Data Standards Advisory Committee, Meeting Minutes
Date: Wednesday 14 April 2021
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 30
- Andrew Stevens, Data Standards Chair
- Brenton Charley, TrueLayer
- Damir Cuca, Basiq
- Nigel Dobson, ANZ
- Gareth Gumbley, Frollo
- Rob Hale, Regional Australia Bank
- John Harries, Westpac
- Frank Restuccia, Finder
- Lisa Schutz, Verifier
- Ross Sharrott, MoneyTree
- Barry Thomas, DSB
- James Bligh, DSB
- Ruth Boughen, DSB
- Rob Hanson, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Mark Verstege, DSB
- Paul Franklin, ACCC
- Mark Staples, Data61
- Shona Watson, OAIC
- Kate O’Rourke, Treasury
- Jessica Robinson, Treasury
- Andrew Cresp, Bendigo & Adelaide Bank
- Lauren Solomon, CPRC
- Stuart Stoyan, MoneyPlace
The Data Standards Chair opened the meeting and thanked all committee members and observers for attending meeting # 30.
The Chair noted that at the end of the first calendar quarter, good progress has been made by the Technical & CX Working Groups with the second draft of the Energy standards and ongoing consultation being published and the CPRC's report on vulnerability has now been finalised.
The Chair noted that there are a number of workshops planned over the coming month including a series of workshops with OpenID Foundation and a workshop on the Draft Standards API Feedback.
The Chair noted that a paper on New Payments Platform Australia (NPPA) & Consumer Data Right (CDR) Alignment was circulated to the committee and would be discussed as part of the Technical Working Group update later in the meeting.
The Chair noted that Erin Turner has advised that Choice will be stepping down from the Advisory Committee for the banking sector. They have valued their time on the committee but unfortunately as a non-profit they have limited resources. He noted that Choice had been involved in the committee since the beginning and he wanted to extend his thanks to them for their contributions.
The Chair noted that Andrew Cresp (Bendigo & Adelaide Bank), Lauren Solomon (CPRC) and Stuart Stoyan (MoneyPlace) are apologies for this meeting.
The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 10 March 2021 Advisory Committee meeting. The Minutes were taken as read and formally accepted.
The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.
Working Group Update
A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.
Technical Working Group Update
A further update was provided on the Technical Working Group by Mark Verstege as follows:
The DSB noted that it has been a busy month and they are close to the end of their current Maintenance Iteration # 6 which has been going well. The DSB trialled a new process which has staged all the changes in draft format which is available for participants to review which has worked effectively. Good engagement and buy in has been received from the community.
The DSB have had a number of Decision Proposals and consultations that have recently concluded, most notably white labelling; during which they have walked through the scenarios outlined in white labelling and current position and how they could be addressed in the Data Standards (both Consumer Experience (CX) and technical) which seemed to resonate quite well. Hopefully this allows for greater clarity as to introducing the white labelling arrangements into the regime.
The DSB are preparing for the next release of the Standards (version 1.8.0) which will include changes from a CX perspective, the iteration process and the changes resulting from the proposals that they’ve been consulting on.
The DSB noted on the NPPA alignment paper and the question on how they ensure Open Banking authentication and consent management is supported by NPPA and the importance in making sure they're aligned and don't negatively impact consumers or make it confusing by having separate flows. The DSB have discussed this internally and realised that it is probably too soon to be able to talk about how they will resolve these issues and they need to couch it into a broader position around what action initiation might look like and how that may flow through from both a technical perspective and CX standards and what are the key problems they’re trying to solve.
They are also looking at how payment initiation works within a broader action initiation framework, noting that the NPPA is only one of the payment services that offer payment initiation for consumers. They are looking at it from a top down perspective.
The DSB noted that with the paper they have tried to present a set of questions they need to progress and solve first. They acknowledge that this is quite a collaborative process and what the paper lays out is not a formal position from the DSB or Treasury’s CDR Division, rather it is recognising the current stage. They are waiting for a determination around which recommendations will be taken up out of the CDR Inquiry and it is more a hypothesis around what it may look like and what we need to consider.
