccia from Finder presented on the ‘CDR User Experience’ and how to help create the most frictionless but secure consent and authentication experience for consumers.

He noted that he has spent most of his working career in consumer land and is very passionate about the consumer flows which ultimately allow customers to share their data simply and securely.

He noted that the authentication piece is something which he’s seen time and time again, it's that last mile for the consumer, they're in that moment, they've given the consent, they're ready to go, they want to connect they want to get that great experience. This authentication piece is critical, and we know that this is the most technically difficult piece to execute. From a consumer point of view, looking at the consumer first approach and experience they’re getting in this particular phase is super important.

He noted that when people have conversations about their experience with the CDR, they want it to be a good one. This will be determined by the success of the flows and ease of which people can engage with the CDR.

He noted that we are familiar with the flows that we have today which are working but some of the obstacles that he can see are in that phase where people are having to remember their unique ID and that unique ID often is not well known and that causes a bit of untimely moving away from the actual application flow into an inbox etc. They might have issues inputting the details and there are some examples of One Time Password (OTP) where it doesn't work as well.

He noted that we can benefit from what we have seen around the world for example in the UK. The conversations they are having are more advanced and we can leverage off what they know. Marie Steinthaler’s (TrueLayer) experience has also been invaluable to leverage as she sees a lot of the data and benchmark analysis at an institutional level and the ones who have been most successful at that authentication phase.

He noted that the UK have a strong customer authentication with a big focus on biometrics. With the prevalence of applications, approximately 80% of participants have an application which is normal for consumers in the UK. The combination of a mobile device, fingerprinting and biometrics to authenticate is shown to be more successful in the authentication phase. He noted that is a much simpler process, less steps and some of the obstacles are reduced.

He noted that there is a potential to deep link straight into the authorisation screen from an app-to-app flow. Whenever we cut out steps in the consumer journey, we tend to see higher conversion rates and obviously that means more consumers being part of the regime and getting that great experience.

He noted that if we look at the number of customers who enter the bank flow, we’re seeing a 33% increase in connection success rate with app-to-app flows when compared to other authentication methods. Having app-to-app flows is crucial to creating the best possible world class system.

He noted when we look to Australia, biometrics unlock simplicity and security gains with adoption growing quickly. From a trust perspective we are seeing an increasing trend and 64% of Australians say they trust fingerprint or facial recognition more than traditional passwords.

He noted in the banking space, every major institution that he could find already has fingerprint and face ID so it may not necessarily be a huge step to incorporate it into the standards. This will vary by sector, so we need flexibility and work in the energy space.

The Chair noted that there is no need for a difference in the energy sector and certainly none of the energy Advisory Committee members could point to a valid reason in the earlier meeting.

Frank Restuccia was pleasantly surprised with some of the feedback from the energy retailers saying that they were supportive of biometric authentication which is encouraging. There was a point made that there are opportunities for energy retailers to take advantage around more possibilities around how to access data.

One member noted in regard to energy sector, is funding availability the blocker to getting biometrics?

Frank Restuccia noted that traditionally there hasn’t been as many consumer use cases for applications for energy as the banking sector, but it is changing. The energy sector has a lot of regulation and it is mostly the consumer-facing perceived benefits of having an application or not.

He noted that in his view the Australian standards are quite prescriptive, and he respects the rationale behind that. Looking at the UK, they have an option to offer it for a first choice for consumers. The idea of a ‘waterfall authentication” where app-to-app is possible that we allow for participants to offer that to consumers. When it is not available, it falls back to an OTP authentication. This is not the only way to do it, but we want to have it as an option.

He noted that some CX research has been conducted on authentication, but he suggests more CX research is required in this space as the authentication is critical to the success of this flow.

He suggested that we should be reporting on authentication performance to capture how each method performs with regards to successful connections, average time to completion, number of customers unable to connect etc.

He noted that in summary, app-to-app flows will deliver a lot of benefits from more successful connections; more CDR customers; more CDR advocates; more happy data holder customers; improved data security; increased trust; increased competition; improved productivity; and aid in the economic recovery. This will lead to a world leading CDR ecosystem delivering better outcomes for consumers and participants.

One member noted that often one of the inevitable flaws of a dry CX workshop is that it typically focussed on a happy path. When these principles are applied to real-world use cases, they bump into things that weren’t anticipated when the guidelines were devised. For example, a DH that is also an ADR using CDR as part of an affordability assessment would likely need to obtain transactions from multiple banks. If the DH is one of those banks, the DH would need to “eat their own dog food” in order to provide a comprehensive view of a consumer’s financial position. This scenario presents some challenges in terms of the consumer CX wording and context. They are bumping into real world challenges implementing these guidelines and standards. It would be really good if the guidelines could apply their thinking and represent some real-world examples, rather than some theoretical use cases.

Frank Restuccia noted that we can learn a lot from the UK experience and use those real world examples and the data provided by Marie Steinthaler from TrueLayer’s experience saw a lot of great examples where banks were getting that success rate over and above that 85% mark and beyond. That was more likely to be a case where there was app-to-app authentication.

The Chair noted that when they started there was no real work to actually test so we had to do CX research, but as we get to the point where we get some scale and in particular where we get some cross sector scale, it'll be very useful.

One member noted that they tried to bring data from their experience in the UK, essentially what conversion as authentication methods came online depending on the individual DH. They have a pretty good sample to work on. It is a real uptake and they will see if they can anonymize the data and share with the group to show the inflection points.

