Minutes - 13 Dec 2023

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 13 December 2023
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 58

Download meeting minutes (PDF 229KB)

Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Jill Berry, Adatree
  • Brenton Charnley, Mastercard
  • Damir Cuca, Basiq
  • Chris Ellis, Finder
  • Prabash Galagedara, Telstra
  • Melinda Green, Energy Australia
  • Gavin Leon, CBA
  • Peter Leonard, Data Synergies Pty Ltd
  • Colin Mapp, Toyota Finance Australia
  • Lisa Schutz, Verifer
  • Richard Shanahan, tictoc
  • Stuart Stoyan, Fintech Advisor & Investor
  • David Taylor, Westpac
  • Zipporah Szalay, ANZ
  • David Taylor, Wesptac
  • Tony Thrassis, Frollo
  • Naomi Gilbert, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • RT Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Tim Jasson, ACCC
  • Aidan Storer, Treasury
  • The Hon Stephen Jones MP
  • Morgan Campbell, Senior Policy Advisor, Treasury
  • Aakash Sembey, Origin Energy

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 58.

The Chair acknowledged the traditional owners of the various lands from which the committee members joined the meeting.  He acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging.  He joined the meeting from Cammeraygal land.

The Chair noted that this was the first meeting since the annual refresh of the Data Standards Advisory Committee (DSAC), and he welcomed existing members who’ve continued and also welcomed new members Gavin Leon (CBA), Brenton Charnley (Mastercard), Richard Shanahan (Tiimely) and David Taylor (Westpac).

The Chair welcomed Nathan Sargent who recently joined the DSB team. Over the last three years Nathan had worked on CDR rules within Treasury's (TSYs) regulatory frameworks branch. Nathan will be assisting with organisational, and governance matters and building stronger connections with Treasury teams. 

The Chair welcomed the Hon Stephen Jones MP and stated that it was a pleasure to have the Minister in attendance at the meeting today. 

Minutes

Minutes

The Chair thanked the DSAC Members for their comments on the Minutes from the 8 November 2023 meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that all Action Items were either covered-off in this meeting or had been completed. 

It was noted that the Chair had invited John Adshead (AEMO), Andrew Ferris (AGL), Mark Wallis (Skript), Julian Luton (CBA), Dhananjay Gourshettiwar (Westpac) and Jim Basey (Basiq) to be members of the NFR Consultative Group trial.

The objective of this trial was to have technical people involved who could discuss real data around non-functional requirements (NFRs) as one of the challenges in a multi-sector regime like the CDR was to get that level of granularity and specialisation. 

Update from the Hon Stephen Jones MP

The Chair invited the Minister to provide an update on his thoughts on the CDR. 

The Minister thanked members for their contribution to this important Advisory Committee and noted that their input was valuable.  He said the Government was keen to ensure that they got the technical detail right and that involved deep and meaningful engagement. 

The Minister noted that in a recent speech, he set out the direction of where they were going.  It was based around the central idea that they needed to get the framework in place and get the use cases moving. He noted that a lot of investment, public and private, had gone into building and developing the framework. The challenge now was for the advocates and developers to build the commercial models around which they could then make a business out of. 

The Minister noted that they had paused the extension to telco, super and insurance but they were continuing to do a lot of work in the background including consultations on non-bank lending (NBL), operational enhancements and screen scraping.  He noted that the CDR was the obvious alternative to screen scraping and he will be calling out to private sectors for use cases. 

The Minister noted that he was disappointed that action initiation didn’t get through Senate last week, but he saw no reason for that not moving through the Senate next year, which would provide the final piece in the framework that was needed. 

The Minister noted that he was getting a lot of feedback from businesses around the compliance burden.  He also wanted to be pragmatic without compromising the underlying standards and as real-world issues arise with stakeholders, he wanted DSAC to work through them and have a bias towards pragmatic solutions.

