Minutes - 8 Jul 2020

Data Standards Advisory Committee, Meeting Minutes

Date: Wednesday 8 July 2020
Location: Held remotely, via WebEx
Time: 10:00 to 12:00
Meeting: Committee Meeting No: 7

Download meeting minutes (PDF 187KB)

 

Attendees

 

Chair Introduction

The Chair of the Data Standards Body (DSB) opened the meeting and thanked all committee members and observers for attending meeting no 7.

The Chair hopes that everybody, especially our colleagues based in Melbourne, are okay and that the return to lock down in Melbourne hasn’t caught people off-guard and unawares and his thoughts are with them.

Secondly, it has been an important period of time for the Consumer Data Right (CDR) regime as the CDR has gone live in the banking sector on 1 July 2020 and encouragingly all participants involved have made successful data transfers in the regime in the period since the 1 July 2020.

The Chair noted that along with the committee papers, we included a summary of some of the media coverage that had been made in regards to “Go Live” which highlights the level of interest and reactions.

The Chair noted that because of the move beyond Phase 1 in the banking scenario, we have taken the opportunity to refresh and adjust the composition of the banking Advisory Committee. It was noted that Phases 2, 3 & beyond will extend the regime beyond the first 4 data holders and a range of different data recipients and we have adjusted the Advisory Committee accordingly. The Chair thanked the ongoing contributions of some members and those whose terms finished and acknowledged their contributions.

The Chair noted that he attended the CDR Board Meeting on Tuesday 16 June 2020, which is Chaired by the Commissioner of the ACCC Rod Sims and the Deputy Secretary of Treasury. This meeting addressed a number of important governance type issues on the regime.

He also met with Ian Gibson from the Australian Business Software Industry Association (ABSIA) and Lisa Schutz from Verifier. He noted that ABSIA members include MYOB and Xero, and they are involved in the API economy and work with the tax office on a range of different transactional arrangements like single touch payroll. It was noted that they are putting together a paper for us with some suggestions as to where we could leverage existing arrangements and standards which could well speed the implementation process with the view of adopting potentially some standards.

The Chair welcomed Scott Farrell to the meeting as an observer and noted that it must have been very satisfying for him to see his recommendations adopted and live in operation.

The Chair wanted to also welcome Lawrence Gibbs, who is Head of Major Projects at Origin Energy who has been nominated to replace Jan Prichard on the Advisory Committee. He would also like to extend his thanks to Jan for her contributions since the formation of the Committee.

Minutes

Minutes

The Chair thanked the Committee Members for their comments and feedback on the Minutes from the 27 May 2020 Advisory Committee meeting. The Minutes were taken as read and formally accepted.

Action Items

The Chair noted that the Action Items were either completed or would be discussed later at this meeting.

Working Group Update

A summary of the progress since the last committee meeting on the Working Groups was provided in the Committee Papers and was taken as read.

A further update was provided on the Technical Working Group by James Bligh as follows:

The DSB noted that the Technical Working Group has seen a lot of activity occurring on the banking side which has an impact for the energy sector.

The DSB noted that because of the “Go Live” the technical standards are now in place and data is being exchanged which is excellent. It was noted that that process has highlighted some experiences that could be improved. For example, error handling and being more specific about certain error cases so that there is more consistency between data recipients and data holders.

The DSB noted that there has been a number of proposals and workshops held and further workshop planned which they encourage energy participants to participate in, to further cross sector engagement.

The DSB noted that the Maintenance Iteration # 3 of the banking standards has just been completed and they are about to commence Maintenance Iteration # 4. The focus for Maintenance Iteration # 4 will be on data quality, particularly around product reference data (PRD) and various aspects as they are now seeing data exchange occurring in earnest and the second tiers are starting to publish the pricing data through the PRD public API’s. They are starting to see inconsistencies across the financial institutions on how they use the standards and populate them.

The DSB noted that there has been some ongoing discussions around transition states which will serve them in good stead for the electricity sector. It was noted that the banking sector is pioneering the whole concept of evolving the standards and managing the transition from one state to the next.

The DSB noted that for the energy sector specifically, they have completed a couple of consultations - the NMI Standing Data Payloads consultation and the Additional Account Holders consultation. They have also opened a proposal on customer records and are working on proposals for generic tariff data.