The DSB noted that it is important that instead of starting with NPPA as a specific action initiation we need to solve, or how do we fit in mandated payment systems or services, recognising what the CDR is trying to solve for is an economy wide problem. We are payment system / payment initiation agnostic and trying to come up with a comprehensible framework for consent that would allow multiple different actions to be initiated and potentially combined with other actions, data sharing and read access.
The DSB noted that when it comes to alignment of CDR action initiation and CX to industry initiatives, some use cases can be dealt with entirely through a CDR action initiation, some use cases may have non-CDR processes that cannot be incorporated into CDR flows at all and some use cases may have non-CDR processes that can be incorporated into CDR flows partially or entirely.
The DSB noted that having some sort of framework of assessment to be able to identify what are the key problems that the CDR is trying to solve and would the CDR fit into a particular sector solution or sector model that exists today. Starting back at CX and understanding who are we solving it for, what are the consumers expectations and who are the consumers involved for any given action. Understanding when a sector action is a CDR action and how and when actions be combined under one purpose to fulfil a use case or journey. Also, to what degree do they need to offer specificity and prescription versus giving participants flexibility to be competitive and to be able to accommodate voluntary actions and introduce changes identified that are valuable to consumers.
The DSB noted that by taking a top down economy-wide lens to action initiation, they are seeking to minimise or remove risks and they have also considered some assumptions recognising that many Accredited Data Recipients (ADRs) will want to be action initiators but not all initiators will be ADRs themselves and they’re going to have a different type of accreditation for different roles that those third parties may play in the CDR. Similarly, not all DHs are necessarily action providers, or action providers of the same set of actions, even within a sector. Their assumption is around making sure they have that cross-sector consistency, reducing implementation costs and also allowing for the foundations of the action framework to be built so it's easier to introduce other actions as they go forward.
The DSB noted that on NPPA and the mandate payment service (MPS) although it is an incredibly compelling payment service, it is still one method of payment that Australian consumers have at their disposal and CDR should facilitate all methods designated.
The Chair noted the Government led by the Minister is considering the whole action initiation recommendation from the CDR Inquiry, and they are not seeking to get ahead, their objective is to do some thinking so they can not only deliver on the issue raised by this committee but also inform any decision making or any options being considered.
One member thanked the DSB for doing this great work which is really important to the policy goals and wondered how the design thinking approach be baked into the process. There are other pieces of data flowing in a lot of the journeys, for instance ID verification and from a demand point of view, it is going to come down to what ADR’s are willing to put their money into building those user journeys. It was good to get a sense from the ADRs of where they want to focus because ultimately if you don't build it nothing will change.
The DSB noted that it has been really encouraging to see the process they’ve been taking around the more recent engagement on rules and how they work within that Treasury set up. They are looking much earlier in the piece for what is needed for consumer experience research and how that may flow into that early upfront thinking. There is definitely a recognition and acknowledgement that it needs to happen.
The DSB noted it is their intention to take a design thinking approach to develop this and there are some key questions for them around the exploratory phase about what it means to authorise an action in the first place, what they are overlooking when it comes to mental models and what they are getting right. That is a key part of the process they want to attempt to engage in upfront. They also want to understand from an ADR perspective what the use case is, what the action they are proposing will look like to the consumer and what the outcome is intended to be. There is also a range of questions around what the use cases are for action initiation as there would be a huge benefit in applying a design thinking lens upfront.
One member asked what bits of the CX are centralised and rules driven and what bits are emergent? Whatever work is done centrally in terms of standards setting around CX is great at one level but it inhibits innovation. There are plenty of ADRs who have whole teams working on this constantly. At a conceptual level, how far down the path does the CDR regime go to mandating user journeys? This is a really critical point because you can't solve this, as the whole digital ecosystem is doing this all the time and you'll get to them very slowly and potentially not allow for emergence. There are also not enough designers and it would be much better to let the ADRs innovate.
The Chair noted that they are trying to make the CDR regulated space as tight as possible so that the competitive space outside is where the real differentiated user experience will blossom. The tension is where that boundary is.
