Minutes - 14 Dec 2022

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 14 December 2022
Location: Held remotely via MS Teams 
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 49

Download meeting minutes (PDF 249KB)

Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Luke Barlow, AEMO
  • Jill Berry, Adatree
  • Damir Cuca, Basiq
  • Chris Ellis, Finder
  • Prabash Galagedara, Telstra
  • Melinda Green, Energy Australia
  • Chandni Gupta, CPRC
  • Rob Hale, Biza
  • Peter Leonard, Data Synergies Pty Ltd
  • Drew MacRae, Financial Rights Legal Centre
  • Greg Magill, Westpac
  • Colin Mapp, Toyota Finance
  • Deen Sanders OAM, Deloitte
  • Lisa Schutz, Verifer
  • Aakash Sembey, Origin Energy
  • Zipporah Szalay, ANZ
  • Tony Thrassis, Frollo
  • Barry Thomas, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Hemang Rathod, DSB
  • Mark Verstege, DSB
  • Vaughn Cotton, ACCC
  • Daniel Ramos, ACCC
  • Andre Castaldi, OAIC
  • Sophia Collins, OAIC
  • Zacki Assifi, Treasury
  • Karen Gan, Treasury
  • Emily Martin, Treasury
  • Kate O’Rourke, Treasury
  • Guy Richardson, Treasury
  • Nathan Sargent, Treasury
  • Peter Cebon, University of Melbourne
  • Rowan Doyle, University of Melbourne
  • Pruthvi Patel, University of Melbourne
  • Shaun (Zhong Xien) Yeoh, University of Melbourne
  • Stuart Stoyan, Fintech Adviser

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 49.

The Chair acknowledged the traditional owners of the lands upon which they met.  He acknowledged their custodianship of the lands and paid respect to their elders, past, present and those emerging.  He joined the meeting from Cammeraygal lands.

The Chair welcomed the new members as well as those who those who accepted the invitation to continue.  He noted that this is a voluntary role, and it does take time and effort and he appreciates their involvement. 

The Chair noted that the new members are: 

  • Alysia Abeyratne who is a Certified Information Privacy Manager, and Certified Information Privacy Professional who works at NAB and has advised on the CDR as a lawyer.
  • Peter Leonard from Data Synergies Pty Ltd who is a member of the NSW Government’s Artificial Intelligence Review Committee, and the NSW Government’s Information and Privacy Advisory Committee.  He is also a member and Immediate Past Chair of the Privacy and Data Law Committee of the Law Society of NSW and a member and Immediate Past Chair, Data Access, Use and Privacy Workstream of IoT Alliance Australia.
  • Drew MacCrae from Financial Rights Legal Centre (FRLC), consumer advocate who has been at FRLC since 2015, and been involved in CDR consultations since the CDR started.
  • Colin Mapp from Toyota Finance Australia (TFA) is the CDR lead at TFA and is our first non-bank lender (NBL).  He was exposed to the CDR in his former role at Cuscal.
  • Deen Sanders OAM from Deloitte is Chair of the Government’s Indigenous Tourism Fund and National Advisory Group, as well as Chair of the Business Council of Australia’s Indigenous Leadership Group.  He is Deloitte’s lead Partner for Integrity, Deloitte Indigenous, and Space Practice. He noted that it is overdue that we have a First Nations member of the DSAC.
  • Greg Magill from Westpac who sits in the Digital leadership team and holds accountability for CDR for the bank amongst other new digital development initiatives, including others working with government and agencies. He is replacing Jason Hair on the committee. 

The Chair noted that the regular updates from the Australian Competition and Consumer Commission (ACCC) will be provided by Daniel Ramos who is replacing Paul Franklin. 

The Chair noted that the Data Standards Advisory Committee Terms of Reference has been refreshed.  He noted the DSAC role is in an advisory capacity and is a vital role in the standards setting process and an important role in terms of future directions, rules and all the way through to accreditation, compliance and enforcement. 

