Minutes – 11 Feb 2021
Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 10 February 2021
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 28
AttendeesOpen allClose all
- Committee Members
- Andrew Stevens, Data Standards Chair
- Damir Cuca, Basiq
- Nigel Dobson, ANZ
- Rob Hale, Regional Australia Bank
- Frank Restuccia, Finder
- Lisa Schutz, Verifier
- Ross Sharrott, MoneyTree
- Lauren Solomon, CPRC
- Marie Steinthaler, TrueLayer
- Stuart Stoyan, MoneyPlace
- Barry Thomas, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Mark Verstege, DSB
- Paul Franklin, ACCC
- Mark Staples, Data61
- Ying Chin, OAIC
- Sarah Coe, Treasury
- Indiana Lowe, Treasury
- Daniel McAuliffe, Treasury
- Kate O’Rourke, Treasury
- Brenton Charnley, TrueLayer
- Andrew Cresp, Bendigo & Adelaide Bank
- Gareth Gumbley, Frollo
- John Harries, Westpac
- Erin Turner, Choice
The Data Standards Chair opened the meeting and thanked all committee members and observers for attending meeting no 28.
The Chair noted that he attended the first Consumer Data Right (CDR) Board meeting for 2021 on 9 February and Barry Thomas will attend the CDR Operational Committee meeting on 2 March 2021.
The Chair noted that the Technical Working Group have completed Maintenance Iteration # 5 and are about to initiate Maintenance Iteration # 6. They are also expecting to consult on the Direct to Consumer model alongside with the ACCC.
The Chair noted that the CX Working Group have released a significant revamp of the CX artefacts on a new platform and work on the new v2 rules CX artefacts is underway, including Joint Account (JA) guidelines.
The Chair noted that a new member of the team will be commencing at the end of February. The Business Analyst will provide technical analyst and requirement mapping between legislation, CDR rules, major payment system standards and technical requirements.
The Chair noted that Andrew Cresp (Bendigo & Adelaide Bank), Gareth Gumbley (Frollo), John Harries (WBC) and Erin Turner (Choice) are apologies for this meeting.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 9 December 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
Ying Chin from the Office of the Australian Information Commissioner (OAIC) provided an update on CDR policies for Data Holders (DH’s) and Data Recipients (DR’s).
OAIC noted that she met with Rob Hale from Regional Australia Bank (RAB) who provided some helpful feedback on their guidance pieces, largely focusing on how OAIC privacy safeguards guidelines could assist with entities participating in the CDR in more than one capability (i.e. DR & DH) and the challenges that arose in the context of developing the policy.
OAIC noted that as they are in the process of updating their guidance pieces they have been considering how to more clearly outline their expectations of how an entity would develop their CDR policy when they participate in the CDR in more than one capacity as there are different legal terms to refer to similar concepts. For example, as a DH you seek authorisation, which is essentially permission and as a DR you seek consent which is also an equivalent permission but those terms are not interchangeable from a legal perspective and that can present some challenges on how you convey that in your CDR policy.
OAIC noted the challenge of getting the level of detail right, especially where your data handling practices might differ between use cases, and striking the right balance and explaining those data handling practices in a way which isn’t so high level where it becomes meaningless but also not so detailed as to overwhelm the consumer.
OAIC noted that another important thing is testing your CDR policy by running your policy on a target audience to see if it is comprehensible and can be understood.
RAB noted that they have not resolved all of the challenges and more input would definitely help, particularly for the multiuse case scenario.
One member asked doesn’t the CDR already provide the data model to be able to facilitate that – we’ve got ADR’s and products – shouldn’t the scope be around the product as ultimately a product is a use case. Shouldn’t the policies be bound to that?
OAIC noted that the CDR policy could be bound by the specific products that the ADR is providing. They have to come back to what the purpose of the CDR policy is – which is to provide a general overview of how that CDR entity generally manages CDR data. It is important to remember that when a consumer goes through the consent process under the CDR, as an ADR you have to tell them specifically the use case that they are taking out with you and what Outsourced Service Providers (OSP’s) you are using.
