Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 11 November 2020
Location: Held remotely, via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 11
- Andrew Stevens, Data Standards Chair
- Louise Benjamin, ECA
- Jill Berry, Adatree
- Lawrence Gibbs, Origin Energy
- Peter Giles, CHOICE
- Melinda Green, Energy Australia
- Joanna Gurry, NBN Co
- Joe Locandro, AEMO
- Frank Restuccia, Finder
- Aakash Sembey, Simply Energy
- Ed Shaw, Ausgrid
- Lauren Solomon, CPRC
- Dayle Stevens, AGL
- Barry Thomas, DSB
- James Bligh, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Mark Staples, Data61
- Mark Verstege, DSB
- Michelle Looi, ACCC
- Jodi Ross, ACCC
- Fiona Walker, ACCC
- Athena Jayaratnam, OAIC
- David Havyatt, ECA
- Aaron Lester, Treasury
- Philip Schofiled, Treasury
- Lisa Schutz, Verifier
The Data Standards Chair opened the meeting and thanked all committee members and observers for attending meeting no 11.
The Chair welcomed new members Jill Berry from Adatree and Louise Benjamin from Energy Consumers Australia (ECA) to the committee. He also thanked members transitioning off and those members who have accepted the invitation to extend their membership for a further 12 months. It is an important role that we play in the Advisory Committee in the process of the roll out of the Consumer Data Right (CDR).
The Chair noted that the first full draft of the Energy standards are nearing completion with two of the final three consultations currently open and only the DER data structures yet to be defined. Further details will be provided in the Technical Working Group update.
The Chair noted that the CX Working Group has started its eighth round of research on proposed new rules areas, such as disclosure consents. Further details will be provided in the CX Working Group update.
The Chair noted that the Banking Product Comparator tool continues to be a powerful and insightful tool for organisations publishing their Product Reference endpoints. There is a new feature called Status and Outages where you can view the current status and outages for organisations. At the time of writing there were 68 banks available in the Product Comparator Tool.
The Chair noted that he will be attending the next CDR Board meeting on Tuesday 17 November 2020 and Barry Thomas attended the CDR Operational Committee meeting on Monday 2 November 2020.
The Chair noted that Lisa Schutz from Verifier is an apology for this meeting.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 14 October 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be discussed later at this meeting.
Working Group Update
A summary of the Working Groups progress since the last committee meeting was provided in the Committee Papers and was taken as read.
Data Quality Update
A further update was provided on Data Quality by Barry Thomas as follows:
The DSB noted that data quality issues only emerge once you have a live system and can look at the data flowing through and whether it meets the practical needs. They are holding a Data Conventions Workshop on the 8 December and they are very conscious of the fact that in each sector they work on, other parties have already done a lot of work on the data that is relevant in that sector.
The DSB noted that they are actively collaborating with LIXI Limited (LIXI), which is the messaging standards body for lending transactions, to see whether it is possible to use their pre-existing definitions and schema that define many transaction payloads in the lending space. They are hoping to build conventions around data structures which map cleanly to LIXI data which should significantly improve the efficiency of systems which blend CDR and LIXI data and will be very relevant to the process of identifying and acting on switching opportunities for lending products. This active collaboration is a significant step forward.
Technical Working Group Update
A further update was provided on the Technical Working Group by James Bligh as follows:
DSB provided an update on the Kanban board, how it has evolved and how they intend on using it going forward. The Kanban board will be the process for future planning and is available on GitHub. It provides visibility to both what they are working on now and forward planning. They will seek advice from the Advisory Committee to determine priorities, impacts and the likely outcomes of scheduling etc. going forward. This will help the DSB balance the demand and supply of their time and make sure they are focusing on the right things and provide a forward view to the committee and public of when they will look at and consult on particular topics.
The DSB noted that they will talk to committee members at the next Advisory Committee meeting about the next quarter of work and lock it in - to the extent that is possible. They will also seek advice on topics that can be put into the backlog that aren’t there; how they can unblock items; defining the maturity; and timing.
The Chair noted that the Future Directions Inquiry Report by Scott Farrell has now been presented to the Treasurer. This item on the Kanban board is blocked for now and this item could create numerous items over numerous quarters for the Advisory Committee.
