Minutes - 12 Jul 2023

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 12 July 2023
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 55

Download meeting minutes (PDF 210KB)

Attendees

Chair Introduction

Barry Thomas, the Assistant Secretary of the Data Standards Body (Chair) chaired the meeting and thanked all committee members and observers for attending meeting # 55.

The Chair acknowledged the traditional owners of the lands upon which they met. He joined the meeting from the Wurundjeri Woi-wurrung and Bunurong Boon Wurrung peoples of the Eastern Kulin and pays respect to their Elders past, present and emerging.

The Chair noted that version 1.25.0 of the Standards had been published and the Maintenance Iterations are continuing.  The CX Team has released the Authentication Uplift Comparison Report which will be foundational in their work over the coming months. 

The Chair noted that the majority of the DSB team is made up of contractors and the DSB has recently completed a procurement round resulting in the re-engagement of our existing team of contractors. 

The Chair noted that Andrew Stevens the Data Standards Chair is an apology for this meeting.  Committee members Chris Ellis (Finder) and Deen Sanders OAM (Deloitte) and Observer James Kelly (TSY) are also apologies for this meeting.      

Minutes

Minutes

The Chair thanked the DSAC Members for their comments on the Minutes from the 21 June 2023 meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that all Action Items were either covered-off in this meeting or had been completed. 

Working Group Update

A summary of the Working Groups was provided and these DSAC Papers were taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh as follows:

The DSB noted that version 1.25.0 of the standards has been published which included Maintenance Iteration # 15 (MI15) and changes arising from metrics and NFRs.  They are due to promote the Workshop on NFRs in Sydney, hosted by Data61 which will be held on 18 August.  NAB had kindly offered to host the Melbourne workshop in late August. 

The DSB noted that they have an open consultation on non-bank lending (NBL) and a Consultation on the use of Last Customer Change Date (LCCD) in the CDR for the energy sector.  They expect this to be the first consultation to understand the issues with an expectation of further consultations. 

The DSB noted that in this release of the standards they have taken the telco standards and moved them to a “Candidate” standard which is a stable standard, but not binding.  They said this will not change unless a decision proposal goes to the Chair which gives implementers relative confidence to implement to that standard.  They said it also allows the DSB to keep it documented without having it on the main standards page with the other binding standards.  They said they intend to do the NBL standards in a similar way by publishing a draft standard in a subset. 

The DSB noted that they have published a set of ‘Experimental’ standards to explore Action Initiation design assumptions.  They said they had been discussing this approach internally for a long time and had decided to move ahead as a way of exploring future directions without creating an expectation that the experimental work they are doing is in any way an indication of policy intent.

The DSB noted that they continue to plan for the next quarter. They said the engineering team are fleshing out testing documentation, test data manufacturing and upkeeping the artefacts with the changing standards.  They said they are in discussions with the ACCC participant tooling team around how they can collaborate around their mocks etc.  They said in version 1.25.0 of the standards they also link to ACCC published deployment schedule. 

One member asked in regard to Decision Proposal 288 – Non-Functional Requirements Revision and the GetMetrics Future Dated obligations.  They asked if there was any update on their request to push this back by one release cycle so that version 4 Future Dated Obligations are aligned with Y24 and version 5 aligned with Y24 # 2.

The DSB noted that they have responded to this as part of the consultation. They said they had moved back the second milestone in response to the feedback.  They said they didn’t move the version 4 milestone because of the impact on the tranche # 3 retailers in energy who would have had to deploy with one version and then three months later deploy a different change.  They said the other reason was that the demand for the data is fairly significant so they deliberately structured version 4 to make it relatively easy to implement based on the feedback they received.

One member asked about what consultations were coming up in the NBL sector. 

The DSB noted that they published Noting Paper 292 – Approach to developing Data Standards for the Non-Bank Lending Sector which included the approach and the schedule.  They said they didn’t receive a lot of feedback so they are proceeding with that approach.  NBL will basically be the banking standards - they will not create a NBL set of standards, with variations.  They said the key differences will be around the addition of “buy now pay later” (BNPL) products and any specific variations required to support NBL. 

The same member noted that in the NBL sector, there are not large transactional volumes – a user may do one payment per month/quarter, and therefore in terms of transaction volumes, the consumer behaviour is different to the banking sector. 

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that the focus over the last month has been the authentication work with Noting Paper 280 remaining open for community discussion.  The fourth report has also been published online which contains summaries and comparisons of all the recent CX research conducted on this topic, including an improved Redirect with One Time Password (OTP) flow; App/Web to App with Biometrics; Decoupled with QR Code.    

The DSB noted that App/Web-to-App was the best performing model when it came to System Usability with a score of 82.88, followed closely by Redirect with One Time Password, which scored 82.61. Decoupled scored slightly lower at 74.29, but this is still an above average score.

The DSB noted that they will present on the authentication uplift topic at the CDR Implementation Call on Thursday 13 July.  They said this session will cover the key findings and opportunities from the CX research along with a brief overview of the DSB’s approach to CDR authentication uplift. 

