Minutes - 14 Apr 2021

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 14 April 2021
Location: Held remotely, via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 15

Download meeting minutes (PDF 190KB)

 

Attendees

  • Andrew Stevens, Data Standards Chair
  • Jill Berry, Adatree
  • Lawrence Gibbs, Origin Energy
  • Peter Giles, CHOICE
  • Melinda Green, Energy Australia
  • Joanna Gurry, NBN Co
  • Joe Locandro, AEMO
  • Frank Restuccia, Finder
  • Lisa Schutz, Verifier
  • Ed Shaw, Ausgrid
  • Dayle Stevens, AGL
  • Barry Thomas, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Paul Franklin, ACCC
  • Mark Staples, Data61
  • Athena Jayaratnam, OAIC
  • Kate O’Rourke, Treasury
  • Louise Benjamin, ECA
  • Aakash Sembey, Simply Energy
  • Lauren Solomonm, CPRC

 

Chair Introduction

The Data Standards Chair opened the meeting and thanked all committee members and observers for attending meeting #15 of the energy sector Advisory Committee.

The Chair noted that at the end of the first calendar quarter, good progress has been made by the Technical & CX Working Groups with the second draft of the Energy standards and ongoing consultation being published and the CPRC’s report on vulnerability has now been finalised.

The Chair noted that there are a number of workshops planned over the coming month including a series of workshops with OpenID Foundation and a workshop on the Draft Standards API Feedback.

The Chair noted that Louise Benjamin (ECA), Aakash Sembey (Simply Energy) and Lauren Solomon (CPRC) are apologies for this meeting.

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 10 March 2021 Advisory Committee meeting. The Minutes were taken as read and formally accepted.

Action Items

The Chair noted that the Action Item for the DSB to set up a Standards Design Challenge Subcommittee will be taken into account and done as part of the upcoming committee refresh.

The DSB also provided a link in the papers for the ACCC’s knowledge article on the co-existence of screen-scraping.

Working Group Update

A summary of the Working Group’s progress since the last committee meeting was provided in the Committee Papers and was taken as read.

Technical Working Group Update

A further update from was provided on the Technical Working Group by James Bligh as follows:

The DSB noted they are nearing the closure of their second holistic review of the energy draft standards and the amount of feedback being received is starting to slow down. This means from an API payload perspective they are getting to a level of stability which is a good foundation to build on. They are starting to work out their program of activities and depending on various decisions from a policy perspective about how they engage in a consultation going forward, filling in the gaps for the rest of the regime.

The DSB appreciate the energy industry’s active participation in some of the cross sectoral items like white labelling which immediately affect banking but will have flow on effects in energy. It has highlighted a couple of things which they will need to address before implementation begins because there are some situations where energy data holders (DH’s) are more likely to be cross industry, as in they will come up in designations under multiple industries sooner, and that will have an immediate impact particularly for white labelling scenarios.

The Chair noted that he endorses those comments and appreciation and once again thanked those who’ve been participating and supporting the consultation process.

Consumer Experience Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that there has been a lot of activity since the last Advisory Committee, they have consulted on and finalised a range of CX standards and published new CX artefacts. They have a report on vulnerability from the Consumer Policy Research Centre (CPRC) which is being finalised and will be released soon.

The DSB noted that Version 1.7.0 of the standards was released in March which and includes a change to present the CX Standards alongside the technical standards. Decision Proposal 168 was incorporated into this release as well as a revision to Decision Proposal 144. These CX standards will be incorporated into an upcoming standards release and will be accompanied by relevant CX artefacts.

The DSB also published the revamped authorisation, Data Holder Dashboard, and authorisation withdrawal artefacts on the new CX Artefacts website which reflect Version 1.7.0 of the standards. There are some items that relate to single occasion disclosures and also the relevant Version 2 rules recent research and leading practice.

The Chair noted that he would commend everyone to read the CPRC report on vulnerability to understand in greater depth the implications for vulnerable customers of the CDR. It is a very well written and detailed report.

The DSB agreed that it’s a very comprehensive report and is useful as a knowledge base to understand what they need to look out for, what they need to facilitate, support and mitigate where possible and within scope. There is also a lot of actionable material and a framework which they are looking to incorporate into the CX artefacts which is incredibly useful. There are also some great use cases that go beyond the scope of the CDR, but also highlight the intersections with CDR.