The DSB noted that depending on the recommendations in the report and the government response to those recommendations, they could end up with a dozen different items in their backlog over the next two years.
The DSB noted that they have set up four tags in the Kanban board. The green tag is whether there’s enough detail to the problem statement to work on it or not; the light green tag is that we don’t understand the problem well enough to start; the blue ones indicates the sector; and the red one indicates whether something is blocked. They noted that the vast majority of items are “sector all” which is in keeping with their approach of trying to be cross sectoral wherever possible.
One member noted that it would be really helpful to the community and external stakeholders for each of these items to have an indication whether it’s open for consultation and who they should contact if they would like to discuss that with the team.
The DSB noted that this is good feedback and they will take it back to the team as well as the suggestion of adding a further label for “open consultation”.
The DSB noted that as the Zendesk support portal is developing, it is becoming quite effective and it is an easier way for them to give direct responses to people and also turn them into reusable articles. They have decided to take clarification questions from the standards maintenance repository, which is focused on maintaining the standards for the sectors that are in baseline mode, so that going forward it can focus only on change. Zendesk is a much better tool for the purpose of clarification and questioning and it helps them manage to SLA’s and internally etc. They are closing down clarifications through GitHub and moving to Zendesk.
The DSB noted that they published the DER Standards this morning and noted that the Australian Energy Market Operator (AEMO) have been incredibly helpful. The DER proposal is the final consultation for the designated data clusters. This consultation will end at the end of the month.
The DSB noted that they are in consultation with the Australian Competition & Consumer Commission (ACCC), AEMO and Treasury and they are proposing to have an Energy Workshop on “Draft Standards with Authorisation & Authentication” on the 24 November 2020. This workshop will run through the overall standard and look at the consultation on authentication and authorisation for the energy sector using the gateway.
The DSB noted that the ACCC have also asked them to do a technical and CX consultation on the impacts of a gateway with regard to authentication and authorisation before they finalise the rules framework so they can understand the implementation impacts and the possible technical solutions and how people see those from an implementation perspective. They will be doing that consultation and publishing a decision proposal as well at the workshop on the 24 November 2020.
The DSB noted that Zendesk is a shared resource with the ACCC and it is a one stop shop for clarifications on standards, rules and register issues.
Consumer Experience Working Group Update
A further update was provided on the CX Working Group by Michael Palmyre as follows:
The DSB noted that on the Kanban board there are a number of issues listed for this quarter and the next. They are working on the energy data language standards which are moving towards a final iterated version and they can then publish a full set of AEMO held and retailer held data language standards to consult on. There are also a number of CX guidelines, based on community requests for existing rules; various updates; open source assets that they’ve received requests for; and the Consumer Policy Research Centre’s (CPRC) community engagement.
The DSB noted there are a number of items which are either blocked or undefined that they need to wait for more clarity on before they can move ahead. They also noted that for the work planned for this quarter - there is not enough time to do what they need to do to meaningfully consult on proposed standards (new or amended) as they need four weeks plus development, review and approval time for any appropriate standards. They also noted the community has asked for things like the Implementation Calls etc to taper off after 10 December 2020. They noted that it would be near impossible to have standards by the end of year break to give that 6-month lead time for July 2021.
The DSB are hoping to get feedback from committee members and the community on a number of things, the key ones being, depending on the intentions of the v2 rules, what if any CX standards need to be considered for these items; what effort would be required; what are the priorities; the expected lead time required for implementation; and what are we missing.
ACCC noted that they are currently considering submissions on version 2 of the rules which closed on the 29 October 2020. They are conscious of the issues raised by the DSB but noted that not all rules that provide for a potential role for the standards will result in an obligation on data holders that involves build for their systems, and compliance dates linked to them. For example, where a rule envisages that a data recipient could do something in compliance with the standards that obligation in itself is not given content until the standard is made and therefore this does not give rise to a compliance date for data holders. That allows more time for a standards process to occur. The ACCC is working closely with the DSB so that any CX standards and guidelines related to V2 of the rules can be progressed, ideally within the remaining time this year to enable that to happen. This process needs to be done on the caveat that any rules that are finalised this year, are subject to the consent of the Treasurer, and they are not likely to get that until sometime in December.
One member noted that in relation to the workshop they would like to know more about the nature of the gateway consultation as they have been thinking about what that might means for them. It does have a definite impact on CX and payloads.
