Minutes - 8 May 2024

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 8 May 2024
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 62

Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Jill Berry, Adatree
  • Brenton Charnley, TrueLayer
  • Damir Cuca, Basiq
  • Prabash Galagedara, Telstra
  • Melinda Green, Energy Australia
  • Gavin Leon, CBA
  • Peter Leonard, Data Synergies Pty Ltd
  • Colin Mapp, Independent
  • Lisa Schutz, Verifier
  • Aakash Sembey, Simply Energy
  • Richard Shanahan, Tiimely
  • Zipporah Szalay, ANZ
  • David Taylor, Westpac
  • Tony Thrassis, Frollo
  • Naomi Gilbert, DSB
  • Elizabeth Arnold, DSB
  • Ruth Boughen, DSB
  • Jarryd Judd, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • Cristine Williams, DSB
  • Cristina Blumberg, ACCC
  • Tim Jasson, ACCC
  • Seamus O'Byrne-Inglis, ACCC
  • Fiona Walker, ACCC
  • Shane Adams, OAIC
  • Aidan Storer, Treasury
  • Chris Ellis, Finder
  • Drew MacRae, Financial Rights Legal Centre
  • Stuart Stoyan, Fintech Advisor

 

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 62.

The Chair acknowledged the traditional owners of the various lands from which the committee members joined the meeting.  He acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging.  He joined the meeting from Cammeraygal land. 

The Chair noted that the papers included a forward programme which gives visibility to proposed topics that the Data Standards Body (DSB) team will present at future meetings.  

The Chair welcomed back committee member David Taylor from Westpac who had been on a leave of absence.

The Chair noted that Chris Ellis was making a career transition from Finder and was unable to attend the meeting.  He has also resigned from the DSAC due to this transition.  The Chair noted that Chris was a big supporter of the CDR, and he thanked him for his valuable contributions.  

The Chair noted that prior to the next meeting he will catch up with consumer representatives to interact about Consumer Data Right (CDR) matters from their perspective.  

The Chair noted that the Data Standards Body (DSB) released version 1.30.0 of the standard and published Noting Paper 346 – Standards Assessment Framework.  He noted that he had also attended the opening of the Standards Assessment Framework Workshop on the 6 May which was hosted at the Data61 offices, and that the work was progressing well, with constructive, collective and valuable engagement at the workshop. He flagged that another workshop would be held in Melbourne, and he encouraged members to register.  

The Chair noted that the CX Team had focused on draft standards for the Consent Review, releasing CX Guidelines for the July 2023 Rules, DP333, and DP334, finalising the account origination experiment report, and conducting activities to support CDR implementation and maintenance.

The Chair noted that Chris Ellis (Finder), Drew MacRae (Financial Rights Legal Centre) and Stuart Stoyan (Fintech Advisor) were apologies for this meeting.

Minutes

The Chair thanked the DSAC Members for their comments on the Minutes from the 10 April 2024 meeting. The Minutes were formally accepted.   

Action Items

The Chair noted that the Action Item for the ACCC to invite the Digital Platform Inquiry team to a future meeting will be carried forward.

Forward Agenda 

The Chair noted that a list of proposed topics that the DSB would present to DSAC members had been included in the papers.  

The Chair noted that the DSB would host two workshops around the Standards Assessment Framework over the coming month.  At the June meeting, he noted that they will provide an update on the feedback received, followed by a webinar session with the wider community as part of their community engagement work.  

Working Group Update

A summary of the Working Groups was provided in the DSAC Papers and taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by Mark Verstege:  

The DSB provided a brief update on the two Consultative Groups, noting that:  

  • The Information Security Consultative Group (InfoSec CG) had their first meeting on the 24 April and: 
    • agreed to meet fortnightly to progress the authentication uplift priorities; and
    • discussed the primary concerns of accredited data recipients (ADRs) and data holders (DHs), and agreed that before they got into actual solutions, the group would develop a set of guiding principles and high-level problem definition statements.
  • The Non-functional Requirements Consultative Group (NFR CG) have held three meetings and are working through the problem definition statements that the group is seeking to solve, which in particular have focused on:
    • from a banking perspective, looking at future capacity planning, particularly around changes like the transition from screen scraping (SS) to Consumer Data Right (CDR) and larger participants from a data recipient (DR) perspective bringing significant load; 
    • whether current request response models are appropriate; 
    • whether NFR thresholds are appropriate; and 
    • exploring emerging issues in energy around large account holders and what issues they may bring to request loads, particularly to ensure they’re addressing AEMO capacity whilst being able to facilitate the consumer data sharing for non-individual consumers. It was noted that Origin and their vendors had been invited to the next NFR CG for further discussion.   

