Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 9 December 2020
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 27
- Andrew Stevens, Data Standards Chair
- Damir Cuca, Basiq
- Nigel Dobson, ANZ
- Gareth Gumbley, Frollo
- Rob Hale, Regional Australia Bank
- John Harries, Westpac
- Frank Restuccia, Finder
- Lisa Schutz, Verifier
- Ross Sharrott, MoneyTree
- Marie Steinthaler, TrueLayer
- Stuart Stoyan, MoneyPlace
- Barry Thomas, DSB
- James Bligh, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Mark Verstege , DSB
- Paul Franklin, ACCC
- Jodi Ross, ACCC
- Ying Chin, OAIC
- Kate O’Rourke, Treasury
- Jessica Robinson, Treasury
- Philip Schofield, Treasury
- Andrew Cresp, Bendigo & Adelaide Bank
- Lauren Solomon, CPRC
- Erin Turner, Choice
The Data Standards Chair opened the meeting and thanked all committee members and observers for attending meeting no 27.
The Chair wanted to acknowledge and congratulate Rob Hale and Regional Australia Bank as they're the first non-major bank to go live as a data holder (DH) and the first organisation to go live as a data recipient (DR) and DH which is quite an achievement.
The Chair noted that he will be attending the next CDR Board meeting on Tuesday 15 December 2020 and Barry Thomas attended the CDR Operational Committee meeting on Tuesday 1 December 2020.
The Chair welcomed Kate O’Rourke the Head of the CDR Division and Jessica Robinson the Assistant Secretary from Treasury and invited them to introduce themselves to the committee.
Kate O’Rourke noted that with Treasury assuming some of the responsibilities from the Australian Competition & Consumer Commission (ACCC) and with the Data Standards Body (DSB) moving into Treasury from CSIRO, they have decided to create a new Division. The combination of the new responsibilities and the very significant and really interesting issues ahead of us when thinking about rolling out new sectors, and issues considered in the Farrell Report, there is a lot of work to do in the CDR and they are really pleased to have more people coming on board to help with that work. They are keen to make the transition for both ACCC and the DSB as smooth as possible. This will remain a multi-agency program and they look forward to working closely with colleagues, especially in other sectors.
Jessica Robinson from Treasury noted that she is the second week of the job but has been in Treasury for a few years. In the last 18 months she has been seconded out to different pieces of work. Most recently she led a task force in Prime Minister & Cabinet (PM&C) on sensitive and critical technologies in critical minerals and before that at the Department of Industry, Resources and Science heading up the Critical Minerals Facilitation Office. She is really excited about the opportunity to bring together a multi-disciplinary team and maximise the opportunity to drive a seamless approach to CDR across the standards and regulation.
The Chair noted that Andrew Cresp (Bendigo & Adelaide Bank), Lauren Solomon (CPRC) and Erin Turner (Choice) are apologies for this meeting.
The Chair wanted to thank everybody for the incredible work and contributions they’ve made on this committee and indeed to the implementation of CDR in Australia. He wishes everyone all the best for the holiday season.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 11 November 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
In regard to the Action Item on ACCC sharing the CDR performance metrics with committee members, ACCC noted that they have considered the issue and do not consider it appropriate to share the data that is being captured more broadly at this stage, due to the data representing the activity of a small number of participants. The ACCC is prepared to re-visit this in the future.
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
The Chair wanted to acknowledge the great value of work that has been done by the Working Groups this year. As we moved from Phase 1 implementation to Phase 2 you can see how the balance has swung more towards implementation and assistance and advice and discussion as well as keeping the standards developing in line with the rules.
Technical Working Group Update
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB held a Product Reference Data (PRD) Workshop yesterday, which looked at lending rates for residential mortgages. The intent was to identify a bunch of issues, particularly as they’re starting to get real production data from the banks around residential mortgages and lending products, and to start to identify a set of conventions or potentially change requests. Over 30 people attended from a variety of banks, including a number of non-majors, DRs and consumers. A Miro board with the findings will be publicly available before Christmas.
The DSB thanked everyone for reviewing Decision Proposal 325, which has been approved by the Chair. They are working on the version 1.6 release which will include the changes that constitutes DP 325 regarding the client authentication for DRs.
The DSB noted that the 5th Maintenance Iteration concluded last week. They have a set of change requests, which they’re working through to finalise with the intent to include in release version 1.6 sometime this year.
The DSB noted that for the Enhanced Error Handling Decision Proposal, they are looking to provide an updated consultation before the end of the year, so they consult on that in the New Year.
Consumer Experience Working Group Update
A further update was provided on the CX Working Group by Michael Palmyre as follows:
The DSB noted that a lot of the focus over the last month has been on v2 of the rules. They have been working closely with the ACCC to identify items they expect to emerge from that. They have wrapped up the last round of research for the year, which was on disclosure consent. The research brief is online, and they will publish a short summary with a full report being published in the new year.