The DSB noted that there will be a workshop held on the 21 July 2020 which will focus on retailer data to obtain input which will be jointly led by the Technical and Consumer Experience (CX) Working Groups. The Technical Working Group will focus on actual data sets that retailers will be the data holder for (like billing data, account & customer data) and the CX Working Group will focus on data cluster language (the language presented to customers during the consent process) which is a critical aspect of creating a standard, understandable consent. This workshop is open to all. The workshop will be recorded so that they can treat it as a public submission and replay it back on GitHub for the community to review so they can use the feedback for modifying and setting the standards.

The DSB noted that they are looking to do Version 1.4.0 of the standards as there has been some changes that have come out of the July “Go Live” which will be released sometime in the next couple of weeks.

A further update was provided on the CX Working Group by Michael Palmyre as follows:

The DSB noted that similarly they have been focused on a lot of ongoing issues stemming from banking but obviously related to CDR in general. The big milestone for them was closing off the Stage 3 CX research and the final report which can be found on the website.

The DSB noted that CX Stage 3 Research covers two rounds (4 & 5) and focusses on the amending of existing content. In energy, it is talking about consent the first time that it happens and these rounds are looking into the future i.e. three, six, twelve months after that original consent has been established. It also looks at what does it look like when a consumer goes to amend that consent to add or remove a data set, extend the duration to remove a user and so on. They have also asked how that amendment of consent can happen, especially in a way that could be simplified without compromising the quality of consent.

The DSB noted that moving forward the work on amending consents and the research outputs are being used to inform the ACCC and the technical standards internally around what we could do in a forward looking way to simplify consent, but also support the amending of consent.

The Chair has asked the CX Lead to provide a brief presentation on those findings at the next meeting and also encouraged members to look at the report on the website.

ACTION: CX Lead to present the CX Stage 3 Report Findings at the next meeting

The DSB noted that they are continuing work on amending consent, as there are a few issues coming up around accounts. They will conduct some more consumer research on adding and removing accounts from an existing consent and some flows related to that. They will also be doing some CX work on some of the items in the proposed Rules Framework for energy.

The DSB noted that there is workshop coming up on data language where they will be posing some of the data cluster permission language and groupings to sense check them and get participants at the workshops to collaborate and propose some alternative ways forward if they come up, or to validate their thinking so they can put those into the energy prototypes that they can test going forward. It was noted that they do have some additional workshops planned with issues that they would like to conduct research on and they will publish dates and focus of the workshops soon.

The DSB noted that they also have some updates to the CX Standards and Guidelines that will be published as part of the version 1.4.0 release.

The Chair thanked the Technical & CX Leads for their updates and the ongoing work that they are doing which is much appreciated and has built a strong foundation for the “Go Live”.

ACCC Update

Bruce Cooper from the ACCC provided a general update as follows:

The ACCC noted that in regards to “Go Live”, all four banks and two data recipients are in and everyone has successfully managed to share real consumer data, which is both a relief and an achievement. In regards to the amount of activity, at the end of last week there were seventy consents in place. There has been just over a thousand calls on “get accounts API”, just over a thousand on “get bulk balances” and over three thousand on “get transactions” which are good outcomes.

The ACCC noted that there has been some press about real consumers using CDR to obtain real loans which is good.

The ACCC noted there is a good level of interest in becoming accredited as a data recipient. To do that you need to submit an application to have access to the portal. They noted that they have had close to 50 entities seeking access to the portal, which need to be verified before they are given access. It was noted that just over ten have been granted access so far.

The ACCC noted that they hope to have at least another ten or more data recipients accredited by the end of the year.  They will need to submit accreditation applications with all the relevant information before they gain access to the conformance test suite, they will then need to pass that testing before being granted access to the register.

The ACCC noted that work is continuing at pace on the conformance test suite and they will have a minimum product which they will start to work on more actively with people in August. They are aiming to have that done for September.

The ACCC noted they should publish soon the Rules Framework for energy which will set out their preliminary position on important issues that will apply CDR to energy.

The ACCC also wanted to emphasise that this is a single CDR, and they are not building two completely separate things, and this should become clear from the energy Rules Framework consultation document which will be open for submissions until 28 August 2020.

