Minutes - 9 Oct 2024

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 9 October 2024
Location: Held remotely via MS Teams
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 66


Attendees

  • Andrew Stevens, Data Standards Chair
  • Alysia Abeyratne, NAB
  • Jill Berry, Adatree
  • Brenton Charnley, TrueLayer
  • Melinda Green, Energy Australia
  • Gavin Leon, CBA
  • Drew MacRae, Financial Rights Legal Centre
  • Colin Mapp, Independent
  • Lisa Schutz, Verifier
  • Aakash Sembey, Simply Energy
  • Stuart Stoyan, MoneyPlace
  • Zipporah Szalay, ANZ
  • David Taylor, Westpac
  • Tony Thrassis, Frollo
  • Naomi Gilbert, DSB
  • Elizabeth Arnold, DSB
  • Matthew Bowd, DSB
  • Jarryd Judd, DSB
  • Michael Palmyre, DSB
  • Mark Verstege, DSB
  • John Williamson, ACCC
  • Elaine Loh, OAIC
  • Claire McKay, Treasury
  • Jeremy Cabral, Finder
  • Damir Cuca, Basiq
  • Prabash Galagedara, Telstra
  • Peter Leonard, Data Synergies Pty Ltd
  • Richard Shanahan, Tiimely
  • Verushka Harvey, ACCC
  • Terri McLachlan, DSB

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting #66.

The Chair acknowledged the traditional owners of the various lands from which the committee members joined the meeting.  They acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging.  They joined the meeting from Cammeraygal land.

The Chair noted that the team were progressing Maintenance Iteration 21, and the papers included updates from the Tech and CX team, particularly around standards and guidance for the consent review operational enhancement and authentication work.

The Chair noted that there had been some changes to the DSB team.  They had farewelled Ruth Boughen and welcomed Justin Li (A/Director: Operations team) and Rob Sorrentino (A/Director: Digital ID Project team).  They thanked Ruth for their outstanding contributions during their time at the DSB.  In addition, they noted a new Solutions Architect was due to commence in early November. 

The Chair noted that the current term of DSAC members, with the exception of Chandni Gupta & Drew MacRae, who had different appointment dates, completes at the end of November.  They would conduct a refresh of the members and intended to bring in some Digital ID interested and capable members, noting the reference in Minister Jones’ letter to ensure consistency with Digital ID and also consider opportunities to build upon the common elements of CDR and Digital ID to facilitate the safe realisation of high-value use cases.

The Chair noted that member Colin Mapp had advised that they would not be seeking reappointment due to a career change; and that it was Melinda Green’s last meeting as they were moving on from their role at Energy Australia.  The Chair thanked them both for their significant contributions to the committee.

The Chair asked the committee to let them or Terri McLachlan know if they did not wish to seek renomination for another year.

ACTION:  Members to advise the DSB if they did not wish to seek renomination this year.

One member asked that given the change in membership due to Digital ID needing to be a cohesive part of this committee, whether the Chair was thinking of having one hat per organisation or expanding the DSAC to other organisations. 

The Chair noted that there would be a single Data Standards Body (DSB) who would work for both Ministers responsible for CDR and Digital ID.  A recruitment process was currently underway for a Data Standards Chair who would be common between the two and report to the two Ministers in their independent role.  That person would bring the convergence and common use cases to life, and until the end of that recruitment process (early next year) they were proceeding on the basis of what the Minister had asked about bringing to life the high-value use cases and consistency with Digital ID in the interim.

The Chair further noted that at this stage, they were not sure if they would have one person from organisation X who had an interest in both areas as there are elements of Digital ID that would not be of relevance to the DSAC, so there may be compartmentalised CDR and Digital ID “chapters” and then a common DSAC, but they had not landed on a position as yet. 

Another member highlighted the challenge of ensuring representation from organisations that had interests in both CDR and Digital ID, suggesting that the right person could sit in two different areas, and this might cause potential issues of over representation from certain organisations, emphasising the need for balance in representation and meaningful discussion.  A further member raised the question of what content the agenda would be comprised of and whether the need for this to be meaningful from both a CDR and Digital ID perspective assumed separate chapters would be needed.

Another member noted that Digital ID and CDR were about economy wide data sharing, and while it might be more efficient to separate them, queried whether that would defeat the purpose.

Minutes

The Chair thanked the DSAC Members for their comments on the Minutes from the 7 August 2024 meeting.  The Minutes were formally accepted.   