One member noted that, with regard to the InfoSec CG, it would be useful to explore the potential problems over the next horizon (e.g., 3 years) and what the biggest threats or vectors within our scope are for us to solve for the CDR. The member noted that they would like to understand how that complements the government’s other initiatives (e.g., scams) to get a broader picture.  

The DSB noted that they will take that on board and consider this with the InfoSec CG.  

One member asked if they could nominate for the NFR CG as they were keen to be part of the conversation.  They were also interested in sending more than one representative to the Standards Assessment Framework Workshop in Melbourne. 

The DSB noted that for the Standards Assessment Framework Workshop, due to capacity issues, attendance was limited to one per organisation. The DSB also noted that providing feedback is not limited to workshop participation and there would be other opportunities, including accessing the workshop packs available for a self-led offline session and posting feedback on GitHub; scheduling bilateral conversations to discuss the framework; or participating in the DSAC workshop session at the June meeting. They noted that the DSB would present the final design framework to the DSAC in August.

One member noted that in terms of NFR thresholds, it was better to be pre-emptive before it becomes a problem and suggested the group consider what that measure should be, beyond simply the idea of SS volumes or that volumes will grow, which necessitates a threshold increase. 

The DSB noted the importance that next steps be grounded in a tangible approach and that they were working with DRs and DHs to undertake further analysis. 

One member noted that the push for the NFR work was for future volumes and that people can’t get their use case over the line as there are currently constraints.  They stated one way of eliciting the need for volume would be to take a use case perspective and put forward those which would not work because of threshold volumes today.

The Chair noted that the Consultative Groups are invaluable and were developing well. He thanked those who had nominated and participated in the groups.   

Consumer Experience (CX) Working Group Update

A further update was provided on the Consumer Experience (CX) Working Group by Michael Palmyre, noting that:

  • The Standards Assessment Framework Workshop was held on Monday and was a great workshop with lots of energy and good conversation.  
  • The DSB had been working with Treasury (TSY) internally to draft rules and draft data standards related to CX to progress the consent review work, and they were on track to publish standards for consultation in Q2. The Deceptive Patterns Assessment (formerly known as Dark Patterns Assessment) by University of South Australia was progressing well and key deliverables had been shared internally. The DSB noted that UniSA had been looking at the landscape of deceptive patterns, their implications and how they might be categorised, which would be useful for broader thinking on deceptive patterns, not just in relation to CDR, and the next step was assessing how vulnerable the CDR might be to those deceptive patterns.
  • The report on the account origination experiment was being finalised and would be published as a noting paper on GitHub for community comment in the next couple of days.  The DSB noted that key findings and outputs included the success of various flows that were tested using a Fogg Behaviour Model as an artefact to demonstrate from the CX research the propensity from consumer participants to adopt the use case. 
  • The DSB had been workshopping issues with ADRs relating to authentication and authorisation, arising via CR628, and analysing metrics data in relation to drop off rates and points, with further information provided in the presentation (Item 4 – Drop off and data collection issues).  
  • The DSB team had finalised CX Guidelines for business consumer statements, business consumer disclosure consents, and amending authorisation dashboard details. The DSB noted that a recent implementation highlighted further queries with the amending authorisation functionality, and they had worked with other CDR agencies to provide rapid clarifications to the community and updates to the CX Guidelines to assist DHs with their 1 July 2024 obligation dates.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read.  

The Chair noted that the DSB’s Engagement Manager would provide an update on Stakeholder Engagement at the next meeting.  