The Chair noted that the December papers included the 2022 outcomes and outputs for the Data Standards Body (DSB), standards setting function and the inputs and contributions of the committee. 

The Chair noted that some students from the University of Melbourne (UoM) joined the meeting today to present on the project called “HomMe”. 

The Chair noted that Stuart Stoyan (Fintech Adviser) is an apology for this meeting. 

Minutes

Minutes

The Chair thanked the DSAC Members for their comments, and last-minute feedback on the Minutes from the 9 November 2022 Advisory Committee meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that all Action Items will be covered off in this meeting or have been completed. 

Working Group Update

A summary of progress for 2022 on the Working Groups was provided and these DSAC Papers were taken as read.

Presentation on CDR Innovation Project “HomMe”

The DSB noted that over the last six months they have been working with the University of Melbourne (UoM) on a program called Creating Innovative Engineering (CIE) and Innovative Professionals.  Rowan Doyle and Peter Cebon run the program and are attending the meeting today.

The DSB noted that they wanted to test whether the standards were able to be grokked (understood) by people who were outside of the regime, to build awareness, to test the innovative of Greenfields innovative potential of the CDR and whether they could identify barriers to innovation. 

UoM noted that the program had been running for 6 years.  They said they go out to external stakeholders and find innovation challenges and give to groups of students who have 12 weeks to come up with a proposal on how the innovation might happen.  They said they do approximately 60 projects a year and have worked with over 100 stakeholders.  The sponsor provides a mentor who works with their team and they learn innovation and leadership along the way.

The Chair noted that he has been delighted to be involved and hopes it has been beneficial and hopes to do another one next year as the ability to engage with our future and to help them on their journey as they help us has been tremendous.

UoM noted that they would be happy to speak to any members of the committee who would be interested in sponsoring a project outside of the DSB. 

The CDR Innovation Project HomMe – Innovation Opportunities in Open Banking video was presented to the committee.  Following the video a number of questions arose:

The DSB noted that students Pruthvi Patel and Shaun (Zhong Xien) Yeoh were online and happy to take questions. 

One member was keen to have a follow-on conversation with UoM about home loans and innovation in and around the CDR as they work for one of the largest comparison sites in Australia. 

One observer asked what where the tension or friction points and was there anything fundamental that we need to address? 

UoM responded that one of the main challenges they faced was that people might not trust the data they were using and therefore they would need to address this by making sure the system was trustworthy.  UoM noted that there appeared to be a general distrust which was focused on the CDR in particular – because people are generally not aware of the CDR.

UoM provided another proposal for an application that would help people move house, because when you move house, you engage in a series of activities all of which involve the CDR (e.g. telephone company, electricity supplier, refinancing etc). UoM said the idea was for an omnibus package that lines-up all the utilities and gets new contracts.  UoM said it became clear to them that the more providers that were lined up, the more anxious people were about privacy and data spillage between the various providers and this led the students to change the proposal. 

The Chair thanked UoM for the feedback, which he said was useful for our work on action initiation (AI) because what UoM had described was potentially one of the “killer” use-cases in that environment and roll out. 

One member asked how they tackled the issue of the final list of loans – was it the cheapest or over the life of the loan? 

The DSB noted that the students haven’t built the service they have only got to the concept stage. 

Another member asked if there was any reason why they chose this use-case?

The DSB noted that the proposal UoM put forward was for the students to do anything, as long as it was of value. 

One member noted the comments about the lack of awareness of CDR and the issue of trust was interesting. They asked if there were any other privacy concerns that arose, and were they from specific sets of users or from across the board?

UoM noted that the majority of users were concerned about their personal data and a small number were open to using their data to save time.  

Another member asked if during the design thinking, did they consider how often they needed to refresh their CDR data?  UoM responded that they had not gone done to that level. 

One member asked if it is easy to understand the CDR regime and the constructs.  They followed-on by asking how would we give the consumers comfort that they’re sharing their data in a safe way? And did it depend on the demographic, and did UoM get any feedback from the privacy element?