The DSB noted that the history of the CDR over the last 2 ½ years is the rules obviously influence the standards, but sometimes the technical implementation considerations that they find during standards consultation impact the rules as does the CX research. The ACCC have asked them to look at authentication and authorisation to help inform the development process for energy. This workshop is the start of that. They will not look at any of the questions that the rules framework consultation has open for energy. This is looking at what are the options for implementation, what are the CX impacts, and the implementation and technical impacts. The purpose of the workshop will be to present the data standards in their entirety and the other part is to walk through different technical issues, questions/scenarios. This workshop will not be held in isolation, they will be publishing a Decision Proposal with some of those questions in the next week and at the workshop they will work through the questions within a working group.
A summary of stakeholder engagement including upcoming workshops, weekly meetings and maintenance iteration cycle was provided in the Committee Papers and was taken as read.
Issues raised by Members
Frank Restuccia presented on the ‘CDR User Experience’ and how to help create the most frictionless but secure consent and authentication experience for consumers.
Frank Restuccia noted that he has spent most of his working career in consumer land and is very passionate about the consumer flows which ultimately allows customers to share their data simply and securely.
He noted that we want people to talk about a great application where they have seamlessly been able to authenticate and get access to all the benefits that we are working on. Some obstacles they might face are they’ve gone through the process and they have forgotten their unique ID; or perhaps they don’t want to punch the ID as it is less secure; or the one time password (OTP) method does not always work. He noted that the current methodology is fine, but we need to set ourselves a higher standard and encourage innovation by setting the bar high for participants to come in and create an amazing experience.
He noted that we can benefit from what we have seen around the world, for example in the UK. The conversations they are having are more advanced and we can leverage off what they know. Marie Steinthaler from TrueLayer (and on the banking AC), her experience has also been invaluable to leverage as she sees a lot of the data and benchmark analysis at an institutional level and the ones who have been most successful at that authentication phase.
He noted that the UK have a strong customer authentication with a big focus on biometrics. With the prevalence of applications, approximately 80% of participants have an application which is normal for consumers in the UK. The combination of a mobile device, fingerprinting and biometrics to authenticate is shown to be more successful in the authentication phase. He noted that is a much simpler process, less steps and some of the obstacles are reduced.
He noted that there is a potential to deep link straight into the authorisation screen from an app-to-app flow. Whenever we cut out steps in the consumer journey, we tend to see higher conversion rates and obviously that means more consumers being part of the regime and getting that great experience.
He noted that if we look at the number of customers who enter the bank flow, we’re seeing a 33% increase in connection success rate with app-to-app flows when compared to other authentication methods. Having app-to-app flows is crucial to creating the best possible world class system.
He noted from a trust perspective we are seeing an increasing trend and 64% of Australians saying they trust fingerprint or facial recognition more than traditional passwords.
He noted in the banking space, every major institution that he could find already has fingerprint and face ID so it may not necessarily be a huge step to incorporate it into the standards.
He noted that in his view the Australian standards are quite prescriptive, and he respects the rationale behind that. Looking at the UK, they have an option to offer it for a first choice for consumers. The idea of a ‘waterfall authentication” where app-to-app is possible that we allow for participants to offer that to consumers. When it is not available, it falls back to an OTP authentication. This is not the only way to do it, but we want to have it as an option.
He noted that on CX research on authentication, some research has been conducted on this but suggest more research is required in this space as the authentication step is critical to the success of this flow.
He suggested that we should be reporting on authentication performance to capture how each method performs with regards to successful connections, average time to completion, number of customers unable to connect etc.
He noted that in summary, app-to-app will deliver a lot of benefits from more successful connections; more CDR customers; more CDR advocates; more happy data holder customers; improved data security; increased trust; increased competition; improved productivity; and aid in the economic recovery. This will lead to a world-leading CDR ecosystem delivering better outcomes for consumers and participants.
One member noted that there was a good point raised about design and too often we don’t consider the end point of the device or the way the consumer's going to go in. The real crux of the matter is to try and get it to the extension of what's in the user's hand or device and make sure our standards are applicable to handle that.
One member noted that it makes sense being able to leverage a customer experience and leveraging the data holder’s existing infrastructure. Another benefit is that if data holders can’t authenticate through biometrics, they have an identity provider that isn’t CDR compliant, this would be easier for them to comply and have a lower the cost.
