Minutes - 13 Mar 2024

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 13 March 2024
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 60

Download meeting minutes (PDF 237KB)

Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Jill Berry, Adatree
  • Brenton Charnley, TrueLayer
  • Damir Cuca, Basiq
  • Chris Ellis, Finder
  • Prabash Galagedara, Telstra
  • Melinda Green, Energy Australia
  • Gavin Leon, CBA
  • Peter Leonard, Data Synergies Pty Ltd
  • Colin Mapp, Toyota Finance Australia
  • Drew MacRae, Financial Rights Legal Centre Co
  • Lisa Schutz, Verifer
  • Aakash Sembey, Simply Energy
  • Stuart Stoyan, MoneyPlace
  • Zipporah Szalay, ANZ
  • Tony Thrassis, Frollo
  • Wen-Ching Un, Westpac
  • Naomi Gilbert, DSB
  • Elizabeth Arnold, DSB
  • James Bligh, DSB
  • Ruth Boughen, DSB
  • RT Hanson, DSB
  • Jarryd Judd, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Cristina Blumberg, ACCC
  • Tim Jasson, ACCC
  • Ritu Mohan, ACCC
  • Seamus O’Byrne-Inglis, ACCC
  • Sarah Croxall, OAIC
  • Aidan Storer, Treasury
  • Richard Shanahan, Tiimely

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 60.

The Chair acknowledged the traditional owners of the various lands from which the committee members joined the meeting.  He acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging.  He joined the meeting from Cammeraygal land.

The Chair noted that the DSB has published version 1.29.1 of the Consumer Data Standards on the 28 February 2024.  This release addressed some minor defects and the release notes can be found here.

The Chair noted that UNSW had formally published a media release on the research they conducted on the Data Standards.  This is an important milestone and is part of what we do in our standard setting process and the openness in engaging independent third parties.  The media release can be found here.

The Chair welcomed back Drew MacRae from the Financial Rights Legal Centre to the committee following the hiatus in relation to the involvement of consumer representatives.  He noted that as Chair, he is obliged to appoint consumer and privacy representatives to the Data Standards Advisory Committee (DSAC), and he appreciates the role that Minister Jones and Treasury (TSY) played in getting this issue resolved.  

The Chair also welcomed Wen-Ching Un from Westpac who replaced David Taylor.  Wen is Head of Open Banking with responsibility for both Westpac’s data holder and data recipient domains.

The Chair noted that James Bligh had accepted a new role with a health business and was stepping down as the Technical Lead of the Data Standards.  He noted that it’s been an absolute pleasure working with James in the ways that he had engaged and developed these standards, which will forever reflect his contribution.  He said he was sad to see James’s leave but wished him well.  Mark Verstege, the Lead Architect of the DSB would be stepping into his role. 

James Bligh thanked the Chair and said that it’s been a joy working on the CDR and with DSAC. He said he was still keenly interested in the CDR and how it evolves and will more than likely continue to contribute via GitHub. 

The Chair noted that Richard Shanahan (Tiimely) was an apology for this meeting.

Minutes

Minutes

The Chair thanked the DSAC Members for their comments on the Minutes from the 14 February 2024 meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that a few Action Items were raised in last month’s meeting including:

DSB to reach out to University of South Australia (UniSA) to engage members in their research.

The DSB noted they have provided a briefing to the privacy representatives about the project being undertaken by UniSA around dark patterns. The conversation was very constructive with interesting questions and content shared.  They will continue to update the privacy reps as the project progresses. 

A member asked ACCC to provide feedback on i) inconsistent data from Data Holders (DHs) for energy and DHs being activated by ACCC with known issues; ii) ADR noncompliance and why aren’t they being fined; and iii) Data Quality (DQ) update. 

The member noted that ACCC had responded saying that they could not comment on this. 

ACCC responded that they did not see this forum appropriate to have those discussions and they had reached out to the member to address this out of session and bilaterally. 

