Minutes - 14 Feb 2024

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 14 February 2024
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 59


Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Jill Berry, Adatree
  • Brenton Charnley, Mastercard
  • Damir Cuca, Basiq
  • Chris Ellis, Finder
  • Prabash Galagedara, Telstra
  • Melinda Green, Energy Australia
  • Gavin Leon, CBA
  • Peter Leonard, Data Synergies Pty Ltd
  • Colin Mapp, Toyota Finance Australia
  • Lisa Schutz, Verifier
  • Aakash Sembey, Origin Energy
  • Richard Shanahan, tictoc
  • Zipporah Szalay, ANZ
  • Tony Thrassis, Frollo
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • RT Hanson, DSB
  • Jarryd Judd, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Nathan Sargent, DSB
  • Mark Verstege, DSB
  • David Franzmann, ACCC
  • Steph Homewood, ACCC
  • Seamus O'Byrne-Inglis, ACCC
  • Lauren White, ACCC
  • Ritu Mohan, OAIC
  • Alicia Stewart, OAIC
  • Jannine Horner, Treasury
  • Aidan Storer, Treasury
  • Naomi Gilbert, DSB
  • Tim Jasson, ACCC
  • Stuart Stoyan, Fintech Advisor & Investor
  • David Taylor, Westpac

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 59.

The Chair acknowledged the traditional owners of the various lands from which the committee members joined the meeting.  He acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging.  He joined the meeting from Cammeraygal land.

The Chair noted that the Data Standards Advisory Committee (DSAC) Terms of Reference (TOR) have been updated to reflect some minor changes. The TOR are included in the papers as Appendix A and can also be found on our website. 

The Chair noted that a number of new members have joined the Data Standards Body (DSB) team over the last month.  Christine Williams has joined the team as the Assistant Director Cyber Assurance, Thomas Brown has joined the team as Assistant Director Policy and Assurance and Ci Ho Kang has joined Treasury as part of the 2024 Graduate Program.

The Chair noted that Tim Jasson (ACCC), Naomi Gilbert (DSB), Stuart Stoyan (Fintech Advisor) and David Taylor (Westpac) were apologies for this meeting.

Minutes

Minutes

The Chair thanked the DSAC Members for their comments on the Minutes from the 13 December 2023 meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that all Action Items were covered-off in this meeting or had been completed. 

Presentation on Consent Review

Michael Palmyre (DSB) and Jannine Horner, Treasury (TSY) provided an overview of the Consent Review proposals and community response as follows: 

The DSB noted that the Consent Review Design Paper was released in August 2023 with the consultation closing on 6 October 2023. This tackled a number of issues that the community had raised and also sought views to inform further work on the consent review.

The DSB noted that today’s presentation will cover the current state of CDR consents, the proposed changes, the future state CX followed by a summary of responses and next steps.

The DSB said the trigger for the Consent Review was the 2022 Statutory Review of the CDR which pointed out that the ‘complex consent processes may limit participation in the CDR and contribute to consent fatigue…consent process should be monitored and adjusted to ensure benefits are being realised’ (excerpt, Finding 2.2).

The DSB said the guiding star was for organisations to provide intuitive, informed and trustworthy consent experiences to enable positive outcomes for consumers; the objective being to simplify the rules and standards to support a better consumer experience whilst also maintaining key consumer protections. 

The DSB walked through the current state of CDR consents which totalled nine required interactions for a relatively simple consent type.  They also showed the authentication flow which was out-of-scope but being looked at as part of authentication uplift.

The DSB noted that 20+ mandatory interactions were likely where the consent type became more complex, or if it were used to trigger other processes to inform or pre-populate something like a preauthorisation process etc.

The DSB noted that they conducted consumer experience (CX) research that tackled some of the issues based on the hypothesis from the community regarding interaction, information and expectations. The research question was “How might we simplify the consent model while maintaining an intuitive, informed, and trustworthy consent experience”. They engaged 300 participants over 3 months and also drew on past CX research. The research suggested that they could streamline consents without undermining informed consent or trustworthiness.