ACTION:  DSB to present on stakeholder engagement at the June meeting.  

The Chair noted that upcoming workshops included the Standards Assessment Framework Workshop # 2 (Melbourne) on 14 May and the Decision Proposal 338 Workshop (virtual) on 21 May 2024.

Drop off and data collection issues

Michael Palmyre from the DSB presented on drop off and data collection issues, noting that:  

The DSB had had a number of engagements over the past few years which have highlighted barriers to ADRs collecting data from DHs.  Recent community input and analytics highlighted critical issues on the DH side, particularly in authentication and authorisation flows, but also in relation to account access.  While the consent review proposed to focus on these and other issues in a second phase of work, the first phase of the consent review had been limited to ADR side improvements. 

Of the 22 submissions to the consent review, 72% had supported future work on consent, with a strong emphasis on authentication and authorisation improvements. These points were made by ADRs, DHs and industry bodies. Within bilateral consultations, feedback had similarly emphasised that further work on DH authorisation processes would be necessary to improve consent completion rates.  

Analytics from various sources further suggested that around 25-60% of consumers do not complete the DH process, with around 30-50% of those drop offs occurring during the authentication process, and some data sources suggesting this may be as high as 89%.

Targeted ADR Working Groups on consumer drop offs had validated, refined, and expanded on these points. Five ADRs had highlighted drop off sites and barriers that include authentication; profile selection; account selection and availability; non-individual and secondary user settings; and UI issues and divergence. 

Some key opportunities that feedback and discussions had touched upon to date included:  

  • Authentication 
    • Authentication Uplift [standards]
    • Error Messages [standards]
    • User Messages [standards] or [guidance]
    • Completion Benchmark [standards] or [enforcement]
  • Authorisation 
    • Simplification [standards] and [rules]
    • Characteristics specification [standards]
    • Error Messages [standards]
    • UI Standardisation [standards] or [guidance]
    • Unavailable Accounts [standards] or [rules]
    • Support ID [standards] 

The DSB flagged that next steps were to undertake further exploration, particularly on:

  • To what extent these issues form a core part of barriers to data collection
  • What other issues exist that contribute to data collection barriers to CDR
  • Whether the potential solutions specified in the paper should be explored further and/or prioritised
  • What alternative solutions exist that can help address barriers to data collection
  • How data collection might be measured, and success defined.  

The DSB agreed to share the slides and the above questions with DSAC for consideration, with member feedback welcome via contact@consumerdatastandards.gov.au.

ACTION:  DSB to circulate the slides and questions to DSAC members.

One member noted in terms of joint accounts and instructing customers to navigate through JAMS to DOMS, this was no longer required. However, they noted that the customer can “unselect” and opt “do not share” their account and it wouldn’t be eligible. 

One member suggested that voluntary CX optimisations be explored in more detail. They noted that based on data in the slides, they have healthy completion rates, but had prioritised capacity to make further improvements. However, they flagged that half of their drop offs relate to the one-time password step, and they were making optimisations this quarter to improve their completion rates, the results of which they would be happy to share once live.

They also noted that any simplifications made around multi-party sharing needed to be discussed and agreed at a policy level, to ensure we are keeping within the privacy and security principles. They also suggested more exploration of app2app, as this would have an impact on customer authentication in regular banking app usage. They suggested that it would help with CDR completion rates but may have unintended consequences in terms of complexity for implementation in the banking app and change the pattern for customers in their day-to-day banking experience.

The DSB noted that, in terms of the consideration of app2app in authentication, this was subject to the InfoSec CG discussions. They also acknowledged multi-party sharing and that they were relaying the thinking from ADRs to policy teams, as a lot of this was not standards, given that ADRs often focused directly on the outcome, which ensnares a lot of issues regardless of whether policy, rules or standards. The DSB also noted that they would be keen to receive the OTP improvements and findings once they go live.

One member noted the importance of familiarity, given the need to consent for multiple banks several times in their use cases for both lending and money management or Personal Financial Management (PFM). They also noted that they had conducted a number of surveys and one of their questions is around where and why customers changed their minds.  They stated that they would try to provide those results on a monthly basis to see if improvements were being made.