One member, who runs a CDR intermediary that connects companies with different use cases for different industry data sets so that can power their own use cases, noted that there were many use cases ready to go that would make consumers better off, save money and introduce great functionality.  The member noted, however, a barrier to implementing use cases lay with the CDR Rules, specifically the definition of CDR data and how slow the Rules are to change (i.e., once a year).  They said this process didn’t really work in a pragmatic way, and they asked the Minister how they would address this. 

The Minister responded that he would take this on notice. 

Another member noted in terms of driving consumer adoption, the use cases were there and when put into action, the consumers benefited.  They asked the Minister what his plans and visions were in terms of driving consumer adoption and who they were going to make accountable for this. 

The Minister responded that he would also take this on notice, but noted that from a consumer perspective, they don’t necessarily need to know for example how an engine works, they just want to drive it. 

Another member asked why Australia didn’t have an implementation entity like the UK, which could be a solution.   

The Minister responded that he was in the UK recently, but he was not yet convinced that they had a better way of doing it. It was unclear whether they are achieving better outcomes, but they were facing a lot of similar challenges to Australia.

Another member asked about the new financial advice providers that were recently announced, whether they would become trusted advisors in the CDR sense so they can obtain CDR data the same way as their counterparts did in terms of financial advice.

The Minister responded that the framework they were bringing forward ensured consumers had more avenues to access quality information and advice.  Importantly technology is neutral, and whether somebody was seeking advice from a fund or a professional planner etc. there were statutory obligations in relation to best interest duty for example.  There was a logical and scalable use case in a number of areas of advice, for example, the mortgage market, insurance market and financial products. However, it was not his intent to automatically, by statute, say that somebody who was an authorised or licenced advisor under the corporation laws by dint of that was also a trusted advisor under CDR rules.

The member responded that when they talked to businesses who want to use CDR data, they didn’t want to become an accredited data recipient in any way, shape or form as it was too onerous.  These businesses would much prefer to get the data via a trusted advisor flow, and then they would be free to do what they want i.e., there would be no more derived data issues etc.

Another member noted that they worked for a mortgage origination platform, and they were accredited but not active.  They had approx. 3% (20,000 to 30,000) of all credit inquiries flowing through their platform each month but couldn’t go active as they were dealing with some challenges including i) consent experience (lots of friction) ii) NBL which was currently being addressed and iii) derived data, particularly for the home lending use case.  The way they had to originate and share data through to other providers, banks and regulators meant under the current definition they couldn’t do that.  They believed until we addressed the derived data challenge, it was going to be difficult to take a pragmatic approach to commercialise some use cases for consumers.

Another member noted that in June 2023, the Minister stated that his priorities for the CDR were to i) increase the uptake of CDR in Australia ii) cyber security and iii) to increase awareness of the CDR in the Australian community.  They asked the Minister if those three priorities remained for 2024 and as an Advisory Committee should they be focusing on prioritising collective effort towards implementing change that had the greatest impact in these areas?

The Minister confirmed that the priorities remained the same and that the Advisory Committee should focus on these areas.

Another member noted that for both DSB and Treasury, there had been some great work and it seemed positive going forward.  They have helped just under 100 different organisations leverage CDR in various capacities and they had more scheduled for the next year. They understand the pause, which gives time to stabilise and iron out some of the kinks, but they were interested in what happens at the end of 2024, what the next decisions looked like and when Government will contribute its own data to the CDR framework.

The Minister said they had given some consideration to the Government contributing data, but his priority was to bed down what we had and demonstrate public value as there had been considerable public and private investment prior to going to another sector. 

The Chair invited a member who had been involved in transitioning their 1.3 million customers from using screen scraping to the CDR to talk.

The member noted they had made a conscious decision last year to sell CDR as a solution and the adoption had been good.  The honeypot with the volume was with NBL, as these businesses had been using screen scraping since the beginning of time.  The CDR was similar, and it was a big shift but there were some drivers that were helping accelerate this.  For example, the reliability of screen scraping services was degrading and businesses were adopting CDR as a backup.  They said it would take time to transition and the volume would then come.