Working Group Update

A summary of the Working Groups was provided in these DSAC Papers and taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by James Bligh:

The DSB noted that in terms of Decision Proposal 338, there had been some internal discussions on how to proceed, along with bilateral meetings.  A number of workshops would be set up to work through DP338.  The meetings are being scheduled and would be held over the next month or so. 

The Last Customer Change Date (LCCD) Workshop was being held on 19 March to identify risks associated with using LCCD in the Consumer Data Standards (CDS) to improve sharing of energy usage data.  This workshop was to specifically understand the risks to consumers, data privacy, energy retailers and data recipients before we proceed to look at standards changes. 

The DSB noted that in terms of the Simple Account Origination Experiment, Basiq have recently presented their prototype to the group and the CX Team have created some good artefacts exploring how consent could work in this environment along with some experimental standards.  The next steps are to create insights and generate a report which would hopefully be tabled at the next DSAC meeting. 

InfoSec Consultative Group

Mark Verstege provided an update on the InfoSec Consultative Group as follows.  

The DSB reached out to stakeholders and the wider community seeking nominations for the InfoSec Consultative Group.  Twelve nominations were received, and the proposed members are currently being assessed before being forwarded to the Chair for approval.  Meetings would be held fortnightly.

Discussion on Authentication Uplift

Mark Verstege from the DSB provided an update on the Authentication Uplift as follows: 

The DSB noted that in this month’s DSAC paper, they provided a Noting Paper on Authentication Uplift (DP327) which seeks advice and guidance from DSAC members which will help guide the InfoSec Consultative Group around authentication uplift so they can understand how they might address some of the feedback received during consultation particularly where there was conflict. 

The changes proposed in DP327 were from a number of consultations and community requests for change which led to several drivers for change:

  • Stronger customer authentication controls
    • The threat landscape had significantly changed since 2019.
    • Updates to ACSCs Information Security Manual (ISM) and NISTs Digital Identity Guidelines recommend Multi Factor Authentication (MFA) be deployed
  • Improved consumer experience
    • Feedback from DSAC members including Finder, Frollo, TrueLayer and Basiq indicating that authentication flows such as ‘App2App’ perform significantly better than the ‘Redirect with OTP’ flow leading to fewer dropouts during the consent flow.  
    • CX research indicating improvements to the consumer experience.

DP327 posted a number of proposals, some of which included:

  • Increasing credential levels and looking at pathways to elevate on the basis of the risk profile.
  • Opening up the range of methods that Data Holders (DHs) could choose to authenticate with from within the requested Trusted Digital Identity Framework (TDIF) Credential Level, which would remove the restriction to only support OTP and possibly align with natively what might be offered by retailers via their apps.
  • Improvements to the redirect with OTP flow based on their previous independent health check by Dr Vanessa Teague.
  • Improvements to the interaction flow by permitting App2App interaction flows for enhanced consumer experience and requiring App2App within a fallback framework.
  • Requiring the use of an authenticator that satisfies CL2 or above for online customers whilst retaining provisions for CL1 authenticators for offline customers.

Feedback received included:

  • Support for improvements to the redirect flow and support in moving towards App2App.
  • Some support in improving or uplifting the credential levels, with differing views from DHs who wanted a more principles-based approach to credential levels as opposed to ADRs. Timings and the transition roadmap in particular the original obligations dates which were being imposed from November 2023 were not achievable. ADRs suggested ways to deploy or implement the standards in a non-binding fashion so there could be evidence collated on conversion rates.

The DSB noted that since the DP327 consultation, they had engaged  and Excelium Consulting Pty Ltd to provide the 2024 Independent Health Check, which would focus on authentication. Excelium have strong experience in TDIF rules and requirements and also broader cybersecurity experience and their advice aligns with other external recommendations including NIST and the Australian Signals Directorate (ASD’s) Essential Eight around adopting MFAs. 