One member noted that we need to be careful not to regulate things that are already regulated elsewhere. They have this problem with joint accounts where processes already exist that determine who can share what with whom and adding another layer on top of that pre-existing authorisation process has created a challenge for them today. Action initiation might be another potential candidate if we are not more mindful of pre-existing regulations.
One member noted that from their perspective of doing both data and payments in the U.K. is that customer experience and the consistent consent flow and authorisation flow. He recommends that in terms of the design process we keep tight on how we ensure open banking authentication and consent management is supported, or maybe not supported but aligned with NPPA. We can’t control how the NPPA designs their mandates and they can’t influence how we are providing authorisation and consent. Who is responsible for ensuring the consumer outcome is as good as it can be? There is a consumer risk if nothing happens and there are different outcomes for consent under payments and consent under the CDR. Who has accountability and responsibility for the current issue which is CX around consent management?
The Chair noted that they have started working with NPPA on an informal basis and there has been reasonable intent expressed from both sides to work collaboratively.
One member noted from a bank's point of view, they would love to reuse the consent flow that is already in existence for data sharing with the appropriate liability and accreditation models in place for payment initiation. It would make a great deal of sense for them as banks as data holders and payment recipients to receive in a similar manner as it's been proven and validated and reuse that consent flow where appropriate and possible.
One member concurred and noted that it has been a really good discussion and it is worth considering what role Treasury plays to help guide this process. They also noted that in regard to high integration costs with existing action networks and/or non-interoperable standards, what do the DSB fear could go most wrong?
The DSB noted that on the integration costs they were trying to get to the high integration costs to integrate with particular networks or action network and it might be important to draw out a slight distinction between what NPPA and the MPS is trying to do with authorisation. This is about a consumer authorising a mandate to be created as opposed to the CDR granting consent to a third party to instruct particular actions on their behalf. The roles have slightly different approaches and the consent is very similar, but it's not exactly the same.
One member noted that it’s one thing to have a standardised consent to a range of activities but what is probably more important is the liability regime and the accreditation model. Ultimately the liability model will be different because there’s different consequences for mis actions or inappropriate actions etc. and under payment initiation that are under data sharing. Consent is not the contentious issue; it will be around the liability relating to the different choices of payments and the accreditation methodology and the frequency of audit and resilience checks to ensure that the initiators are constantly able to make secure and compliant payments.
One member noted that from an ADR perspective, it’s very exciting for them to make those experiences really slick using payments. In the UK market, they have achieved some of that and if we can get to that point and piggyback off the NPPA services using the CDR and perhaps some tiered accreditation service that would allow some participants who have done the necessary work to cover off some of the extra complexity of being able to manage those payments and initiate that sort of experience for customers and we can accelerate the timeline using that work.
The DSB noted this is all speculative at the moment and it's great we’re having these conversations, but this is built on a general expectation that things might happen, but that's to be seen and the timing is still to be determined.
The Chair noted that it is useful for those who will be discussing and advising Minister Hume on these points to actually observe this discussion because the hardest thing they’ve seen in the last 2 ½ years is to see the possible, it is easier to see the risk and shortcomings and challenges.
Treasury noted that part of the consultation they went through recently was to start looking at the CDR Inquiry and they have started to engage with people around the future possibilities. They have been engaging with ACCC and the DSB around the NPPA and looking at opportunities to piggyback and drive alignment early. They are very excited about what the future directions capability offers and they will be looking hard at how they take that forward in terms of an implementation process and the opportunities to leverage off existing commercial progress on payment initiation and how they build the action initiation around that which is really important.
Consumer Experience Working Group Update
A further update was provided on the CX Working Group by Michael Palmyre as follows:
The DSB noted that they have been very busy this month with both standards and CX guideline work and also finalising the activities around the Consumer Policy Research Centre's (CPRC's) report.
The DSB noted that the CPRC report includes a lot of detail around context, a comprehensive knowledge base around vulnerability to help us understand what to look for, what to support and what to mitigate etc. It also has a very useful toolbox for tackling consumer vulnerabilities. This is a step towards acknowledging the difficulties in this area similar to what open banking UK have done in providing some artefacts in that respect.
The DSB noted that there is another CPRC report that is being finalised which is on consent and measuring and that will be released shortly.