One member also noted the importance of familiarity for trust, and that we can have a level of differentiation but still have consistency for consumers with the way in which they ordinarily interact with their bank.

They also noted that for SS, there is an easy flow with less drop offs, but they queried whether the DSB had found use cases where consumers saw enough utility to justify them undertaking multiple steps.

The DSB noted that on consistency and familiarity, they had noticed the tension on what it means to be consistent: whether it’s contextual and consistent with existing processes of a bank, or whether it’s consistency across banks in the context of CDR.  On the second point on whether any use cases demonstrated enough utility for consumers to undertake more steps, anecdotally, for lending there appeared to be higher completion rate as people don’t want to get into debt, compared to things like budgeting where there’s a less pressing need to complete the flow.

One member noted, on consistency, that when a customer logs into their banking channel this may not be consistent with what’s available under CDR, as they may choose not to see accounts on their internet banking channel. There have been discussions around replicating the idea that if you can transact, you can share (that is not the case), and the difference in customer expectations.

The Chair noted that the DSB would circulate the presentation and seek responses to the questions.

Update on UNSW and other related reports

RT Hanson and Christine Williams from the DSB provided an update on the UNSW and other related reports as follows:  

The DSB noted that they had commissioned UNSW to undertake research on managing cyber threats and risk management in 2022, for which they produced two reports: “Considerations for managing cyber threats to the Consumer Data Standards: A report to the Consumer Data Standards Chair” and “Risk management for the Consumer Data Standards: A report to the Consumer Data Standards Chair”.  

They recommended a number of items, including the establishment of an Assistant Director for Cyber Assurance role, to which the DSB recruited Christine Williams.  

The DSB noted that subsequent work had been commissioned, from PwC Indigenous Consulting, to further develop other recommendations from the reports, and that this work was currently being finalised and would be published. The DSB noted that this included a review of the Chair’s risk management approach, consideration of a cyber security advisory panel, data sensitivity and authentication framework.  

The DSB noted that they had also commissioned two Independent Health Checks (IHC) – one on Deceptive Patterns and the other around the Standards’ Security Profile. They noted that the Security Profile assessment would provide extensive input to the work to uplift authentication, with the current assessment intended to produce external expert guidance that would be incorporated in the uplift before draft standards are published. They also covered that the Deceptive Patterns assessment would respond to UNSW’s recommendations to scan the threat landscape for different types of threats. The DSB noted that the IHCs were due to be completed before Q3 2024.

The DSB noted a number of activities currently underway which progress action against specific recommendations from the reports.  Some highlights of the analysis included:  

  • 364 recommendations had been received relating to the Data Standards or the activities of the Data Standards Chair
  • Of those 364 recommendations, 67 related to privacy (65 of those driven by privacy impact assessments), 52 related to risk management, 47 related to cyber security and 45 related to action initiation.
  • The remaining recommendations consisted of a variety of fields including strategic issues and smaller issues.  
  • Noting that a number of external reports had now produced recommendations, further analysis was underway to take a more strategic approach to addressing key improvements.  

The Chair noted that a lot of progress had been made in relation to the Risk Management Plan, Framework and Strategy.  They noted that as the threat applies potentially across rules and standards they were working with TSY and noted that TSY are the lead on this piece of work.  

The Chair asked the DSB to come back next time, listing the 364 items into categories and providing an update on whether they are complete or not, taking into consideration not exposing the threat landscape and sensitive information.  He noted that he would like this to be tabled quarterly at DSAC meetings. 

ACTION:  DSB to provide a list of recommendations, the status, and accountability.

One member noted it would be great to have visibility of the items appropriate to share and their progress.  In terms of cyber security, they noted that it would be good to understand what forums in the CDR ecosystem discuss cyber security and where accountability sits.  They noted that this forum is potentially not the right forum and beyond the InfoSec CG, they noted there was a lack of clarity as to which group has accountability to look at cyber security for the CDR and prioritise the work. 

The DSB noted that they were also looking at a Digital Trust Advisory Panel which could have a larger remit in this space and would reach out to the member for a conversation offline.  

