Minutes - 14 Sep 2022

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 14 September 2022
Location: Held remotely via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 46

Attendees

  • Andrew Stevens, Data Standards Chair
  • Chris Ellis, Finder
  • Prabash Galagedara, Telstra
  • Peter Giles, CHOICE
  • Melinda Green, Energy Australia
  • Chandni Gupta, CPRC
  • Rob Hale, Truelayer
  • D’Arcy Mullamphy, Adatree
  • Lisa Schutz, Verifier
  • Aakash Sembey, Origin Energy
  • Stuart Stoyan, Fintech Advisor & Investor
  • Zipporah Szalay, ANZ
  • Tony Thrassis, Frollo
  • Glenn Waterson, AGL
  • Barry Thomas, DSB
  • Ruth Boughen, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Paul Franklin, ACCC
  • Vaughn Cotton, ACCC
  • Andre Castaldi, OAIC
  • Elaine Loh, OAIC
  • Bart Hoyle, Treasury
  • Emily Martin, Treasury
  • Belinda Robinson, Treasury
  • Luke Barlow, AEMO
  • Damir Cuca, Basiq
  • Jason Hair, Westpac

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 46.

The Chair acknowledged the traditional owners of the lands upon which we were attending the meeting.  He acknowledged their custodianship of the lands and paid respect to their elders, past and present and those emerging.  He joined the meeting from Darkinjung country.

The Chair noted that we have a number of new members joining the Data Standards Advisory Committee (DSAC): Prabash Galagedara (Telstra), D’Arcy Mullamphy (Adatree) and Zipporah Szalay (ANZ). The Chair invited new members to introduce themselves.

Prabash Galagedara said he was looking forward to working with the DSAC and noted that his role in Telstra is to look after a range of customer facing technologies for the Telstra Consumer & Small Business unit which includes Customer Identity and Platform Data across all channels. He said he had been in the role for 15 months and his background is in finance and data analytics.  Outside of work he said he had recently published a book on AI (Embrace: In pursuit of happiness through Artificial Intelligence), which has gone on to be a # 1 bestseller. 

D’Arcy Mullamphy said he was stepping in for Jill Berry (Adatree) who is currently on leave.  He mentioned he had previously worked for Treasury (TSY) in the Consumer Data Right (CDR) Division, working across a number of things including the rules and strategic decision-making areas. He said he was very excited to be standing in for Jill on the DSAC. 

Zipporah Szalay said she is Head of Open Banking at ANZ and noted that Richard Hough has moved into a new role of General Manager for Non-Financial Risk.  She said she had worked with Richard in creating and delivering the Open Banking program at ANZ for the last 4 ½ years.  She said she was very intimate with the program and it has been an incredible journey to date and was looking forward to the next 4 ½ years. 

The Chair thanked Richard Hough for his commitment to the CDR and involvement in the DSAC and wished Jill Berry well for her leave. 

The Chair welcomed new members of the DSB team Nils Berge (Solutions Architect) and Erez Ben Aharon (Senior Software Engineer).  

The Chair also noted that Emily Martin would provide the TSY update in Kate O’Rourke’s absence.

The Chair noted that also in attendance as observers were Vaughn Cotton (ACCC), Andre Castaldi (OAIC), Elaine Loh (OAIC), Bart Hoyle (TSY) and Belinda Robertson (TSY).

The Chair noted that Luke Barlow (AEMO), Damir Cuca (Basiq) and Jason Hair (Westpac) were apologies for this meeting.

Minutes

Minutes

The Chair thanked the DSAC Members for their comments, and last-minute feedback on the Minutes from the 10 August 2022 Advisory Committee meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that the Action Item for Westpac around whether the DSB can participate in the regular meetings with the bank’s fraud teams is still pending.  The Chair noted this would be carried forward to the next meeting as Jason Hair was an apology for this meeting. 

Working Group Update

A summary of progress since the last DSAC meeting on the Working Groups was provided and these DSAC Papers were taken as read.

Technical Working Group Update

The update was provided on the Technical Working Group by Mark Verstege as follows: 

The DSB noted that they had published version 1.19.0 of the Standards, which incorporated two changes to support the energy go-live in November: Decision Proposal 260 – Energy Closed Accounts, and Change Request 529, an urgent request concerning CX – Energy Data Language Standards – National Metering Identifier (NMI) and Schedule Payments.