The DSB noted that Version 1.7.0 of the standards was released in March, which includes a change to present the CX Standards alongside technical standards. Decision Proposal 168 was incorporated into this release.
The DSB noted that a revision to Decision Proposal 144 was published and consulted on for a second round. This decision was finalised and approved by the Data Standards Chair on April 6. The decision record has been published to DP144. These CX standards will be incorporated into an upcoming standards release and will be accompanied by relevant CX artefacts.
The DSB noted that they have also published a revamped authorisation, DH Dashboard, and authorisation withdrawal artefacts on the new CX Artefacts website. Those artefacts have been updated to reflect v1.7.0 standards, relevant v2 rules, recent research, and leading practice.
One member noted that the updated artefacts are already proving really helpful for them. Do they have a timeline for the checklist to include the data recipient consent screens?
The DSB noted that they are looking at a May or June timeline for the bulk of the work on ADR artefacts as they have been focussing on data holder obligations initially.
A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the Committee Papers and was taken as read.
The DSB noted that they have over 500 articles on the knowledge base and it’s growing nicely. It is a very useful set of information for the community and they are actively tracking which articles are getting read, which helps inform them, in particular if they want to present something in the Implementation Calls. They are proactively identifying where the pain points are. They are also testing an Artificial Intelligence (AI) answer bot which is proving quite effective and they are looking to deploy that soon.
The DSB noted that they are holding a series of workshops with OpenID Foundation (OIDF). The OIDF standards underpin the DSB standards, particularly when you’re talking about financial-grade API (FAPI). It is fundamental to everyone's implementation so being able to be appropriately compliant is a big deal. OIDF have taken it upon themselves to create a CDR compliance test suite. The DSB are working with them to present the workshop next week to introduce the test facilities that have been created which they think will be really useful because it is outside the accreditation or onboarding process and it is a way to validate your build without having to go through a formal process. You can also optionally choose to be OIDF certified for a fairly modest fee. There is a follow up workshop scheduled for 4 May 2021 which will focus on a deep dive into conformance testing.
Kate O’Rourke from Treasury provided an update as follows:
Treasury noted it has been working to understand options for driving uptake in the CDR by both ADRs and consumers. There has been a lot of investment in time, money and business opportunities by ADRs, DHs and the Government in CDR, which increases the importance of encouraging uptake for the regime to flourish.
As part of this analysis, Treasury has been considering questions of energy design and also considering issues that were raised but not included in version 2 of the rules, including tiered accreditation and the idea of sharing data outside the CDR to particular groups of people i.e. trusted advisors. Treasury has also been considering areas of friction that might be slowing uptake, noting the importance of balancing any expansion of the regime, with managing the risks associated with that expansion.
The Treasury noted that they’re trying to keep the CDR rules as universal, simple and principles based as possible and remaining open to making revisions when they see how they apply in practice. They have been thinking about the process for how to move from a set of policy positions to a good set of rules, noting the importance of rules and standards design.
Treasury noted that they have been thinking about trialling a new monthly forum on the big picture of the CDR framework, design and strategy. They’ve had a lot of ad hoc discussions on the CDR Inquiry and the bigger picture and the way forward and they see further value in holding discussions about framework and design as there are so many aspects of Farrell that are going to be really interesting and complex.
In relation to communications and engagement in CDR more generally, Treasury will be taking this on from ACCC and they are in transition in terms of the website and the newsletter etc.
Treasury responded to a member’s query on what products and apps DHs will be able to see consumers are using when they're using CDR. Treasury confirmed that under the rules, the DH will know the identity of the ADR that requests the data because of the consent process, but there won't be a provision of any details of the purpose for the data source or how it will be used. There are rules that prohibit the DH from requesting additional information from the consumer like the products the ADR is offering when they’re asking to authorise the disclosure. There are also rules that prevent the inclusion of additional information at that point i.e. there can’t be an offer of a new product at that point in time.
One member noted that it’s about levelling the playing field and making sure everyone has equal time. As a bank you have extensive visibility of what your customers are using which fintechs don’t which gives them the upper hand. That is something that DHs will have but ADRs won’t and it may be misused and give them a competitive edge.