Action Items

The Chair noted that the Action Items had either been completed or would be dealt with that day. 

Forward Agenda

The Chair noted that a list of proposed topics that the DSB would present to DSAC members had been included in the papers. 

Letter to the Chair from Minister Jones

The Chair discussed the letter from Minister Jones, highlighting the Government's expectations for the Chair's performance and the operation of the DSAC.  Key points included focusing on high-value use cases such as borrowing decisions, energy switching, and accounting services to small businesses.  They also mentioned the importance of addressing information security, consent drop-offs, and the authentication uplift work as part of information security.

One member discussed the concept of experiments in the context of the CDR, specifically mentioning the importance of including experiments on rules in addition to standards.  They suggested an experiment on consent drop-offs, which would include considerations of rules, should be prioritised to address the issue effectively.

One member enquired about the context of the Minister’s reference to an experiment around real estate agent applications in the letter. 

The DSB clarified that it was internal work exploring the synergies between Digital ID and CDR, focusing on how both ecosystems’ current frameworks could support rental applications.  This work was preliminary and aimed at identifying opportunities for these systems to work together more effectively, particularly in minimising data usage by leveraging both ecosystems.

Another member expressed surprise and concern about the potential for real estate agents to access consumer data through the CDR.  They emphasised the importance of ensuring that consumer safeguards were in place to prevent misuse of data, especially in contexts where real estate agents were not allowed to obtain information through traditional credit reporting systems.  They highlighted the need for preliminary input from consumer groups and other stakeholders to address the risks associated with such use cases.

The DSB noted that they are currently working on prioritisation of experiments and their intention with future experiments was to highlight the factors, similar to the Standards Assessment Framework (SAF), that needed to be considered before moving ahead with an experiment.

One member raised concerns about the scope of the CDR in relation to the Government's reset and the focus on specific high-value use cases.  They questioned whether the narrowed focus on certain use cases, such as borrowing decisions and energy switching, might limit the potential for broader economy-wide data sharing.  They suggested that while prioritising use cases is important, it should not jeopardise the potential for a more generalisable set of data sharing capabilities that could emerge from the market's innovation.  They emphasised the importance of maintaining a balance between focusing on high-value use cases and allowing room for the market to identify and develop new use cases within the framework of the CDR.

The Chair noted that the effect of the Minister’s letter and the application of the SAF would be a significant narrowing of scope of their activities and those of the committee.  They noted that in the context of lowering the costs of compliance, the scope of use cases is significantly narrowed to those items listed in the letter, and that there would be less change involved on significantly fewer use cases.  

One member expressed concerns about the narrowed focus on specific high-value use cases as outlined in Minister Jones's letter, suggesting it might limit broader economy-wide data sharing. They emphasised the importance of experiments on the use cases to determine what the benefits of the use cases were and wanted to understand the incremental benefit of doing work in CDR for these use cases.  

One member expressed support for the Government’s reset in that the narrowed focus on specific high value use cases provided a clear direction and the opportunity to demonstrate tangible value from the CDR. 

One member raised several points regarding the strategic objectives for the CDR, emphasising the need for clarity on targets and suggested setting clear benchmarks for consumer participation, API calls, account switching etc to define success.  They also inquired about updates on rule changes to enable the DSB to implement those changes and suggested that the CDR should consider a broader definition of switching to encompass more use cases beyond energy switching (e.g. mortgage and account switching).

TSY noted that they were optimistic that they would have the version 7 package, which included operational and consent rules updates, finalised shortly.  They noted that the timeline for further rules consultations, including the NBL package with minor updates to it, was expected to go out for consultation and conclude before Christmas, aiming for completion early in the new year dependent on a number of factors.  They encouraged suggestions from stakeholders for changes to the rules to support use cases and address cost concerns for consideration, which would be considered in version 9.

TSY noted they would provide further information to stakeholders in the near future about possible consultation timeframes to support the development of changes that could be included in the version 9 package.  

One member asked TSY for confirmation as to whether the CDR Strategic Review paper and the scope of products were scheduled for this quarter. 

TSY noted that they had undertaken a targeted consultation around scope of products and that advice was currently with the Minister.  They noted that the outcomes of this consultation would be included in the draft rules that were due to go out for consultation in version 8 alongside NBL, which would be due to complete before Christmas.  They added that the consultation was a quick review, focussed on what products may need to be removed before non-bank lenders had to build. However, TSY expected there would be further consultation to understand other areas where costs could be reduced.  