The DSB noted that their first key proposal was to “Amend the bundling provisions in the CDR Rules to expressly permit ADRs to bundle consents that are reasonably needed for the provision of the requested service”. This means in practice that instead of requiring check boxes next to a number of consents, it would allow consumers to clearly indicate, with an express action, that they agree to those consents in one go. The rationale for this was that separating each consent leads to an unintuitive interaction and ostensibly provides choice, but in practice it doesn’t increase choice because you can’t continue if you don’t consent.

The DSB noted that the second key proposal was “instead of requiring a consumer to actively select checkboxes, ADRs be allowed to clearly indicate the datasets, specified users and consent durations that are essential for the service to function”.  Similar to the bundling issue, the DSB demonstrated that having check boxes next to each aspect implies choice and optionality, but in reality, it just means the goods or service can’t be delivered if those things aren’t agreed to. 

The DSB noted that the Design Paper also explored dark patterns, which are intentional designs used to undermine consumer choice with the intention of steering consumers away from the outcome that they intended to acquire. The DSB noted that they are also exploring Dark Patterns through an engagement with University of South Australia (UniSA) to help them understand how prevalent or risky dark patterns might be in Consumer Data Right (CDR), and also help inform the consent review specifications.

TSY noted that the remaining proposals in the Design Paper included:

  • Withdrawal of consent information - to remove the requirement to include instructions for how to withdraw consent in the consent flow itself, and instead require these details be included in the CDR receipt and 90-day notification
  • Supporting parties – to introduce a requirement to identify any direct or indirect OSPs who may access a consumer’s CDR data as part of the consent flow
  • Notifications and receipts – to clarify the information requirements for CDR notifications and receipts and consolidation of delivery of notifications
  • De-identification and deletion by default – to adopt a deletion by default approach to redundant data handling

TSY noted that as part of the Design Paper consultation process they asked for views on future work around consent including amending consent simplification, authorisation simplification and dashboards etc. 

The DSB showed a prototype of what the future state could look like incorporating the consent review changes. The prototype included app-to-app and authorisation uplift. They noted that instead of the 9 mandatory interactions, the prototype brought it down to 1, based on what is reasonably needed for the service to function. For the authorisation flow, the idea is that with FAPI 2.0 and rich authorisation requests you can tailor it more to the use case based on what the ADR needs as opposed to having optionality that might have implications for the use case to actually function.

TSY noted that they have received 20 responses to the consultation with strong support for streamlining the consent process and improving the consumer experience. Stakeholders were generally supportive of the specific changes proposed in the Design Paper, and future work to simplify authorisation and authentication flows was seen as critical to improved uptake. They are currently working on the development of draft rules and proposing to release them for consultation in Q2 2024.

One member commented on collecting consents and the difference in timelines. They have collected data from the Frollo app using screen analytics. They see that without a disclosure consent it takes on average 1 min 24 secs to collect the consent. The authorisation takes 4 mins 18 sec. From an end-to-end flow perspective the consumer may need to deal with multiple Data Holder authorisations, which adds more time, and when a disclosure consent is added, it takes around 3 mins for the combined collection and disclosure consent to be collected instead of 1 min 24 sec. They suggest that we need to think of the consent in the context of the end-to-end flow, not just the ADR or DH part.

The DSB noted that it was very clear from the submissions that there are other aspects of the consent flow, not just the ADR side, which needed to be considered and prioritised.

One member asked when this would be implemented for energy compared to banking.

TSY noted that they would be asking for feedback on the timing needed for implementation as part of the consultation process and noted that there is no proposal to treat the two sectors differently.

One member asked if there had been any consideration around the sequencing of this change, especially in light of other potential changes around authentication and a transition to FAPI 2.0.

The DSB noted their assumption was that FAPI 2.0 and authentication uplift matters to Data Holders in terms of implementation. The first phase of the consent review was focused on the ADR side changes and intended, in principle, to be backwards compatible.