The DSB noted that they have been looking at different flows for authentication, and they agree that app-to-app is a great consideration for real world CDR, especially the waterfall authentication approach for the energy sector.
Frank Restuccia noted that he would love to hear the views of the energy retailers to understand if we are moving towards more application development for the energy providers. He wants to encourage that benchmark and the ability for the retailers to develop those apps.
One member noted that this speaks to what they’re trying to do constantly – improving the user experience through their digital interface as well and certainly the path that is described is a continuation for them.
One member noted it’s a challenge in this area where people don’t have that relationship with their energy retailer, they don’t have online accounts generally. This could be used as some kind of encouragement to get people to start that sort of relationship. Is there any data around biometrics actually increasing uptake of people signing on for online accounts?
Frank Restuccia has no data on hand, but he will take that on notice and bring back to the group. He noted that customers are expecting more and more from brands and he thinks that as an energy retailer, there’s potential in broadening the possibilities and using other data sources to provide services for their customers.
ACTION: Finder to report back with data on biometrics increasing uptake of online accounts.
One member noted that energy is not as interesting to consumers and everyone's more interested in their mobile broadband, NBN service etc. One of the trends missing in energy is your smart inverter, and battery management, they will use that data, and it probably won’t be consumers using it and wanting it directly. They don’t think you will get a lot of people logging on to look at their billing data and plans etc.
The Chair noted that when we get to an economy wide regime, the rules are going to be different and we need to look at it.
The DSB noted that there are some technical implications that the group needs to consider when thinking about app-to-app, particularly in a gateway model. There are 3 parties, and AEMO stands between the accredited data recipient (ADR). In the app-to-app model, technically we would need to figure out a way of transitioning from app to AEMO to app and it's unlikely based on the submission from AEMO to the rules framework regarding not being customer facing that there would be an AEMO app for instance. Even if a retailer had an app, the ability to go directly from an ADR to that retailer’s app would have to be proxied through the gateway and then back to the gateway, so there are some challenges there.
The DSB noted that another challenge that has been highlighted is the need for data holders to potentially maintain multiple implementations because this isn't just an app enabled ecosystem it’s also a web enabled ecosystem. From a policy perspective, they’re trying to reach the Australian citizen cohort as a group, not just those with phones or digitally enabled.
The DSB also noted that they are working to empower Australian citizens by establishing a regime build on Trust. If we do app-to-app with some data holders, and its browser based or redirect with others there was a perception that we could potentially undermine the initial trust building activities.
One member noted the use of omni-channel where the consumer can use any channel (Mobile app or otherwise ) and is able to retrieve information via a gateway model - the best example of a gateway is the Amadeus Central Reservation System where consumers can use mobile apps through the gateway and receive a price and reservation sent back to you. They think that sometimes we are constrained in our thinking and if we look at other models in other industries, the competitive advantage is not the authentication, it’s what products and services you're offering and bundling etc. They don’t believe it’s a technical challenge of using a gateway for apps, they believe it’s more important for trying to make it consistent for trust and ease of use. They noted that if you look at Energy Made Easy or Victorian Energy Compare they are using brand new technology that goes through the website and the web browsers of others. The gateway model to allow consumers to compare their energy now is already done.
One member noted to what extent can we forecast our expectations around what sorts of technology solutions that will come to market as part of the issues here. What is the process that we're going to use to identify new emerging technologies that could enhance the CDR scheme through time and bring them on board or test them in a way against the rules which are consistent? If we are adopting a technology neutral approach, this is going to keep happening and we need a way of identifying how close it is to deployment, how significant it could be to improving the system, how we have a regulatory sandbox approach of testing and bring it into the scheme.
The member also noted that they will always come at it from the perspective of the consumer's comprehension, control and security, regardless of whatever platform is being used, because from their perspective friction is not always a bad thing. So, regardless of what you're using do you have the same level of comprehension, control and security?
One member noted that their focus is always on trust, and they don’t know if having consistency across authentication methodologies across different sectors automatically equals trust. They are more interested on how you get consumers trust which is around control. The trust lens is what they are looking for and they wouldn't want to necessarily start on a presumption of consistency. In terms on how this is being used, sometimes it's the consumer that's going to want to look at the data, but more often it's going to be an innovator or the supplier of a new service, and there’s a whole education of the customer and making sure they understand the consumer’s context as well.