ACTION:  DSB to reach out to member to discuss relevant fora. 

Success metrics discussion 

Jill Berry, the CEO from Adatree presented on CDR Success Metrics as follows:

They noted that over the past three years, the group had talked about what success metrics are, what happens if we didn’t have them and why they’re important. 

They noted that some of the reasons success metrics were needed were to: 

  • Connect the work that is being done to the goals that we want to achieve as a CDR program
  • Align on what success is, quantitatively
  • Better prioritise the tasks that need to get done
  • Assess strategy & resource efficacy
  • Make smarter, unemotional business decisions
  • Identify weakness
  • Rapid feedback loop

They noted that two meetings ago everyone agreed they were critical, and all industry participants were asking for it.

They focused on a number of issues occurring where there are no success metrics and why we should care right now, including:

  • Increased reputational risk – why keep investing and adding more industries? Why should ADRs keep participating? 
  • No confidence for further participation – we need a north star of what success is and how it relates to consumer success 
  • Unable to measure actions – is our time and money making the difference we want?
  • Unable to prevent or mitigate problems 
  • No agreeance on what success looks like
  • Unable to objectively prioritise
  • Suffer in uncertainty and lack of self-efficacy

They noted that the CDR’s objectives talk about ambitions, but don’t say how we would actually get there, which is a problem. 

They noted the importance of goals, as they drive adoption and participation, which justifies DH engagement, consumer awareness, more recipient participation, and supports the government feedback loop.

When defining success, they noted that you need to have an ambition statement; key priority initiatives; and quantifiable measures. They noted that if the CDR were a company, it would have an ambition statement; have a prioritisation framework; report regularly; communicate transparently; have a measure and feedback loop; and celebrate when goals are hit. They encouraged TSY to do this.

They noted that whilst there has been an incredible amount of progress in the CDR, no one was talking about it and much of it was not measured.  

Their thoughts on five potential pillars of success were: business uptake; consumer engagement and value; business participation; regulator focus and efficacy; and technology.

They noted that some examples of the problems and opportunities related to these five pillars were:

  • “business uptake” – many companies being interested, but few participating; minimal migration from SS to CDR; barriers to entry being higher than intended; access model growth not being transparent; unknown satisfaction scores across participants, particularly given loud voices don’t represent all voices; and no visibility of live use cases.
  • “consumer value and engagement” – utilisation by consumers reflecting engagement and value; Australians being better off with money saved, more suitable products and better outcomes; and Australian public having low awareness and understanding of CDR.
  • “business participation” – recipients being more innovative and creating operational efficiencies when engaging with the CDR; recipients having to address consumer issues at first call; implementation costs not reflecting the benefits; and adequate internal training for CDR responses/issues.  
  • “regulator efficacy” – very slow feedback loop and change, inhibiting adoption; lack of visibility for rectification of issues; sentiment of favouritism for industry engagement; complaints not seeming to go anywhere; and limited consequences for breaches introducing weak links.
  • “technology” – software products taking a long time to go live; consent capacity preventing some major recipients from going live; DHs being compliant with standards; and responsiveness of participants in portal with regard to issues. 

In terms of next steps, they encouraged TSY to commit to having and creating an ambition statement and setting consumer focussed goals and success metrics for CDR.  They put forward that leadership for the CDR needed to be top-down from TSY and included publication of the commitment and plans and having regular transparent reporting with a rapid feedback cycle to meet the goals.  

One member noted that this work was a great cry from the heart which they endorse fully. They stated that an easy response would be to say that we’re a Standards advisory group and looking at metrics goes beyond the role of standards, but that in their view this would be an incorrect response. They suggested that the DSAC needed to test the envelope of what this committee does to get some momentum behind consideration and refinement of the success metrics within a manageable timeframe. They wanted to boldly test that envelope and requested that if there were a problem for TSY, ACCC or the DSB in doing so, that this be called out quickly. The member requested that if the work were already being done elsewhere, that it be determined where to have this conversation, if not at this committee.