UoM responded that they had to educate most of the users about the CDR regime when interviewing.   

The Chair thanked Rowan Doyle, Peter Cebon, Pruthvi Patel and Shaun (Zhong Xien) Yeoh from UoM for the fascinating presentation.

The DSB noted it had been a pleasure working with the UoM.  The DSB also noted that they had volunteered to do this next semester and Hemang Rathod had volunteered to be a mentor. 

Technical Working Group Update

The further update was provided on the Technical Working Group by James Bligh as follows:

The DSB thanked those who have provided feedback to the recommendations from the Information Security Independent Health Check, and noted there had been good engagement around a number of topics as well as some practical suggestions. 

The DSB noted that the intent of the response document was to look at an acceptance of a number of recommendations contingent on further research. 

They noted in terms of “Recommendation 9 – CDR lock”, that this was effectively an “opt-in” mechanism for data-sharing and they are not recommending putting this into the Data Standards without doing additional research, which would require collaboration with other CDR agencies and public consultation. 

The DSB noted for each and every recommendation they have identified an appropriate change mechanism e.g. change request (CR) that they would consult on through a maintenance iteration (MI); or through a Decision Proposal (DP).

The DSB noted in terms of feedback on the authentication uplift and the calling out of alignment to credential level two which is part of the Trusted Digital Identity Framework (TDIF) documents.  The DSB noted for low sensitivity data, a single factor like one time password (OTP) would be appropriate, but for anything where there may be harm or damage to the consumer then credential level two or above would be required. The DSB said consulting on that proposal through a DP would be how they would make sense of the change from an implementation perspective, and not just from a consumer experience perspective.

The DSB noted that there are a number of recommendations around the register, which had some general support, but no specific feedback for those recommendations.  

The DSB flagged that they would be looking at the uplift of the register standards in support of AI, which would then be identified as appropriate in CRs.

One member noted about the approach moving forward with some of the recommendations, particularly on Recommendation 7 in Decision Proposal 258 around defending attacks.  They suggested there was a need to consider how we give feedback because if the security teams are talking through what is appropriate, it may be comprised in a public forum, consequently, there would be a need to consider how participants give sensitive feedback.

The Chair noted that in earlier work establishing the information security profile, exactly the same issues were raised and although he had a commitment to Data Standards development being entirely open, however, he didn’t want to broadcast potential vulnerabilities. 

The DSB noted that back in 2019 they had a lot of bilateral meetings particularly with the major banks and their security teams, where they agreed what would be said publicly in order to ensure that the Data Standards were not comprised. 

One member noted that some of the sectors (like banks) already participate in security exchange via the Australian Financial Crimes Exchange so that could be a potential opportunity to connect into particularly around payments initiation.

The member asked whether the independent assessment assessed the CDR portal as well, and if not, would that be considered as part of the final recommendation 32 on future assessments?

The member also asked if there was an opportunity, in terms of DPs, to bundle those outcomes potentially with the next sector go-live, which would seem sensible from an implementation for a lot of the participants.

The DSB noted that when they do the independent assessments, they carefully scope it out and have certain accountabilities.  They said the register standards are in their scope but the implementations by each of the individual banks, AEMO, Australian Energy Regulator (AER) and the CDR are not in their remit.  They said the independent assessments inevitably bring out risks on other participants in the ecosystem, which they pass on.

The ACCC noted being a government designed and operated system they are subjected to the information security manual (ISM) and they rigorously and routinely audit their cybersecurity capability, as well as having a cybersecurity team in place.  They noted that Treasury (TSY) in its capacity as lead-agency, had overarching accountability for the whole program. 

One member asked about the “CDR-lock”. Based on the learnings they had seen from the recent security breaches; they’ve also heard of a lot of credit bureaus seeing consumers putting bans on their files and they said it felt like there was an opportunity for the DSAC to think about how the CDR lock could be aligned with the ban mechanism. 

