Minutes - 12 May 2021

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 12 May 2021
Location: Held remotely via WebEx
Time: 14:00 to 16:00
Meeting: Committee Meeting No: 31

Download meeting minutes (PDF 200KB)

Attendees

  • Andrew Stevens, Data Standards Chair
  • Brenton Charley, TrueLayer
  • Damir Cuca, Basiq
  • Nigel Dobson, ANZ
  • Gareth Gumbley, Frollo
  • Rob Hale, Regional Australia Bank
  • John Harries, Westpac
  • Lisa Schutz, Verifier
  • Ross Sharrott, MoneyTree
  • Lauren Solomon, CPRC
  • Stuart Stoyan, MoneyPlace
  • Barry Thomas, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Paul Franklin, ACCC
  • Mark Staples, Data61
  • Athena Jayaratnam, OAIC
  • Kate O’Rourke, Treasury
  • Jessica Robinson, Treasury
  • Jodi Ross, Treasury
  • Andrew Cresp, Bendigo & Adelaide Bank
  • Frank Restuccia, Finder

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 31. 

The Chair noted that good progress has been made in the last month with the Technical Working Group releasing v1.8.0 and v1.9.0 of the standards and completing Maintenance Iteration # 6.   The CX Working Group has been working closely with the rules team on CX changes related to the v2 Rules and have concluded their engagement with the Consumer Policy Research Centre (CPRC).

The Chair noted the Data Standards Body (DSB) held a series of workshops with the OpenID Foundation (OIDF), which were well attended and received. 

The Chair noted that a new Software Engineer will be commencing with the DSB at the end of May.

The Chair noted that Andrew Cresp (Bendigo & Adelaide Bank) & Frank Restuccia (Finder) are apologies for this meeting. 

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 14 April 2021 Advisory Committee meeting.  The Minutes were taken as read, and formally accepted.

Action Items

The Chair noted that the Action Items were either completed or would be covered off in scheduled discussions.

Advisory Committee Refresh

The Chair noted that the banking Advisory Committee current membership runs through to June 2021.  Given the changes in engagement that Treasury are in the process of exploring and our desire to have one Consumer Data Right (CDR) (for all sectors of the economy) it’s appropriate that we merge both our Data Standards Advisory Committees back to one Advisory Committee from July 2021. 

Therefore, the Chair noted that both Committees will meet as one committee, between 10am to 12pm on the second Wednesday of the month from July 2021 until November 2021, which is when membership of the energy Advisory Committee is due for renewal.  At which time the membership of the combined committee will be re-considered.

Consequently, the Chair requests any members who would like to opt out, or perhaps nominate someone else from their organisation with effect from July onwards to let him know. 

The Chair noted that he will refresh the Advisory Committee in November 2021 taking into account next sectors. 

ACTION: Members to advise the Chair if they would like to opt out of the Advisory Committee from July 2021

Working Group Update

A summary of progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read. 

Technical Working Group Update

A further update was provided on the Technical Working Group by Lead Architect Mark Verstege as follows: 

The DSB noted that it’s been a busy month with the release of the Design Papers, a number of which are relevant to banking like joint accounts, access arrangements and accredited data recipients (ADRs).

The DSB have had two releases of the data standards, v1.8.0 which focused on CX amending consent standards and v1.9.0 which focused on the changes arising from Maintenance Iteration # 6.  The DSB are also in the planning stages for the v1.10.0 release with the final decision going to the Chair in the next couple of weeks.  The scope of the v.1.10.0 release is related to the enhanced error handing work and they are using the new standards staging process which provides the community early access to what the standards are going to look like. 

The DSB noted that in terms of current and future consultations, they are continuing their work on consultations around metrics and reporting and released the first Consumer Experience (CX) metrics Decision Proposal this week.

The DSB noted that as the standards have been published for some time, and as there are a number of international standards that underpin the Consumer Data Standards (CDS) which have moved over that period of time, the DSB intends to perform a holistic review of the standards and do a gap analysis over the next quarter to understand what changes if any impact the CDS. The DSB will also look at a number of other items regarding information security like consideration around for example, are there any changes required to support voluntary extensibility and right access. 