Treasury noted that the rules have been developed in relation to read access, and that in the new world of action initiation, this issue will be important to consider further.
Paul Franklin from ACCC provided an update as follows:
The ACCC noted that of the 94 authorised deposit-taking institutions (ADIs) that exist in Australia, 5 are already live, there are 2 or 3 that have no relevant consumers or accounts for example Cuscal Limited and Australian Settlements Limited (ASL) who only provide settlement services. They have around 86 that need to be onboarded by the 1st July. There are a number of exemptions that have been granted including for example if an ADI is going through a merger or integration of two merged entities etc. Participants are able to see those who have been granted exemptions on the CDR exemptions register. The Onboarding Guide can be found on the CDR website and outlines the timeframes and process.
One member asked if ACCC can give any indication about any tier two banks who might go early as it would de-risk their use cases somewhat.
Another member noted that they have raised this before when the big 4 went live and it was about getting access to test data. Seeing production data before they go live is useful for all of them as they get optional data fields and the sooner they can start to see production data rather than test data will be beneficial. The operational load of ADIs coming live to support that will be a real challenge.
ACCC noted that they are not in a position to indicate which banks will go early and unfortunately they don’t have any way of compelling them to go live before their obligation kicks in. When they are in a position (and with the banks' permission) they would be happy to share that information.
The ACCC have a dedicated team working through the onboarding process with each of the ADIs over the coming months and they have recently increased the number of members of that team to make sure that they’re appropriately resourced to support the expected wave of activity that will peak around June. They are encouraging participants to plan for activation as soon as possible after they have finished onboarding, especially if they want to do any pilot activities with a limited number of customers, which they will need to do in the period before the 1st of July.
One member noted in regard to operational support, they have learnt a lot with the big 4 in terms of errors and issues with APIs and they will see that again on a much larger scale. When they go into an error with an API, the amount of work they need to do to provide evidence of that error is quite significant and when they start to multiply that out across many providers they have real concerns around that.
ACCC noted that the testing strategy was published a while ago and they can circulate that again and that presupposes that everyone will have done their own solution testing first and that the conformance test suite (CTS) is essentially the last step before go live to ensure they are compliant.
ACCC noted in regard to a relatively large number of small banks that are using a common vendor and where they expect those vendor products to be available a relatively short time before the compliance date, they are actively managing the testing and go live process with those organisations to make sure there are a handful of lead ADIs who are able to test early and share their learnings with other users of the same product. They don’t underestimate the size of the challenge that they have to bring on a large number of organisations.
The Chair noted the situation where ADR organisations are unable to do industry testing, due to the volume it may expose the industry testing of the DH’s who won’t have an ADR to play with.
ACCC noted that there is no multilateral testing for this onboarding exercise, the multilateral testing that they did before go live for the whole environment was because they were standing up a new environment. The test strategy is much more light touch and is up to each of the DHs to determine.
ACCC noted that you will see a number of additional brands being added to the system. At least 3 of the major banks have non-major bank brands like Bankwest, St George & Bank SA and will be coming into the ecosystem around the same time. Some of the ADIs will be going live with a large number of brands including a number of white labelling brands.
The ACCC noted that as at 8 April 2021, 9 ADIs have received an exemption to defer their commencement date for one or more obligations, 3 ADIs were granted exemptions to defer their Phase 1 obligations until the 1 November 2021, 3 were granted exemptions to defer all 3 Phases until mid-next year and 3 have been granted longer term exemptions due to their unique circumstances. Those ADIs represent a very small number of eligible CDR consumers and all exemptions are published on the ACCC website.
The ACCC noted that all applications for exemption, particularly for consumer data sharing, are assessed on a case-by-case basis and the ACCC carefully considers each application including the reasons for the application and the impact to the consumers given the market share of the organisation.
One member noted that in regard to the remediation plans that came out with the big 4 and the 9 that have exemptions, are there remediation plans outside of these exemptions for example, can they make the July deadline but not provide all of the data or the data reliability is not there?
ACCC noted that any gap in functionality will either be covered by an exemption or will have a remediation agreed with the ADI. Between the remediation schedule and the exemptions register that should give a full picture of all gaps.