The Chair thanked Frank Restuccia for his presentation and noted his commitment on this point and to the CX and the ease of use.
Jodi Ross from the ACCC provided a general update as follows:
The ACCC noted that on the action item to update the committee on the product reference data (PRD) compliance audit they mentioned at the last meeting. This was where the enforcement and compliance team were checking whether all of the non-major banks had made available public endpoints to commence sharing phase 1 PRD with their obligation commencing on the 1st of October. They are pleased to report a 98% compliance rate, which was quite outstanding in the circumstances given that they had a large number of data holders involved, and the data holders had received some additional time to take into account the impact of COVID-19. They are currently working with 2 ADI’s who face some particular issues – one bank does not have an online presence and the other is in merger discussions which may be an appropriate circumstance for potential exemptions.
The ACCC noted that they have 85 ADIs who fall within the regulated cohort and that takes into account exemptions already granted.
The ACCC noted that since the last meeting, 1 November has passed which was the commencement of Phase 2 consumer data sharing for the major banks. That milestone means that there are now significantly increased data sets available under CDR and a much wider range of products in scope and some new API’s including direct debit, scheduled payments and Joint Accounts. The ACCC expects that these increased datasets will encourage participation in the CDR.
The ACCC noted that in regard to version 2 of the CDR rules, they have received a fairly large number of submissions and intend to publish them before the end of the year.
The ACCC noted they are carefully considering the scope of version 2 of the rules to be made in December. There was a broad range of views received on a number of the topics in the consultation.
The ACCC noted in regard to the energy rules, work is continuing in terms of finalising some policy positions to inform those rules, which they’re intending to consult on in February 2021. They don’t have a substantive update for the committee on particular policy issues, but they will be attending the workshop on the 24th November.
The Chair asked if the ACCC have an update on ADRs entering the accreditation process and the levels of volume and interest?
The ACCC noted that they have 6 accredited entities, 2 active entities (Frollo Australia Pty Ltd & Regional Australia Bank), Intuit Australia Pty Ltd and Intuit Inc have recently gone live on the register and they expect Credit Simple Australia Pty Ltd and Illion Open Data Solutions Pty Ltd to follow shortly. They have 4 applications under active consideration, and they hope to announce another accreditation decision before the end of the year. They have another 40 or so potential applicants who’ve moved beyond just getting access to our accreditation portal and have started drafting their applications.
The ACCC noted that the recent announcement about partial acceptance of ISO 27001 has been largely well received. The ACCC has updated their accreditation guidelines to explain to potential data recipients how they will recognise ISO 27001.
The ACCC noted that the accredited intermediary rules commenced in October and are now supported in the register. This will hopefully build some momentum for businesses who want to participate in CDR using an accredited intermediary.
Phil Schofield from Treasury provided an update as follows:
Phil Schofield noted that he has recently joined the CDR team in Treasury. He has spent many years at the Australian Tax Office (ATO) being involved in implementation of projects around sharing of data. His role at Treasury is to get involved with the review of the rules and design and also helping to facilitate some of the role of the platform.
Treasury noted that the Inquiry into Future Directions for the CDR has completed, and Mr Farrell has handed that back to the Treasurer and they are waiting to hear when that will be published and made available.
Treasury noted that in regard to the legislation that was looking to give effect to the shifting the rule making from ACCC to Treasury. They received around 15 submissions which was very productive and helpful. There was one question on bringing in a regulatory power that would look directly at the role of the outsourced service provider. On the balance of the feedback, what they are seeing is that is generally seen to be a good idea and looking to include it going forward.
Treasury noted that they will be reaching out to the committee and stakeholders in due course to seek views on a review of the design of rules and exploration of the Register and Accreditation Application Platform and where that sits.
The Chair asked Treasury if they could let Kate O’Rourke, who is heading the CDR Division in Treasury, know that the DSB will be reaching out to invite her to attend the next meeting.
ACTION: DSB to invite Kate O’Rourke to the December AC meeting
The Chair advised that the next meeting will be held remotely on Wednesday 9 December 2020 from 10am to 12:00pm.
No other business raised.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 11:40