One member asked who was ultimately accountable for the conversion of a consumer through the process?

The DSB noted that it was a complicated question around accountability, but it was definitely a collective responsibility given that the consent flow is done by multiple parties, not just a single party.  TSY agreed and from their perspective, they were keen to make sure the Rules and framework facilitated that as much as possible.

The member responded that it would be great to bring the conversions to the surface, hold them as a KPI, and jointly make improvements, collectively working towards it.

The DSB noted that they were talking to ACCC about getting the data flowing through to them so they could get better insights into the drop-off rates. 

The DSB noted that the first NFR Working Group kick-off meeting is scheduled for next Thursday. They would welcome any issues the group should consider, and timings of consent is something they could talk about.

One member reflected that this was a great example of where a consumer advocacy group could be engaged without having onerous capacity obligations, noting that a consumer advocacy group had withdrawn from the DSAC because of their capacity challenges.

The DSB noted that they had held a targeted roundtable with consumer advocates prior to their withdrawal. The roundtable included organisations from 9 community sectors. 

The Chair noted that arrangements had been made for two consumer reps to rejoin the DSAC with the support of TSY and the Minister. The memberships would commence from the March meeting.

One member asked for an update around whether the DSB could mystery shop to take some burden off the ADRs.

The DSB noted that internally they did mystery shop, not as an ADR but as a consumer using various implementations. They also noted that they had received feedback through the Maintenance Iteration meetings of a request for the DSB to become a DH as well.  They were currently planning for the year and this item was included but they noted that this would be in a test environment as real bank accounts were required. 

One member wanted to clarify that the proposal in the consent paper around dark patterns was still being considered and wouldn’t form part of the suite of proposed changes to the Rules.

The DSB noted that nothing had changed around the dark patterns proposal in the consent review. UniSA had been engaged to do an Independent Health Check and some of the questions for this work focused on whether the specific patterns in the design paper were correct, whether others should be considered, and what the landscape looks like etc.

The member asked whether there was an opportunity to support or feed into this research, and whether this report would be available for review. 

The DSB noted that they would reach out to UniSA to see if they were willing to engage with members as part of their research.  They also noted that the report would be made publicly available.

ACTION: DSB to reach out to UniSA about engaging DSAC members in their research

One member asked for an update on the Operational Enhancements paper. 

TSY noted they were working through the measures that were consulted on in the 2024 Operational Enhancements Design Paper and were looking at which to take forward to draft Rules.  This was running in parallel to the Consent Review Design Paper, with draft Rules to go out for consultation at the same time, subject to the Minister’s decisions.

The Chair noted the Minister’s emphasis at the last meeting on the intent “to get the use cases moving and adoption up”, and emphasised that the operational enhancements would make a particularly important difference.

Bank account standard changes – Decision Proposal 338

The Chair noted that the DSB would present on bank account standards changes (DP338), which follows DP306. This originally started with feedback from the ADR community as well as the ACCC in relation to the ability to compare product reference and other account-based products and to evaluate compliance and other activities that the ACCC requested. 

The Chair also noted that along with Naomi Gilbert (DSB) he met with the Australian Banking Association (ABA) who raised concerns in relation to not only the proposal, but the governance of all standards changes that he oversees.  He said the meeting was very constructive.

The DSB noted that over the last two years there had been a lot of changes raised around product reference data and account detail by various stakeholders. These were quite minor and either raised via the Maintenance Iteration process or not prioritised at all. In late 2022, the significant home loan rate rises, and the magnitude of the changes, made it valid to accommodate them as a single change to provide significant value to home loan comparisons. There were a number of drivers supporting this which amounted to the establishment of DP306, which was followed by candidate standards and then DP338.

The DSB noted that DP338 drew a lot of feedback from the banking sector, the ABA and the Customer Owned Banking Association (COBA). A letter was sent to TSY, which prompted the meeting between the Chair and ABA.

