Minutes - 10 Nov 2021

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 10 November 2021
Location: Held remotely via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 37

Download meeting minutes (PDF 273KB)

Attendees

  • Andrew Stevens, Data Standards Chair
  • Luke Barlow, AEMO
  • Jill Berry, Adatree
  • Damir Cuca, Basiq
  • Chris Ellis, Finder
  • Lawrence Gibbs, Origin Energy
  • Melinda Green, Energy Australia
  • Chandni Gupta, CPRC
  • Joanna Gurry, NBN Co
  • Rob Hale, TrueLayer
  • John Harries, Westpac
  • Richard Hough, ANZ
  • Lisa Schutz, Verifer
  • Stuart Stoyan, Fintech Adviser & Investor
  • Glen Waterson, AGL
  • Barry Thomas, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Paul Franklin, ACCC
  • Mark Staples, CSIRO's Data61
  • Sophia Collins, OAIC
  • Kate O’Rourke, Treasury
  • Brenton Charnley, TrueLayer
  • Peter Giles, CHOICE
  • Gareth Gumbley, Frollo
  • Aakash Semey, Simply Energy

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 37.

The Chair wanted to acknowledge the traditional owners of the land, their elder’s past, present and those that emerging and in particular female elders in the indigenous community.  He is on Cammeraygal land which is on the northern side of Sydney Harbour. 

The Chair noted that it has been another very busy month for the Data Standards Body (DSB) with four releases of the Consumer Data Standards (CDS) and continued development of the Consumer Experience (CX) guidelines and artefacts to facilitate Consumer Data Right (CDR) implementation.  

The Chair noted that we have added to our engagement and communication methods by developing some video content which will help people absorb what is going on in the standards world.

The Chair noted that we have added some new members to our team including Bikram Khadka as CX Designer and Ivan Hosgood as Solutions Architect.  We also have a few others who will be joining us in the next couple of weeks as we build up the teams’ capability.

The Chair noted that the DSAC Design Challenge Consultative Group had a constructive meeting on the 15 October and are due to meet again on 16 November.  

The Chair noted that we are at the end of term for the Energy Data Standards Advisory Committee (DSAC) members and he will be considering the ongoing role of the energy members. The Chair plans to re-establish the DSAC in its combined form ahead of the next meeting.  The Chair asked members to communicate directly to him and Terri McLachlan if they would like to continue as a member or to step down.  The Chair noted that we will also update our establishment instrument and governance arrangements to be in line with Treasury.

ACTION:  Members to advise the DSB if they would like to continue as a member of the DSAC

The Chair noted that Aakash Sembey (Simply Energy), Brenton Charnley (TrueLayer), Gareth Gumbley (Frollo) and Peter Giles (CHOICE) are apologies for this meeting. 

Minutes

Minutes

The Chair thanked the DSAC Members for their comments and feedback on the Minutes from the 13 October 2021 Advisory Committee meeting.  The Minutes were formally accepted. 

Action Items

The Chair noted that the ACCC have agreed to present on how the CDR system is working at the December DSAC meeting.

Working Group Update

A summary of progress since the last DSAC meeting on the Working Groups was provided in the DSAC Papers and was taken as read. 

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh and Mark Verstege as follows: 

The DSB noted that the Technical Working Group have published four releases in the last month.  Version 1.11.1 release included changes arising from Maintenance Iteration 8.  The final outcome of this iteration were minor documentation fixes so a patch release was deemed sufficient.

Version 1.12.0 release focussed on the Non-Functional Requirements (NFR) and also included decisions for the energy sector related to NFRs with specific reference to the handling of invocations between Retailers and the Australian Energy Market Operator (AEMO).

Version 1.13.0 release included the merging of the Register Standards from the Australian Competition and Consumer Commission (ACCC) into the main standards site.  This has been a very collaborative process between the ACCC and DSB for most of 2021.  It also includes all energy standards that were not directly related to data clusters such as changes to the information security profile.

Version 1.14.0 release was primarily an energy release that included all of the candidate URIs and payloads for energy specific endpoints.  It also includes the CX data language standards to support the energy specific data clusters.

The DSB noted that they are now looking at the Standards maintenance process as historically this process has been focused on banking. The DSB will be trialling some different approaches as the scope of the maintenance iteration expands and they are looking for feedback from the community. 