The Chair noted that they had heard the feedback in relation to reducing cost, and the Minister had reaffirmed that feedback and the Government’s direction in relation to expectations as to the performance of their role.  They also noted that the work on the SAF had been completed, and there was limited use case potential and categories which would be applied when using the SAF.

The Chair noted that a draft Noting Paper on cost and change considerations was included in the papers in response to the Heidi Richards CDR Compliance Cost Review Report, highlighting the dilemma between reducing the number of change events and providing sufficient notice for changes.  They noted that the paper outlined feedback from engaging on this topic, including consensus being that fewer fixed change events were not strongly supported, and the emphasis was on the notice period for changes rather than the frequency of change events.

The Chair asked for feedback on the Noting Paper by Friday 11 October prior to intending to publish the paper the following week.

The Chair noted that they would also respond to Minister Jones’ letter, including the Noting Paper, and reference how they will give effect to the SAF.

Working Group Update

A summary of the Technical and Consumer Experience Working Groups was provided in the DSAC Papers and was taken as read.

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

Deceptive Patterns

Michael Palmyre from the DSB provided an update on the work related to deceptive patterns in the CDR ecosystem.  They noted that a deceptive pattern was a design pattern that might undermine or subvert a service user’s ability to make an autonomous and informed choice or decision.

The DSB noted that this work had progressed from what was initiated in 2022, when they engaged the Consumer Policy Research Centre (CPRC) to extend their standards consultation with one of the recommendations being the need for standards on deceptive patterns.  A further two consultations were conducted in relation to the consent review where deceptive patterns were proposed as a problem space to be explored to balance potential risks of undermining choice associated with simplifying rules and general obligations for the CDR and the process of giving and managing consent in authorisations.

The DSB engaged the University of South Australia to do further analysis on deceptive patterns, the risks in CDR and the form and appropriateness of standards before progressing solutions in the consent review work.  The first report, Patterns in the Dark, had been published and the second report, which aimed to pressure test the CDR for vulnerabilities to deceptive patterns, had also been completed. Key findings from the report included:

  • Metadata Use: Concerns about metadata acquired through CDR being used to target consumers outside of CDR with deceptive patterns.
  • Design Choices: Instances where CDR-compliant design choices might still manipulate consumer behaviour, undermining informed choice and control.
  • Business Practices: Potential manipulation by businesses using knowledge of a consumer's CDR arrangements, such as consent expiration, to influence consumer decisions.

The DSB mentioned that whilst the CDR had protections against many deceptive patterns, these were often optional guidelines rather than mandatory requirements. The report also reviewed regulatory landscapes beyond CDR, noting that while there were initiatives to address deceptive patterns, there might still be gaps in focus and enforcement capabilities within the CDR context.

The DSB noted that next steps included publishing the second report, conducting internal reviews of live CDR implementations to identify any existing deceptive patterns, and considering whether issues were widespread in practice.  They noted this work was not intended to be released publicly, but would inform next steps in understanding where authentication, authorisation and consent may be undermined, noting a general preference for wider regulatory changes to address these issues as opposed to a CDR specific response.

The Chair invited Drew MacRae from FRLC to also present on this topic.

Drew MacRae initially noted that they were surprised at the approach University of South Australia took in respect to using AI and were not sure if that was the most ideal approach.

Their presentation on deceptive patterns focused on the potential for these patterns to be implemented within the CDR ecosystem.  They highlighted three examples of where deceptive patterns could potentially be used, such as in the context of trusted advisors, withdrawing consent, and enlivening consumer protection rights against financial abuse.  They suggested that while the CDR rules and standards might have allowed for certain practices, there could have been operational dilemmas that arose when trying to implement those in a way that avoids deceptive patterns.  They also noted the absence of standards on the extent of information provided to consumers and on consumer right to protect themselves from financial abuse.  They proposed communication and clarification as potential solutions to these dilemmas, emphasising the importance of clear and transparent practices to prevent the misuse of data and to ensure consumer protection within the CDR framework.

The Chair sought feedback from the committee about the review of live implementations and how far they should progress before they paused and took stock. 