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
Technical Working Group Update
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB finished Maintenance Iteration # 5 late last year for banking and the changes were summarised into the decision record that was sent to the committee for review. They will be implementing the next release of the standards shortly.
The DSB noted that Maintenance Iteration # 6 will kick off next week and they are going to try a few new things. Last year, they released a public version of a draft or a staging area for the standards which provides an opportunity where they can draft up decisions as discussed with the community, and to see them in situ in the standards prior to a decision being made by the Chair.
The DSB noted that they released the latest set of Decision Proposals around error handling to improve the interoperability between DR’s and DH’s and make things more consistent so that DR’s can rely on standardised consistent reporting of errors across all data holders.
The DSB noted that they are continuing the engagement on metrics and looking at the consultation on targeted improvements and discoverability.
The DSB have opened up a consultation in response to the v2 rules as they wanted to make it clear the DSB’s current view as far as the technical requirements and technical changes. They had an end to end review and their assessment was that for v2 rules, you won’t need any changes to the technical standards . They are seeking advice from the community on that view via Decision Proposal 153.
Consumer Experience Working Group Update
A further update was provided on the CX Working Group by Michael Palmyre as follows:
The DSB noted that since the last Advisory Committee in December, there has been a significant revamp of the CX artefacts on a new platform that they are using. They are porting the artefacts over from what was previously a PDF and have done this in response to community requests to assist with requirement discoverability and compliance recommendations. They initially focused on authentication as this was the least likely not to change after the v2 rules were made. They are now working on the new v2 rules and generic updates to the CX guidelines.
The DSB noted that they also have the CX metrics and research page which is to assist the community in measuring informed consent. They are now in the process or porting the remaining of the CX guidelines over and currently working on authorisation flows and dashboards and v2 rules items like joint account guidelines.
The DSB noted that they published the Consumer Policy Research Centre (CPRC) report on community sector engagement on JA in late 2020. That can be found on our website and this report includes recommendations that have informed further standards development work, including recommendations on error messaging and an in-flow notification for joint account holders. These have been reflected in both the error handling work and in Noting Paper 157 relating to the CX Standards Arising from v2 Rules.
The DSB noted that they closed Decision Proposal 127 on the CX of error handling in December. There were no proposals raised so this closure merely indicated that future CX Guidelines will cover a range of the issues highlighted in the CX workshop on error handling.
The DSB noted that Decision Proposal 144 was closed on 1st February following a request for extension. There was broad support for the CX proposal with a few recommendations and considerations. They did want to note that the consultation does not account for a gateway and that is because they are waiting for the practical roll out of the CDR gateway becomes clearer. They will then consider additional consultation on that.
The DSB noted that Noting Paper 157 was published in January providing a list of anticipated CX Standards changes following the making of the v2 rules. The paper highlights the mostly optional aspects being anticipated, and the extent to which new items are being considered. It also details the expected timing for standards completion and compliance, all of which will be consulted on in targeted decision proposals. NP157 also covers where standards are not anticipated, which was done to provide clarity for participants who may be anticipating substantive proposals in relation to new v2 rules.
The DSB noted that they published a placeholder for Decision Proposal 160 – CX Standards | Non-Individual Consumers | Business Partnerships | Secondary Users that they’ve called out in Noting Paper 157. The proposal is currently being developed but they opened it early so the community can provide input.
A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the Committee Papers and was taken as read.
The DSB noted the OpenID Foundation is an international Standards Body that sets a number of the dependent standards that the CDR uses like OpenID Connect and OAuth standards which allows us to implement the information security profile. Last year they worked on a certification test suite that builds on those international standards specifically for the CDR for DH’s. They reached out looking at the possibility of setting up some workshops to discuss with the community how participants could go about doing that testing and the coverage and what it entails.