The DSB noted they held a workshop on the 24 November on Draft Standards for Energy with Authorisation & Authentication CX. The workshop focused on energy and the gateway and had a great turnout, with representation from the financial sector. The artefacts are outlined in Decision Proposal 140 and are worth talking a look at.
The DSB noted that in relation to the Consumer Policy Research Centre (CPRC) Engagement, the Joint Account report is going through a final review process before being made public. It will be published in the DSB newsletter and accessible on our Community Engagement page. CPRC are now consulting on the issue of vulnerability.
The DSB noted that they have been working closely with ACCC to identify requirements, priorities, and timelines for CX items emerging from the v2 rules proposals. A number of key guidelines and related decision proposals are being developed for consultation on GitHub.
The DSB noted that the last Implementation Call for the year will be held tomorrow (10 Dec 20). They will provide an overview of how they’re currently developing new versions of the CX Guidelines to be web based.
One member asked if the DSB have received a lot of feedback on consent and have they had any insight from overseas about their learnings around consent changes?
The DSB noted that their research is not based on people who are currently using CDR but that is something they plan to do as CDR scales up and it is definitely on their radar. In regard to learnings from overseas, they have been talking occasionally to the Open Banking UK team and consultants who have worked in the UK on CDR and there is a lot of sharing and learnings. They noted that Australia is being seen as covering new ground, even compared to the UK who have been established for longer.
One member noted that using this ecosystem in practice is highlighting some things that weren’t picked up as part of the consultation process or workshops etc. Some unintended consequences have started to come to light, as part of being a DH and DR which is inevitable and perhaps, we should steel ourselves for another round of adjustments. They are starting to form a stronger view that pausing, fixing some fundamental things that aren’t perhaps working as planned and then going again will result in a much better outcome and we shouldn’t be fearful of doing that.
One member noted that they have over 100 FinTech’s using their platform to acquire data, predominantly via screen scraping. Many of them have a desire to move over to Open Banking but one of the biggest concerns is the potential drop off of customers and the direct impact to the business as a result of Joint Accounts. They appreciate that there are a lot of new concepts in CDR but the act of exchanging data has been used for a long time and there’s a lot of successful FinTech’s in Australia that have invested a significant amount of time and energy in making sure they provide the best possible user experience. It would be a shame not to engage those companies that rely on those services and obtain insights from them.
The Chair noted that they will kick off 2021 with a bit of a scoping review to get a view on these issues, and to identify the nature of the potential impacts.
ACTION: The DSB to reach out to members to get a view on the issues and potential impacts relating to Joint Accounts.
ACCC would be interested to know whether some of the concerns around Joint Account sharing will be addressed in v2 of the rules given the intent for v2 of the rules to provide an improved CX and inflow authorisation. This is an evolution of the rules based on CX suggestions.
The member noted that it does in part but not fully. There was broad consultation and they didn’t spot some things. There are evolutionary adjustments being made and to some extent these will compensate some of the challenges they are starting to see. They hope that collectively they can take in some of the learnings, and if it is not working, take the time to recalibrate.
The Chair noted that we will see what the v2 rules and CX implications are and if this influences where we end up in February. He has asked the members to document the issues and the implications to provide to the DSB.
Another member noted there is always going to be tension between CDR and screen scraping and ubiquity for CDR is the ultimate goal. They noted that we will still need screen scraping as part of a broader ecosystem for the small credit unions etc.
ACCC noted that they have 97 authorised deposit institutions (ADIs) which will be required to commence consumer data sharing by 1 July 2021 and are sharing phase 1 product data. Every Australian ADI, not including the branches of the foreign banks, but including the foreign owned domestic banks.
One member noted that it is great in terms of having 97 ADI’s but in reality, it depends on the use case, the company consuming the data will most likely need to leverage screen scraping with Open Banking to get a holistic view of the customer’s finances. These technologies will have to co-exist, but we should always strive to make open banking supersede screen scraping.
The DSB noted that they have been working through the future planning backlog to manage the workload. They would welcome content that could be added as a future item to be scheduled to look at things that could be done to close the gaps between screen scraping and the CDR.
A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the Committee Papers and was taken as read.
Barry Thomas from the DSB provided an update on the Service Provider Directory as follows:
The DSB noted that the Service Provider Directory is due to go live with the intent to provide a “yellow pages” type service to help the large number of new entrants of the regime understand where they can go for services and products. The DSB will not be endorsing any products and if the directory is widely supported it will be a very useful resource for the service and product providers. Prior to going live, they would like to give members the opportunity to look at the Directory and provide feedback.