One member raised concerns about consent drop-offs, highlighting the operational challenges faced when consumers intended to authorise their consent but were unable to complete the process.  They mentioned that despite providing evidence of consumers' intent to succeed through surveys, responses to raised tickets often attributed drop-offs to consumers changing their minds, which they found unsatisfactory.  They emphasised the need for a faster resolution to address consent drop-offs effectively and suggested that setting success metrics for consent completion rates could be a potential solution.  They also mentioned considering reaching out to consumers to encourage them to raise complaints where appropriate, indicating the significance of addressing consent drop-offs for improving consumer experiences in the CDR ecosystem.

The member also noted that when ACCC were reviewing JIRA tickets, that they should consider whether they could accept the fact that a data holder was telling them they wanted to close a ticket because they were accepting the fact a consumer has just changed their mind, when ADRs understood otherwise.

One member expressed concerns about the potential for deceptive patterns to be exploited, especially in relation to security vulnerabilities and data. They urged for careful consideration and assessment to ensure consumer protection, emphasising the high potential for action initiation to expose underlying vulnerabilities, particularly in the energy sector.

One member discussed the sensitivity and challenges related to vulnerable customers, especially in the context of joint account holders and the potential for financial abuse.  They highlighted the importance of considering how to inform data holders of threats to ensure the safety of vulnerable customers without compromising their privacy or safety.  

The Chair noted that they had to determine whether the changes could be considered critical and were therefore needed based on the scale of the risk, which required more than a theoretical analysis.  They asked members if they were comfortable to proceed with options 1) Publication, 2) Desktop Assessment and 3) Review of live CDR implementations OR whether they would prefer to stop at option 2) Desktop Assessment, before considering live implementations.

A number of members noted that they were happy to proceed with options of 1 to 3. 

The Chair noted that the general consensus was to proceed with options 1 to 3.

The member noted that they had been promoting app2app as a voluntary standard because it would give data holders an opportunity to better their current authentication and authorisation flows without having to fix their own if that was a better approach.

One member noted that it would be good to check if consent drop-off had anything to do with deceptive patterns.  They also noted the balance between prescription and principles in the context of CDR, particularly focusing on the need for a principle-based approach to address the complexities of authentication and consent.  They suggested picking a key deceptive pattern and really hacking those and working through them and then developing some prescription with the principle.

One member noted the need to focus on enforcement, as there were a lot of issues occurring but there was no follow-through and enforcement, which led to the behaviour continuing without any consequences.

Authentication Uplift Proposed Approach

Mark Verstege from the DSB presented on authentication uplift, focusing on enhancing the security and user experience within the CDR ecosystem. Key points included:

  • Establishment of the Information Security Consultative Group which was aimed at addressing authentication uplift (Decision Proposal 327) based on industry feedback on practicalities and the 2022 Independent Security Health Check recommendations.
  • Current single-factor authentication was deemed insufficient, with varying drop-off rates and security concerns.  The goal was to improve security, reduce drop-offs, and align with best practice security requirements.
  • Report recommendations covered an uplift to multifactor authentication (MFA), consideration of a data sensitivity framework, and risk-based assessment for appropriate credential levels. This aligns with broader industry recommendations and advice from the Australian Cyber Security Centre and NIST, which define that personal information be shared under a minimum assurance level of 2, or MFA.
  • Whilst addressing the range of necessary enhancements and enabling Data Holders that wish to move to strong authentication to do so, a focal point for the CG was to consider unlocking new consumer experiences. The uplift involved enabling more modern authentication experiences, such as Redirect to App to help enable alignment to existing digital channels.
  • There were three groups of changes being proposed and consulted on under authentication uplift:
    • Enabling Redirect to App for seamless redirection to a data holder's app for authentication, potentially improving connection success rates significantly. 
    • Changes to raise the minimum baseline security, adopting a risk-based data sensitivity framework, making the standards more principles based, and addressing credential levels to enable methods that fall within levels. 
    • Decoupling authentication as a way of separating the consent flow from the authentication and ensuring the consumer stays in control. However, the CG has identified ways to enable decoupled flows in many situations solely by lifting the ceiling and leaving it up to participants to use this approach.

The DSB noted that next steps included consulting on these packages of changes through a Noting Paper outlining the full approach, and individual Decision Proposals, the first of which was intended for consultation in Q4 2024.  This would be followed by consultation on the minimum baseline security focused on addressing OTP in Q1 2025, then FAPI 2.0 uplift in Q2.

The presentation underscored the importance of aligning with best practices and industry standards, such as the Trusted Digital Identity Framework (TDIF), to ensure the CDR remained secure and user-friendly while accommodating the varying maturity levels across sectors.