The DSB noted that they also intend to consult on purpose-based consent, which at the moment is exploratory work, but is driven out of our Consumer Experience (CX) research, as well as community feedback. The DSB will look at how to improve that model and again preparedness for future changes. 

The DSB noted that they are considering a Noting Paper given the success of the White Labelling Noting Paper and they’re intending to publish a Noting Paper on the technical standards view of supporting data holder rebranding merges and acquisitions. 

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by CX Lead Michael Palmyre as follows: 

The DSB noted that the CPRC's report on vulnerability has been published on the DSB's community engagement page. CPRC's final draft report on the topic of consent is nearing completion which takes a slightly different approach to previous reports.  It moves its emphasis from the problem space to four impact areas which are i). empowered consumers ii). meaningful participation iii). trusted systems and iv). inclusive and fair outcomes.  There is a fair bit of analysis, outcomes, and indicators that signify successful impact and opportunities to measure and support these impacts.

The DSB noted that this report concludes a successful yearlong engagement with CPRC, who have expanded the DSB's ability to receive input from the community sector while also providing advice on key issues relating to consumers, particular those experiencing vulnerability.

The Chair acknowledged the incredible value of this engagement and the outcomes of the reports, which he said, are tremendous, particularly because of CPRCs knowledge of the CDR and to give relevance of the CDR context.  The Chair thanked the CX Lead, and CPRC and their teams for their incredible work. 

The DSB noted that v1.8.0 of the standards was released in April, which incorporated Decision Proposal 144 that relates to the simplification of the amending authorisation process. The CX Artefacts related to amending authorisations have also been published to accompany those standards.

The DSB noted that in regard to the Design Papers, Decision Proposal 162 on joint accounts has been incorporated into the joint account Design Paper and will be progressed accordingly. DP162 may open for consultation in due course but has been paused whilst the Design Paper work progresses.

The DSB noted that the peer-to-peer Design Paper touches on the applicability of the account selection standards for non-banking sectors, beginning with energy.

The DSB noted that the CX standards for disclosure consents have been drafted to support ADR to ADR disclosures (AP Disclosures), in anticipation of the access arrangements referenced in the recent Treasury announcement and further analysis on the DH Dashboards issue to support the access arrangements.  

The DSB noted that DP160, which covers non-individuals, business partnerships, and secondary users, has been published and is open for feedback. 

The DSB noted that there is a workshop coming up in relation to the Joint Account Design Paper which will be in place of the Implementation Call this Thursday. 

The Chair asked the DSB to provide some further context around the Design Paper process. 

The DSB noted that the Design Paper is a new consultation approach intended to provide an opportunity for simultaneous consultation on Rules, policy, CDS and guidelines for a change to the Consumer Data Right. The DSB said this process will enable people to grasp, not only what’s intended but what it will look like in practice and ensure they are fully informed. The DSB said the Design Papers are preliminary to their other processes and will lead onto Decision Proposals which create the actual CDS in support of the next version of the Rules. Consequently, the DSB said the Design Paper process will allow opportunity for more robust, well informed feedback on the process. 

The DSB noted that they still have the challenge of progressing the CDS in a timely manner and there is tension between the need to get everyone’s views and to make informed decisions.  The DSB said the time available to go through all the processes is limited so the Design Paper window for consultation is relatively short, and they encourage everyone to join the conversation on GitHub if they would like to have a conversational style of consultation. 

One member welcomed the Design Paper approach but wanted to note that they are attending Intersekt Festival 2021 Conference next week and sought an extension noting concurrent forums  and potential for FinTech’s to be tied up in Intersekt.

TSY noted that they will also be at Intersekt and they’d be happy to informally discuss issues or have some way of making more efficient contributions.  TSY noted the following week is when they need to wrap things up for this part of the consultation process. 

One member noted that a lot of people from this group will be speaking or presenting at Intersekt so  there may be the potential to find time to collaborate.  There is also an invitation only round table happening that will support feedback. 

The DSB noted that while the cut-off for providing feedback into the current design process is relatively short there will be further opportunities to input into the process of drafting Rules and the DSB will continue to consult on the specifics of how the Rules will be put into effect well past that two week cut off and they are happy to engage at a fine grain level specific to the standards.