The DSB noted that they are tailing out their consultations as they head into Christmas.  They anticipate the need to ramp up again in February as the energy community goes into implementation. 

The Chair wanted to acknowledge the achievement of the candidate standards being complete for energy. It is a major milestone and he wanted to thank the team and noted that Minister Hume was particularly delighted with this achievement when he recently spoke to her. 

One member noted that there is still some work to be done on the standards for the commercial and industrial (C&I) customers - the standards are ready for mass market customers primarily.  The member also asked what is the best way for energy data holders to get across the details, is it via the implementation calls?

The DSB noted that the maintenance iteration is a 6–8-week cycle with fortnightly meetings which everybody is welcome to attend.  They have recently seen an uptick in people participating and they would encourage members to attend.  The DSB will provide details of this call to members. 

ACTION:  DSB to provide details to the Maintenance Iteration calls to members

The DSB noted in terms of C&I customers, there is still work more to be done and they will proactively raise change requests to carry that conversation forward. 

The DSB noted that they are looking to increase the product feature support i.e. expanding the types of features that can be explained and expressed through the standards for products. The DSB have also been looking at allowing for multiple balance plans for lending products which is important as they start to see an increasingly common trend across lending products like buy now pay later etc.

The DSB are also looking at providing a much more standardised structure around loyalty data in terms of how they describe it from a product and a feature perspective, and how to support describing the balances for loyalty accounts. 

The DSB noted that in terms of information security there is an open consultation around the migration to FAPI 1.0 which closes next week.  As they move into the shutdown period, any decision proposals that are out for consultation will have an extended consultation date into 2022 to allow participants to have additional time to review over the shutdown period.

The DSB noted that they will releasing a decision proposal next week around whether or not standards should be made and if so, what considerations should be factored in. This decision proposal will have an extended consultation period. 

One member noted that in terms of the Christmas shut down, it’s important to note that teams are busy rebuilding joint accounts for the July obligations and the FAPI proposal comes on top of that with timelines that don’t match vendor product certification.  The member said some softening of the timelines would be appreciated by the teams as they generally require a six-month window to meet obligation dates.    

The DSB noted that try and steer towards the six-month window, and with the complexity of the two sectors and well as data recipients (DRs), it is important to bring everyone onto the same cadence.  The decision proposal provides recommendations on the obligations dates and they would welcome community feedback to help steer them towards what the industry sees as achievable. 

The DSB noted that they have added the implementation consideration section to the decision proposal so people can push back if they think it is not achievable.  They noted that there is a desire to have a stable InfoSec profile for ADRs for the energy sector so that ADRs in banking can transition to energy.  Another strong driver is for energy sector data holders (DHs) to implement and then have to implement again shortly after. 

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows: 

The DSB noted that one of the major milestones this month is related to the consultation on candidate energy data language standards which closed on 22 October. This decision was incorporated into the version 1.14.0 release. 

The DSB noted that a key difference in relation to the decision proposal versus the actual decision was the additional descriptions. In the submissions received, there was majority support for making additional descriptions "mandatory", but there was also variation between how data holders might describe certain datasets to their own customers. The decision proposal included examples of additional descriptions within the CX standards, however the final decision relegated those examples to the CX Guidelines. Additional descriptions are still strongly recommended in the CX standards (as a 'SHOULD'), and CX is now working to refine those descriptions to be released as part of the CX guidelines.

The DSB noted that the CX and Technical team have published Decision Proposal 216 on Profile Scope which closes on 19 November. This proposal identifies a gap between the technical and CX standards and the proposal provides guidance around what to do in the interim as it has been identified as a critical issue. 

The DSB noted that it will be a very busy quarter with the v3 Rules CX Standards related work.  They published Decision Proposal 162 on Joint Accounts yesterday which relates to v3 Rules.  They’ve consulted extensively on a number of options including Joint Account notification settings; sharing notifications; sharing notification for consumers flagged as vulnerable etc. The consultation is open till 30 November with a timeframe of 21 days instead of the normal 28 days.  This extension is due to the implementation timeframes that have been raised and to honour the six-month lead time.

The DSB noted that Decision Proposal 222 - Disclosure Consents:  Insights and Trusted Advisers is being prepared at the moment and relates to insight disclosure consents; establish how accredited persons can meet the requirement to explain CDR insights to consumers and for trusted advisor and insight disclosure consents; and ensure that consumers are aware that their data will leave the CDR ecosystem when it is disclosed.  CX Research on these areas will start this week and the consultation will be open for an extended period. 

