Minutes - 15 Feb 2023

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 15 February 2023
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 50

Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Chris Ellis, Finder
  • Prabash Galagedara, Telstra
  • Melinda Green, Energy Australia
  • Rob Hale, Biza
  • Peter Leonard, Data Synergies Pty Ltd
  • Drew MacRae, Financial Rights Legal Centre
  • Greg Magill, Westpac
  • Colin Mapp, Toyota Finance Australia
  • Deen Sanders OAM, Deloitte
  • Lisa Schutz, Verifier
  • Aakash Sembey, Origin Energy
  • Stuart Stoyan, Fintech Advisor & Investor
  • Zipporah Szalay, ANZ
  • Tony Thrassis, Frollo
  • Barry Thomas, DSB
  • Elizabeth Arnold, DSB
  • Nils Berge, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • Rob Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Daniel Ramos, ACCC
  • Andre Castaldi, OAIC
  • Chad Batshon, OAIC
  • Emily Martin, Treasury
  • Kate O’Rourke, Treasury
  • Aidan Storer, Treasury

Apologies

  • Luke Barlow, AEMO
  • Jill Berry, Adatree
  • Damir Cuca, Basiq
  • Chandni Gupta, CPRC

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 50.

The Chair acknowledged the traditional owners of the lands upon which they met.  He acknowledged their custodianship of the lands and paid respect to their elders, past, present and those emerging.  He joined the meeting from Cammeraygal lands.

The Chair noted that since the last meeting the Data Standards Body (DSB) had been busy with two Consumer Data Standards released and a number of Noting Papers which were available for review.

The Chair noted that in partnership with Treasury (TSY), the DSB would be hosting a Workshop on Action Initiation on 7 March to examine the current landscape of actions initiated through existing digital channels. 

The Chair said he looked forward to welcoming the Hon Stephen Jones MP to the March Data Standards Advisory Committee (DSAC) meeting.

The Chair noted that Luke Barlow (AEMO), Jill Berry (Adatree), Damir Cuca (Basiq) and Chandni Gupta (Consumer Policy Research Centre) were apologies for this meeting. 

Minutes

The Chair thanked the DSAC Members for their comments, and last-minute feedback on the Minutes from the 14 December 2022 Advisory Committee meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that all Action Items would be covered off in this meeting or have been completed. 

Working Group Update

A summary of the Working Groups was provided and these DSAC Papers were taken as read.

Presentation on Consent continuity

James Bligh from the DSB presented on Consent continuity for Accredited Data Recipients and Data Holders as follows:

James Bligh noted that whilst he was presenting, the work had been undertaken by an interagency Working Group from the TSY Rules team, ACCC and the DSB (Elizabeth Arnold, Nils Berge) over the last couple of months in order to understand the problem of consent continuity in different scenarios.

The DSB noted that the regime was scaling and the number of Accredited Data Recipients (ADRs), brands, Data Holders (DHs), the CDR Representative model to the Sponsored Accreditation and the CDR Representative to Unrestricted Accreditation were growing.

The DSB noted that participation for both DHs and ADRs was also changing due to external factors, for example ADI license changes and brand ownership; mergers and acquisitions; and infosec changes.

The DSB had considered what would happen to the consents associated with brands under the CDR Rules, policy and standards, and what the implications would be. Because this had Rules, policy, enforcement and standards impacts, it had been a cross-agency analysis.

The DSB noted that their analysis considered a matrix of likely and possible scenarios against a set of factors, including what may prohibit the transfer, highlight technical challenges, or create a more beneficial outcome for the consumer.

Their assumptions included:

  • an accumulation of active consents should create value for a participant, but the concern was that these may not have a saleable value due to the inability to transfer them.
  • that consumers may expect continued service irrespective of ‘behind the scenes’ changes to legal structures and access models in certain scenarios but may expect to be notified or want to prevent changes in other cases.
  • loss of consent would trigger data deletion or de-identification by the respective entities in certain scenarios and this may disrupt services causing harm to the consumer.
  • where consents are broken, consumers may not go through the process to re-establish them, causing attrition and diminishing value. Where they are re-established, the ADR may not be able to access the same data or generate the same historical insight.
  • changes to DH platforms may be costly and require custom solutions to meet the expectation that such changes should not affect consents, including servicing authentication requests, data sharing requests and dashboard availability.