The Chair noted that he reached out to CPRC to thank them for the comprehensive nature of the report as it’s really helpful for the DSB to understand the CDR relevant implications of vulnerability.

One member asked about the status of secondary users and joint accounts (JAs) and how that’s playing out.

The DSB noted that in regard to secondary users, one of the things they’re discussing internally between rules and standards is the idea of trying to address rules and standards, particularly on big topics, so that they can work in parallel and in unity so they don’t find some technical issues later that could impact policy. They are working with the rules team on energy on a concept paper on some of those topics. The paper will be released shortly followed by a consultation process.

The DSB noted that on JAs and secondary users they are working to a timeline for banking and they have artefacts coming out for both of those largely reflecting on what they covered in the recent workshop on JAs with some minor additions in relation to secondary users and keeping it quite high level.

The DSB noted that it depends on the direction and the clarity that comes in the energy rules in relation to JAs and secondary user and when it becomes clearer on how those will operate in energy, they will adjust their artefacts accordingly and conduct workshops where necessary. They plan to release the artefacts within the next month in time for the November timeframe for banking.

Treasury noted the idea of hearing issues coming through from different forums, whether it being through workshops or discussions about policy issues, they are making sure they consider how the same issues played out in banking and taking that into consideration for energy.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and maintenance iteration cycles was provided in the Committee Papers and was taken as read.

The DSB noted that we have over 500 articles on the knowledge base and it’s growing nicely. It’s giving us a practical problem in terms of being able to discover all the information and an ongoing practical challenge of answering waves of questions as new people come into the regime. They are also testing an AI answer bot which is proving quite effective and they are looking to deploy that soon.

The DSB noted that they are holding a series of workshops with OpenID Foundation (OIDF). The OIDF standards underpin the DSB standards, particularly when you’re talking about financial-grade API (FAPI). It is fundamental to everyone’s implementation so being able to be appropriately compliant is a big deal. OIDF have taken it upon themselves to create a Consumer Data Right (CDR) compliance test suite. The DSB are working with them to present the workshop next week to introduce the test facilities that have been created which they think will be really useful because it is outside the accreditation or onboarding process and it is a way to validate your build without having to go through a formal process. You can also optionally choose to be OIDF certified for a fairly modest fee. There is a follow up workshop scheduled for 4 May 2021 and will focus on a deep dive into conformance testing.

One member asked if the workshops were aimed at conformance testing for data holders (DHs) or Accredited Data Recipients (ADR)? The DSB noted that the workshops are suitable for either.

The Chair noted that we are trying to ensure that our standards are aligned with global standards and the degree to which OIDF have come forward and looking to find ways to provide a OIDF certification in relation to CDR is helpful, although it is still early exploratory stages.

Treasury Update

Kate O’Rourke from Treasury provided a general update as follows:

Treasury updated the Committee on engagement with the CDR community on options to  drive uptake and the extension and growth of the CDR regime. Treasury has also received a lot of feedback from people on energy design issues, so that the expansion to the energy sector is as smooth as possible and opens opportunities for ADRs to offer products and services across sectors. They thanked everyone for their valuable input on these issues.

Treasury noted that they have also received feedback on issues that were raised but not resolved in relation to Version 2, including  tiered accreditation, sharing data outside the regime whether it be to trusted advisors or in the form of insights (collectively, ‘access’ arrangements). In considering these issues, Treasury is seeking to increase uptake and expand the regime, while managing associated risks, keeping the rules universal, simple and as principle based as possible and also consider revisiting rules in light of the experience once implemented i.e. rules maintenance.

Treasury are identifying what the next steps will be and will provide more clarity as soon as possible. They recognise the very high level of interest not just in the outcome but in speed as well.

Treasury noted they have been thinking about an integrated approach of testing people’s ideas with draft rules and draft standards and CX so the feedback loops in relation to the rules and policy are well informed by people who can see how they might apply in practice.

Treasury noted that in regard to the framework level and design and the issues that Farrell raised in his CDR Inquiry, they are starting to think about some of the policy issues around action initiation, payment initiation, new sectors, reciprocity and liability. Treasury will be setting up and trialling a regular forum to address these issues as they anticipate those conversations will be really important over the next few months.

One member asked if Treasury could provide an update on when the rules will be out in draft.

Another member noted they met with a company yesterday who want to be early adopters for energy and they, as well as the member, are very keen to hear about the timing of when energy data will actually be shared.