ACTION: The member to share with the committee conversation data which should be de identified so as not to disclose confidential and sensitive data

ACCC asked the member whether they need to report conversion data to the Open Banking Implementation Entity (OBIE) or any other regulatory body in the UK?

The member noted that there is definitely reporting requirements as part of our licence. They will get back with the exact reporting obligations vs what they choose to report.

ACTION: The member to come back to ACCC on reporting obligations in the UK.

Rob Hale from Regional Australia Bank presented on the benefits of having and publishing a CDR Business Resource Directory.

He noted that many committee members work with organisations that provide services which other participants could take advantage of and learnings that could accelerate participation. Collectively, they are trying to support the ACCC and Treasury obtain richer, deeper and broader participation as soon as possible, without compromising quality and security. He noted that part of the original objectives in the Farrell report was to enhance competition and innovation to benefit consumers.

He also noted that we should get that information out there so that participants are aware of these and other service organisations, and the product and services that are available which will benefit the ecosystem. The DSB portal is a good place to have a list of providers. We could provide contact details for each provider and perhaps have a way for the community to endorse them. He noted that while he could post this list directly himself, it would have more credibility if it had the mark of Treasury or the DSB.

One member noted that you’ve got Sympli and PEXA competition emerging in econveyacing and that it would be interesting to see how they got to the point of 10,000 practitioners. He would be happy to take that away and talk to a couple of people to see if they have any learnings that would like to share on how they accelerated their network.

ACTION: Member to come back with any learnings from PEXA about how they accelerated their network.

One member noted that Rob Hale is correct in saying that he should not post the list, but there is a lot of authenticity that sits behind it given Regional Australia Bank’s early participation status.

The DSB noted that they have been thinking about this and note that the community section of the portal allows people to post whatever they like as long as it’s within the community guidelines. To post a list of providers with recommendations is possible as long as people don’t get into web marketing. Without presupposing what ACCC might want to do in this space, there is an opportunity for a very lightweight approach which avoids any suggestion that we're endorsing or certifying any products. We have a minimalist facilitation model where we can suggest who it is, what service they are offering, a brief description and a link. This would be enough to provide a useful central directory. This would be a community asset and the DSB is just enabling it to exist.

The Chair suggested that the DSB set up a Business Resource Directory in draft in the portal and release if to the Advisory Committee for review.

The DSB noted that they also have a potential model they have been trialling which they could leverage - the data sources JSON file in the comparator tool. They have created a React app that presents the JSON format and then they ask people to do a pull request and to add their details of their bank. Internally that have been verifying their identity through email to make sure they are associated with the bank they’re reporting to post. They could do something similar and it would avoid having to curate commentary and allow vendors to post their own stuff.

ACTION: DSB to start development of a draft Business Resource Directory in the community portal for review by committee at the December meeting.

ACCC Update

Paul Franklin from the ACCC provided an update as follows:

The ACCC noted that they are planning to finalise Version 2 of the rules by the end of November with the view to receiving the Treasurer’s consent for the ACCC to make those during December.

The ACCC noted that there are 2 more live data recipients (Intuit Australia Pty Ltd & Intuit Inc) on the register and 2 more that have been accredited (Credit Simple Australia Pty Ltd & Illion Open Data Solutions Pty Ltd) but not live on the register as yet. They have at least 4 data recipients who are close to the end of the accreditation process. The ACCC is seeing a steady pipeline of prospective data recipients coming into the ecosystem.

ACCC noted that they are starting to engage with the non-major banks about their onboarding. They recently put out a message to all the non-major banks asking for expressions of interest to start early on boarding. They have had some responses from prospective non-major banks who want to go live early.

ACCC noted that they have recently hired a Director of Onboarding – Emma Joy. Emma came to them from the OBIE in the UK. The ACCC has a significant number of resources available to help onboarding, particularly as they head into early 2021 with the expectation that they have a lot of new participants to onboard and they’re increasing their resources to be able to support that effort.

Treasury Update

Phillip Schofield from Treasury provided an update as follows:

Phil Schofield noted that he has recently joined the CDR team in Treasury. He has spent many years at the Australian Tax Office (ATO) being involved in implementation of projects around sharing of data. His role at Treasury is to get involved with the review of the rules and design and also helping to facilitate some of the role of the platform.

Treasury noted that, in regard to the legislation that was looking to give effect to the shifting the rule making from ACCC to Treasury, they received around 15 submissions which was very productive and helpful. There was one question on bringing in a regulatory power that would look directly at the role of the outsource service provider. On the balance of the feedback, what they are seeing is that is generally seen to be a good idea and they are looking to include this going forward.

Treasury noted that the Inquiry into Future Directions for the CDR has completed, and Mr Farrell has handed that back to the Treasurer and they are waiting to hear when that will be published and made available.

Treasury noted that they will be reaching out to the committee and stakeholders in due course to seek views on a review of the design of rules and exploration of the register accreditation application platform and where that sits.

One member asked in terms of uptake – do they have the metrics for things like how many prospective applicants and active participants are there etc?

The Chair noted that the ACCC prepares a weekly CDR Performance Report for the CDR Board and the Implementation Team Committee. Is it possible to circulate to the members?

The ACCC noted that they do capture some data - they don’t know consumers by individual identities – this is not possible to derive from the data they have. They do know how many consents are granted and how many API calls are made etc. The numbers have not been published outside of Government so they will need to confirm if the information can be shared with the committee.

ACTION: ACCC to share the CDR Performance Report metrics with committee members if permissible.

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 9 December 2020 from 2pm to 4pm.

Other Business

No other business raised.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

Meeting closed at 15:55