The DSB noted that Maintenance Iteration # 12 concluded that day, and they have dealt with 18 Change Requests which covered the full gamut of the CDR Data Standards.  This included consumer experience, Register, banking, energy and information security changes which they would look to publish in the next release.   

The DSB also welcomed into the team Nils Berge, who had been an active participant in the CDR, having previously been the Product Owner of Open Banking at Rabobank and Bank of Queensland for their CDR implementation, and also Erez Ben-Aharon, who had recently worked as the Technical Lead on the Conformance Test Suite at the Australian Competition and Consumer Commission (ACCC).

One member asked for an update about the Closed Accounts error of one Application Programming Interface (API) being captured when it should not have been. 

The DSB noted that this error had been corrected and is included in version 1.19.0 of the standards.  They said this change covered both the general GetEnergy accounts API as well as the GetEnergy Account detail API. 

One member asked if the Product Reference Data (PRD) for energy had been released, and if not when it will be released? 

The DSB noted that the PRD for energy will go live on 1 October 2022.  The three major energy retailers have a go live date of 15 November 2022 with non-major energy retailers going live next year.

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows: 

The DSB noted that Change Request 485 was incorporated into version 1.18.0 of the Standards and was in relation to data language standards to treat customer data as sector-agnostic. 

The DSB noted that Change Request 529 was treated as an urgent change and incorporated in version 1.19.0 of the Standards. They said this decision amended the energy data language standards to remove ‘NMI’ from the accounts and billing clusters and altered the language for the payment schedule cluster to more accurately reflect the data made shareable through that scope. 

The DSB noted that the consultation on Decision Proposal 267 – CX Standards | Telco Data Language will close on the 15 September.  They noted this consultation would be conducted over two rounds with a public workshop to be run during the second round of DP267 in order to facilitate the last round of submissions before the telco language standards are finalised.  They also noted that they are very interested in receiving feedback early, especially from telco stakeholders, to ensure that any significant concerns are addressed and keeping in mind the upcoming deadlines. 

The DSB also noted that the CX research is continuing on the data language standards and that this would be fed into the second round of DP267.

The DSB noted that Decision Proposal 229 – CDR Participant Representation would be published shortly and would determine appropriate and consistent ways to represent CDR participants in the CDR ecosystem, particularly in DH authorisation flows and dashboards.  They noted it was a core uplift, and projected consultation to occur somewhere during October and November.

The DSB noted that the research on CX of Authentication is progressing well and that they had finished the first round of research on the pilot state for the current state of the authentication flow.  They stated that they would publish a Noting Paper on this which would provide their research findings, via GitHub, in order to keep the community updated. 

The DSB noted that they had finished the first round on the Consent Review work to understand how the consent flow might be simplified while maintaining intuitive, informed and trustworthy consent experiences. They stated there was further research planned which was expected to conclude in late October / early November and would be followed by a public workshop in November. 

The DSB noted that they have released some new Open Source Assets that were coded prototypes of the consent flow, which were developed with PwC’s Indigenous Consulting (PIC) and the Centre for Inclusive Design.

One member noted that in terms of authentication and consent, that the DSAC had previously discussed the barriers for energy consumers not being able to provide digital consent and therefore they needed other means.  They asked if there were any further insights on how this would be managed? 

The DSB noted that Offline Customer Guidance had been published on Zendesk, co-authored with the ACCC, which was based on a request from energy sector stakeholders for how offline customers would share their energy data. 

One member asked if app-to-app authentication would be in scope, for some of the areas the DSB mentioned in the CX workstream update, because of some European examples that had driven a lot of take-up.

The DSB noted it was definitely in scope, and that the CX research, which was a key input into the Data Standard development and any authentication uplift, would be considered along with community consultation and other facts.  They noted that their first round of research looked at the “current state” (redirect with One Time Password (OTP)) and that each additional round would look at different modalities, devices and channels that might be used.  They said they would factor this into compelling authentication approaches, and that app-to-app is the next round of research to be conducted, based on community feedback that it should be supported, especially in banking.

Another member noted that in terms of authentication, in the telco sector Australian Communications and Media Authority (ACMA) had mandated a two-step verification.  On the consent flow they said they were concerned that they didn’t have to do two-step verification, which was a deviation from ACMA’s point of view, and they would be keen to have an offline discussion about this.