The DSB stated they are seeking advice and feedback on how to progress the changes in DP338 in light of the feedback received, including the cost benefit analysis, especially with limited visibility of costs. They are also seeking feedback more generally on their consultation process and improvements.

One member said they understood that there were some concerns about the cost benefit analysis, the time it took to implement and the volume of work. We should acknowledge that like every software product we are in the “alpha” or “beta” stage. There would always be updates and changes, and always be finite resources. A prioritisation framework is needed to determine what is most important, as we don’t have a scorecard or defined KPI measures, and until we work that out, we will keep going in circles.

One member noted that instead of looking at costs and benefits, we should be looking at use cases and what data they need, as our key success criteria. 

One member had reviewed DP338 and noted the tension between data improvements and costs. They said a litmus test should be in place for providing a more standardised representation of home loans, deposit rates, pricing and discount, as without those changes, use cases are limited.  They noted the real litmus test is whether the CDR as a whole, can support the costs it requires against the overarching benefits of standardisation and the removal of opaqueness. They noted that DP338 was quite large and advised that perhaps the prioritisation needs to be about what particular pieces of data would be the most advantageous, which in this case, could be rates reverted to, discounted period, etc. 

The Chair noted an absent member’s feedback to this discussion, which was that these changes are a critical element of existing, not future, use cases and data is currently inhibiting their development and use. 

One member noted that this issue was not just for the DSB, that there were other dimensions such as policy drivers, and that the DSAC needs a view of the dimensions and framework against which standards changes are initiated and measured, to support the Chair in making those decisions. They believed that there is a need to develop a framework as a group.

The member also gave feedback around the items in DP338, noting the complexity of some, and advising that they should be pulled out into a separate consultation. This would provide the member time to undertake an impact assessment and give them adequate attention. 

One member noted that with DP338, this is an opportunity to test recommendations flowing from the Heidi Richards’ work. From a capacity to deliver perspective, it was quite a big bet on the Data Holder side of the ecosystem to execute. The member queried whether DSB should take this opportunity to take stock and look at how it improved the process. They suggested consideration of a more staged approach to DPs with key milestones discussed at DSAC; using specialised working groups for complex DPs; reviewing GitHub processes; and adopting change windows.

The Chair noted that Heidi’s work presented a range of improvement opportunities, which he is working on with TSY.  He noted that two in particular were progressing:

  • One being to consider whether two change windows per year is an appropriate way of proceeding.  He said the technical people spoken to so far were strongly against that because it increases the complexity and the criticality of those windows rather than a more agile approach.
  • The second is around the process for decision proposals.  The Chair noted that there appears to be a range of misunderstandings as to how the DSB operates and various people changes in organisations, but he noted work is already underway and committed to making improvements and changes in the visibility provided around background information and explanation of Decision Proposals, what evaluation is undertaken, the decision points and stage gates.

The Chair noted that there was no reason to not proceed with DP338, it was more around how we proceed. 

TSY noted that Ms Richards’ targeted assessment gave them valuable information around understanding how industry stakeholders plan and build for change in Rules and standards. TSY noted that in light of stakeholder feedback they are reviewing their rulemaking processes. No report would be published but they would make sure that stakeholders were informed of changes they would be making in the way they do things.

One member noted that there is often not a feedback loop to help participants understand the technical or guiding principle, or broader range of products that any given proposed changes would support. They also noted that there is no hierarchy of factors, like APIs being extensible, moving a lever in a given direction, or ACCC enforcement needs. They noted that a lot of effort is put into trying to assess and understand rationales by trawling through GitHub.

One member left the meeting, but as they left, noted their concerns around the feedback on DP338 that related to implications to the NBL sector and the proposed plan to integrate NBL into Banking data standards. They noted that NBL data requirements would add further complexity to this conversation (as per prior feedback from the sector on DP318).

The DSB noted that the majority of changes to date were in support of a designation, or minor containable changes, as opposed to DP338 and the previous authentication uplift, which presented completing complexity of many changes. The DSB invited feedback on specific constructive ways they could consult better, for example, running targeted workshops to balance and synthesise arguments where there is greater complexity.