The DSB noted that this issue was fundamentally a policy and a CDR Rules question and it would be good to involve the Office of the Australian Information Commissioner (OAIC) and TSY in the discussions about the CDR-lock. 

The DSB agreed that combining some outcomes would be a good idea as there was a lot of stuff happening and there’s a lot of new sectors and how these changes are sequenced is critical, from not only a proposal perspective but also from a community perspective. 

One member noted that there was not a lot of input about the energy sector, and it’s a very different concept because the way energy companies know their customers.  They said there are a few existing controls that could be built-upon but caution would be needed around AI.   

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that they had provided an update and a 2022 summary, which was extensive.  Some key things they wished to call out. 

The DSB noted that the Consent Review was progressing well and they ran an interactive workshop with over 100 participants on 22 November 2023 followed by a consumer advocate roundtable on 29 November 2023.  A summary of the workshop contributions can be found here, and a summary of the feedback can be found here.

The DSB and the TSY had developed a design paper to seek feedback on the rollout of the CDR to the non-bank lending (NBL) sector. 

The DSB noted that there had been low levels of engagement for v2 of DP267, which related to telco data language standards.  They said they had extended the consultation period pending finalisation of the Rules to allow further time for feedback.

The DSB noted that the accessibility review which was conducted by PwC’s Indigenous Consulting and the Centre for Inclusive Design had been published.  This report outlined the review’s key recommendations and recommended an uplift of the accessibility Data Standards as well as CX artefacts and the capabilities of the DSB. 

The DSB noted that Noting Paper 280 on CX of Authentication and general authentication uplift work had been published.   They said this would focus on CX research being conducted to support the uplift of technical and CX standards for authentication and is expected to include the preliminary scope for CX research into authentication uplift, which had centred on stronger methods of customer authentication and cross-channel authentication experiences.

The DSB noted that the CX team had increased from four to seven and capacity had increased significantly.  For example, they had engaged just under 700 unique consumer participants in research which is more than a 250% increase to previous years.  They had also engaged around 1000 in total over the years since 2018 whilst seeing an uptick in terms of standards, consultation, design papers, noting papers, engagements guidelines development etc.  They took the opportunity to thank everyone for their patience when requesting feedback for consultations and papers etc. 

One member asked in regard to the PwC report, what is the plan for further issues of accessibility as there seems to be a lot more to unpack in relation to different communities not just for accessibility?

The DSB noted that this was a core part of the CX work and the report was a useful check-point from an independent organisation.  They said the accessibility review’s focus to begin with, was to be technical and the intention was to conduct this type of review on a regular basis. 

Prioritisation for Consultations

James Bligh addressed the outstanding Action Item on prioritisation of consultations and work for the next year.  The bulk of the work can be seen in the Future Plan.

The DSB noted that they have items in the backlog which they will not be targeting in the Jan-Mar quarter unless things change or they get feedback indicating they should. For the items labelled BAU these are the activities the DSB do all the time like Maintenance Iterations.  The engineering team will continue to align the engineering artefacts with the latest standards, and the engagement team will continue with implementation calls, support portal and visual productions. 

From a sector perspective, the DSB had two specific items for the telco sector.  To continue the Telco standards and the Accessibility data in Telco.   

The DSB noted that version 1.22 of the standards would be released next week and they would incorporate the updates from this quarter from the holistic review that had been provided by telco. 

The DSB noted that there is a specific consultation in relation to CX about accessibility data in telco. This was a data cluster that had been identified in the Designation. The DSB said they had feedback from OAIC and CX research that they needed to understand and get the voice of the effected people.  The DSB said they are thinking about reaching out to Vision Australia and Deaf Australia to get specialist accessibility advice.