TSY noted that there is also the consultation process that comes after, in terms of the formal consultation on the Rules.  The point of the Design Paper is to try to get input earlier so the design is a good one, but it is not the last of the discussions.  

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the Committee Papers and was taken as read. 

Design Paper introduction and overview: ‘opt-out’ joint account data sharing model

Jodi Ross, Assistant Secretary (TSY) and Michael Palmryre, CX Lead (DSB) gave an overview of the issues being consulted on in the Design Paper.

The current Rules in relation to joint accounts are sector specific (relating to the banking sector) and require all joint account holders to actively opt-in to CDR data sharing before that can actually occur.  They have received feedback that the opt-in setting (including with the “in-flow election”) could cause an undue level of friction and poor consumer experience and is a disincentive for businesses joining the CDR as data recipients and offering value propositions to consumers.

The design process for consulting on an opt-out approach has also enabled consideration of a universal approach in the rules for joint accounts, including energy, and accommodating future functionality and the potential implications of moving to payment and action initiation. The Government is considering the Future Directions report and will respond formally to its recommendations in due course. 

A key issue raised for feedback relates to complex joint accounts where joint account holders have set up their joint account so the approval of each of them is required in order to transact.  The design paper seeks feedback on three options which are i). mirror ability to share with authority to transact ii). Apply the opt in approach or iii). disregard authority to transact.

The announcement of consultation on the opt-in approach also announced the Government’s intention to implement a deferral for the obligations that would apply from November in relation to joint account functionality.  For the major banks, this means continuing to facilitate joint account data sharing as per current obligations and for non-major banks there will be no requirement to share joint account data until the new compliance date is set in the rules. This will occur even if the decision, in light of consultation, is to maintain the current opt-in approach.

The DSB noted that for the CDS section of the joint account design paper, the co-approval and opt-out settings will mean data disclosure may be delayed or denied in some instances, and that this may need to be accommodated in other CDR contexts regardless of the position taken on joint accounts. 

The DSB noted that they have received community feedback around enhancing communication between CDR participants to support ADRs in understanding account statuses changes, such as when additional approvals have been granted or denied, or when data sharing has been set to ‘off’.

The DSB noted that there are no changes anticipated to existing technical or register standards and when it comes to CX Standards it is really only a few things that have been acknowledged in Noting Paper 157 around generic messages to display in the authorisation flow for various use cases.   The other item to note is the potential for withdrawal standards may be warranted for opting-out to support informed opt-out processes and  achieve consistency with existing requirements.   

One member wanted to acknowledge TSY’s decision to pause based on the feedback and it was right thing to do. 

Another member asked if there was anywhere else in the economy where we have joint accounts or is that unique to banking? 

TSY noted that they will be exploring that as they start to conduct a sectoral assessment for telecommunications and through the strategic assessment across sectors that is being conducted. 

One observer noted that there is an example in stock broking and the equity industry where you can have shareholdings in joint names as there is a requirement that they are traded through brokerage accounts in the same names as shareholdings. 

One member asked whether there is an abstraction for joint accounts, because this could be applied to businesses in general, which incorporates lots of roles. They therefore wondered if there is useful abstraction for joint accounts because it is a specific form of multiple roles managing an account. 

TSY noted in the December rules data sharing by business customers was covered and requires data holders to give businesses the ability to tell them who is authorised to share data on behalf of the businesses and similarly for business partnerships.  

One member welcomed the work that TSY is doing on joint accounts and moving towards a more simplistic approach, however they were concerned about the timing implications of deferring particularly around mortgages for joint accounts, as it would have a lot of practical implications.   They asked, “What is the opportunity of bringing that through sooner rather than later particularly as it seems more simplistic approach from a technology perspective?” 

TSY responded that the issue of new compliance is a key consultation issue, noting the expectation to minimise the extent of the delay to support the offering of use cases for consumer benefit. The views of data holders in relation to implementation requirements, and time needed to do so, are also being sought. 

One member expressed because of the view that implementers should embrace the benefits to consumers becoming a data holder as soon as possible, rather than asking for timelines to be pushed out. They further opined that it feels like the banking industry perhaps doesn’t grasp the benefit to consumers of participating early and they then wondered what can we do to change that, or can’t we because there is a fear of non-compliance that’s forcing everyone to spend more trying to build the perfect solution, and in doing so pushing the timelines out. 