The DSB noted that they are continuing to develop CX guidelines and artefacts to accommodate key v3 rules requirements and standards, v4 energy rules, and additional assistance in response to community requests.  Some of these will be completed this side of Christmas and some will spill over for energy, as the expectation is that they will be complete within three months following the rules being made. 

One member asked about the consultation on disclosure consent (DP222) and to what extent is there a discussion about prescription versus principles based. 

The DSB noted that there is some level of prescription in the rules and the job of the CX standards is to help participants meet the requirements to describe those insights and what it might reveal.  It is almost impossible for them to be prescriptive around describing insight using this specific language. Their intention is not to propose anything that looks like the data language standards for insights, but rather that is much more principled based, and ultimately, it’s about communicating aspects of the insight.

One member noted that if it lands to not being prescriptive, will there be examples to show how things could look differently? For example, how data insights might actually be described so that people can then use a set of what might actually work for particular consumers?

The DSB noted that they could potentially look at the CX guidelines to list examples.  One thing that they have considered in the insight description proposal is for a certain readability level. They are testing this in the research this week and providing an actual example so it’s not relying too heavily on the standards doing the work to provide a structure but rather making the standard a proposal to provide an example of what that insight might look like. 

The DSB is also growing the team by approximately 50% which will expand their ability to cope with a problem set as they move to multi sectors.  The DSB is very conscious of the fact that the actions they take have far reaching and real-world implications.  The team have an extra load imparting knowledge to new team members and it has been a very busy time for them. 

The DSB also noted that this committee is incredibly important as it brings awareness to things that the DSB have not spotted and they wanted to thank the committee for all their attention.

One member asked how big is the DSB team, how many vacancies are there, and what are the key gaps you’re trying to fill over the next 6 months? 

The DSB noted that they currently have 21 people and actively recruiting 2 more into the CX team.  The biggest gap is on the CX front as there is so much work to be done.  On the technical side, the DSB wants to beef up their engineering resources in the future as ACCC are doing a lot of work on the mock registers and sandbox and they will need to work with them to ensure close integration.  In terms of engagement, the DSB is very conscious of the need to be able to communicate clearly so they’ve moved into video production to turn their workshops into assets that people can assess. They are also creating more digestible updates and summaries of what they’re doing.

The member asked if there is anything that the committee can do to help with this in terms of sharing advertisements, or secondments etc to ensure that the DSB have the right team? 

The DSB noted that they have been learning this year on how to procure resources in a Treasury environment and they will need to speak to the Department on the flexibility in terms of secondments.  They also agreed that there’s lots of value in communicating opportunities to members via LinkedIn. 

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers and was taken as read. 

Issues Raised by Members

Measuring success metrics across the regime

ACCC to cover this off on their regular monthly update. 

Non-Compliance with mandated sharing dates

ACCC to cover this off on their regular monthly update. 

Treasury Update

Kate O’Rourke, First Assistant Secretary CDR Division, Treasury (TSY) provided an update as follows:

TSY noted the increasing maturity of the banking regime, the pleasing number of data holders and and the more general momentum of the CDR over the last couple of months.  TSY noted that the Minister is taking many opportunities to speak about and promote the CDR in the context of her wider responsibilities. 

TSY have continued working to support the Minister on the draft Telecommunication Designation and Sectoral Assessment Report, the Strategic Assessment, and the Farrell Report.  There has been a lot of progress and TSY are hoping the Minister will be able to make further announcements on these soon. 

TSY noted that they run a monthly CDR Framework Design and Strategy Forum with the next one scheduled for next week.  TSY extended the invite to the forum to committee members.

TSY noted that Belinda Robertson has joined the TSY team.  Belinda originally joined the department last year from ATO to work on the CDR but was transferred to work on Job Keeper.  She has now returned to CDR and is heading up one of three branches, the Data Economy and CDR Governance Branch.  Jessica Robinson heads up the CDR Policy and Engagement Branch and Fiona Walker is acting head of the CDR Regulatory Frameworks Branch.

One member asked if there is any update on the potential consumer campaign that TSY was considering?

TSY noted that work is continuing on this and they are unable to share anything specific at this time. 