The DSB noted that for the Energy sector, most changes will be made through the maintenance cycle.  The DSB said they are considering finalising with a consultation on commercial and industrial (C&I) customers, but they hadn’t finalised this as yet. They said that AEMO have however indicated that they would be proceeding with adding the market settlement and transfer solutions (MSATS), the last customer change date.  They said the addition of that field to MSATS would allow for the sharing of usage data that’s held by AEMO across retail ownership boundaries within certain constraints if consented to by the customer.  They also said the existence of that field in MSATS doesn’t trigger sharing to occur so they would need to also consult on the related Data Standards and potentially even CDR Rules in order to facilitate this. 

The DSB noted that this activity may trigger rich authorisation, which was something that had been on their backlog for four years, and was possible because there was granular authorisation with scopes.  They said this, however, may need rich authorisation, which would almost certainly be needed for AI. 

The DSB noted that they had a couple of items marked for AI (Fine-grained consent and Exploratory workshops for AI) and they were in discussions with the TSY policy teams in order to ensure they were synchronised. 

The DSB noted that they would need to prioritise the backlog items like CDR participant representation and NFRs.  Register metadata had been pushed into the second quarter because of capacity. 

One member noted that they thought last customer change date (LCD) was a really bad idea and the date that AEMO indicated for implementation of tier one retailers on 30 May 2023 was too early, because there were a lot of retail operations and processes that go behind it with associated risks, and they would be writing to TSY again about that.  The member also noted that in terms of AI, for the payment use-case and those sorts of AI interactions, it may not be suitable and they’ve already seen teething problems with extending the current data sharing into energy. They requested a forward view from TSY about what else might be coming into that space and how they could work through the Data Standards in the most effective way to avoid problems later down the track.

The DSB said in regard to the LCD that they’ve had a discussion with AEMO about their go-live date for the date filed to be populated within AEMO does not need to align and probably should not align with our incorporation into the Data Standards and into the CDR regime as a whole.  They said it would also have no value when it first goes-live because it would take a number of months to start being populated as move in and outs occur.  They said the earliest that they anticipated any change being implemented would be the end of next year (2023). They said they would do a consultation on this in early January and encouraged everyone to provide feedback. 

TSY noted that in terms of the work they are doing on AI and payment initiation, there could be different use-cases for AI apart from payments. They said the framework had been set-up such that all actions had to be first declared by the Minister.  Payments may be the first action, because that was one of the recommendations from the Inquiry into Future Directions for the CDR Report, but there hadn’t been a government decision as yet.  Treasury has begun work on policy issues and the specifications, and how the CDR Rules and Data Standards for general AI could work across different possible actions.

The DSB noted they had also discussed the need to understand actions beyond just banking and the purpose of those workshops was not to develop the Data Standards, because there was a lot of work on the CDR Rules and the policy-side and around designation, but to understand existing process architecture.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

The Chair noted the exponential increase in the engagement that comes through the involvement and inclusion of more sectors into the CDR. He thanked the team that was involved in the engagement.

Issues Raised by Members

The Chair thanked all members who had tabled discussion items.  

Presentation by Adatree “One month of CDR Energy go live”

Jill Berry from Adatree presented on “One month of CDR Energy go live” as follows:

Berry noted that open energy had been live for a month and she would like to talk about some learnings that had found during that time.

Learning # 1: Clear production communication channels/accountability were not in place

  • Introduction of secondary data holder (AEMO)
  • Issues raised - DH told Adatree to sort out with AEMO
  • Inability for Adatree to raise ticket with AEMO
  • Raise with ACCC directly, they all had a meeting

Learning # 2: Production didn’t work as expected/required

  • After 2.5 years of going live, the ACCC did not require full CTS (and/or require a full external audit) before allowing DHs to go live
  • Certain energy datasets unavailable
  • Complicated relationship with primary and secondary DHs
  • Could another ADR get usage data? We have to develop a customer API for it
  • Who would have known if this wasn’t tested and raised by us?
  • This directly relates to the NFRs that Biza raised previously
  • Missing PVT, which has been raised every meeting

Learning # 3: There was not a common understanding of expectations

  • Lack of transparency/knowledge of who was going live and what quality
  • Understanding exemptions and delays sooner
  • Rectification/exemptions schedule vs what actually happens
  • Impact to ADRs actually building to the regulatory timeframes
  • What was Optional standard vs mandatory rules?
  • Remove ability for there to be ambiguity/questions of interpretation (applied to both DHs and ADRs)

An example for banking was where mandatory data fields were not being made available.  Refusing to disclose this data impacted the viability of many promising CDR use-cases. They noted that it was mandatory in the Rules but was optional in the Data Standards which was problematic.