The DSB noted that they are working on an initial Decision Proposal to consult on the step-up and waterfall authentication approach which they hope to publish soon.

The DSB noted that CX research and analysis for Action Initiation was continuing.  They said research preparation was currently underway to explore A/B testing options for payment initiation and Action consents to open new products/services. 

The DSB noted that in collaboration with the technical team, a decision proposal on utilising the Last Consumer Change Date (LCCD) was being drafted to follow NP307. They said this paper outlines options for CX standards to facilitate the sharing of historical energy data from previous retailers.

The DSB noted that the publication of the Consent Review Design Paper and the accompanying CX research report were still pending further approvals.

The DSB said they had been in a planning phase following the recent Budget announcements, and the CX team expect to be busy for the next 6 months facilitating a range of consultations. They said these would likely include accessibility standards uplift; authentication uplift; any v5 rules standards work; NBL data language standards; consent review progression; consultation in relation to screen scraping and CDR; and Action Initiation use case consultations.  They said these items will progressively be added and phased in the DSB's public future work plan.  

One member noted they’ve been having some engagement on insight notifications via SMS.  We have a set of [CDR] Rules that are very prescriptive about what has to be done, but how to supervise and manage those rules in practise was a different matter.  They said the issue for SMS notification of insights is that every single insight has to be listed fully; when it gets too hard, maybe SMS is not an appropriate channel.  They suggest we reverse our thinking and say that SMS is an appropriate channel for communicating notifications. The information provided should reflect what is reasonable in all the circumstances for giving a notification including the fact that SMS is a limited mechanism and consumers are time poor.

They asked whether we continue saying how we’re going to run the user experience defined by CDR Rules that were written a while ago, or do we start to enforce those Rules via a reasonableness test?

They noted the example in the responsible lending space of their reasonableness test, and in these guidelines, ASIC talks about reasonable in all the circumstances and concepts of scalability.   They hate the fact that we might chuck out SMS notifications just because we’ve got black letter law that says something heavily prescriptive.  They would prefer that we didn’t have to keep engineering user journeys based on law and also not to have to take reengineering the law in order to create a good user journey.  They asked whether there is enough trust in the ecosystem to start to be more flexible.   

TSY noted there has been a lot of work around consent following the consent review consultations last year, including focus on consent CX, and asked how we can make things more efficient and streamlined, while ensuring consent is informed. 

TSY noted it is useful to hear these perspectives and get a sense of how it applies at the user end and what the right balance is around prescription versus principle-based requirements.  They said they would be happy to follow up directly with the member to drill into some of those issues in more detail.

TSY also noted that the CDR is evolving and they are mindful that if they keep changing and tweaking things regularly, they were conscious of the compliance aspect and what that could mean for data holders (DHs) which was something they needed to balance.

The Chair noted that it is the DSB’s role to make the rules work, but they have a long-standing history of doing a lot of CX research and it is still very useful to talk to the CX team as they are keen for detailed specific suggestions on how things may be improved. 

One member asked for clarification on whether CX was saying we shouldn’t be looking at fixing the consents, but removing them or changing the rules so we don’t need them.  They noted there’s far too much friction within insights and what happens and the rules needs to be looked at. 

The member noted they would like to see some flexibility on how they communicate based on what is reasonable in the circumstances.

They noted when you use the insights pathway you have to notify the person of all the insights they shared. The principle is that they need to be notified and we should maybe have a construct of low, medium and high sharing.  

One member noted that it comes down to usability. They said if usability was not there, it created friction. As the CDR ecosystem is evolving, the biggest inhibitor is that it’s just really hard for ordinary people.

The Chair noted that it was interesting to be in the design conversations and coming from a use perspective you generally reached one conclusion but when you looked at it from the perspective of how bad actors may arise, you then take an entirely different view and it was very difficult to make them meet up.

The member noted that we’ve been running “live” for quite a while and there had been limited examples of bad actors and nefarious events happening.  What do you do to open it up to drive mass adoption, because if we’re afraid of what might happen in the event of mass adoption then this is a 20-year journey.

Another member understands the need for a balance and not overwhelming the consumer completely.  They said they were cautious of the idea of using “reasonable” as the test because that can be interpreted in so many different ways. What reasonable was for the user vs business would be different.

They also noted that if we had a principle-based approach, whatever was being done needed to be in the interest of the user.  They said if you were able to open up the system as a DH or ADR and if there was a way to build into the framework the likes of ACCC saying you are serving the interests of the consumer, we might end up getting there.  They also said we needed to find a way to not overwhelm consumers as they needed to have the absolute confidence that whatever result or decision was being made as a result of their data, it was not exploiting or manipulating them.

The DSB wanted to highlight the fact that they had been having discussions around principle vs prescription and the difficulties around that. They said hearing perspectives on not just that it should be done, but how it should be done is the step they thought was missing.  They also said with a shared understanding this could help and they encouraged specific examples from members on how it could look if they were to do this. 

One member noted that sometimes having too much prescription can be lazy regulation, and there was a definite trade-off with ease-of-use by consumers and innovation.  They said it was good that the CX team did a lot of research as often we’re regulated by regulators who don’t do that research and just put their views out there. 