Another member noted that banks are not in the business of launching minimum viable products when it comes to data sharing or payments, because it needs to be perfect for go-live, as the risks are too high if they are not fully tested, not fully compliant, or not fully operational. They also noted that some of the changes proposed involved infrastructure, and appropriate testing, validation and training of operational and call centre staff etc.  Consequently, on that basis, the justification for moving the timelines is warranted.

Consumer Dashboard Presentation

Rob Hale from Regional Australia Bank (RAB) presented on the Consumer Dashboards.

Hale noted that many consumers have multiple recurring payments / direct debits for services and that they also have relationships with multiple financial institutions. Just as it is hard to track each of these financial subscriptions, CDR may create a similar challenge for consumers needing to maintain oversight of data sharing consents and authorisations. 

The CDR is a de-centralised model, with data holders and data recipients participating in the ecosystem with a consumer providing consent for each instance of data sharing.  The CDR has clearly defined rules that specify the need for an online service; a Consumer Dashboard that must be provided to help consumers manage these consents. 

Hale went on the explain that as an example he shared some data with Frollo a Personal Financial Management (PFM) app and was able to navigate the RAB Internet Banking portal to find data sharing settings and see the consent information.  He could also jump onto the Frollo app, navigate to the data sharing dashboard, and see the other side of the same authorisation.

When Hale acted as a NAB customer he could use the RAB app to support an application for credit, share his NAB data with RAB, and navigate to a different unauthenticated RAB portal in order to manage his consent. Hale needed to verify himself using his mobile phone, and a token provided in the consent receipt from RAB.  He could also jump ono the NAB internet banking app, navigate to the data sharing area and see the other side of the same authorisation. 

Hale noted that this was already complex, however, if we have 100 banks, 1000 ADRs, and both the Energy and Telco sectors, it is going to get very confusing.  Hale noted that the Future Directions report mentioned “a dashboard” by saying, “Consumers will be able to safely use online services or apps on their mobile phone to give them an up-to-date [Consumer] dashboard showing them who they are sharing data with, how it is being used, and allow them to change those things, or make the sharing stop.”

Hale asked what’s the problem we’re trying to solve with dashboards?  Hale noted there was no reference to dashboards in Farrell’s Open Banking report, but there were 63 references to dashboards in the Rules. Hale noted the UK Open Banking’s experience is that consumers don’t use dashboards much, and consumers prefer the term ‘permissions’.  Hale further noted that PSD2 does not mandate dashboards, but the Open Banking Implementation Entity (OBIE) had mandated them from CMA 9.

Hale suggested the question of providing dashboards is about giving consumers the authority to manage who gets to see their data, where it goes, and how it is handled; and being in control of that and consequently having confidence and trust in the ecosystem.  Hale noted that Farrell’s Future Direction report talks a lot to this, and CPRC comments featured heavily.  Hale proposed there is a need for a mechanism that allows consumers to track and manage all their consents and authorisations and the ability to view detailed activity associated with a consent, so consumers know who has what and have a single (emphasised) place to do this.; because in the decentralised model, which we have today, this is going to be hard to manage as things get more complex. 

Hale then identified a centralised model option.  This would require a Digital ID. Government agencies can currently use a Digital ID between those systems (myGov) but it’s not currently a commercial option available outside those agencies.

Hale suggested a third, Distributed model, that could potentially make use of what we already have, utilising APIs to exchange consent data between accredited participants, with either individual data holders and ADRs accessing them and then surfacing them for consumers within their application; or maybe there’s a commercial entity that has a business model to collect those consents from all those participants and surface them in one place.  Hale suggested this could be a way of leaving the existing ecosystem largely intact yet solving the multiple dashboard problem.

Hale suggested that with only 6 active DRs and 5 DHs it is already confusing, and there is a need to realise that it is going to get very confusing soon; therefore there is a need to go back to the original intent, which was for consumers to feel confidence and trust in the ecosystem, and that it is convenient for them to use.  Hale concluded by saying the current model is none of those things.