The Chair noted that a portion of this fits in the ToR and his legislative scope of operation, however, that the policy and future directions for CDR sit with TSY and invited TSY to address this.  

TSY noted that they’re interested in industry views on this and have had bilateral conversations with Adatree.  They noted that more recently, there has been a particular focus around implementation costs and how the CDR can run in a cost-effective way which impacts all participants, however they are also thinking about benefits and success metrics.  As part of that, they noted the need to balance costs with the benefits that are being derived from the CDR and it is helpful to better understand what these benefits look like in the form of consumer uptake but also use cases.

TSY also noted that they have to work with the government of the day about what is made public in this space.  They flagged that they were interested in hearing from stakeholders and happy to have further conversations with stakeholders on what they see as success for the program. They noted that they would also like to see participants continue to promote benefits and the good news stories.

The Chair expressed that he believed there to be value in a first step of assembling a small working group to work collectively on this in a non-public way initially to see what they found.  

One member noted that they are supportive, acknowledged that it is a complex problem, and would be happy to participate in this conversation.

Adatree agreed that this was a CDR issue, and not for one agency to own.  They posited that this could be something the CDR Board might be able to drive. 

The Chair noted that the CDR Board is advisory in nature and not a governance board.  They noted that the Board could advise TSY that this is a good idea, but nothing would happen realistically unless TSY were wholeheartedly on board. 

One member noted that we were not the first jurisdiction to explore this and wondered if TSY have connected with other global jurisdictions around measurements. They appreciated, however, that it is not like for like and other jurisdictions have different concepts.

The Chair noted that the challenge is that other jurisdictions are less developed in this area than Australia, however, that this doesn’t mean we shouldn’t do another scan of their success metrics.  

TSY noted that they have been talking to international counterparts in this space, with countries who have open banking regimes, to understand how their regimes operate and to share learnings. They noted that their engagements had found that no one has got the regime ‘right’ and there are many challenges and trade-offs in implementation. 

The Chair noted that the success metric discussion had been ongoing for some time now, and we haven’t made enough progress in the program. He did, however, thank TSY for their response and offered his support in taking this forward through TSY and other organisations as this was a critical point. 

Treasury Update

No update provided this month.  

ACCC Update 

Tim Jasson, General Manager, Solution Delivery & Operations Branch of the Consumer Data Right Division at the Australian Competition and Consumer Commission (ACCC) provided an update as follows:

In terms of the outstanding Action Item, they were working with the Digital Platform Inquiry team on timing to present the outcomes of the report to the DSAC.  

In early April, HSBC Australia paid two infringement notices totalling $33K for allegedly contravening the CDR rules, which was an important data quality outcome with continued focus on this area.

On 6 May, ACCC published their observations around the CDR Compliance Review of CDR Representative Principles, with the report available on their website.   

ACCC published revised guidance for DHs on the treatment of blocked or suspended accounts, clarifying that CDR consumers who are temporarily unable to access accounts online remain ineligible. 

ACCC held their quarterly planning session at the end of April to map the delivery plan for the coming quarter. The focus will be on technology uplift and meeting new Rule 9.4 reporting requirements introduced with version 5 of the CDR rules. 

They will also be looking at website updates to improve browse and search functionality on the public facing register which was a request from the DSAC a number of meetings ago.   

The most recent Compliance Update and Regulatory Bulletin (CURB), which is available by subscription, was published in April.

One member asked if the March Interim Report for the Digital Platforms Inquiry was on time. ACCC noted that they are typically on time but would confirm back with the member on this.  

Another member noted that it was his understanding that the ACCC sent it to the Minister on 31 March and it was with the Minister, and due to be published on 10 May.  

One member asked about the fines, noting that unlisted companies’ fines are 1/10 of a listed company, and queried why unlisted companies were less of a risk and why they attracted lower fines.   

ACCC noted that this was a broader Commonwealth penalty policy which they wouldn’t comment on.

The Chair noted that if they could bring anything back on this next time, it would be appreciated.

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 12 June 2024 from 10am to 12pm.  

Other Business

No other business was raised.

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting.  

Meeting closed at 12:05