The DSB noted that similarly this has been done in the UK with a good reception.
The Chair noted that increasingly the engagement of global standards organisations and the testing and tooling arrangements to reinforce and reflect the CDR from Australia is a big thing in terms of international opportunity and international interoperability.
Issues raised by Members
Rob Hale from Regional Australia Bank (RAB) & Damir Cuca from Basiq provided an update on JA holders and how it’s making it hard to onboard customers.
Basiq noted that they work with 190 FinTechs who use their platform for digital data capture which they are looking to transition into Open Banking as more banks come on board. Something that is incredibly sensitive and really important for them is usability. If they can’t provide a good, simple, seamless user experience, then that means loss of businesses to them. One of the concerns that has been raised is that there is generally a very serious concern around how JA holders works because of the complexity it creates in terms of communication with the end consumer. The practical elements need to be put into consideration as well.
RAB noted that their knowledge wasn’t where it needed to be initially, and this was an interesting learning. They have been immersed in this for a couple of years and despite that, they hadn’t appreciated some of the nuances and subtilties of the joint account rules in what is a very dynamic environment.
RAB noted that Joint Account Management (JAMS) is a having a big impact on their credit assessment use case, and they realise they are not quite where they want to be, but how do they correct and overcome that? RAB suggested that the Advisory Committee may not need to know the details of every rule but need to be aware when things aren’t working perhaps as we would like them to.
RAB noted that they have around 80,000 active customers, just under a quarter have open joint accounts with 3.5% of those having arrangements where another party has authority over what that primary account holder can do. Most JAs operate today with either party able to operate the account without the other party’s involvement.
The ADR use case RAB launched in July 2020 uses one-time consent. They ask customers to give them a snapshot of their data and they use that information to help determine suitability for a loan. One-time consent has a time limit with data holders (2 to 10 mins) with the possibility of extending to 24 hours with likely up-coming modifications to the Data Standards.
RAB noted their use case for online lending involves a complex series of pathways that vary according to the information you’re providing. The customer is prepared to invest time as part of a value exchange – sharing information and going through the application process in order to get something in return.
RAB noted that as an Accredited Data Recipient (ADR), you are unaware of what occurs within the authorisation flow. This is DH territory and is a private dialogue between the consumer and the DH. This is significant because whether the consumer may or may not select a JA is unknown to the ADR. When selecting accounts for sharing, under the new rules this can include JAs that require a disclosure option to be set, as there is another party involved. It’s important to understand what’s going on from a consumer perspective. It is a complex and unfamiliar process (for the consumer) and it’s important to realise that with one-time consent, as a DR you won’t know if there is a JA out there, and even if you did, you can’t go back later for it.
Basiq noted that there are a multitude of Open Banking use cases that are mobile based so the physical consent on location also becomes really important and we need to think about different situations with different kind of parties engaging with this. If the JA account requires another party to engage the whole thing breaks down.
RAB noted that the situation is compounded if you’ve got multiple JA with multiple banks. There has been extensive consultation on JAs, previously known as in-flow election. This is now known in the new rules as setting of a disclosure option.
RAB noted that the learnings are: JA management is complex; JA disclosure adds further friction to data sharing; JA disclosure adds further cognitive load for consumers; JA disclosure involves additional parties; ADR Rules, Data Standards and CX Guidelines associated with JAs are not well understood; a Disclosure Option is required by all JA holders before data can be shared; ADR’s don’t have visibility of which accounts have been authorised for sharing; one-time consent becomes impractical when Disclosure Options have not been made.
RAB noted that there is this concept that if you have got authority to access data, why can’t you share it? There is this other idea that if you can transact on an account does that mean you should be able to share that data too?
There is a warning here, if these two concepts were combined, that could mean where a transaction account requires multiple parties to approve a transaction, might translate to everyone having to approve sharing, which would be even worse. RAB noted that from their conversations, current bank customers expect that if you can access data you should be able to share it.
