Meeting the Challenges of Open Banking & Consumer Data Rights in Australia (Part 1)

Part 1: An introduction to CDR and Open Banking

This is Part 1 of a two-part series looking at how Financial Services Industry (FSI) organisations can respond to Consumer Data Rights (CDR) and Open Banking in Australia. Part 1 will give an overview of CDR & Open Banking while Part 2 will detail the challenges faced by FSI organisations when they try to respond to these new regulations.

Introduction

The new Australian Consumer Data Right (CDR) will give individual consumers - you and me - the right to safely access certain data about them held by businesses. It will also let us direct that our information be transferred to accredited, trusted third-party recipients. Open Banking is the first step in the CDR journey, with the energy and telecommunications sectors coming next.

Open Banking is the application of the Consumer Data Right in the banking sector. It is a government and regulator-led scheme which mandates that banks share consumer data in a machine-readable way when customers request it. As a result of Open Banking, consumers will be able to access and safely transfer their banking data to trusted parties. The overall goal is to reduce the friction of changing financial service providers and to spur innovation. Open Banking is part of the move toward an “Open Data” and an “Open API Economy”, where services are exposed as APIs to other internal departments, partners, or public developers.

The Consumer Data Right is designed to improve the flow of information in the economy, encouraging the development of new products and applications that reach more consumers and are better tailored to their needs. For general information on CDR, please see Consumer Data Right and Consumer data right (CDR).

The CDR will run on open technical standards managed as detailed at Consumer Data Standards Australia. The CDR standards are maintained by CSIRO's Data61 as the technical advisor and provider of operational support. The Open Banking APIs, defined by Data61, are published on GitHub. The work of standards development is conducted in close consultation with the Australian Competition and Consumer Commission (ACCC) as lead regulator of the Consumer Data Right, supported by the Office of the Australian Information Commissioner (OAIC).

Consumer Benefits

According to the Treasury’s fact sheet, consumers should benefit from improvements in existing products and services as well as completely new ones such as:

  • Comparison tools for credit cards and mortgages, with product recommendations tailored to consumers’ actual spending and repayment patterns;
  • Comparison tools to assist small businesses to identify better business lending products, taking into account historical borrowing needs;
  • Budgeting tools that show consumers all their financial products on one screen and help them better manage their finances by providing insights into current spending habits;
  • Analysis tools that look at a household’s past energy use to help them choose a better energy plan;
  • Analysis tools that use the level and timing of a household’s energy usage to help them to determine the net benefits of investing in solar power and the size and type of system that would best suit them;
  • Comparison tools that help consumers locate the best mobile phone and internet service provider deal for them, based on their actual mobile phone and internet data usage.
CDR Benefits from Treasury fact sheet

Types of Data That Will Be Shared

There are four types of information that will be available under Open Banking:

  • Product data. Information about banking products such as rates, fees and features. This data can be accessed through publicly accessible APIs.
  • Customer data. Personal information about you such as your phone number, email address and home address.
  • Account data. This includes information about specific accounts such as balances, direct debits and regular repayments.
  • Transaction data. Transaction data is information about the transactions on your account, including how much you spent and where you made the transaction.

Key Rules & Their Impact

An Accenture Consulting paper provides an excellent summary of some of the Consumer Data Right rules, of which the following are noteworthy:

  • D) Consent / authorisation management. Data holders and data recipients will need to obtain customer consent before customer data can be shared.
  • E) Consumer dashboard. Data holders and recipients will need to create a consumer-facing dashboard showing all data-sharing authorisations (active and historical) that the customer has given. The dashboard should also record the disclosure of data.
  • F) Right to correction. Data holders and recipients must correct any CDR data which a consumer deems incorrect or redundant. They must respond to requests for rectification within 30 calendar days.
  • G) Open and transparent data management. Data holders and recipients must have a CDR policy on data management that is independent of any existing privacy policy. The policy should be easy to understand and drafted in a way that promotes consumer engagement.
  • I) Quality and security of data. Data holders and recipients must ensure that the CDR data being shared is accurate, current and complete for the purpose for which it is held. Recipients must also undertake adequate precautions to ensure data security.