One member noted that, in terms of compliance around prescription and principle, if there was too much prescription the sector complains about too much red tape and if you moved to principles, then they complain they need more guidance, so they said the answer was that you do both, have some principles and make sure there’s enough prescription for people to understand.

TSY noted that we often talked about how difficult it was to achieve the balance between consumer protection and allowing innovation and the smooth consumer journey and the safety and security we expect from this system.  They said from a policy perspective, they would never achieve the perfect balance as there’s always trade off one way or the other, but to get closer to that perfect balance, they continued to work with the DSB and through their consultation processes.

TSY also noted that on principles-based regulation versus prescription they’ve had to build a lot of the safety mechanisms into this scheme because those protections didn’t exist in an economy wide way. They said in a scheme like this it may be hard to go straight to principles but that may be the end goal you wanted to achieve with a really mature and well-developed ecosystem.

One member noted that it’s been a good conversation with some practical things raised and there the longer-range stuff.  They said we needed to remember that this is a regime to provide people access to their own data in safe rails and every use case was also governed by consumer law.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

The Chair noted that they took Stakeholder Engagement within the DSB very seriously and the DSB’s role was not to create standards but facilitate their creation. They said the DSB was doing some internal work with large language models (Chatbots) and it would be some time before they are ready for prime time as they were immature products but it was incredibly useful to use the tools internally.

Issues Raised by Members

The Chair noted a member raised an item for discussion about feedback received around the design Rules in NBL.  He noted that TSY would provide an update on this as part of their regular update. 

Treasury Update

Emily Martin, the Assistant Secretary of the Market Conduct and Digital Division (MCDD) at TSY provided an update as follows: 

TSY noted that they had been speaking to the Assistant Treasurer’s office following his CEDA address on 7 June around the CDR’s priorities and forward work plan.  They said the Minister was keen to do some discovery work and analysis around the regulation of screen scraping.  TSY said they planned to do a formal consultation around this in the next few months to understand the landscape, how it is used and what are the issues of the CDR being a viable alternative to screen scraping, drawing on recommendations from the Statutory Review of the Consumer Data Right.

TSY noted that they were working on a consultation paper on the Strategic Direction of Action Initiation (AI).  They said it was at a high level and intended to set out the issues that needed to be considered as they embarked upon the policy and design work for AI following the Budget. They said they did not intend to implement AI in the framework over the next two years but they had the authority to go ahead with detailed policy and design work.

TSY noted that in terms of the outstanding Action Item around consent continuity, which was initially raised at the DSAC in February, that they’ve had discussions with the DSB and ACCC and those discussions have evolved around the range of scenarios that had been identified and what the implications could mean for the standards, rules and policy.  They gave examples of identified scenarios on the ADR side, including where software products are transferred, ADRs change outsource service providers, CDR representatives change principals or become accredited, and CDR affiliates change their sponsor.  They also said on the DH side, there’s a question around continuity of authorisations in relation to mergers or acquisitions, movements of consumers between DH brands, and in the future as we bring in NBL, the scenario of NBL transitioning to becoming an ADI.

TSY noted that ACCC had provided some guidance around some of these scenarios including consent continuity in the transfer of ADR software products, requirements on DH to avoid breaking consents and authorisation when making changes to their systems and clarification on an ADR changing an OSP did not affect the CDR consent provided by the consumer. 

TSY noted there was no decision on how they would take this work forward yet, as it was a question of priorities.  They said there was a lot of thinking about whether these changes could be progressed incrementally and what those areas of priority could be. They said they were also talking to the other CDR agencies and would welcome further comments from stakeholders on this issue.  They said they would be happy to have bilateral conversations.

One member noted that it would be useful for TSY to publish a list of the scope of the things that they have looked at. 

TSY responded that they were happy to have bilateral discussions and the member should reach out to them on this.

Another member noted that they submitted feedback a couple of months ago about consents as they have had two clients who were their representatives that went to become ADRs.  They said they spoke to ACCC about this and this wasn’t catered for, so it would be useful for TSY to review this feedback.

ACCC Update

Daniel Ramos, the Executive General Manager (Acting) of the Consumer Data Right Division at Australian Competition and Consumer Commission (ACCC) provided an update as follows:

ACCC noted that in terms of DP288, they were working on a transition plan to support participants, as well as the work that they needed to do because there is a relationship between changes to GetMetrics and the CDR performance Dashboard. They were finalising their plan before they shared it with the DSAC and publicly through GitHub. 

ACCC noted that they have had two DH brand activations – “Unloan” brand of CBA and “Emmy Bank” brand of BOQ. There were two ADR activations – “Liberty Financial” and “Cuscal” for My CDR Data which reflected the transfer of my CDR data from Regional Australia Bank (RAB) to Cuscal. They said RAB’s version was removed from the register, and there was also nine ADR software product activations. 

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 27 September 2023 from 10am to 12pm. 

Other Business

No other business was raised. 

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  

Meeting closed at 11:06