The DSB was now seeking advice from the DSAC around how they navigate some of the divergent advice received from the experts and externals before progressing with drafting the authentication uplift data standards including:

  • Consumer Experience – how we balance leaving implementation to the discretion of the DH against the evidence we have on App2App and its benefits. That is, what level of evidence would be required to support mandation or prescription of an approach?  Or alternatively, whether the use of App2App would benefit from a voluntary standard to collate further evidence toward introducing a binding standard.
  • Authentication Controls – read access currently has a single risk profile under CL1 and move to stronger authentication for write. However, why should the Chair not increase the controls to meet minimum baseline security requirements, such as MFA, for personal information? Should the Chair consider a more fine-grained approach to authentication?

The Chair noted that the Rules required him to establish best practice authentication approaches and when the DSB did the initial independent security review with Vanessa Teague they were advised that single factor authentication and relying on one time password (OTP) based authentication was no longer best practice. They said they were in the process of identifying what is best practice so they could ensure its implemented and/or they can demonstrate it is already implemented. 

One member agreed that we need to look at more fine-grained rule sets around read as we need think about privacy and uplifting the level of security around personal data.  They also asserted that there would also be a push back on mandating App2App as a lot of DHs don’t have online apps, for example in the NBL sector.

The DSB noted that their recommendations proposed a fallback framework where if the customer had a DH app installed on their smart device, then the interaction flow must be App2App, otherwise where the DH does not provide App2App, allowing a falling-back to the existing ‘Redirect with OTP’ flow.

One member noted the need to consider the counterfactual of credential sharing with third party advisors and the security risks that screen scraping, and credential sharing creates. They asked about the need to devise a more secure CDR system and whether the CDR was displacing consumers to a much less secure environment.  They also noted that industry-best-practice varies from sector to sector, for example the collection of financial services was potentially more sensitive if unauthorised and gives malicious actors the ability to make your life difficult. 

The Chair asked the member to come back with more detailed comments around the cross-sector use case where a consumer consents to a use case that involves banking and energy data and does the complexity and the sensitivity increase with each new sector.  The member agreed to provide further details when providing feedback to the consultation.  

One member noted that customer authentication was an existing customer process in the banking sector which is regulated via principles-based outcome focused standards and guidance from APRA, specifically and they were cautious about the standards being very prescriptive or mandated as it could have unintended consequences about how the customer is integrated into the banking processes, even where they are not a CDR customer.

The DSB asked the member to consider the credential levels that are defined in TDIF and whether it is principles-based enough or whether the is still deviates from guidance under CPS 234.

One member noted in terms of best practice, they didn’t believe that credential levels or security itself was getting in the way of completing consents, they said it was the implementation and CX of the security standard.  They also noted that the privacy of peoples’ data was not solely based on authentication and its uplift.

One member said they appreciated the complexity and the importance of this topic, but they would need time to respond and work with various internal stakeholders before they could provide comment.

One member asked why was this being treated as a higher priority over other things, such as drop-offs?

The Chair responded that there were a number of reasons, from best practice authentication being an obligation in the Rules; an independent health check saying that authentication was no longer ‘best practice’; and that this specific line-item was funded in the budget for their activities, in line with government policy. In the wider context outside of CDR, protection for consumer data was a high priority for the government.

Another member noted that this would also go a long way to addressing drop-offs which was a big area of uplift. 

The DSB acknowledged the research and evidence out of the UK with a marked improvement in consumer conversion rate when they went to App2App, with a 33% increase compared to existing web flows.

One member asked when there was a complex situation with divergent views, how we make a decision as a whole to go ahead with implementing a particular path? They noted that to facilitate decision-making, there needed to be greater visibility of laying out the various options, like how to integrate and reference App2App, but more broadly, such as whether to standardise or adopt a principle-based approach; cross-regime considerations; the impact to customers; cost and timing of implementation.

The Chair responded that in the last meeting, there was a detailed discussion on DP338 and one of the actions taken, which was informed by the discussion and cost assessment, was for the DSB to develop a draft list of objectives and outcomes expected from the CDR so that he can evaluate and demonstrate the way in which all Data Standards related decisions were considered and made, and if they had addressed all these principles.  He said he would present a draft to the CDR Board, so they understood what he was doing and why.

Non-functional Requirements (NFR) Consultative Group

A summary of the NFR Consultative Group was provided in the DSAC papers and taken as read.