One member noted some files they see as mandatory to pass on if they held the data, but if they didn’t hold the data, there’s nothing to pass on so that could be the reason why it’s optional somewhere and mandatory elsewhere and they didn’t see these fields as fundamental.  

Adatree responded that the interpretation being taken by the DHs was in clear contradiction of the Rules, because it was explicitly outlined in the Data Standards.  As DHs were made to address their ongoing instances on noncompliance, Adatree said the DSB should consider how these requirements could be made clearer in order to prevent such interpretations being taken in future.

Learning # 4: There was no Trusted Advisor (TA) equivalent

  • Energy use-cases related to saving money on accounts, or switching to solar
  • The CDR Data Boundary was a major barrier to better consumer outcomes
  • Sharing CDR data to know where you lived, information on energy usage and get solar panels
  • Solar installers ultimately needed to see information about the consumer – they were not TAs, this was low-risk data and consumers ultimately wanted to leverage CDR for switching
  • CDR insights didn’t meet every data need
  • Privacy safeguards overrode utility

Learning # 5: There was energy downtime

  • AEMO had schedule of downtime – impacting usage data
  • How was this communicated to DHs, ADRs, Reps and end consumers?
  • Why was this acceptable? 

Suggested actions       

  • ACCC/TSY Post-mortem
  • Test full dataset(s) before Go Live.  Please stop putting the burden on ADRs
  • Create register of clarification questions for ADRs & DHs

Adatree asked if anyone was interested in testing their own energy data, because they would be happy to look at this in their developer portal and they could whitelist you for it. 

One member noted that the CTS was not meant to cover everything, which was why testing is one of the things they had been pushing for a long time, partly because the ACCC had been saying it was an obligation for DHs to test beyond CTS. The problem was that, as an ADR, they go to a DH that became live and the first thing they struggle with is the dynamic client registration (DCR) going wrong. They said the whole Production Verification Testing (PVT) mechanisms was missing. 

They also noted in regard to optional data, that it was a transparency issue because the CDR Rules stated that if the DH had the data, they had to show it, but it was specified as optional in the Data Standards, but they – as an ADR – didn’t know if the DH had it and therefore, they had had to build around this.

Another member noted that there were two streams here, the operational and the pathway stream which was about the TAs. They also said they kept coming-up with the same issue where they were placing a whole lot of additional controls and accreditation overhead on recipients and that kept getting in the way.  They said the first place this got in the way was in banking with the whole ecosystem around accounting packages and that’s why the TA pathway was invented. They said it also got in the way for brokers and third parties and that’s why the insights pathway was created. They then asked, why not just extend the insights pathway to insights related to those use-cases?  They then said the bigger question was that these barriers were going to keep coming-up and there should be proportional overheads for ADR, so was the CDR’s purpose to avoid screen-scraping or was it to create a whole new privacy overlay?

One member noted that from a privacy perspective, they didn’t see the TA concept as an off-ramp for CDR privacy safeguards because at the time when this concept was conceived there was a Privacy Impact Assessment (PIA) undertaken and the TAs in the banking space were considered to be safe because they either had fiduciary duties or other requirements which met the privacy safeguards. They said if the CDR was going to extend these concepts to other areas, they expected that there would be a similar sort of assessment. 

The DSB noted that on the testing topic, they had an engineering capability that could assist in that area but that had held back. They’d provided documentation, schemas, post collections and tools but not testing regime for the Data Standards as a whole as they had received feedback previously that this was an area that the private sector was filling, and they did not want to undermine a private sector market solution. They said they could redirect their engineering capability to look into this as part of the QA process.