The Chair enquired about the possibility of applying the SAF to the ongoing work of authentication uplift, specifically asking if there were enough information to draft up the analysis and assessment of the problem and restate the need for change.

One member commented on the recommendation to align with the TDIF, emphasising the importance of being selective in how this alignment was approached.  They supported a principles-based approach, noting that TDIF itself was very prescriptive and evolving alongside the Digital ID legislation.

One member emphasised the need to consider authentication that was operationally effective and to remember that the counterfactual was screen scraping, which was a full password compromise.  They also noted that not everyone had an app, so they wouldn’t want to see second class citizens in CDR because they didn’t have an app. 

Items raised by Members for discussion

Lisa Schutz from Verifier presented on bank account verification and focused on operational challenges when implementing this process through CDR. They emphasised the need for clear communication and potential non-technical solutions to address these issues.

Two main dilemmas were highlighted:

  1. In bank account verification, balance is not required, and consumers may not want to give it, but Data Recipients must receive it as part of the data cluster.  This poses risks of unnecessary data transfer and access and is at odds with privacy by design.  A way to resolve this was to enable the Data Recipient to ask for a given cluster by specifying their retrieval of only x fields, to which the Data Holder could say they are providing bank account balance.
  2. When potential users of the Data Standards looked at the API, they asked about the data quality, i.e. the assurance of data quality and interpretation by data holders. Regarding customer data, it is unclear how to know whether a bank account name is going to be correct. In part this comes to how Data Holders and Recipients interpret different fields, and there is a mapping by intermediaries which is needed, suggesting this is a communication solution.  A way to resolve this was to have quality comments on a field level which could be done by having Data Holder specific meta files for high traffic fields, where they can provide additional context around how they had implemented the rules for extra transparency.

They suggested that resolving these dilemmas could significantly facilitate the use of CDR for bank account verification, especially in fraud mitigation contexts.

ACCC Update

John Williamson, the Director of Technology Architecture & Design in the Solutions Delivery & Operations Branch of the CDR Division at the ACCC, provided an update.  The update covered various aspects of the CDR, including guidance revisions, compliance matters, new representative arrangements, and technology updates:

  • The accreditation guidelines had been updated to reflect version five of the rules and updates around the Get Metrics reporting.
  • Additional metrics had been added to the performance dashboard, including the ability to download some of the visible data.
  • Published the Consumer Data Right compliance review of product reference data: ACCC observation paper on 13 September following the review of the 20 data holders that represented the banking sector.
  • Published a new version of the Compliance Update and Regulatory Bulletin (CURB) on 25th September.
  • Published changes regarding software product descriptions on the product register which would help the customers understand the software products that were available on the ecosystem.
  • 10 new rep arrangements in August and September commenced with 4 ending in the same timeframe.

One member enquired about guidance around when a new software product would be necessary, a question that was taken on notice at the 7 August meeting. 

The ACCC acknowledged this and stated that the team had been in contact with the member out of session on this topic, and they noted the importance of providing clarity on this matter to ensure compliance and facilitate understanding among CDR participants. 

The member also mentioned that the OAIC had been conducting a review of outsourced service providers, for which they were requesting day-long meetings for input from the community.  They noted the importance of highlighting the significant time and resources involved in compliance activities in the context of the CDR.

Treasury Update

Claire McKay, Assistant Secretary of the Data and Digital Policy Branch, Digital, Competition and Payments Division at Treasury provided an update on several key areas as follows:

  • Process steps regarding rules changes had been outlined earlier in the meeting.
  • They had planned an Engagement Forum for 2 November, and they would provide further details in due course.
  • The Minister had flagged that they would be willing to consider changes to the rules, particularly to support use cases and the cost elements.  They noted that TSY will come back to stakeholders with a process outlined for changes to be considered in version 9 of the rules.  They also flagged TSY was happy for stakeholders to reach out with any suggested changes early so they could start considering early in the process. 

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 13 November 2024 from 10am to 12pm.  

Other Business

The Chair commented on the launch of ANZ Plus’ new feature that allowed customers to have a comprehensive view of their banking arrangements across different banks, leveraging the capabilities of the CDR. 

ANZ noted that the uptake had been strong with a significant number of customers using ANZ Plus since its launch, indicating a positive reception and interest in the platform’s capability. 

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting. 

Meeting closed at 11:58