The Chair noted that the minutes from the meeting on 22 February 2024 were included in the papers for the committee’s information. 

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre: 

The DSB noted that CX team are continuing collaboration with the technical team and the community on how to approach CDR authentication uplift. The work was not only about security but around CX, reducing the drop offs and increasing consumer and organisational adoption and use cases in CDR was an important part of the puzzle to address. 

The DSB noted that CDR was also a viable alternative to screen scraping and given the governments consultation last year, auth uplift helps achieve greater parity in terms of consumer experience. 

The DSB noted that the Action Initiation Experiment for mortgage refinancing has been going well and they are looking to wrap up shortly with a report and findings.  They have identified some barriers to the use case being done today, but there are also some possibilities around how it could be done right now, not necessarily in an ideal way, but with the CX research findings, they want to highlight in the report what opportunities there are now for that use case to be enabled now and what we can face into in order to improve that use case being realised through CDR.

The DSB noted that they are working closely with TSY to progress the Consent Review proposals to draft rules and standards to be consulted on in Q2 2024. Draft standards will also be consulted on in tandem.

The DSB noted that there have been a few releases of the CX guidelines to align with the July 2023 CDR Rules last year.  Further releases to reflect the DP333 and DP334 are expected shortly. 

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

Issues Raised by Members

Threats to the CDR

The Chair noted that a number of items have been raised by members and he provided time in the agenda for members to raise their concerns and risks.

One member noted that they had heard through different channels that the Non-bank Lending (NBL) designation might be delayed. There are businesses that are investing, including their own, and engaging with the NBL sector and they would like to understand if NBL in DHs is proceeding. 

TSY responded that they had briefed the Minister following the draft Rules consultation last year and the Minister had not yet made a decision. TSY said that the intention when bringing new sectors into the CDR is to allow adequate time for entities to prepare, with the first obligation date typically no earlier than 12 months after the Data Standards are made. While TSY cannot pre-empt the Minister’s decision, based on that logic there would not be any CDR obligations this year. 

The member responded that creating announcements and putting out hypothetical dates creates industry inertia. That then had led to a lot of expenditure and resources that were expended and roadmaps that people committed to.  They said it was quite disruptive and if we were now pushed to next year, and with elections coming up, what happens is we then go into caretaker mode, and nothing happens as a result.

TSY noted their concerns and advised that they would pass on the feedback. 

One member asked that as we are leading into an election year and we have had some delays, it becomes more important to ensure there is clarity around what we are actually trying to achieve and when we are going to achieve it by.  They also noted that they struggled with feedback around what the tangible results are, and we should focus on results that deliver and drive consumer benefit.

One member noted that they would like to raise a number of threats to the CDR which are already impacting the program.  They noted that there is an incredible amount of negativity around the CDR currently, and ADRs don’t get the same access to the Minister as, for example, ABA and requests are continually turned down.  In this environment, success metrics are more critical which they have been promised previously by TSY, but these have not yet come about. The Minister being slow to make rules or respond, and screen scraping continuing to be valid, with no end in sight, put the CDR in jeopardy.

The Chair summarised the member’s views as being that the rate and pace is too slow; what our objectives are and what we are trying to achieve is unclear; and access to DHs is differential at the Minister’s office level with a lack of adequate access to ADRs. 

One member noted that this is our future as a nation and an absolutely critical infrastructure, and a lot of our operational challenges come down to the structural challenge of split accountabilities in the CDR.  They would like to see someone in one of the organisations involved to be accountable for operational outcomes which would solve a lot of issues, or at least get them prioritised in the right order.

The member also noted that a quick win would be single touch payroll which would make everyone’s life a lot easier, much simpler to implement and would make financial services more effective.  It also does not require the full oversight of the DSB to get it done. They still believed that the Statutory Review of the CDR Report was a really good roadmap and maybe the simple thing would be to have a scorecard on that. 