The ACCC noted that they will also be holding a webinar on the energy Rules Framework as part of the consultation process in early August. They welcome submissions to the consultation and attendance at the Webinar. If people have specific questions that would like to raise, they can do so via the ACCC CDR mailbox.

One member asked ACCC what are the key areas they are most eager for stakeholder input on?

The ACCC noted that one of the important issues is the authentication process. They have got a couple of authentication maps in the consultation paper and they have a preferred approach, but they are seeking industry views on how that will work.

They noted that there is a wide coverage of issues in the paper, but another one they would like to highlight is accreditation and they are looking at how a lower tier accreditation might be accommodated in the regime. They would also like input on the idea of a unified dashboard and the client interface and how that might work for the CDR in energy.

One member noted that if anyone would like to provide input on a principles framework for consent as they are concerned that at the moment, there is a black letter law approach to consent which we needed to do for round one. They like the idea that over time, there might be different authentication and consent processes, specific to particular use cases because as we evolve we could come to the point where we've got a principal-based approach, which tolerates different models and different situations.

One member endorsed that as an idea and noted that this is an example of a strategic issue about standards that they think the Advisory Committee should have a conversation about.

The Chair noted that the CX Lead’s point earlier about the number of people (280) who have been involved in CX research, there are about forty or fifty who've been involved in multiple iterations. He noted that it is interesting how their understanding is advancing in the authentication and consent areas particularly.

One observer supports what has been said and notes that there are actual principles expressed in various existing rules about consent being explicit and informed, do you think those principles are sufficient or do you think they need to be more detailed? Or, is this more of a case of the principles are okay but we just need to be less singular or uniform or prescriptive about how we do consent?

The member noted that they think the principles are fine but they haven’t looked into what extra ones you would need. They noted that the way credit scoring works right now would fail our CX because it's map-based authentication with an on-screen consent which works perfectly well for credit reporting. They suggest that we will probably need one or two extra principles, and what that would allow is the ability to, in different situations, be more responsive. They noted that they think energy would be the perfect time to look at it as we have the opportunity to be flexible.

The member also noted there are other models that authenticate and gather consent that are operating now, and they think for maximum flexibility and use, it would be great to just start to abstract above those.

Another member noted that authentication and consent is the area where the CDR has the most value to offer. They get concerned when people use phrases like “principles-based” because the Privacy Act, which has been the biggest barrier to people being able to get access to their own data, is principle-based. They noted that the reason why they like the CDR regime is because it creates a clear process where a data holder can know that providing the data isn't breaching the Privacy Act which can’t be achieved in the energy sector through any other pathway. They also noted that if you go down the principles base for consent path, that’s how you wind up with things like the mess in consent that the digital platforms have. They noted that there is a middle ground, where we need to take the approach with the CDR that in this controlled environment, we can develop the world of authentication and consent in ways that still remain quite well controlled, but don't become barriers to innovation and services.

Another member noted that we have talked a lot about authentication and the different models that have been presented and we are in a phase where we're trying to align with banking and learn from what's working there and to consider things that would need to be different in energy. Are we saying that we aren’t having that discussion broadly enough?

ACCC noted that the existing consent framework was always designed to be extended. At the moment, there isn’t fine grained control on the data you can provide access to, and that's something that they want to include in the rules as soon as they can. They have also talked about having common data sets for standard use cases and that will also provide another avenue for allowing slightly more flexible consent processes. These are not currently provided for in the rules or standards, but they are looking at both as they would be of use in banking and energy.

The Chair noted that one of the major changes that we're implementing with the CDR is a transformation of consent so this is a central point. There are some things that service providers in the outside CDR world would review as consent that consumers wouldn't view as consent and some that are borderline. He noted that we need to look at what consents are currently in use/common practice in Australia, because some of those are going to be insufficient in his view, and they should over time be withdrawn and removed from the marketplace. He noted that we have particular obligations on us in relation to explicit, informed, complete consent and for very important reasons.

The Chair noted that the ACCC & DSB need to do some research to identify a range of different, commonplace “consents” and to consider whether these are really consents or are one-sided conditions of operating account (and whether these two options were different in the Consumers mind).

He also noted that one of the findings in the CX Research (Phase 3) was that consumers are digitally operating, but many are not in energy so it is worth having a look at consent because of some of those differences and the opportunities that this will give us. He noted that the DSB and the ACCC will jointly look into this.