The Chair wanted to acknowledge the close working relation the DSB have with Treasury, ACCC & the Office of the Australian Information Commissioner (OAIC). They couldn’t have operated to the extent they have without those close interactions which have been very helpful and constructive. It has been a tremendous asset to have the 4 agencies working closely together.
Issues raised by Members
Ying Chin provided an overview of OAIC’s guidance and advisory pieces that they have developed to help participants understand their privacy obligations under the CDR regime as follows:
The CDR is co-regulated by the ACCC and the OAIC. The OAIC is responsible for enforcing the privacy safeguards, which are in the legislation; enforcing the CDR rules that relate to privacy and confidentiality; provide advice to the ACCC and the DSB on the privacy implications of the CDR rules and standards; handle complaints about the handling of CDR data from individuals and small business consumers. They also have a guidance and education role and have issued a suite of guidance materials for entities about their privacy obligations. They have a suite of web content that is targeted to consumers to help them understand their rights under the CDR regime.
The OAIC noted that the content on the website is current as at July 2020 and they are in the process of updating it to reflect the accredited intermediary rules which came into effect in October.
The OAIC noted that a useful resource is the OAIC CDR Regulatory Action Policy which sets out their priorities, goals and principles in regulating the CDR and complements the joint OAIC & ACCC’s compliance and enforcement policy.
In regard to the CDR Privacy Safeguard Guidelines. These Guidelines outline how they will interpret and apply the 13 privacy safeguards. The privacy safeguards aim to protect CDR data throughout the information lifecycle and are contained in Part IVD of the Competition and Consumer Act 2010 (Cth) and supplemented by the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) and the CDR Privacy Safeguard Guidelines bring together the requirements from the Competition and Consumer Act and the CDR Rules. Each Chapter opens with a table which outlines the interaction between the privacy safeguard and corresponding Australian Privacy Principle under the Privacy Act. Chapter A (Introductory Matters) includes a table which outlines this interaction at a global level, for all CDR participants.
OAIC noted that they have also published a range of web content for consumers to explain the CDR, their privacy rights, privacy obligations of organisations which handle their data and how to make a complaint.
One member noted that around CDR policy development, and in their unique case of being a DH and an ADR, they had some real struggles which they would like to discuss with OAIC as this may help others that find themselves in the same situation.
OAIC noted that there are two distinct sets of requirements that you need to meet for the CDR policies for both DHs and ADR’s. They can see there might be some challenges in doing that which perhaps they didn’t contemplate when writing the guidance because it wasn’t in practice. They would be happy to speak offline to the member regarding that.
ACTION: OAIC to reach out to member regarding the requirements for CDR policies for DH & ADRs.
Paul Franklin from the ACCC provided an update as follows:
The ACCC are on track to make v2 of the rules as soon as they receive the Treasurer’s consent. They are not in a position to discuss the content of the rules at this stage, but they will make an announcement as soon as the rules are made.
Given the expected transition of rulemaking and future sector assessments from the ACCC to Treasury, the ACCC is working very closely with Treasury to make sure there is a smooth transition with no disruption to participants.
The ACCC is continuing to receive applications for accreditation and expect many more to come in the New Year.
The ACCC have started the onboarding of non-majors ADI’s, commencing with Regional Australia Bank (RAB) who they would like to congratulate. They have also started a heavy engagement schedule with all of the non-majors’ banks and held meetings with the CEOs of the Australian Banking Association (ABA) & Customer Owned Banking Association (COBA) banks. They are now proactively contacting each of the banks to ensure that everybody who has a DH obligation is onboarded in a smooth way.
The ACCC noted that they have bought in a new Director of Onboarding and a few resources in the onboarding team. Emma Joy, the new Director comes from Open Banking Implementation Entity (OBIE) in the UK and they want to make sure that they provide a high level of support to help with that process.
The ACCC noted that the last Implementation Call with the DSB is on the 10 December 2020 and recommencing on the 14 January 2021. They have notified stakeholders that they will have a 2-week close down within the ACCC. Access is available for emergency contact, but they will not be onboarding any new DRs or DHs during the shutdown period.
In the next ACCC newsletter, they will provide an update on the test strategy, updated accreditation guidelines, new onboarding materials and new information on the conformance test suite.
The ACCC would like to thank everyone on the call and all of the stakeholders for an incredible year with a lot of hard work to make the CDR successful. Looking back on the year, there were times it was looking difficult but the commitment to deliver the CDR has not waivered. They also recognise the support from Treasury, OAIC and the DSB to make the CDR a success.
One member asked what is the closing date for submissions for accreditation?
ACCC noted that the last committee meeting of the year is on 17 December 2020. There is no closing date as such but if your submission is not reviewed at that meeting, it would go to the meeting early next year.