One member noted that they had another step called Business Verification Testing (BVT), which may be the missing process.

One member noted that we were in a respectful standoff between public and private sector around PVT. They said we just need to say that we would do it, or not do it because everyone’s reticent or reluctant to invest in building a capability, and thereby produce clarity and certainty.

One member noted that they had a self-service tool that could be used but the issue was not the tool, the issue was the DHs didn’t choose to do testing at that point in time.  They said when there was an error, when you look at the issues management, there was no governing law that said they’ve got to fix something in a particular time. 

ACCC noted that on the CTS, their position had been that they were not in a position to underwrite the tech of DHs in that fulsome way. They said they had supplemented the CTS over time with mock tools and the sandbox but they would take the PVT issue on. They had a proof of concept that they had been working on and would work with a small group of willing participants and have something tangible by the February 2023 meeting. 

ACTION:  ACCC to convene a meeting with interested DSAC members to demonstrate the PVT proof of concept and to provide an update at the next meeting

One member noted that as a DH they had spent a lot of money in testing and in the beginning, they did pairing-up to do pre-production testing before they went live. 

Treasury Update

Kate O’Rourke, the First Assistant Secretary CDR Division, TSY provided an update as follows:

TSY noted that the Action Initiation Bill was introduced into Parliament on 30 November 2022.  After passage of the bill, there will be further regulatory work developing ‘declarations’, CDR rules and standards.  

TSY noted that they had published a Non-Bank Lending Design Paper jointly with the DSB which discusses rules and standards designs issues. The agencies are holding a follow-on session to discuss the paper and were keen to have people interested in the topic attend. 

TSY noted that they had a CDR Rules maintenance process and noted the suggestion made earlier by Adatree’s on the value of post-mortems.  They said they would continue to look at how things were going and tweak them in relation to the Rules or policy. 

ACCC Update

Daniel Ramos, the General Manager, Solution Delivery & Operations CDR at ACCC provided an update as follows:

ACCC noted that the launch of the Energy sector on the 15th of November was a significant milestone for the program.

The ACCC had granted a time-based exemption to Energy Australia, which was available on the ACCC website as well as the Rectification Schedule  which outlined all areas of full or partial exemption granted by the ACCC.

The ACCC noted that the 5th session of the Incident Management Data Quality and Ecosystem Performance Working Group was held on the 7 December where discussions centred on Service Level objectives with focus on resolution times across incident severity levels. They noted there were no enforceable SLAs between participants with respect to resolution of incidents.  The ACCC provided participants with an update on the recent changes they made to the Service Management Portal and the progress with the Data Quality Project, which was run within the ACCC team on the compliance side. 

The ACCC Registrar activated one new DH (Wise Australia Pty Ltd), two DR’s (Westpac banking Corporation and Verifier Australia Pty Ltd) and seven DR software products (Myprosperity Pty Ltd from Yodell, CDR Broker Access, moneyGPS from Accuracy from Adatree, Account Aggregation from NAB, Money Partner from Frollo and Rate Tracker Pty Ltd from Yodlee) and 12 CDR reps.

The ACCC noted that they expected to announce some regulatory outcomes by the end of the calendar year.  Accreditation and regulatory details are made by the Commission, and so Ramos said he could not announce the details until finalised. 

ACCC thanked the group for the year and the constructive engagement throughout the year and wished everyone a merry Christmas.

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 15 February 2023 from 10am to 12pm. 

Other Business

The Chair noted that at the February meeting the DSAC may spend some time - about 45 minutes - allowing members to share any reflections on what they’ve learnt, any insights for the CDR and improvements. 

ACTION:  Members to share 2022 reflections at the February 2022 meeting

The Chair confirmed that Minister Jones will be joining the March DSAC to provide some general feedback.    

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  

The Chair sent his compliments of the season and thanked everyone for everything they had done and the trusting way they had done it. 

Meeting closed at 12:05