The DSB noted that ACCC had published guidance on Consent continuity and transfer of ADR Software Products which stated where things currently stand and the consensus of all the agencies working together.  The published guidance stated:

  • Under the CDR Rules, certain categories of consents are given by consumers to accredited persons, including affiliates, or CDR representatives. The CDR Rules do not provide for these consents to be transferred to a different accredited person.
  • The CDR Rules also do not provide for consents given to a CDR representative in the course of one CDR Representative arrangement to be transferred to a new CDR Representative arrangement, or to be relied upon after the arrangement ceases.
  • In order to give effect to the CDR Rules, the ACCC will not permit the use of a Data Recipient Software Product (DRSP) by a legal entity other than the legal entity that first registered the DRSP. In addition, the ACCC will not allow the same DRSP to be used by an entity that changes from a CDR Representative Arrangement to Sponsored or Unrestricted accreditation.

The DSB wanted to highlight the clear guidance because participants were making investment decisions around which models they chose, how they became an ADR and how they participated in the regime. If they were not aware of these restrictions, this could hinder their investment plans and the business models they were engaging with.

The DSB noted that if a participant changed from the CDR Representative model to an accredited level, they could not continue accessing the same consents they had under the representative model.

The DSB noted that more specific guidance relating to DHs was being drafted in order to convey that it was not permissible under the Rules to port authorisations to a new entity or system (e.g. in ING’s case, or through an acquisition); or break/revoke the authorisation to facilitate porting, before it was due to expire, if the consumer didn’t choose to withdraw it themselves. 

One member asked whether it was acceptable for a DH to amend a consent if this was done with reason rather than arbitrarily, or whether some consultation on that guidance should be considered before it came out, because they felt that DHs had an appreciation for circumstances that the regulators may not.

The DSB noted that there is a difference between guidance, which was clarifying what the Rules and the Data Standards actually said, and consulting on new Rules and Data Standards. This was guidance. They did note that there were many good reasons why an ADR may want to take their consents and move them across different models, but this was currently not available. This was the same for the guidance that’s being established for DHs.

The member responded that even though this was guidance, that it would have an impact on practical implementations, and invited the ACCC to discuss this offline.  

Another member asked about the statement that the ACCC would not allow the same DRSP to be used by an entity that changed accreditation status, and the guidance which said that if a DRSP registered by one entity could be used by a different legal entity, this could enable the new legal entity to use the existing consents given to the other entity and managed by the DRSP. They said the two didn’t seem to match.

The DSB noted that ACCC have said it’s possible to allow a software product to be managed by someone else, but they won’t permit it. They said the ACCC was taking the conservative position that they won’t allow that to occur under their function as Registrar.

The member noted that this position, and its subtlety, was difficult.

Another member noted that just changing one thing for a DH could have benefit and/or impacts to the ecosystem, including the DSB, and a conversation around roadmaps might be suitable.  They also noted that there was nothing in the guidance to say that an ADR could not withdraw a consent.

The DSB noted that the question of whether an ADR could arbitrarily revoke consents had not been looked at, mainly because it hadn’t come up as a value proposition. They said they would also take this question on notice as they should cover this off as well.

ACTION:  DSB to explore ADRs arbitrarily revoking consents

One member asked if the DSB had thought about this as being analogous to other scenarios where there is a transfer of legal responsibilities or legal rights from one company to another via an acquisition?

The DSB noted that the analysis completed had been around what the Rules, Data Standards and policy positions currently allow, not whether it was desirable. They said this was the current guidance on the current position, not necessarily where it should be.

One member noted that from a Non-Bank Lending (NBL) perspective, it caused them concern about who they would partner with going forward in order to become an ADR because it may restrict them later on if they’ve got bad performance or service, because if they wanted to change partners, they may lose all their consents and add cost to their solutioning.

The DSB noted that they were talking about authorised consents. Business models that were focused on once-off (like lending applications) were far less impacted by this because there was no ongoing consent to transfer.  They said somebody who was seeking to become an ADR or use the CDR to foster a business model with ongoing relationships and data sharing as part of the functional business model, however, needed to carefully choose their representation model, sponsorship model or full accreditation model and consider exactly how they proceed and their legal structure underneath that.