The paper goes on to analyse the likely impact of the new rules on both technology and people & processes, as reproduced below.

Impact of the new CDR rules on technology and on people & processes, from Accenture

Notice that the largest expected challenges relate to sharing customer data, obtaining consent & managing authorisations, providing the customer dashboard and supporting the correction & quality of data.

The legislation also requires that participants must “give notification to the Australian Information Commissioner of an ‘eligible data breach’ as defined in section 26WE of the Privacy Act.”

Participants Involved and Typical Data Flows

The ACCC defines the CDR Framework based on three types of participants:

  • CDR Consumer - A consumer, as defined in the CDR rules, who is able to make a request for disclosure of CDR data to themselves or to an accredited data recipient.
  • Data Holder - A person who holds designated CDR data and is required by the CDR rules to disclose product and consumer data. Data Holders must ensure that CDR data relating to consumers is disclosed to Accredited Data Recipients and must cease sharing data where the accreditation of a data recipient is either suspended or revoked by the ACCC. Data Holders require functionality to facilitate Metadata Update requests from the ACCC as per the Consumer Data Standards.
  • Accredited Data Recipient - A person that has been granted accreditation by the ACCC and is able to collect, and receives, CDR data about a CDR consumer from a data holder with the consent of the consumer.

The diagram below (from the GitHub repository) illustrates the data flows between parties.

Data flows between parties in CDR

Rollout Timeline

The timeline below (from the Deloitte Open Banking article) shows some key dates.

Open Banking rollout timeline, from Deloitte

Key timeline notes:

  • On 9 May 2018, the Australian Government agreed to the recommendations of the Open Banking Review, both for the framework of the overarching Consumer Data Right and for the application of the right to the banking sector.
  • The Government had decided to phase in Open Banking with all major banks making data available on credit and debit card, deposit and transaction accounts by 1 July 2019 and mortgages by 1 February 2020. Data on all products recommended by the Review will be available by 1 July 2020. All remaining banks will be required to implement Open Banking with a 12-month delay on timelines compared to the major banks.
  • By 1st July 2019, three of the four big banks voluntarily provided access to product data for credit and debit cards, deposit accounts and transaction accounts. 
  • The Consumer Data Right (CDR) legislation was passed on 1 August 2019, which gives customers control of their data and enables them to share it with third parties.
  • Consumers will be able to direct major banks to share their credit and debit card, deposit account and transaction account data with accredited service providers from 1 July 2020 (recently adjusted from 1 Feb 2020). Consumers’ mortgage and personal loan data will be able to be shared after 1 November 2020.
  • The Australian Competition and Consumer Commission (ACCC) will be empowered to further adjust time frames if necessary. 
  • CDR will be expanded in July 2020 to include Energy. The CDR for Energy, which will be launched in July 2020, will be different from Open Banking since the APIs will integrate with AEMO, the current trading platform. Telcos will also be included in 2021.
  • On 25 Sept 2019, a group of 10 financial services companies (selected out of 40 orgs who submitted an EOI) met with the big four banks and the ACCC as part of the pilot program for Australia’s Open Banking regime, the first test of the new Consumer Data Right. The pilot aims to begin testing the sharing and integration of financial data in the lead-up to Open Banking’s official launch in July 2020.

Relationship to Similar Legislation

As the Accenture paper notes: “The CDR echoes PSD2 with its requirement that banks open up their customer account information to third parties. It also incorporates several aspects of the GDPR, including the right to data rectification, active consent/authorisation management and data minimisation measures.” The table below summarises key areas of overlap and differences:

Relationship of CDR to similar legislation, from Accenture

Conclusion

This Part has provided a review of the new CDR & Open Banking regulations.

Part 2 will detail the challenges faced by FSI organisations when they respond to these new regulations.

More articles by Tym Lawrence