One member wanted to raise the issues of consent drop-offs.  They raised tickets for consent drop-offs, and it was at the point where the DHs tell them that there is not enough information for them to go-on and they wanted to close the ticket.  They said this onus-of-proof can’t be placed on the ADRs – and this has been raised with the ACCC.  They queried whether ACCC wanted the tickets closed and if they did, whether the member and others should open another ticket the next day when it occurs again and continue thus. 

ACCC noted that they will need to take this on notice as they don’t have the details and will come back to the member before the next meeting.

ACTION:  ACCC to provide an update to Member around consent drops offs and raising tickets prior to the next meeting.

The Chair also asked ACCC to provide any operational performance data on that issue which would be useful.   

ACTION:  ACCC to provide Operational Performance Data around consent drop offs.

One member noted that we are talking about fine tuning things overall and considering how far we have got, they think it’s a great achievement that we should be proud of. However, they noted that we are at the stage where we need to be going into these meetings with a set of KPIs and metrics.  They suggested we start with anything and fine tune until we end up with a set of metrics of what’s important. 

One member noted that consumer confidence needed to be central and if consumers didn’t have confidence, they would not be engaged which is a risk.  They flagged that there was a question mark around the future of the CDR, present in the discussions in the media over the last 6 months, and that the uncertainty around future government support and political risks needed to be taken into account.  They also wanted the CDR to be in embedded into other fields, for example the buy now pay later (BNPL) space.  They also reiterated the call for KPIs, which they noted they had been requesting for years. 

One member noted that the need for a score card as quantitative measures are critical to demonstrating success.  They noted that without this we were not enabled to demonstrate how and why CDR was worth persevering, and how the DSAC was assisting to achieve that success.  They agreed that a good starting point would be to look at the Statutory Review of the CDR and work out a scorecard against that review and what metrics would support the definition of success.  They reiterated the notion that these issues have been raised in meetings previously with no action. 

Another member agreed that the Statutory Review of the CDR Report would be a great starting point. They noted that the CDR was much more of a privacy protective regime than others and that it would be great if it were possible to disrupt some of the opacity of other data-broking markets with this consumer-led data scheme.  However, they acknowledged that there were tensions around some of the Rules which had maybe swung a little far to the other side.

One member noted that the single touch payroll was referenced by inference in Recommendation 1.1 of the Report, and it was the single best-piece of data to solve the buy now pay later (BNPL) problem as it did not need any data standardisation because its already standardised by the Australian Taxation Office (ATO). They noted that Equifax had asserted a 10-year monopoly on much single touch payroll data, demonstrating the poor behaviours of the data broker market.  They noted that without taking action and reform through the CDR, a data monopoly on citizen data was being enabled.

One member asked if anyone were against derived data because this is one of the reasons that there has not been more CDR adoption.  They also noted that if anyone else worked in a company who had hundreds of millions of dollars of budget, built products and didn’t have success metrics, they would be fired.  They asked if someone (TSY) could come back with a draft success metrics before the end of the year. 

One member noted that the DSAC was an Advisory Committee, which was different to the CDR’s Board.  They wanted to know what is reported at the Board level, whether there were a set of KPIs and operational metrics and if so, whether it was appropriate that these be shared with this committee. 

The Chair noted there are a range of operational metrics that the ACCC make available on their website and that from time to time, there is other yet to be published data, that they discuss.  He noted that one of the Statutory Review recommendations was that given the turnover of staff in various agencies, that the CDR strategies and objectives should be restated and redefined.   His understanding was that this hadn’t been completed.

The Chair noted that one of the challenges was that this was a Data Standards Advisory Committee (DSAC), and he was the Data Standards Chair.  He had always been prepared to open discussions around issues about Rules, compliance, and enforcement (with the support of the other agencies), but there was a level to which they are constrained by their Terms of Reference. However, these issues were important and the DSB was going through a process to define the criteria that they use in relation to the evaluation of standards proposals.  These could potentially be applied and used for Rules decisions and the framework for metrics and other performance indicators. 

One member noted that from the collective group of stakeholders that were actively involved in not just this Advisory Committee but the CDR itself, there was an absolute desire to be able to see more performance metrics and more operations guidance around the actual performance of the CDR so they could help. 