Another member noted that there were other elements of the legal framework that put different obligations on participants in the system. They provided the examples of the financial advice and investment market models, where there was almost a positivist obligation on providers in that space to apply information they had about consumers in the context of particular considerations or recommendations for things like financial advice. They said in these examples, the obligations or the data might be long-standing and relevant to future considerations around the construction of things like financial advice.

The DSB noted that the analysis was targeted on CDR authorisations and collection of consents and what the member was referring to had been covered in lots of other guidance that had been developed over the years relating to ongoing use of data for other legal purposes that had been collected under the CDR but had now got another intent, and this guidance did not change any of the previous guidance.

The member clarified that they were calling out nuances such as that, in certain circumstances, the institution must use the data they had collected to inform their decision making. The member requested a use case along these lines be drafted in order to provide future guidance that considers these obligations.

The DSB then presented the other findings of the analysis, as follows:

  • Any changes to the OSPs that are involved after a consent has been given may warrant communication to the consumer (not a current obligation).
  • Changes such as a takeover of the legal entity of the accredited person or changes to the details of a DRSP may trigger an accreditation review before those changes are permitted.
  • If a DH makes changes to their implementation without due care, they have the potential to disrupt consents, harming the value of the service provided to the consumer by the ADR.
  • Determined that participant naming may be important to consents (current and historical) and that name changes (including legal entity, brand and software product) may need to be considered carefully, including history of changes to participants over time.
  • Consumer experience is important in the selection of DH brands (with respect to naming) and how the consumer would then find dashboards to review current and historical authorisations (for example, if they were split across different platforms with different names due to customer segmentation or infosec configuration and upgrades).
  • Some scenarios may involve complex technical migration to be successful:
    • potential changes to CDR Register relationship and lifecycle model
    • CTS requirements
    • consideration to Data Standards including infosec, PPID, ID permanence etc.

The DSB said that, given the feedback from the DSAC members, issues had clearly been raised and they believed more detailed guidance would be helpful, but they wanted to know how urgently different scenarios, or “participant pathways”, needed to be explored.

The slide deck which included the full list of “Other Findings” and “Next Steps” was provided as an attachment to the minutes. 

One member noted that when there was a lot of merger and acquisition activity, particularly in the mutual sector, it was interesting because if a consumer determined they wanted to change bank, there was a general awareness that their transaction history and account information wouldn’t be migrated. They said therefore if a consumer initiated a change of bank, they felt that it would be okay that consents would need to be recreated. They said, however, if a bank chooses to merge with another bank, their data would be migrated and history continues, and they expected that those consents should also be migrated and continue to operate. They noted that core banking systems operate very differently under CDR and bespoke, and migrating consents would be interesting and challenging.

One member asked whether, if there were going to be Rules changes in the future, the DSB would be speaking to actual consumers to get a sense of what consumers would be expecting to be done with their consents. They also said it was important that consent was the central, and only, consumer protection embedded in the CDR system and therefore caution was necessary when exploring this territory.

The DSB responded that they always sought consumer feedback and consumer experience was a critical aspect of this.  They noted that there would be certain circumstances which could be anti-consumer not to allow the consents to move and other circumstances where it could be anti-consumer to allow the consents to move; and other circumstances that could be grey-areas where consumers should be notified to allow the movement.  They suggested that creating tools for the regulators to handle this complexity may be worth considering.

One member noted that he wanted to suggest three categories of issues to assist with the framing of the problem: i) the accredited person position (from one rep to another or to a different structure etc.) and concerns or boundaries; ii) the DH and their brands, whether changes to their systems were required, and other impacts to them; and iii) technology platform issues during migrations.

The member noted that as an ADR, at the moment being able to withdraw a consent was sometimes the only way to solve a technical problem, and then recreate the consent and re-establish the tokens that are required in order for data retrieval to occur.

One member noted that this was a good topic for 2023 and should be looked at by the DSB and CDR agencies. 

Another member noted that it was important to get a consumer perspective but it is also important not to overcomplicate it. They said if an entity had the ability to transfer a service from a merger and acquisition, they didn’t want consents getting in the way. They said consent, privacy and the consumer’s ability to control data are important, but that we are not far away from having real impact on services that people are receiving via CDR, and therefore managing these consents shouldn’t override broader commercial relationships that existed between an institution and its customer.