One member noted that some screen shots were recently shared with her about the CDR and that the CDR was going viral on TikTok for all the wrong reasons.  The member would be happy to share the shots with TSY so they can understand what they are up against. 

Another member noted that we need to collectively get much more on the front foot around messaging and PR and dealing with some of the noise. It would be good to hear back in terms of TSY’s approach at the next meeting. 

TSY noted that they are happy to come back with some more detailed observations and information.

ACTION:  TSY to provide an update on the Consumer Campaign at an appropriate time

ACCC Update

Paul Franklin, Executive General Manager ACCC CDR Division provided an update as follows:

ACCC noted that 40 bank brands have been activated within the last month which included 25 in the last two weeks of October, 11 on the 1 November and 4 activated since the 1 November. There is a total of 66 active DHs entities and 25 additional brands (or 91 active brands in total).  That takes the DH coverage to more than 95% of the market (if using their standard measure i.e. share of household deposits). The remaining gap includes 15 banks that have ongoing exemptions that continue past 1 November which will progressively expire over the next 12 months. There are a small number of ADIs that are not yet compliant and those are being followed up by the compliance and enforcement team as flagged previously. 

ACCC noted that there are a small number (11) that are not active and they’re being followed up the compliance and enforcement team. 

The Chair asked whether there are any that are active but not compliant and whether the potential investigations are being approached with some urgency?

ACCC noted that they have a Technical Operations team who monitors incidents in the ecosystem. They have two categories of incidents - internal and external.  Internal incidents (ACCC solutions like RAAP, CTS) are technical incidents which they have a direct hand in managing and external incidents (incident between two members) that are technical incidents which impact the exchange of data between participants (DHs, ADRs and RAAP). It is important that incidents are raised within the CDR Service Management Portal, as it is the most effective way to alert another participant of an issue, and to track that issue’s resolution. The ACCC also undertake a monitoring role over external ecosystem incidents and follows up to ensure incidents are resolved, but participants are responsible for bi-laterally resolving those incidents.  The ACCC’s Technical Operations team pass information over to the compliance and enforcement teams but noted that compliance and enforcement activities typically take longer to resolve than operational issues.

The Chair asked about the relationship between compliance and enforcement and if a DH was in a situation with an inability to share data or incorrect data with multiple DRs, how urgently would that be followed up by the enforcement team?

ACCC noted that compliance and enforcement processes are inherently a legal process and they follow legal timeframes. They promptly follow up incidents such as these and try to have them resolved on an operational level before the legal processes are completed.

ACCC noted that the “External Incident Portal” was launched in March 2020 and they’ve had 230 incidents with a couple of spikes particularly around July 21. The ACCC actively monitor the number of incidents and prompt organisations to resolve them, but in the first instance participants are responsible for bi-laterally resolving operational incidents.

One member noted that this is only reporting raised incidents, and they have a number of incidents that they don’t raise because of the operational overhead. The member suggested that when defining an external incident between a DH and DR, it should be between a DH and all of the DRs as it affects everyone.

The Chair asked what is the incentive for participants to raise incidents if it doesn’t initiate any action from the ACCC and also, how long does it take ACCC to resolve incidents reported in JIRA? 

ACCC noted that they follow up and check that participants are resolving issues and pass the information over to the compliance and enforcement team. The ACCC noted if someone is deliberately blocking data, ACCC can impose significant penalties.  The average days to resolve a JIRA incident is 4.6 days but compliance and enforcement issues are resolved under a legal timeframe which could take considerably longer. 

The Chair noted that if the Minister were to take the CDR towards action initiation and we’re talking payments, 4.6 days would be a serious issue. 

ACCC noted that in terms of the “Internal Incident history”, there have been 30 incidents raised in the past 30 days and those have taken 3.6 days to resolve with a total of 410 historical incidents. Most of these incidents were conformance test suite (CTS) related, and therefore don’t impact live data sharing.

ACCC noted that they have a tool called GetMetrics, an API which allows them to collect data from DRs.  This consists of three separate reports and 21 metrics.  As of 9 November, a large number of active DH Brands were not providing GetMetrics data to the Registrar. There are also some issues with data quality (including null or “0” value data responses) and some issues with data inconsistency. The ACCC intend to publish the ecosystem performance data once they address the gaps in the GetMetrics data.