Another member noted they’d invented a bilateral version of this prior to CDR where they’d use single touch payroll data.  In terms of the investment required to use government data, they’d run proof of income in a frictionless privacy-by-design way without any regulatory change or government overhead. The positive was that there was a light touch version which was totally harmonised to CDR, which would be a win for all, including NBL.

The member noted that with the recent Statutory Review, the Government was looking at their contributions in the second half of 2024, and they thought there were some wins that could happen faster, which would be good for all participants in the CDR.

The member also noted that the derived data was a real issue, as they were effectively trying to run a very high integrity twin privacy system for all the raw data but that throttles those willing to share it in the way that it needs to.  They asked the Minister if they would consider bringing in Government data earlier.

The Minister responded that they had thought about this, and it was under consideration. 

Another member asked the Minister how he saw the CDR playing a role as part of the National Anti-Scam Centre (NASC) scam agenda. The member noted that PayTo was a key part of the payment reforms which were currently underway and noted that PayTo and payment initiation are not the same thing. They also asked what work was being undertaken by TSY to make sure that they were laying the ground rules for when payment initiation regulations get through Senate.

The Minister responded that TSY was focussed on a lot of things at the moment, including looking forward to post 2024 and what action initiation looked like. The Minister said that in terms of scams, over the last two decades, the momentum in payment systems had been around development and reform, and this had made us more efficient and productive, but this means that within the payment system there would be more friction.  It was not about slowing everything down, but it was definitely about a risk-based analysis of certain transactions and where we might need to slice some off-ramps.

The Chair noted that based on the CX research to date, consumer representatives and others had said that a level of friction was quite important to get the consumer to consider what they were doing at the time. 

Another member noted that banning screen scraping outright and then hoping CDR works would be a very challenging approach.  CDR needs to thrive because CDR was better from a consumer friction, consumer benefit, organisation or user perspective.  But the CDR was not quite there yet in terms of being a better system. However, they encouraged making the CDR much better than screen scraping because then everyone would migrate to the CDR because it was a better solution.

The Minister noted that in his view you needed to offer more carrot than stick.

The Chair thanked the Minister for attending the meeting and taking questions from the DSAC.  He hoped that it was useful to hear from the people who were at the centre of the implementation and invited him to future meetings.  The Chair wished the Minister well for the holiday season and looked forward to engaging in the New Year.

The Minister responded that on behalf of the Government he wished the best to the Chair, the committee, the staff and families over the Christmas period. 

The Minister left the meeting at 11:00.

Working Group Update

A summary of the Working Groups was provided and these DSAC Papers were taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh:

The DSB noted that it has been a very busy year for the team including:

  • 8 changes to the Standards (1 x patch release), which created a variety of future dated obligations set against our published schedule of dates
  • 16 Decision Proposals:  2 not resulting in change; 4 relating to Maintenance Iterations; 5 for new sectors; 1 to accommodate the C&I customer in the energy sector; 2 for NFRs and operational issues; 2 that were requested by the community
  • Better ways to interact with the community including improved ways with consultations, standards management
  • Greater focus on tool development
  • Establishment of the NFR Consultative Group
  • Development of the “simple account origination experiment” as a new way to develop and test experimental standards

The DSB noted that a focus for next year would be information security and authentication uplift.  They were discussing the best way to meet the information security requirements and make sure they had a stable and secure ecosystem and improving the CX experience whilst minimising the change and cost to participants as much as they could.

The Chair noted that the authentication uplift consultation had been incredibly valuable and unlike many of our consultations, there were differing views in the authentication uplift area.  For example, some data holders said that what others were proposing would take authentication beyond the authentication methods and standards and procedures that were used in their primary channels.

The Chair noted that the question of the obligation was now with him to establish industry best practice and the implications of all of this for offline customers. 

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre:

The DSB noted that the CX teams focus has been on enhancing the usability, usefulness and adoption propensity of the CDR.  The key programmes of work included the consent review, action initiation considerations and authentication uplift.