ACTION: DSB & ACCC to do some research to identify a range of different commonplace consents and report back to the committee at a future meeting

One member noted that there is a broader issue generally throughout the CDR of the extent to which we tell people how to do things versus principle-based requirements and flexibility. They noted there's a problem with pure principle-based, that is the reason we've gone down the path we have so far in terms of authentication processes for example, as they saw what happened in the UK. They noted that there is a broader issue which is the balance between flexibility versus certainty and enforceability and they think it works just as much at the standards level, the rules and the Act.

The Chair wanted to extend his congratulations to the ACCC on what they have achieved in terms of where we got to in July.

Treasury Update

Daniel McAuliffe from Treasury provided an update as follows:

Treasury noted that the big achievement is that the Designation Instrument (DI) has now been signed for the energy sector. They noted that all the powers for the regime in relation to the electricity model data sets and to some degree the gas products, has now been turned on. They hoped that this will provide certainty about what the “outer limits” of what the CDR could apply to in energy are, especially for the ACCC & the DSB’s work.

Treasury noted that they had good participation on the public consultation from stakeholders, especially considering people were distracted with things like COVID, and the quality of submissions was very good. They made some changes to the DI following the consultation as people were concerned that various terms were too broad which they have tightened up. They also made some significant changes to the Explanatory Statement which will hopefully provide a few examples of what is and isn't materially enhanced data and what is out. The system does support voluntary provision of data through the CDR pipes and the materially enhanced exception only applies to what you can be forced to hand over.

Treasury also noted that there were some submissions that came in late which had some examples which would've been great to include, but they didn't make their way into the Explanatory Statement unfortunately.

Treasury noted that in parallel to the consultation on the text on the instrument, they also consulted on the Privacy Impact Assessment (PIA). This consultation was done by independent consultants KPMG who made a series of recommendations which are on the Treasury website. Also, on the website is the agencies responses to each of those recommendations. It was noted that largely those recommendations were directed at things that we need to make sure we do properly down the track at the standards stage, or the rules. The agencies have undertaken to make sure that those things are looked at and examined properly as part of those responses. Other KPMG recommendations raised were about the Designation Instrument around clarity and explanation which they were actioning already as these issues had been raised by stakeholders separately via the consultation.

Other Business

The Chaired invited Scott Farrell, who is attending the meeting as an observer, the opportunity to say a few words.

Scott Farrell thanked everyone who has provided submissions to his inquiry on the “Future Directions for the Consumer Data Right”. He noted that there have been quite a lot of submissions which he hopes they can publish very shortly.  They are also going into public consultation in the next couple of weeks which will be held virtually.

Scott Farrell noted that a number of people have, in addition to making public submissions, emailed him their thoughts in relation to areas they think we need to have in mind going forward.

Scott Farrell noted that they have progressed quite a way and an example of that is their connection with a number of other systems around the world which are developing. He noted that New Zealand is also due to come out with its CDR consultation paper shortly. attributes.

Scott Farrell noted that similar to the “Review into the Open Banking in Australia” Inquiry, this CDR inquiry has raised a myriad of issues that seem to be falling into place and forming a narrative that makes sense. He encouraged members to reach out to him via email if anything is worrying them as this is important for us and our country.

One member asked if there are any interesting thoughts or ideas that have come through so far that you could share.

Scott Farrell noted that the things that have been discussed today are very similar in relation to the idea of using consent whatever way you want, and he sees this as a lawyer, this will play out in GDPR noting that people often cannot understand what they are consenting to under GDPR because it was written by lawyers.

Scott Farrell also noted that the point has been raised around authentication and identification and probably the biggest theme of the CDR in his legal view, is it is an information transmission system and it's not designed to replicate regulation of the endpoints any more than the RBA regulates the provision of banking services because all the money goes through its banking system. He sees this as a very important system creating value for this country but it's role is not to replicate everything else that exists.

The Chair thanked Scott Farrell and advised that there is an open invitation for him to attend any of the future meetings.

Meeting Schedule

The Chair advised that the next meeting will be held remotely on Wednesday 12 August 2020 from 10am to 12:00pm.

Closing and Next Steps

The Chair thanked the Committee Members and Observers for attending the meeting.

Meeting closed at 11:00.