Treasury hear the importance of the timing of the draft rules being soon and transparent but they are not able to provide an update at this time. They are considering whether it would be valuable to have a preliminary level of discussion about the rules input before the formal consultation. This may give people a strong sense of what the direction will look like, and with the benefit of seeing some of the standards & CX implications which might be the next step rather than a full set of rules.

The DSB noted that it would be helpful to the process if they understood the needs of likely early adopters as there is a strong desire to make the CDR useful to consumers. If they are aware of the what data sets they need and to what extent, this could influence how they work through some of the stuff.

The Chair asked the member to reach out to the company who would like to be an early adopter to see if they were willing to meet with the DSB to discuss their needs in further detail.

ACTION: Member to provide the company with the DSB details for further discussion on their needs

The Chair noted that Treasury could safely report back to the Minister the level of interest and the urgency amongst members of the Data Standards Advisory Committee (DSAC) on the timing of the draft rules for energy.

One member noted that the committee is trying to determine standards and work through the framework and noted that implementation is a separate issue, and that for implementation to be successful, legislative changes are required with the data rights which is outside of the bailiwick of the standards, and whilst people are propagating that it’s just a matter of opening up load profile sharing, they are constrained by law. The difference between standards and where we’re going as a committee versus implementation are totally different and there are other critical success factors that need to be moderated and completed. Reporting back to people on timelines of standards and frameworks vs timelines on implementation needs to be very clear.

The member also noted that they have been involved in consultation on the Critical Infrastructure and Systems of National Significance reform, which is occurring in Canberra now. This initiative is with the Commonwealth Departments of Home Affairs, and the Department of Industry, Science, Energy and Resources (DIISR), which is about cyber security. The energy sector is the first cab off the rank with workshops occurring. They said when we look at standards we may want to have a look at the standards that will happen with critical infrastructure and cyber security because they will have a direct or indirect impact on the movement of potentially data or privacy etc. within the umbrella of cyber security.

ACCC Update

Paul Franklin from the ACCC provided a general update as follows:

The ACCC noted that of the 94 authorised deposit-taking institutions (ADI’s) that exist in Australia, 5 are already live, there are 2 or 3 that have no relevant consumers or accounts for example Cuscal Limited and Australian Settlements Limited (ASL) who only provide settlement services. They have around 80 to 90 ADIs they need to onboard by the 1st July 2021. There are a number of exemptions that have been granted including for example if an ADI is going through a merger or integration of two emerged entities etc. Participants are able to see who have been granted exemptions on the CDR exemptions register. The Onboarding Guide can be found on the CDR website and outlines the timeframes and process.

The ACCC have a dedicated team working through the onboarding process with each of the ADI’s over the coming months and they have recently increased the number of members of that team to make sure that they’re appropriately resourced to support the expected wave of activity that will peak around June. They are encouraging participants to plan for activation as soon as possible after they have finished onboarding, especially if they want to do any pilot activities with a limited number of customers, which they will need to do that in the period before the 1st of July.

The ACCC noted that as at 8 April 2021, 9 ADI’s have received an exemption to defer their commencement date for one or more obligations, 3 ADI’s were granted exemptions to defer their Phase 1 obligations until the 1 November 2021, 3 were granted exemptions to defer all 3 Phases until mid-next year and 3 have been granted longer term exemptions due to their unique circumstances. Those ADI’s represent a very small number of eligible CDR consumers and all exemptions are published on the ACCC website.

The ACCC noted that all applications for exemption, particularly for consumer data sharing, are assessed on a case by case and the ACCC carefully considers each application including the reasons for the application and the impact to the consumers given the market share of the organisation.

One member asked if ACCC could present a slide each month showing how the 90 ADI’s are tracking as it would be interesting to see who is on track for July.

The ACCC noted that unfortunately they are not able to provide that information as it is commercially sensitive and they are talking about noncompliance with the law by ADI’s. What they do is promptly publish the exemptions although they don’t publish if someone has applied for one as there is no guarantee that the ACCC will grant one.

The ACCC noted that there are a couple of issues they are actively managing that involve vendors who are important to large numbers of small ADI’s. They would be happy to support and work with any who wish to engage in testing and work with DR’s.