The work over the last year includes:

  • Over 23 dedicated consultations and engagements with both industry and consumer advocates, including a roundtable on the consent review
  • CX research with over 1000 consumer participants since 2018 with over 600 hours meeting one on one to get deep rich insights, focusing on the problem space and needs of consumers in relation to CDR
  • The making of new CX standards in support of the July 2023 CDR Rules
  • Relaunch of the CX Guidelines website for improved performance, discoverability and accessibility to assist participants with CDR implementation ad best practice consent model design 
  • Wrapped up the Consent Review Design Paper consultation
  • CX research and public consultation on a Hypothetical Future State of CDR which was presented at Intersekt

The DSB wanted to call out to the committee and community more broadly to recognise that despite the pause of the expansion to other sectors, there are high levels of enthusiasm and commitment from members and community to improve the CDR which has been fantastic.

One member noted that the summary of achievements by the DSB in 2023 was unbelievable and showed how much work had been done across a lot of complicated areas. They congratulated the team. 

They also noted that in terms of Decision Proposal 333 and recognising that DP333 was about the obligation that needed to be fulfilled as a result of the rules that got changed last year. There are two problems between the rules and the CX team which are:

  • The situation where the Rules allow you to have a collection consent for 12 months and a disclosure consent for 7 years. There was a misalignment in terms of allowing an accounting platform to get that type of data to replace bank feeds and it would mean refreshing those collection consents all for the one disclosure consent, which was problematic.
  • In terms of business disclosure consents, how would you make sure that a person selects a business account? 

TSY thanked the member for feedback and responded that he would reach out to them for more information around that issue.

ACTION:  TSY to reach out to member around the two issues around DP333

One member asked what the process was for moving forward around the Consent Review Design paper and any rough dates for when they should start to see the final recommendations and Rules.

The CX Team responded that they were looking at that now and progressing internally. But as it was a TSY led piece of work they would leave with TSY to respond in terms of timing.

TSY noted that there had been rich feedback on the consent review and operational enhancements design papers, and they were working through what would be taken to the draft Rules stage for consultation. Dependant on Government decisions, TSY is working towards having a draft Rules package ready for consultation in April next year.  In terms of recent TSY consultations, the non-bank lending rules package has been prioritised.

One member noted that it would be good to understand the general feedback from TSY’s perspective and whether there were any consistent themes.

ACTION:  TSY to provide an update to the DSAC on the feedback received on the Design papers at the February 2024 meeting.

One member asked whether future work would include the alignment between PayTo and payment Initiation? 

The DSB responded that the analysis and CX research conducted had definitely considered different modes of action and payment initiation.  The question around the priority and timing was a policy question for TSY.  The work that the DSB was doing was experimental given that we were in the “pause phase” in terms of the CDR expansion and with the action initiation bill still being considered but not passed.

One member was interested in the DSBs thoughts around adjacent moving parts to the consent proposal for example FAPI 2.0, authentication and action initiation and how all these pieces would have an impact on their ability to implement consent and making consent changes multiple times.

The DSB responded that this was a broader question and not just for the CX team, but the consent work had been a priority and they had attempted to scope that as well as possible so that accredited data recipients (ADRs) could voluntary implement those changes and that it was backward compatible.

The DSB noted that in terms of FAPI 2.0 and authentication uplift they did relate to data holders (DHs) and there was a question on how consultations could progress and be prioritised in a way that was sustainable to implement. Government priorities would need to be taken into consideration and would determine the way forward.

The Chair said that it was tempting to look at the CDR as just a read and data portability scheme rather than an action initiation and payment initiation as well as read scheme.  The question on what was required in terms of data quality, simplified consent flow and completion and the designation of relevant data sets so that the use cases can be populated was really interesting.

One member wanted to highlight one difference between screen scraping and open banking – screen scraping had one party and open banking had two parties.  When you have one party in control it was much easier to control the flow. 

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

Issues Raised by Members

No issues were raised this month. 