One member noted that in terms of the ACCC guidance, they would be keen to feed into that from a DH perspective and provide some concrete examples.  They said they understood that the guidance is not the Data Standards or the law, but in the context of such a new regime, many participants rely on this guidance for interpretation.

The ACCC reiterated that the guidance reflected the current state of play. ACCC invited members to provide any useful scenarios to the ACCC as scenarios were useful for giving life to the guidance.

TSY noted that it had been useful to hear the policy, Rules, guidance and technical perspectives and noted the importance of the topic, particularly the observations around consent and the role that consents played at the heart of our regime.

The OAIC noted the importance of consent.  They stated they were here to help with early engagement on the Privacy Impact Assessment (PIA) work as privacy was the CDR’s core value proposition for the consumer. They noted that the CDR was complex and nuanced but they believed they had the mechanisms and tools (e.g. dashboards and notifications) to deal with these issues. 

The Chair thanked all members for their input on this important topic and active discussion which had been very helpful. 

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh as follows:

The DSB noted that in terms of the DSB Quarterly Plan, they were progressing well with the Jan-Mar quarter and there was quite a lot going on.

The engineering team had set up quarterly objectives and key results (OKRs) and Maintenance Iteration # 14 had commenced. There was also a lot of preparatory work for NBL, telco, and action initiation.

The DSB invited members to look at the Plan and provide comments either out-of-session or at the next DSAC.  They noted that at the next DSAC they would be seeking feedback about what they needed to prioritise for the next quarter.

ACTION:  DSB to seek feedback at next DSAC about prioritisation of Apr-Jun Quarter Plan.

One member noted that the Future Plan was very useful but asked if the DSB had thought about prioritising further ahead?  They noted that large organisations for example, have investment pipelines well into the middle of 2024. 

The DSB replied that they had a strong desire to do that, but they are order takers.  They noted that there was an active conversation around an integrated plan for the regime and they thought that would be the mechanism to facilitate this request.

The Chair amplified this view, in terms of a desire to do this, and the role of the integrated schedule in this.

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that the DSB and TSY were collaborating on a Design Paper on the first phase of consent model simplification following the closing of Noting Paper 273 in December. They received good feedback and engagement at the consumer advocate Roundtable and the workshop.

The DSB noted that a CX research report for the consent review was being finalised for publication and would include feedback around concepts of supporting parties and analysis around parallels in jurisdictions like General Data Protection Regulation (GDPR) where there were requirements to notify consumers if sub-processors, which were the equivalent of “supporting parties”, change.

The DSB noted that the CX data language standard Decision Proposal 267 was being left open indefinitely, pending the finalisation of the telco rules.

The DSB noted that a separate Decision Proposal on telco accessibility data was planned to consult on the proposed treatment of telco accessibility, product and consumer data in the technical and CX standards. They said they would welcome feedback from all stakeholders, not just from the telco sector as the intention was to be sector agnostic.

The DSB noted that Noting Paper 279 on accessibility uplift recommendation was open for feedback. A DSB response to PwC Indigenous Consulting and the Centre for Inclusive Design’s recommendations was pending. 

The DSB noted that Noting Paper 280 was published in response to requests from DSAC members to share the DSB’s approach and scope for authentication-uplift research. They said they had received some excellent feedback, which validated the intended approach.  The thread would be kept open so ongoing discussion can occur. 

Two CX research reports have been finalised and linked to the NP280 thread and explored things like the current state of identity issues and Web-to-App and App-to-App authentication, which had been proposed a few times. They noted that it was not their intent to have a bespoke CDR approach, but they were trying to understand where they might need to propose amendments to the Data Standards in order to accommodate other approaches to authentication.

The DSB noted that another round of CX research was underway in order to consider support for Decoupled Authentication and a ‘waterfall authentication’ approach, which had been raised by a DSAC member previously.

The DSB thanked Biza for the change requests for CX guidelines, which were progressing well and were a cross-agency effort. They said they were expecting knowledge articles to be published as a precursor and they are developing a process to then amend the CX guidelines, which would enable the CDR agencies to contribute.

One member requested, with respect to Noting Paper 273, instrumentation of the flow, as they said they were a little blind once they collected the consent and redirected it over to a bank to authorise. They said at the moment, as an example, there was no way to give a customer or bank any information about consent issues when they occur.