RAB asked would happen if we default JAMS to ‘ON’ for JAs. Does that create more problems, and if we’ve got payments under CDR what does that mean, do we have to implement some other controls around payments because that’s very different from sharing data. What are the implications on other industry verticals and what learnings can we take?
Basiq asked how do you as a joint holder log onto your bank and give your partner access to be able to share? Major banks have inconsistencies in terms of language and because it’s out of context there is no value exchange.
RAB noted that the JAMS rules were consulted on in late 2019, were made in late 2020 and the new v2 rules will take effect in 2021. This is a big timeframe and the feedback that was provided was a bit limited and some of those foundational assumption that we’re challenging now don’t appear to have been tested. The early CDR adopters were focused on Go Live objectives rather than future directions and did not respond to the consultation. Had they, they would have identified some of the challenges earlier. Now that CDR is live, should the process be modified for Rules, consultation, Rules setting, Rules engagement and how do we get the right people to participate in that? Should we actively seek out those with practical experience in CDR to assist with Rules; should the draft Rules be field tested somehow before being made; is there an equivalent of UAT for Rule making? Maybe if we can that right we can avoid repeating the banking sector joint account situation in other areas of the economy.
RAB noted that they are highly motivated to work on this and find a resolution, but it is going to take a lot of people and time.
Basiq noted that they have been in discussions with the Google team and they are about to release a white paper on best practices in Open Banking and their experiences of what they’ve done in India and the UK etc. They have fundamentally put it down that the adaption is purely driven by user experience. One practical way for us to accelerate some of these concepts is to introduce it to engage with companies that are relying on digital data capture services.
The Chair thanked Rob Hale & Damir Cuca for their presentation. He noted that we need a lot more consumer experience research and talking to consumers, taking them through the flows before the rules are made rather than afterwards.
Basiq highlighted that the part that’s fundamentally missing is that the developers and engineers that are going to be utilising this have just an equal important role to play in CX as the consumers do.
One member noted that whether or not the policy principle that we’re embedding is actually correct, which obviously from their perspective they think it is, how we give effect to that principle through the interface with the consumer is something we should be talking about. If the principle can be delivered through a bunch of ways of engaging a consumer to provide the consent, is an important conversation to have. Is there a simple way to get the consent to the JA holder, can you do it through SMS process which is a more expedient way to achieve the same policy objective?
RAB noted that under the new rules it is possible to ‘ping’ the other party to get a response, but it relies on them being available and understand what’s being asked of them before the token expires.
Basiq believes the controls that have been put in place are right, every consumer needs to have full control over their wish to share or not. The control mechanism is right, the only thing is that it is off by default. If we could honour whatever consent authority that was given to the bank when the accounts were originally set up would be the ideal scenario.
The Chair noted that this has been a great discussion. He has been trying to work out if this about authentication, consent, pre-election in some form of persisting authority and it could be all of the above. He is also encouraged to hear that the policy part is right it is just the mechanisms that we use in the flows and reduce the friction that is there without undermining the policy intent.
One member noted that this is going to be one of several examples that we see the initial intent and the actual execution balancing between what works and what is needed to make the ecosystem work versus what is pure and what is right and what is perfect. They come back to Scott Farrell’s original simple view of “whatever I can do with money I should be able to do with my data”.
The Chair asked noted that we have Maintenance Iterations for Standards, and should will also have Maintenance Iterations for Rules?
The member noted that where we were three years ago, is very different to where we are at now – our thinking, experience and how the system is working. Rules set up three years ago might have been more precautionary and done in a particular way due to a lack of understanding as to what the actual experience might be. As those things change, we should be iterating, adjusting, amending and maintaining the rules in a manner consistent with overarching policy objectives.
One member noted that, in regard to UAT for rules, in the same way we do testing for development, we have a range of test cases and maybe even a formal set of test cases that we’re solving for and we run them through the rules, the standards as well as development. They think it is the holistic sense as opposed to are the developers okay, but are the product people okay etc and running it through holistically in a UAT effectively of the system.