The DSB acknowledged that it should be discussed in further detail, especially as we move to other sectors and it is a question of priority in how those things are phased so that they can flow seamlessly.  

Another member asked if there was a current requirement for CDR User Identifiers for authentication flow, or was this currently up for discussion with the energy retailers? 

The DSB noted that this was currently with the energy retailers and it just needs to be a unique ID.  They provided a link to a knowledge article on user identifiers for authentication, which aren’t prescribed in the Data Standards but the identifier selected by the data holder (DH) must be unique to a single eligible CDR consumer. 

The Chair noted that it was going to be a very intense quarter with the range of issues that are coming up and quite momentous with the energy obligation dates arriving in the first phase which would be a very important day for the CDR.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

Issues Raised by Members

The Chair thanked all members who had tabled discussion items.  

Presentation on “CDR Consent Issues”, by Frollo

Tony Thrassis from Frollo presented an overview of failed (pending) consents in the Frollo consumer app as follows: 

Frollo noted that one of the important factors for CDR was the consent flow because that’s where the journey for a consumer starts.  And if the consumer’s consent was not successful then they are unable to retrieve CDR data. 

Frollo provided some data for the total failure rate of CDR consents for all DHs active on the Frollo Open Banking platform over the last year.  They showed a monthly failure rate of between 7.6% and 10.8% over a 12-month period.  A consent failure was defined as a case where a consent was obtained from the consumer but was then not successfully authorised by the DH.

Frollo noted that for the July 2022 period, the active or withdrawn consents totalled 15,659 with 1,869 failed consents which was 10.7%. They noted the numbers of consents in their dataset were substantial, which provided credibility to this analysis.  They noted that the numbers are slowly stabilising after the non-major banks came into the CDR, but it was still a significant amount.

Frollo provided a snapshot of failed consent for the July 22 period for a total of 7 banks. This showed a wide range of failure percentages between the 7 banks presented ranging from 4% to 20%.

Frollo noted that, of the issues consumers were raising with their customer service team, around 39% related to joint accounts not being available and 61% were DH errors.

Frollo noted that a number of scenarios caused CDR consumers to drop off when setting up a consent during the authorisation phase which are:

  • The user closed the DH’s authorisation browser window (the ADR has no visibility as to why they have closed the browser). Some reported reasons are:
    • Issues with the OTP
    • Consumers did not see all their accounts in the list of accounts to select
    • DH had a general web page error 

  • User pressed the cancel button in the DH browser (ADR is notified by a redirect from the DH); and
  • The DH system was not available

Frollo expect the 10.7% failure rate for July 2022 period to drop, and then stabilise by up to half of this rate once joint accounts come in, but that this failure rate would still be significant. 

The Chair asked if Frollo’s team had been entering the failed consents into JIRA as incidents for follow-up and reporting for the attention of the ACCC.

Frollo confirmed that they had, but as the volume grows raising a single ticket is becoming unwieldy.  They asked whether they should continue to raise these types of tickets, or should they ask the consumer to call the DH instead as this was becoming too onerous.  

Frollo noted that there was a broad category of ticket options under rules and standards, but this category did confuse them because it was too broad and undefined and does not clearly translate to the type of issue being experienced. 

The Chair agreed that he would like to see all of this detail because if there’s a persistent interpretation problem, he would like to see this addressed. 

One member asked whether there were regular discussions with the DHs on the performance standards and failure rates.

Frollo confirmed that they attend the Incident Management, Data Quality and Ecosystem Performance Working Group, which had commenced recently, and where these types of discussions were held.

The Chair noted that the failure rate of 20% for one bank for the period of July 22 was concerning, and whilst joint accounts would explain some of the failures, a persistent 5% failure rate, in something as fundamental as this, was not acceptable.

Another member asked whether we have an idea what percentage of the errors were coming from the DH systems not being available.  They asked, ‘are there any trends relating with the kinds of unique identifiers used by the DH to identify the consumer and if so, is that seen as a barrier?’

Frollo noted that it was a very small percentage.  They said the performance data indicated good availability so that was not the issue.  They said, in terms of the unique identifier, it really had to do with the OTP, and the majority used phone numbers and SMS, and they said they don’t see this creating any substantial reason for failures. 

The Chair asked the member if the member had any data on errors which they could share. The member agreed to investigate and come back with data if they were able to share.