The Chair noted that if we get to the point in the not too distant future where a use-case uses data from two data holders in different sectors you could potentially have two dashboards for the same use-case, and there are some associated implications for dispute resolution because the current Rule is that the dispute resolution mechanism is defined by the sector of which the data holder is. 

In response to Hale, one member suggested that it comes back to what is the work to be done, and the classic example of principles versus prescription. They noted that APIs would solve this if the data that has to be available to the person and the idea of distributed is right in the sense that people will want to do different things.  They then suggested that if the CDR is principles based, then implementors can be flexible and innovate. 

Another member agreed and noted that sometimes it feels like we’re trying to solve too much and we should be making room for innovation from the participants in the ecosystem.  They noted that they already have a dashboard in Japan to manage 27,000 different inputs across insurance, shares and a number of other areas, and said that these things are solvable but generally not in only one way, and it’s a bad idea to mandate a central way. 

Another member noted they don’t think the consent or the data sharing itself is where the value is and it’s important to work out where consent fits with the value, because consent is only a means to reach the value you’re after.  They also said that it looks like a complex problem but there’s a lot of market force and evolution for where financial apps are heading, which might make it less of a problem potentially. 

The member also noted that in regard to consent from an open banking perspective, that beyond consent to share data there’s likely other consents that the service provider is asking for as well.  And they inquired, how much consideration have we given to that in terms of it becoming a broken experience where a customer downloads an app and how do we grapple with that?  They also suggested screen scraping needs to be addressed, and asked if the CDR is asking for multiple consents and payments as well, then how do we deliver the actual value to customers now that were considering multiple consents outside open banking in CDR?

Another member noted that in regard to consent, Apple have made changes to iOS, which is about actively having users consent to their details being shared back through apps they’re using but also a number of apps will then track their activity across other apps as well.  They added that there is a going to be a much stronger focus and prevalence around consent management as that ties into broader life and broader existence. 

Treasury Update

Kate O’Rourke, First Assistant Secretary, and CDR Division Head, from Treasury provided an update as follows:

TSY noted that they have been thinking about the engagement across the CDR and reviewing the different consultation fora. TSY identified a gap as there is a high level of interest from people in the CDR community to engage early at a big picture, design and strategy level. Consequently, TSY held their first CDR Framework and Design Strategy Forum last Friday and received positive feedback on the forum.  This forum will be held monthly and they are looking forward to working through some of the issues and getting input from the community.  TSY are open to establishing communities of practice for more detailed workshops if there’s an issue that a subset of people are interested in. 

TSY noted that the Budget announcement on the Digital Economy Strategy was released on 6 May by the Prime Minister with the full strategy released in the Budget.  TSY encourages those that are interested in the wider piece around the Governments Digital Economy Strategy which shows how different initiatives are stitched together to look at the strategy. 

ACTION:  DSB to provide the Digital Economy Strategy link to members

TSY noted that it has been announced that Telecommunications is the third sector and they’re conducting a strategic pre-assessment to look beyond Telecommunications and into other future sectors, in order to establish a roadmap that identifies sectors that will have consumer benefits. 

TSY noted that they are working on developing Rules in order to broaden access arrangements to the CDR, including under the umbrella of trusted advisors, managing the sharing of “insights” and address accreditation issues.  An announcement was made on this by Treasury on the 30 April 2021. 

ACTION:  DSB to provide link to the TSY announcement on the 30 April

One member asked TSY for an update on developing Rules for broadening of access arrangements.

TSY responded that they are working to get them out as soon as possible, because they know that this is something that they’ve been talking about for a long time and they are keen to move forward to the next step. 

ACCC Update

Paul Franklin, Executive General Manager, ACCC provided an update as follows:

Franklin noted that the Commonwealth Bank of Australia (CBA) and Adatree have gone live which is welcome news and it is good to see the increase in the number of active data recipients to six. 

Franklin noted that the ACCC’s main priority is onboarding of the non-major banks with the focus of getting them all live, as far as possible, by the 1 July.  The ACCC is continuing to increase resources in order to support that objective.  

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 9 June 2021 from 2pm to 4pm. 

Other Business

No other business raised. 

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting. 

Meeting closed at 3:35