The ACCC noted that for the initial DH’s, Phase 1 and 2 of Product Reference Data (PRD) obligations have been in place since 1 February 2020 and Phase 3 obligations since 1 July 2020. For non-major banks or ADI’s, Phase 1 obligations commenced 1 October 2020 and Phase 2 on 1 February 2021 with Phase 3 obligations due to commence on 1 of July 2021.

The ACCC are actively encouraging any interesting parties to report issues regarding PRD via their CDR mailbox. Over the last couple of months they’ve been conducting compliance checks to determine whether DH’s are making PRD available in line with their obligations and that the data disclosed by a DH’s PRD services matches the data on their websites and product disclosure statements and that the DH’s product data request services and the data they disclose are in the form required by the Consumer Data Standards. This is a significant piece of compliance work to check both the availability of the information and the conformance to other sources and to the standards. As part of that work, they’ve also investigated data quality issues reported to them by interested parties. While there appears to be a generally high level of compliance across DH’s, they have identified a number of potential data quality and availability issues and they have written to each of the banks affected by that apparent discrepancy to ask for more information.

The ACCC noted that in March they sent a letter to a number of DH’s requesting responses to their findings and they’re reviewing those responses as they come in. They expect the level of compliance to increase as a result of that review and also to identify opportunities to clarify our guidance and relevant standards as they arise. They continue to encourage all interested parties who have problems with PRD to report them via the ACCC email address (accc-cdr@accc.gov.au).

ACCC noted that they currently have 10 ADR’s in the ecosystem. They have 5 applications for accreditation that are under assessment. The key issue with most of those applications under assessment is that they are either waiting on their security assurance reports or clarifying information on the information security assurance reports. There are over 200 entities that have been granted access to the CDR participant portal to either commence accreditation applications or to register as DH’s.

ACCC noted that since they amended the CDR rules in October 2020 to allow for accredited intermediaries to collect data, 4 entities have been accredited to operate as accredited intermediaries (Frollo, Illion Open Data Solutions, Yodlee and Adatree) and they are currently assessing a further 2 applications.

The ACCC noted that they have continued to update the accreditation guidelines and one of the key things they are trying to do is reduce the cost and complexity for ADR’s and clarifying the types of evidence required which they will accept for a secure environment. For example, they have expanded the types of certification that are acceptable to the extent that ISO 27001 certification covers the necessary controls (at least partial evidence) and only ask for a security audit to cover any gaps in a certificate. They still require that ADR’s demonstrate they have a secure data environment.

The ACCC noted that they have an active cyber security team and one of the key goals of the CDR is to enable consumers to safely share their data and cyber security of the register is a critical component in making sure that data sharing is genuinely safe. They have a very experienced cyber security Director and team that is actively monitoring threats and responding and protecting the register and they plan to continually uplift their cyber security capability.

One member noted that ACCC holds the register but they hold most of the meter data for consumers. They have a cyber security posture which they hold nationally and it might be worthwhile getting alignment on the different vectors and cyber security. If you look at the total ecosystem and the landscape, there are various points where we may be secure at the ends but not the middle points and a review of the whole environment might be worthwhile.

ACCC noted that for energy, it would be appropriate for them to do a review of the cyber security posture in light of the completed design for energy. For banking, they have a clearly documented strategy and shared a limited briefing with the interested banks and they would be happy to share a limited briefing with energy participants at the appropriate time.

The DSB noted that they have some work in train on this topic and although they haven’t gone out for consultation as yet, work with the rules team is being been done in the background specifically around expanding the existence of the existing information security profile in the standards to cover the additional interaction points and flows for the energy sector; which  also feeds into the existing PIA mechanisms they’ve been conducting throughout the regime. The DSB wanted to flag a caution about adding an additional process over and above those required processes already in place but noted that they definitely need to focus on the security implications of the new parties in this sector.

The Chair noted that once we know the shape of the rules design and the standards we will do a final review, like we did in the lead up to banking. He noted that the DSB will continue on the path they’re currently on at the moment.

The ACCC noted that they will be sending out their last CDR Program newsletter on Thursday 22 April.  After that date, Treasury will send out the weekly CDR Program newsletters. They will continue to communicate directly on decisions they make as a regulator etc and will provide content to Treasury for the newsletter.

One member asked for an update on the dispute resolution process for the energy industry and when that might come out. Treasury note that this is something they are working on and they will provide further details on this when they can.

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 12 May 2021 from 10am to 12:00pm.

Other Business

No other business raised.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

Meeting closed at 11:05