ACCC understand that given the challenges of going live, DHs have prioritised the customer facing functionality rather than the reporting but they are actively following those up and raising incidents against the participants. The ACCC also provide a range of technical support to DHs to help them expediate issue resolution.

The Chair noted that publishing the data would get those challenges resolved quickly as participants would have to explain their performance to the community.

One member asked when the energy DHs go live, would the GetMetrics data be published straight away or have ACCC considered whether a gap should be allowed? 

ACCC have not considered whether a gap should be allowed in energy but they would like to publish the data promptly.

ACCC noted that they will be developing a sandbox for multilateral testing where participants will be able to test against the Mock Data Holder, Mock Data Recipient and Mock Register, and test against other participant’s solutions.  The ACCC will be releasing shortly some guidance about the tools they expect to release for the energy sector. 

The Chair asked in terms of the high priority metrics that are taking longer that the 1000ms KPI, when do they expect that to be an enforcement matter versus a gap to allow for compliance?

The ACCC noted that enforcement matters are decided by the Commissioners. The ACCC have flagged with participants that they expect them to comply with NFRs and it is an area they are looking at.  The ACCC recognise that their data is only partial due to noncompliance with delivery of GetMetrics. 

ACCC noted that in terms of compliance and enforcement, it’s their practice to make announcements when a decision has been made and not conjecture in advance of a decision. 

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 8 December 2021 from 10am to 12pm. 

Other Business

The Chair asked the committee for their input on whether we move to physical meetings in 2022, or whether we stay virtual or a hybrid. 

A number of members noted that virtual meetings are working well but it would be good to get everyone together quarterly or half yearly.  The hybrid option was the least favourable.

ACTION:  DSB to send a proposal to committee members on meetings for 2022

One member wanted to highlight some performance within the regime issues they are seeing now with the wave of new DHs: 

  • Passing the CTS does not make a participant conformant.
  • No incentive to lodge issues (bug bounty?)
  • CX vs backend data
  • Some real examples of major customer impacts from sample Data Holders:
    • Incorrect data clusters
    • Incorrect Data Frequency
    • Confirmation from wrong ADR
    • Mandated IFTTT consents
    • Completed vs Incompleted Consent
    • Data They (Don’t) Share
    • Live Production Changes

The Chair noted the seriousness of these performance issues and that there could be some OAIC concerns in relation to people’s consent not being delivered.  He also asked ACCC if this is something that the operational team or the compliance and enforcement team would look into? 

The ACCC noted that incidents had been raised in relations to a number of these performance issues and also reminded members that the CTS was never intended to be a comprehensive test of every interaction and in the onboarding instructions, there are clear expectations set that all participants are required to test their own solution in their own environment. They recognise with the onboarding of non-major banks on the 1 July, the level of testing across the industry wasn’t what they had expected and a number of things have been done to improve the quality of the solution for example Mock Register, Mock Data Holder and Mock Data Recipient had been released to enable testing of components pre-go-live and pre-CTS; and a sandbox is now being developed for multilateral testing.  They noted that the CTS is a minimal set of tests to protect the security of the ecosystem not to test for conformance.

The Chair noted that at the proposal and agreement that a partial CTS would be operated, albeit relying on industry or participant testing, there was a range of mitigations for the risk that solution embodied.  It would appear that some of those mitigations may need to be strengthened.

ACCC noted that expectations were set that participants and their vendors should be actively testing their solutions in full and clearly there has been gaps in testing.  They have seen evidence that their compliance and enforcement is having a real impact addressing these issues. They would like data holders to be resolving issues faster, but they are continuing to work through the issues. 

The Chair noted that we would discuss ADR experiences with Data Holders in the CDR over the coming month to identify if performance improvements have been achieved.

ACTION: ADRs to prepare to discuss the API and CX improvements noted through experiences with Data Holders.

One member noted that these types of incidents are not isolated and maybe now is the time to re-evaluate whether a full CTS should be mandated but also the enforcement capability is enhanced to be able to manage this. They noted it’s a complex and technical ecosystem, but also a fragile and nascent ecosystem and that consumer that are going through this experience are now not going to engage with the CDR again. 

ACCC noted that they treat all issues with a sense of urgency and that there are some steps in regulatory actions they take that cannot be publicised as every legal entity has certain legal rights and they cannot convey confidential information. 

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting. 

Meeting closed at 12:00pm