Kate O’Rourke provided a general update as follows:
Treasury noted that, in regard to the legislation which was introduced to affect the transfer of responsibilities from the ACCC across to Treasury, that passed the House of Representatives yesterday and is scheduled for Senate debate later today. They are working very hard towards a seamless transition of responsibilities. The effective date for the move is the 28 February 2021.
Treasury noted that in regard to the Inquiry into the Future Directions for the CDR Report, this is currently being considered by the Treasurer and they cannot provide any further update on this at this stage.
Philip Schofield from Treasury presented on the CDR Rules Review Consultation Review as follows:
Treasury have been asked to do a piece of work on the CDR Design Review and they are seeking initial thoughts from the committee and equally, more than happy to take this offline to discuss in further detail.
Treasury noted from a policy perspective, they are considering the broader strategic objective of how they bring in additional sectors to the CDR framework, keeping the use of sector-specific rules to a minimum.
The goal is to ensure that new sectors can be brought into CDR relatively quickly through reuse of existing rules, helping to minimise implementation costs, especially for participants spanning multiple sectors.
Treasury is considering three review themes i). universality (considers how readily the rules can be applied across multiple sectors and identifying which rules are appropriate to make or keep sector-specific) ii). Prescription (considers the balance struck between principles-based and prescription for the rules, and whether that balance is appropriate and iii). simplicity (considers the level of complexity of structure and expression for the rules, where there is the potential to simplify them in any way and if so, whether attempting to simplify them would deliver any material benefits).
Treasury noted that considering the three review themes i). whether the committee believed that any changes should be made to the CDR rules to better enable them to be reused across new sectors to achieve the goal of faster and cheaper implementation and ii). had they observed any interactions between the rules and the legislation, standards or guidance that help or constrain the extent to which the rules can be applied across multiple sectors?
Treasury would like to get the committee’s thoughts on growing and reshaping the rules to achieve that objective. They are also very happy to take thoughts and comments offline.
ACTION: Members to provide additional responses to the questions directly to Phil Schofield (Philip.Schofield@TREASURY.GOV.AU)
One member noted that they have not given any attention to energy and telco and they wouldn’t be surprised if it was a similar situation with other ADI’s. What are the expectations on them as participants in the open banking part of CDR to contribute to the discussion about cross economic benefits and features?
Treasury noted that they have expectation on themselves that they are striving towards that strategic goal of heading toward an economy wide ecosystem for CDR, but this does not translate to each individual data holder sharing that expectation. They are very mindful of the various layers of benefit that they see coming from the CDR. One being to the consumer and helping consumers find the best deals for them and the other is around innovation. Once you can access data from multiple sectors, under the terms and conditions of CDR what can be done?
The Chair noted that there was some interesting conversation expressed in this morning’s Energy meeting from DRs and potential intermediaries about the uniqueness in the energy model of the gateway model. They raised the issue of a unique model in energy and how they would cause cross sector use case build implications for DRs and DHs alike.
One member noted that one example would be working out the use case for solar panels and then the finance – this is an example of use case cross sector. Energy has already departed from the banking model with the introduction of the gateway.
Treasury noted that to the extent of talking to people who have yet to come into the system, or just from observing the rules as they currently are, if we do identify opportunities to make them more universal or simpler etc, there is a cost to change which they are very alive to. They need to build a case for change.
ACCC noted that they are currently working on v3 of the rules which is going to be directed at accommodating energy in the CDR and the proposal is to consult on those draft rules in February 2021. They can direct some very targeted consultation that can tie these themes together and provide feedback.
Treasury noted that this timing would work as they need to have this piece of work completed by the end of the financial year.
The Chair noted that the rules energy consultation framework document exists, and it may be that members of this committee haven’t looked at the document. The ACCC have presented a range of options in most areas because of the issues of universality, prescription and simplicity.
ACCC noted that the expected publication of the draft rules to accommodate energy in early 2021 will be an opportunity to provide feedback, and on the basis of draft rules that reflect policy positions and rules that have been developed taking into account the principles mentioned.
The Chair noted that it would be best if v3 of the rules and the consultation to accommodate energy in the CDR, that Treasury formalise the process and reach out to the Advisory Committee members for feedback.
One member asked, in regard to the 2021 format, as we are moving into cross sector whether the committees could be combined which would provide richer conversation.
The Chair noted that there will come a time in the first half of next year that we will converge back to one Advisory Committee and the reason for that is once v3 of the rules exist and it is the CDR rules, then the case for having separate committees is not there. If a third sector is announced that might be the time to have another Advisory Committee.
The Chair advised that the next meeting will be held remotely on Wednesday 10 February 2021 from 2pm to 4pm.
No other business raised.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 3:30