One member asked if Frollo had a reconciliation of failed consents, and if the consumer had come back and had a successful authorisation, because this would be good to track over the coming months with the change from joint account management services (JAMS) to disclosure option management service (DOMS), which they said changes the balance. 

Frollo said they were able to track this as they had a “pending consent” state. 

One member noted that in telco, most of the authentication failures were due to fraudsters trying to access accounts which was not always a bad thing as it prevents fraudsters getting into the accounts. 

ACCC noted that the failure of consent requests was one of the issues that came up in the Incident Management Data Quality and Ecosystem Performance Working Group. One of the challenges was the lack of data about what happens to the consent request after it was sent off to the DH. One action that was requested by the Working Group was to ask the DSB to consider lifting the priority of the CX metrics consultation, and the ACCC said they were interested in the Chair’s thoughts around whether this work could be prioritised by the DSB.

The ACCC also agreed that some failure of consents was necessary and appropriate to the extent that they’re fraudulent attempts, in which case they should fail. 

The Chair noted that the DSB had previously run a consultation on CX metrics, but it received no support whatsoever. 

The DSB also noted that they could look into this, but they would need to do a bit of collective work on what exactly the framing for the consultation and the guidelines should be.

ACCC stated that there was a hierarchy of potential problems, starting with: could the ADR and DH connect to the register; could they engage in dynamic client registration; could they get consent from the customer; did the API interaction work correctly; and was the content of the API correct.  They said having a relatively high failure rate at the consent level meant it was a blocker to the rest of the consumer experience and that was a high priority issue for them to resolve.

The Chair noted that he was very open to the idea, as this was a priority for everyone and certainly for the Minister, and the government. 

Frollo suggested that DHs could be asked to provide some further information, and voluntarily look into resolving these issues as the problem does not sit with the ADR.

The Chair noted that he would be reluctant to ask the consumer to solve the incidents in the CDR system and “we” needed to find a way to prioritise and rectify this. 

One member asked if Frollo were looking at why consents failed and did they contact the DH that had high failure rates and if so, what were the responses? 

Frollo confirmed that they did raise tickets via JIRA and passed information to the DH to contact the consumer in regard to that issue.  

Another member, speaking in terms of the rank order of priorities, asked all ADRs present: if a hundred people were invited to participate in the CDR process, how many of them would actually go through it?  What was the conversion funnel and, from a scheme point of view, what was the biggest issue?

The Chair noted that this is a big issue because if 20% of consumer consents fail in some banks, people would come back once to try again, but not a third time.  In the current environment, the assumption from the consumer is that the ADR was the problem which may not be the case.

One member noted that this issue relates to the conversation that the DSAC had a couple of months ago around incentives and bug bounties. They said it was just not possible for companies like Frollo to be logging 1,869 tickets and it therefore goes to a broader ability to actually name the banks, because if a bank, as a DH has 20% consent failures, this is important information which is relevant and should be shared across the ecosystem, especially ADRs.  They also said this experience would not do anything to drive participation and uptake of the CDR, and it is on the DHs and needs to be dealt with quickly as this will create broader issues around confidence in the CDR.

The DSB cautioned against labelling all of these consent failures as failures.  They said there is definitely a problem with visibility and it’s one they can fix and/or make changes to the API metrics that the DH implement to get that granular visibility to understand the inherent problems. They also said that in a healthy consumer-led ecosystem, where consent is at the heart of it, positive cancellation is a good outcome. They said there could also be an element, albeit hard to quantify at the moment, where it could be malicious actors as well who are trying to game the system. They said they think it is quite easy to be able to measure but the DSB needed support to be able to move forward with changes to the metrics API in order to be able to better express, and expose, that information in order to be data driven.

Frollo responded that until these were proven otherwise, they consider them failures.  The Chair also noted that to consumers these would look like failures too.

ACCC noted that as the DSAC was looking at the consent process, it was important to get visibility of the outcomes of the process. They said they thought it was an unreasonable imposition for ADRs to have to raise an incident every time there was a consent that was not completed, and they’d rather solve it systematically at the level of looking at the consent process.

One member asked whether ACCC needs a more overall perspective of the ecosystem and, for example, if there’s an issue with one of the banks, whether they can jump in immediately and deal with the issue as opposed to waiting for things to bubble up – being more proactive vs reactive in nature.

