On Friday, 9 February 2018, Treasury released the Review into Open Banking (the Report).
Open Banking is the application of the comprehensive “Consumer Data Right” recommended by the Productivity Commission in its 2017 report on Data Availability and Use to the banking industry.
However, the framework and recommendations in the Report have been designed so that they can be leveraged by other industries when applying the Consumer Data Right, so take note of the below regardless of your industry.
The Report contemplates a layered regulatory approach involving:
- amendments to the Competition and Consumer Act 2010 to enact the Consumer Data Right for sectors which can be later specified, the first of which is banking, with energy and telecommunications to follow next; and
- development of Rules and Standards to facilitate the application of the Consumer Data Right to specified sectors.
The principles on which the Report is based are consistent with expectations, that is, that Open Banking should:
- be customer focused;
- encourage competition;
- create opportunities, including to support the FinTech sector; and
- be efficient and fair.
So how do these principles translate to recommendations for applying the Consumer Data Right to the banking industry?
The key points are as follows:
- The ACCC is to be the key regulatory body, supported by OAIC, including with respect to complaint handling.
- Technical Standards are to be determined by a new “Data Standards Body” (in conjunction with regulators). These standards would include transfer standards (including with respect to access frequency), data standards and security standards.
- A standardised API-based sharing mechanism is to be used, leveraging the UK technical specifications, including the redirect-based authorisation and authentication flow.
- APIs are limited to read-only access. Write access, which is required for payment initiation-style services (and is required by the EU’s PSD2), is outside the scope of the Consumer Data Right and Open Banking.
- Data shares to be free of charge.
- Participants (ie data holders and data recipients) are to be accredited – with ACCC setting the accreditation criteria, which may be graduated based on the type of data they receive and hold.
- Data recipients must be subject to the Privacy Act. This has implications for offshore based organisations. “Passporting” offshore accredited data recipients (eg those whitelisted under the UK open data regime) is noted as something which ACCC should consider once the regimes in both jurisdictions are established.
- Relevant data includes:
  - customer-provided data;
  - transaction data for certain account types; and
  - product data, eg in respect of fees and charges.
  Importantly, the following data is not in scope:
  - data supporting ID verification or which would increase the risk of ID theft; and
  - aggregated data and data that results from “material enhancement” through application of insights, analysis or transformation.
  However, subject to amendment of AML laws, the outcome of an ID verification check is required to be shared. The point at which transformed data falls outside the regime (ie just how much transformation is required) will need to be explored further.
- All ADIs (but not branches of foreign banks) are subject to the regime, which includes a breach reporting regime.
- Reciprocity: Non-ADI participants (eg recipients of data) are also to comply in respect of data they receive through the regime and also data which is transaction data or its equivalent (eg data relating to payment of monies which they are facilitating). As part of the accreditation process, the ACCC should determine what constitutes “equivalent” data.
- Informed, explicit consent is required from the customer for data shares and the ability to revoke access should be easy. Amendments to the Privacy Act are suggested to firm up the consent requirements in connection with Open Banking.
- Small businesses are to be protected, including through access to internal and external dispute resolution services for confidentiality disputes, similar to those offered in respect of privacy for individuals.
- Principles-based liability framework to be established, which would allocate liability to the wrong-doer, not other participants in any data share. Importantly, the example principles are consistent with the position that a bank sharing data to a data recipient is not liable to the data recipient for inaccuracies in that data (but should be responsible to the customer for correction of records).
- No additional legislative controls to prohibit screenscraping or similar practices.
- For the 4 major banks, a 12 month implementation period is proposed from the date of the Government’s final decision in respect of the regime. For the remaining ADIs, a further 12 month period is initially proposed.
As you can see, there is much to be done in that 12 month period to get the regime up and running, including legislative amendments, new rules (including with respect to accreditation), establishing new bodies, new technical standards and implementing the IT infrastructure to support the regime. Of course, much of this detail is still to be worked through, and submissions are called for by 28 March 2018.