The Chair noted that this is an issue for the Rules Review that Treasury are currently undertaking and it makes sense to add the questions of not only the UAT on the way through, but how the rules and standards are made, and once they’re in place for a period of time to review, maintain and enhance them based on the results of operations and the rules and use.
Treasury noted that it is not new in the sense that its already got this idea the rules are going to be evolving in new versions of them being published. The changes in November were actually variations to pre-existing rules in relation to JAs so they’ve already been improvements to them. They don’t think it’s a new idea that as they evolve the rules themselves might need to be rethought in relation to particular topics. They need to have a high bar for change because people have built to rules and they’ve built quite detailed systems in response to them, so they need to be really sure about changing them.
Treasury noted that with the movement of the Data Standards Body, and the rulemaking team into Treasury and under one roof will help with the cohesion of the consultation process and development of the issue and seeing how policy issues are interwoven.
Kate O’Rourke from Treasury provided an update as follows:
Treasury noted that we have a new Minister for Digital Economy which was part of the reshuffle in December. The Prime Minister has decided to give this role to Senator Hume and her responsibilities have been expanded to very expressly say digital economy which is welcome and a fantastic development for CDR to have a minister who’s dedicated to digital economy. Minister Hume will be making the rules moving forward now that it’s shifting across from the ACCC. Treasury, who gives advice to the Minister, will be taking a more central role and coordination role, not just for policy but for the rule making.
Treasury noted that the functions are moving and that Treasury will be coordinating the overarching responsibility for the program, but it remains very much a multi-agency beast. We have the Australian Competition & Consumer Commission (ACCC) and OAIC as really close partners with different responsibilities and Treasury taking that policy of the rulemaking advice piece and governance and coordination. They are thinking about the engagement and communication piece and the benefits of doing some consultation process in a coordinated fashion.
Treasury noted that in relation to the Farrell Report (Inquiry into Future Directions for the CDR ), it is long and complex with 100 recommendations and significant reform ideas. They have been working on providing advice to the government on the appropriate response and there will be some consultation on that.
Treasury noted the continuing work on the rules/design review and how consideration is being given to how we might make the rules more universal, less complex and ensuring that we get the balance right between principles based and prescriptive law. This work is continuing but Treasury confirms that they are receiving feedback that those goals are appropriate to focus on to make the rules fit for purpose.
Treasury noted, in regard to what they’re doing about defining the success for CDR and the appropriate metrics for consumer participation levels and consumer outcomes, that it is not just the consumer participation but the developer, engineer or company participation views on this as well.
No update was provided by the ACCC at this meeting.
The Chair advised that the next meeting will be held remotely on Wednesday 10 March 2021 from 2pm to 4pm.
One member noted that he has been in a couple of virtual conferences and also in Clubhouse, the new audio social media platform that the young do with Elon Musk. He has joined a few different regional and start up groups in Australia and people are talking about Open Banking, the CDR and the broadening of it and he has realised that there is a lack of understanding. He noted that there are a bunch of start-ups that are not Fintech’s that are really interested in this and there is going to be a bunch of organisations that we’re missing that we need to think about how to engage with them.
The Chair noted some of the DSB team would be interested in attending these meetings and if possible, could he forward an invite to them as it would be useful.
One member noted in regard to Scott Farrells Inquiry into Future Directions for the CDR Report, is there any possibility Scott could come in and talk to the committee about the report?
The Chair noted that he has been on sabbatical, but he will extend an invitation to Scott to attend a committee meeting to give his view on it.
Treasury noted that in terms of timing, if they have an information session it might have to be out of session from the Advisory Committee rotation.
The Chair wanted to wish Marie Steinthaler all the best as she is heading off on parental leave. Brenton Charnley will be filling in as the TrueLayer representative.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 3:28