Data Standards Chair Advisory Bodies

RT Hanson from the DSB provided an update about Advisory Bodies as follows: 

The DSB noted that as part of the annual governance review of the DSAC, they had reviewed the Instrument that governs the DSAC to simplify some of the current prescriptiveness.  Some changes include:

  • Reduced minimum number of meetings per year
  • Allowed an SES officer to Chair the DSAC on the Chair’s behalf if he was unavailable

The DSB noted that the Chair was also establishing a number of ongoing bodies to enhance the DSB’s current consultation processes as there were a number of increasingly critical risks and issues that require strategic discussion and input.  These included the following bodie

  • The Digital Trust Advisory Panel (DTAP)
  • The Non-Functional Requirements (NFR) Consultative Group
  • The Information Security Uplift (Infosec) Consultative Group

The DSB was currently trialling the NFR Consultative Group, and they would hold six meetings in the new year.  The DTAP was recommended to the Chair by the UNSW in their 2022 Threat Report which was tabled at the DSAC October meeting.  Further information would be provided as we move forward on this.

The DSB noted that the DSAC plays an integral role to the Chair’s providing advice of the Data Standards and the addition of these new bodies would not change the way that the DSAC operates or functions.

Treasury Update

Aidan Storer, Assistant Secretary, Market Conduct and Digital Division (MCDD) provided the TSY update: 

TSY noted that the priority coming out of the recent consultations was the NBL Rules package which they were hoping the Minister would made a decision on soon.  They were also working towards what they would take forward to the draft Rules stage from the Design Papers. 

TSY noted in terms of screen scraping, the Minister was very much in line with some of the feedback they’d received through consultation, and they were close to providing advice to the Minister in relation to that.

ACCC Update

Tim Jasson, the Executive Director of the Consumer Data Right Division at the Australian Competition and Consumer Commission (ACCC) provided an update:

The ACCC congratulated the DSBs massive amount of work delivered this year, especially with the added challenge of two changes in leadership over the course of the year. 

The ACCC noted that their teams would be taking a very well-deserved break with the Technical Operations team having reduced staffing from the 15 December to 7 January. They were also on a change moratorium from 8 December to the 14 January.  The onboarding team would also be unavailable for participant onboarding and product activations from 15 December to 7 January.

The ACCC noted that the Performance Dashboard had been updated to version 5 and they would welcome feedback.

The ACCC noted that on the November energy update, all energy data holders with November 1 obligations were either active or had an active exemption which is a huge achievement.

The ACCC noted that they had had some big changes during the course of the year including:

  • 2 x updates of the Performance Dashboard
  • Update to the website to Drupal 10 changes to support the new CMS
  • 9 new data recipients had been activated and 13 energy retailers for the 1 November obligations
  • 17 data holders activated over the course of the year and 62 data recipients’ software products
  • 154 different changes made over the course of the year
  • Dynamics migration to bring them up to industry standards and improved security posture
  • Developer portable made available
  • Welcomed Lauren Wright, the new General Manager of Compliance and Enforcement Branch
  • Published a new compliance and enforcement policy for CDR in collaboration with OAIC
  • First issue of CURB (compliance update and regulatory bulletin)
  • Regulatory guidance published and information and readiness made available for the November obligations for energy

The ACCC noted that in terms of 9.4 reporting, the Commission had still not made a decision on publishing that information. At this stage they were not able to provide an indicative date on when this would be published.

One member asked if there were any plans to update the search function on the CDR website as it was difficult to search for a software provider under an ADR for example.  It wasn’t obvious for an everyday consumer.

The ACCC confirmed that it was on the work plan for next year and they would provide an update at the next meeting in regard to timing.

ACTION:  ACCC to provide update on when the CDR website will be refreshed to include better search functionality at the next meeting

The Chair, on behalf of the team passed his thanks onto to Tim and all his colleagues at ACCC.

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 14 February 2024 from 10am to 12pm. 

Other Business

No other business was raised. 

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  He wished everyone compliments of the seasons.    

Meeting closed at 11:40