The member noted that we will not know the remediation schedule till after 1 July 2021 and is there a maximum timetable for the remediation plans?
ACCC expect a number of banks will be going down to the wire to get functionality launched and in the event they don’t make it, that will go on the remediation schedule even if it's only a particular data field or a particular data set. The timetable decision is made by the Commissioner based on the recommendation from the team and each case depends on the level of technical complexity. The situation between exemptions and remediation is quite different, the exemptions effectively say that they’re satisfied there's good reason that you cannot do the work to comply. If there is no exemption then it's a legal obligation to comply. The remediation schedule is essentially saying this organisation is in breach of the rules in relation to this particular data set for example and there's no permissible timing to not comply with the law. The ultimate goal is to make sure that we have a fully compliant ecosystem with all the data that the DRs need to make CDR work.
The Chair asked if this is the first major deadline for the testing strategy and the industry CTS balance that is currently in place?
ACCC noted that there was no CTS in place for July 2020 but they did have the CTS available to major banks around September 2020 for the incremental functionality and they also have a group of organisations who are their beta testers. The CTS has been enhanced and tested since last year but yes, this is the first time they’ve used CTS for a very large number of organisations.
The ACCC noted that for the initial DHs, Phase 1 and 2 of Product Reference Data (PRD) obligations have been in place since 1 February 2020 and Phase 3 obligations since 1 July 2020. For non-major banks or ADIs, Phase 1 obligations commenced 1 October 2020 and Phase 2 on 1 February 2021 with Phase 3 obligations due to commence on 1 July 2021.
The ACCC are actively encouraging any interested parties to report issues regarding PRD via their CDR mailbox. Over the last couple of months they’ve been conducting compliance checks to determine whether DHs are making PRD available in line with their obligations and that the data disclosed by a DH’s PRD services matches the data on their websites and product disclosure statements and that the DH’s product data request services and the data they disclose are in the form required by the Data Standards. This is a significant piece of compliance work to check both the availability of the information and the conformance to other sources and to the standards. As part of that work, they’ve also investigated data quality issues reported to them by interested parties. While there appears to be a generally high level of compliance across DHs, they have identified a number of potential data quality and availability issues and they have written to each of the banks affected by that apparent discrepancy to ask for more information.
The ACCC noted that in March they sent a letter to a number of DHs requesting responses to their findings and they’re reviewing those responses as they come in. They expect the level of compliance to increase as a result of that review and also to identify opportunities to clarify their guidance and relevant standards as they arise. They continue to encourage all interested parties who have problems with PRD to report them via the ACCC email address.
ACCC noted that they currently have 10 ADR’s in the CDR ecosystem. They have 5 applications for accreditation that are under assessment. The key issue with most of those applications under assessment is that they are either waiting on their security assurance reports or clarifying information on security assurance reports. There are over 200 entities that have been granted access to the CDR participant portal to either commence accreditation applications or to register as DH’s.
ACCC noted that since they amended the CDR rules in October 2020 to allow for accredited intermediaries to collect data, 4 entities have been accredited to operate as accredited intermediaries (Frollo, Illion Open Data Solutions, Yodlee and Adatree) and they are currently assessing a further 2 applications.
The ACCC noted that they have an active cyber security team and one of the key goals of the CDR is to enable consumers to safely share their data and cyber security of the register is a critical component in making sure that data sharing is genuinely safe. They have a very experienced cyber security Director and team that is actively monitoring threats and responding and protecting the register and they plan to continually uplift their cyber security capability. They provided a briefing to a number of CDR participants recently about the contents of that plan and obviously for security reasons they can’t share due to the sensitive nature of the information.
The ACCC noted that they will be sending out their last CDR Program newsletter on Thursday 22 April. After that date, Treasury will publish the weekly CDR Program newsletters but they will continue to communicate directly on decisions they make as a regulator and will provide content to the Treasury newsletter.
The Chair advised that the next meeting will be held remotely on Wednesday 12 May 2021 from 2pm to 4pm.
No other business raised.
Closing and Next Steps
The Chair thanked the Committee Members and Observers for attending the meeting.
Meeting closed at 15:35