One member was very supportive of the direction of DP338. They noted the Minister’s previous comments around screen scraping and the need for the CDR to be a viable alternative, to which DP338 directly relates. They would also be supportive of bringing back workshops.

One member thought that we’ve reached the point where the current community-based approach, which has led us to success, won’t work any longer going forward. They thought we needed a scorecard or defined KPIs captured in a framework for making decisions going forward.

One member suggested that DP338 be broken down into smaller components and look to delivering the highest value items. 

One member suggested that for DSAC discussions and to assess changes holistically, it would be helpful to include in any given paper the type of content similar to today’s paper, including what it is trying to solve for, how it links to the policy objective, and how these changes would enhance the ecosystem as a whole.

Working Group Update

A summary of the Working Groups was provided and these DSAC Papers were taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh:

The DSB noted that the NFR Consultative Group’s first meeting is being held on 22 February and an update will be provided at the next meeting.

They noted that there are 7 members in the group consisting of:

  • Mark Wallis - Co-Founder and CTO @ Skript
  • John Adshead - Product Owner CDR & CDP @ AEMO
  • Julian Luton - Senior Enterprise Architect @ CBA
  • Dhananjay Gourshettiwar - Chief Engineer, Open Banking Program @ Westpac
  • Andrew Ferris - CDR Manager @ AGL
  • Jim Basey - CTO @ Basiq and
  • Harish Krishnamurthy - Software Architect @ ANZ.

Information Security Consultative Group Trial

Mark Verstege from the DSB presented on the Information Security Consultative Group Trial (InfoSec) as follows: 

The DSB noted that they had outlined a proposal for establishing the InfoSec Consultative Group and they have taken the same approach to the newly created NFR Working Group.

The DSB noted that late last year they consulted on the authentication uplift DP327 along with a complementary noting paper which looked beyond the first phase of authentication uplift, including modernising some of the user experiences and the authentication flows, and future directions around authentication globally and from an Australian Government perspective. Excellent feedback was received, which was valuable.

The DSB noted that they are also looking at rich authorisation and FAPI 2.0 adoption, which is at the final review with the OpenID Foundation, before moving to implementer’s draft. It has gone through the formal security analysis which was funded by the Data Standards Chair. Last year they completed an independent health check around the InfoSec profile, and they are now doing one for cyber security with advisors, Excelium. DSB noted they were also keen to include the advisors in discussions with the community.

Considering the feedback on engagement and visibility, the DSB said they felt a consultative group would offer a more targeted avenue to engage with industry and enable faster progress on working through contested issues.

The DSB noted that the consultative group wasn’t intended to be a closed room decision making forum but was intended to provide feedback into the existing processes. 

The DSB noted the formation of the group would include representatives from TSY, ACCC and OAIC and they were calling for nominations, firstly with DSAC members, and then the wider community. Some of the criteria for membership was noted as: a desire and willingness to actively contribute; active CDR participants who have subject matter expertise in InfoSec or the CX for security and identity; experience with OpenID Connect or OAuth from a security perspective; balance between data holders, and ADR and vendors that provide solutions for them. 

The DSB noted that they would be seeking approx. 12 representatives for an initial 6 meetings before reporting back. They invited any interested members to reach out to the DSB with their nominations.

A number of members put forward nominations. 

ACTION:  Members to nominate people to join the InfoSec Consultative Group Trial

One member asked whether there would be an overlap with the Digital ID Framework.

The Chair noted that the CDR and CDR standards were on a convergent path with Digital ID and Digital ID standards. 

Consumer Experience (CX) Working Group Update

No further update was provided on the CX progress this month. 

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

Issues Raised by Members

A number of items were raised by a member who was seeking an update on the consent review, operational enhancements, screen scraping consultations and action initiation workshops. These items were covered in Agenda Item 3 (Presentation on Consent Review) and Agenda Item 8 (TSY update).