The DSB noted this request, and undertook to follow-up with the member.

ACTION:  The DSB to follow up with member in terms of instrumentation and resolving issues

One member asked whether the DSB was looking at the Digital Identity Framework the government was working on and whether there was an opportunity to simplify and uplift authentication experience through this framework.

The DSB noted that they were quite aligned with the Trusted Digital Identity Framework (TDIF) requirements, which was currently going through a round of revision. They also said the American standards (National Institute of Standards & Technology [NIST]) that the TDIF relies on were also going through a round of revision. They said they had intentionally remained aligned with TDIF and intended to remain so.

One member asked whether it was time to think about an Operational Working Group, as operational themes that cross different aspects of implementation had been presenting themselves. They said this tied into the operational metrics, traceability and interoperability with TDIF and Digital ID etc. This view was supported by another member, who noted they were disappointed that the Statutory Review didn’t support an Implementation Entity, which they believed was necessary.

The Chair noted that the question around an Operational Working Group was a good one, and they would think about it and come back with an update at the next meeting.

ACTION:  DSB to provide an update on the Operational Working Group at the next meeting  

One member noted that in terms of the paper on authentication, from their perspective they were keen to focus more on the methods and methodologies for authentication. They said they had a lot of experts within their teams and they would be keen to be part of that conversation. 

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

The Chair noted that in partnership with TSY, the DSB would be hosting a Workshop on Action Initiation (AI) on 7 March in order to examine the current landscape of actions initiated through existing digital channels.  He said this was an important event for AI.

One member noted that they would be keen to discuss a separate consumer workshop which would be useful.

The DSB responded that the focus of the AI workshop was to understand how existing payments services were facilitated separately to the CDR in order for them to understand existing business process.  A customer focussed workshop once AI Rules were drafted was something to be discussed with TSY.

Issues Raised by Members

The Chair noted that no issues were raised by members for this meeting. 

2022 Retrospective

The Chair asked members for feedback on things that were good, and things that could be improved as we were looking to improve everything that we do.

One member noted that there were some great things that happened last year in CDR and often we focussed on the problems and didn’t give ourselves recognition for the work that had been done. They provided some examples: getting energy live on time, achieving lots of Future Dated Obligations (FDOs), broadening/more diversity on the DSAC and getting Financial-grade API (FAPI) over the line.

They also noted that the DSAC was burdened with carrying all the things that didn’t fit anywhere else, which was often why we end up talking about Rules, OAIC’s guidelines, Production Verification Testing (PVT), the volume, frequency and the timelines around Data Standards etc.

One member noted that the DSAC worked but we got dragged into Rules and other conversations and perhaps we should have had a little less of that given the time. They said the key areas we covered were great, such as Data Standards, consent, data quality and processes. They suggested some further areas to look at, including Data Standard efficiencies (e.g. get transaction and get transactions details); the gentleman’s agreement of not naming participants when raising issues and whether this should continue; the need for an aligned roadmap; and the Operations Working Group. They also noted that Elizabeth Kelly did not adopt the Open Banking Implementation Entity (OBIE) construct, but this needed to be discussed again because it is missing in the ecosystem.

The Chair noted that the minutes are made public so it was more than the DSAC participants who had access to them. He said the DSAC started off with a protocol of not naming the person raising the issue, which has widened to not naming particular participants in an organisation, especially because some of them were not present to defend their side of the story. But he said he was not averse to reviewing this position.

One member noted that they were new to the DSAC and they deeply admired the technical-depth and specificity that members bring to the conversation and the details in the minutes. But they said they would like to raise caution about spending time swimming in the detail, because we could miss the larger story and what it is about. They suggested for 2023 that we should check-in with where we are in the journey, and reflect on what may have been missed in the over-arching narrative or purpose.

Another member noted that having an OBIE-like implementation forum would be timely, as would a roadmap from all CDR agencies beyond open finance, including a target state and the framework on deciding FDOs. They noted that the DSB receives feedback from participants around impact assessments on being able to meet implementation dates, but moving ahead they would like to have another look at the change management processes, especially for breaking changes. They emphasised the importance of this by enumerating the broad range of sectors now involved, including utilities, telecommunications, open finance, and AI.