One member noted that the scope of this forum was around the Data Standards as opposed to the breadth of the CDR program, but that the comments that had been raised were perfectly understandable and reasonable and it speaks to this forum being the best available vehicle for participants to raise concerns.  They wondered if there was a gap within the CDR given these questions get raised here, even though this group is unable to resolve them. 

The Chair noted that the Commonwealth Bank of Australia (CBA)was a contributor to a piece of research that Deloitte Economics (John O’Mahony) published (Consumer Data Revolution) which talked about consumer data, the CDR and a range of issues.  The Chair noted that it could be interesting to invite Deloitte to the next meeting to discuss with members and asked members if they would support this. 

One member noted that the report was a Deloitte piece of work and CBA contributed a level of funding to support that.  They noted that they would not have any concerns with Deloitte attending a meeting.  

ACTION:  The Chair to invite John O’Mahony from Deloitte to a meeting to discuss the Consumer Data Revolution Report. 

The Chair noted that he has had discussions with Australian Banking Association (ABA) and raised the prospect of them attending a meeting to understand how we operate as an observer.  He asked the committee if there was a reason they shouldn’t be invited. 

One member agreed it would be great but mentioned that from an ADR perspective they don’t have the Ministers ear and they’d hope that anything discussed in this forum wouldn’t be used against them.  They noted that there must be equal fairness. 

The Chair noted that, if accepted, he would ensure that they would attend as an observer, and it would be under Chatham House rules.

ACTION:  The Chair to invite the secretariat from ABA to a future meeting. 

Treasury Update

Aidan Storer, Assistant Secretary, Market Conduct and Digital Division (MCDD) noted that TSY had no further update this month.

TSY noted that they were still working with the Minister’s office around next steps from various consultations undertaken in the second half of 2023.  They were also working on a package of consent review and operational enhancement draft rules with the intention of consulting in Q2, subject to the Minister’s approval.

TSY noted that following a TSY-commissioned review of CDR compliance costs they were reviewing some of their internal processes for the making of CDR rules.  

ACCC Update

Tim Jasson, General Manager, Solution Delivery & Operations Branch of the Consumer Data Right Division at the Australian Competition and Consumer Commission (ACCC) provided an update:

ACCC wanted to echo the sentiments on James Bligh.  He noted that James’ contribution to the CDR and commitment to working with the ACCC would be missed. 

ACCC noted that they had delivered a solution to automate the access request process in the Register portal which will hopefully mitigate some of the potential manual handling areas.  They had deployed enabling capabilities to ensure it aligns with the latest cloud technology.  ACCC noted that they had uplifted the ADR reports (9.4 reports) at the back end in preparation for version 5 of the CDR rules. 

ACCC noted that in terms of compliance and enforcement they had begun assessing responses from the 5 CDR principles and working out next steps.  They had commenced follow up and analyses on the annual rules 9.4 reports which were due end of January.  They noted that at end of February, 261 reports had been received, with 1 outstanding and that insights would be provided via the right channels in due course.

ACCC noted that they had published new guidance with the term “consumer data request” being clarified and their expectations regarding reporting on these requests under the 9.4 rules.  They had also published guidance on ACCC’s expectations regarding the information data holders should provide when they’re self-reporting compliance gaps for inclusion on the rectification schedules.

The Chair asked if any 9.4 data ever been published by the ACCC?

ACCC responded stating that the ACCC’s CDR Committee ultimately decide whether to release that data and none have been released to date.

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 10 April 2024 from 10am to 12pm. 

Other Business

One member noted that the Digital Platform Services Inquiry 2020-25 around data brokers was due 31 March 2024, and suggested that we invite the ACCC’s Digital Platform Inquiry team to the next meeting to report on how the March 2024 Interim Report might impact the access to single-touch-payroll data going forward.   

The Chair agreed that this was a good idea and asked ACCC to extend an invite to the relevant team to present. 

ACTION:  ACCC to reach out to the relevant team to invite them to present outcomes from the March 2024 interim report

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting. 

Meeting closed at 11:45