Treasury Update

Aidan Storer, Assistant Secretary, Market Conduct and Digital Division (MCDD) noted that TSY had no further update this month.

One member asked for an update on the road map for various consultations, including what was currently with the Minister and an update on NBL. 

TSY responded they had put advice to the Minister in relation to the NBL draft rules package and had briefed him on the outcomes of the screen scraping consultation.

TSY noted on the operational enhancements and consent review design papers, they were still working through stakeholder feedback and considering what measures would be taken through to draft Rules to be consulted in the next quarter, subject to the Minister’s decisions. 

A member asked for an update on the Action Initiation Bill, which had been introduced in the Senate in March 2023. TSY noted that the Bill has been listed on the Senate calendar several times but has not been debated, and therefore has yet to be passed. 

ACCC Update

Steph Homewood, A/g General Manager - Solution Delivery & Operations of the Consumer Data Right Division at the Australian Competition and Consumer Commission (ACCC) provided an update:

The ACCC noted that they completed the latest round of quarterly planning over the last month, and they had a great run of features for PI. They thanked the DSB for attending the planning session. 

The ACCC noted that in terms of their website and functionality, they were implementing the ability to browse, filter and search by representatives and brands on the public facing register, which would be delivered by April 2024 along with a number of other enhancements to the register, which were on the backlog.

The ACCC noted that they had published a new edition of CURB in December, including findings from stakeholder consultation on the active data holder rectification schedule and a range of guidance on Rules for business consumers, some new fact sheets and revised versions of the compliance guides for banking and energy data holders.

The ACCC noted that they continue to monitor retailers with obligations and as at 31 Jan 2024, had 15 energy data retailers activated, including one on the 4 Dec 2023, and had granted 7 exemptions.  In January they activated one new banking data holder and five new software products. 

One member noted that for energy there were varying levels of inconsistent data from garbage to quality coming out of the data holders.  These data holders were being activated by ACCC even with these known issues. The member asked the ACCC what steps were being taken to rectify this. 

The member also noted that OAIC recently published a Summary Report of Consumer Data Right Assessment 4, which examined whether 3 ADRs (including one CDR principal with CDR representative arrangements) were compliant. This report showed that Fiskil were not assessing the representatives, not asking the questions of where the data went and what protections were in place and therefore non-compliant. The member said that they believed this showed a double standard in the CDR market as data holders who had been found non-compliant received fines and were named and shamed. They asked the ACCC where the fines, suspensions and naming and shaming for representatives were.

The member lastly requested that something be done about data quality as it was critical.  They noted that last year there was an RFQ from ACCC about data quality, but it was deemed too expensive, and the only data in the market regarding quality of screen scraping versus CDR data currently comes from BASIQ. 

ACCC noted that they understood their frustration but their compliance team was not on the call today so they would take these questions on notice.  They suggested that the compliance team attend the next meeting to answer those questions directly.

ACTION:  ACCC compliance team to attend the next DSAC meeting to discuss compliance around data quality

One member noted that for all of the CDR data they had ingested over the last month, they had taken the CDR specifications and schemas and logged in real-time the compliance elements in terms of who had satisfied as per the standard and who had not, in an anonymous format.  They were hoping to bundle them together for specific institutions; and they offered to make this data available.

The Chair noted that the data quality score was not consistent across the 22 banks, which indicated a possible interpretation and compliance issue rather than a standards question.

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 13 March 2024 from 10am to 12pm. 

Other Business

One member noted that the CX team were developing the CX Guidelines stemming from the July 2023 Rules changes.  They asked when it would be released, and whether there is any “MUST” or “MAY” as there will be data holder dashboard implications.

The DSB noted that the “MUST” already exists in the Rules and the Standards, including the Standards that were made in December 2023.  They will not be introducing any new requirements, just clarifications with options on how to improve.

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting. 

The Chair noted that he would work with the DSB in relation to feedback on DP338 and on improvements to processes. 

Meeting closed at 12:00