The Chair agreed that AI, due to its complexities, would have a major impact on this, and suggested this was again pointing back to the integrated schedule and the timing of that. He also said it was important that the operations element be reflected adequately in the integrated schedule, as well as the development and rollout of new functionality, sectors and data.

One member asked if we were thinking enough about the customer adoption phase and whether that was within our scope.

One member noted in terms of energy retailers, it had been quite complex and there was an interplay of Rules guidance as well as Data Standards and energy retailers were still grappling with the last consumer change date, which basically enables ADRs to get hold of a greater amount of electricity metering data for customers. They said this was complex and there were many discussions between the DSB, TSY and Australian Energy Market Operator (AEMO) where assumptions were made on practicalities, which would be best consulted on.  They said they were concerned by the timeline for implementation; and they thought their learnings should be applied to the telco sector.

One member noted that he had worked in complex technical regulatory competition regimes for about 40 years and the CDR was right up there in terms of complexity. They said we should have as a guiding star whether we as an organisation are thinking enough about reducing complexity, and recognising complexity itself as a barrier to entry. They said this regime was fundamentally about reducing barriers to entry, competition and consumers moving between services, and we have a key role in endeavouring to reduce complexity. They said on the CX side, great work had been done about managing complexity from the consumer viewpoint, but we may not have been as good at reducing complexity on the supplier side. They said they worried that too much of our guidance was paraphrasing and synthesising the various regulatory instruments rather than moving to scenario-based examples and practical things for new entrants to engage with this complexity of the CDR, on the supply side. They thought the CDR provided better guidance than other Commonwealth programs, but felt that we could lift our game.

One member noted that TSY and ACCC updates were at the end of the DSAC meetings and we tended to run out of time to have a healthy discussion on important topics. They wondered if we could schedule those updates to earlier in the meeting in order to allow healthy conversations with them. They also suggested there may be value in having a regular monthly update on success metrics. 

The Chair suggested bringing those updates earlier in the meeting to road test this suggestion at the April meeting, because of Minister Jones attending the March meeting.

One member noted that they would like to see the Operational Working Group up and running, a Strategy (strategy review is a good framework) for a considered direction of where we might be going, and accountability for the whole. 

One member noted that they have been advising on CDR from a privacy perspective for the last couple of years and they think there had been a level of complexity inherent in the regime.  They said as a practitioner in the space, they relied heavily on the guidance and the interpretation and what’s published by regulators.  They said therefore it was incumbent on participants to feed into this guidance with their practical perspectives from the operational side.  They also said they supported a consideration of the broader narrative and strategy of the CDR, and what may be being missed at the moment, as well as saying they supported an OBIE.  They thanked the Chair for the opportunity to be part of the DSAC.

The Chair thanked all the new members for the contributions they brought with their fresh eyes.

One member noted that the CDR needs to become a better mouse trap.  They said now was the time to shift towards an outcomes focus, and on what we were tangibly delivering for consumers and the benefits we were providing that were enriching lives economy-wide.  They said if the CDR didn’t become a better mouse trap then something else may come along. They said we should be incredibly proud of what we had achieved but we need to focus on the actual impact we’re having on the economy, the benefits we were providing to consumers, and how we drive that home to be able to deliver the vision we set up 5 years ago to create the data infrastructure for our economy.

One member noted that this was a highly valuable forum and there was an intangible benefit of the work that goes on outside of this forum in terms of the connections that we had as advocates.  They thought this forum should be strategic and operational and the trick was to get the balance right. They said they would like to revisit the metrics and successes.  They also mentioned that different sectors were at different maturity phases, which brought a certain set of issues, which needed to be balanced out.

The Chair thanked members for their feedback and for volunteering with the DSAC. He also noted that everybody involved has taken a national interest mindset to what we were doing and it was incredibly impressive and something that we didn’t take for granted at the TSY, ACCC or the DSB. 

Treasury Update

Kate O’Rourke, the First Assistant Secretary of the Consumer Data and Digital Division (CDDD) at TSY, thanked the group for their reflections on the workings of this committee, which they said was really helpful for TSY to hear.

TSY noted that they had other forums like the Implementation Advisory Committee and Strategic Forums on policy issues, and they would apply a similar reflection to make sure they are the best they can be as well. 

Emily Martin, the Assistant Secretary of the CDDR at TSY, provided an update on the Action Initiation Bill.