ACCC noted that they had two categories of responses – the first was operational responses and the second was compliance and enforcement.  Operational responses are appropriate for a quick resolution, while compliance and enforcement responses necessarily operate on legal timeframes.  They said, one of the challenges was that the data was not visible to them, and therefore the incident management process was an important tool for them to collect data, but equally there were parts of the ecosystem where there was no data collected and having a mechanism to get that visibility was an important development.

The DSB agreed that it was necessary to look at CX metrics, and work on consent review and authentication.  They noted that the authorisation flow had been identified as an area to consider during the upcoming November workshop.

The DSB noted that they would benefit from community support with respect to CDR participants voluntarily providing details on what’s occurring. They said the Data Standard consultations around CX metrics had been around collecting details via an API but it would be useful to capture more quantitative data.  They said the detail in the Decision Proposals (DPs) was more around objective measures, which would be useful, but it was much harder to answer the questions that were more qualitative; for example, why it had taken so long and why the consumer dropped off.  They said this would lead them to ask further questions and conduct research to understand why consumers are dropping off at these points.

The Chair noted that he would keep this on the agenda and it might be useful if ACCC used the consent flow as a guide and looked at the Rules and Data Standards interpretation bar of the monthly report in order to identify issues that had been reported that might be helpful. 

Treasury Update

Emily Martin, Assistant Secretary of the Markets Group at TSY provided an update as follows:

TSY noted that they were close to releasing the Exposure Draft Legislation for Action Initiation which would amend the primary legislation and the framework to enable Action Initiation.  They also said they gave an overview of the principles, the entities involved and their broad thinking of the CDR at Intersekt last week, which they said was well received.

TSY noted that they had an upcoming consultation on changes to the Rules which would include maintenance changes, and also changes that would improve small business participation.  They said consultation would also include changes in delaying reciprocal DH obligations for newly accredited non-bank lenders for 12 months.  They said these changes to improve small business participation would expand how small businesses could share their data, including with bookkeepers, consultants and accounting platform providers.  TSY noted that they would also be consulting on telco rules in the coming weeks.

TSY noted that the release of the final report of the Statutory Review was likely to be tabled in the Parliament and released publicly in the coming weeks. 

TSY noted that there had been some changes to Parliamentary Sitting Days due to the Public Holiday that was occurring, and the suspension of Parliament for the passing of the Queen. They said it was likely that the Statutory Review would be tabled out of session and released on the same day. 

One member asked if there was any timeline that TSY are working to in regard to the obligations for the telco sector?

TSY noted that there was no firm timeline as yet but it was usually at least 12 months from when the Minister made the rules. 

ACCC Update

Paul Franklin, Executive General Manager ACCC CDR Division provided an update as follows:

The ACCC noted that they were on track for the implementation of data sharing in Energy of 15 November and were working closely with the energy DH in preparation for that.

The ACCC noted that the Incident Management, Data Quality and Ecosystem Performance Working Group had now met twice, and a range of issues had been identified including:

  • Proposed Service Level Objectives for DHs and ADRs for both initial response and final resolution
  • Clarified severity ratings, review and update the service management guide to update severity descriptions and add a glossary to clarify terminology
  • Review of the problem management workflow, including revised incident categories and workflow states. This would include today’s suggestion to review the category of ‘Rules and Standards Interpretation’
  • Education for participants on the problem management workflow, and levels of access for various user types
  • As discussed earlier in the DSAC meeting regarding failure of consent requests, participants would like more visibility of the outcomes of consent requests, with a suggestion that this may require consideration by the Data Standards Chair; and
  • A number of individual data quality issues had been identified, though there remains limited data available to quantify potential data quality issues. The ACCC said they were looking to opportunities to more systematically gather data to quantify those issues.

The ACCC said they were continuing to work with other CDR agencies and intended to hold the next meeting of the Working Group later this month.

Meeting Schedule

The Chair advised that the next meeting will be held on Wednesday 12 October 2022 from 10am to 12pm at the offices of ANZ which were located at 833 Collins Street, Melbourne. The Chair asked members to advise the DSB whether they would be attending in person or via VC.

 ACTION:  Committee members to advise the DSB if they are planning to attend the October meeting in person. 

Other Business

No other business was raised.

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  He also thanked Tony Thrassis from Frollo for his presentation on consent failures. 

Meeting closed at 11:32