TSY noted that on 9 February the Action Initiation Bill was referred to the Senate’s Economics Legislation Committee, which has called for public submissions.  Submissions are due by 6 March and the committee will report by 23 March.  They encouraged people to have their say on the Bill.

TSY noted that the Bill was introduced into the House on 14 February, supported by the opposition and referred to the Federation Chamber for debate.  After a short period of debate, the House of Representatives passed the Bill on 15 February.

TSY noted that it was great to see the progress on the Bill and they looked forward to seeing the Senate’s Report, and ultimately the Bill through the Senate as well.

One member asked if there was a summary of the changes between the Exposure draft and the current Bill and whether all the issues raised were addressed. 

TSY noted that changes were made between the Exposure draft and the final Bill. TSY noted changes were also made to the Explanatory materials to clarify a number of areas where submissions raised issues or sought further clarification.  In particular there were some issues raised in terms of privacy and concerns around smaller businesses not being subject to the same privacy safeguards.  TSY agreed to follow-up with the member.

ACTION:  TSY to follow-up with the member on changes that were made to the Action Initiation Bill.

TSY noted that they were working very closely with the DSB on AI, and they would be happy to have a follow up workshop for consumer groups. 

Aidan Storer, the Assistant Secretary of the Regulatory Frameworks Branch from CDDD at TSY, introduced himself.  He has recently joined the team, previously heading up the TSY office in Perth. He noted that the meeting had been very useful and enlightening, particularly around the Rules space, which fell within his branch.  He said he was looking forward to observing and providing feedback down the track.

ACCC Update

Daniel Ramos, the General Manager, Solution Delivery and Operations CDR at the ACCC, provided an update as follows:

The ACCC noted that since the last DSAC meeting in December the ACCC Registrar had activated 12 software products, mostly from Basiq but one from Adatree. The software product “Waave” was deactivated as a software product of Adatree because it was activated as an ADR in its own right.  Software product “Capital Road Services” was made inactive (previously a software product of Basiq) because the representative arrangement ended on 31 December. The ACCC had activated one new ADR, which was Bank of Queensland with their money management product under the Virgin Money brand.

The ACCC provided an update on Product Verification Testing (PVT).  Following a conversation at the December meeting, the ACCC met with interested members offline to get an understanding of the topic.  They uncovered a range of issues, including: no shared definition of some of the terms they use; some related to PVT; and others related to more general issues or issues that overlap, such as data quality and the definition of certain terms in the Data Standards (e.g. the term “Optional”).

The ACCC noted that a lot of issues were raised at that meeting and they felt that a useful next-step would be to meet with participants individually.  They said that so far, they had met with seven entities and had a few more to go. 

They said the feedback received was that the majority of participants see value in a PVT testing-like capability.  They said, however, there was an open question whether the ACCC should play that role or whether it should be filled by the market organically, or indeed whether there was a hybrid approach for the ACCC to undertake a Request for Information (RFI) type process and gauge the interest of community members.  They said there was an obvious disclaimer that the ACCC or any other CDR agencies would require funding for this that they did not currently have.

The ACCC noted that production test accounts came up a lot, with various restrictions and constraints depending on the sector.  They said they hadn’t appreciated some of those nuances. They said there was a general knowledge that challenges existed but they were not CDR-specific challenges, but rather challenges with enterprise software delivery in these sectors.  They also said they heard a clear message to increase the attestation obligations of DHs beyond CTS, and a separate but related message to increase the regularity where they might undertake that sort of testing.

The ACCC noted that they would provide a summary of the issues raised and next steps at an upcoming DSAC.  They also said they had extended an invite to members who are interested in this topic to reach out for further discussion. 

ACTION:  ACCC to present at the next meeting on PVT and other issues raised from 1:1 meetings

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 15 March 2023 from 10am to 12pm. 

The Chair noted that we were planning to hold the May meeting in person in Melbourne.  He asked any member interested in hosting that meeting to please reach out to the DSB.

ACTION:  DSAC members to reach out to the DSB if they are interested in hosting the May meeting

Other Business

The Chair noted that Minister Jones was scheduled to attend the March meeting and he would ask the Minister to provide an update to the DSAC on where he is at on the current and future of the CDR, and where we can help both directly and indirectly, which would be followed by questions from members.   

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  

Meeting closed at 12:01