Herbert Smith Freehills’ update on the implementation of the Consumer Data Right (CDR) in Australia following the return of the Coalition government at the federal election.
The Government announced on 26 November 2017 that the CDR would be introduced into the banking, energy and telecommunications sectors. Since that date, the Government, related bodies and industry have worked towards implementing this regime. Earlier this year, we published a briefing paper that outlined the “state of play” and the steps that have already been taken to implement the CDR in Australia. The paper also analysed key CDR issues and defined CDR concepts. As a brief snapshot, the CDR provides ‘CDR consumers’ (both individuals and businesses) with a right to access, and direct data holders to provide to accredited data recipients (ADRs), information held about that consumer by a data holder. The CDR regime, structured as a tripartite framework of legislation, rules and technical standards, aims to ensure that this information is accessed, and transferred to ADRs, in a safe, effective and efficient manner as directed by CDR consumers.
Earlier this week Prime Minister Scott Morrison confirmed the Government’s commitment to implementing the CDR regime and refocussing on the National Innovation and Science Agenda. This commitment was reflected in the recent appointment of Victorian Senator Jane Hume as the Assistant Minister for Superannuation, Financial Services and Financial Technology. Assistant Minister Hume has overseen inquiries into the CDR regime as the current Chair of the Senate Economics Legislation Committee and has previous experience in the banking and financial services sector at Deutsche Bank and Australian Super.
While FinTech and innovation have been broadly recognised in the 2018-19 Budget, this is the first time that FinTech has been formally recognised by way of a dedicated Ministry role, emphasising the Government’s commitment to progressing CDR implementation and other data-related initiatives. Before the election, Treasurer Josh Frydenberg reiterated the Government’s focus on innovation and the CDR, emphasising that the core CDR bill would be reintroduced after the election. Assistant Minister Hume has announced that her objective is to pass the CDR regulatory and related instruments within her first 100 days in office, reinforcing the Government’s commitment to implementing the CDR.
Regulatory status update
The Big Four Banks are preparing to commence sharing generic product data in pilot testing on 1 July 2019 (Pilot Phase). The Pilot Phase includes a confined data set relating to credit and debit cards, deposit accounts and transaction accounts. The technical mechanism used to share the data sets is an application programming interface (API) that has been developed by the Data Standards Body (DSB), in association with CSIRO’s Data61. New data sets can be provisioned through the API in accordance with a release schedule, and banks outside the Big Four Banks will provision data on a later release schedule.
The next phase of CDR implementation is scheduled to commence on 1 February 2020, when the Big Four Banks are scheduled to start sharing specific subsets of customer data. The details of additional data sets are being worked through by the DSB, Data61 and the industry, and will sequentially be made available following this date.
Although Prime Minister Scott Morrison expressed his desire this week to quickly progress the CDR regime implementation, the Government has not yet finalised the CDR regulatory framework. A status update for each of the key regulatory instruments is set out below.
The Treasury Laws Amendment (Consumer Data Right) Bill 2019 (the Bill) was introduced in Parliament on 13 February 2019, but lapsed when the federal parliament was dissolved on 11 April 2019. The Bill needs to be re-introduced into Parliament, and this is anticipated to occur in July or August. At this stage, it is still unclear if the Government will seek to amend the Bill before reintroducing it.
While the anticipated introduction of the Bill in July or August means that the legislation will not be passed before the Pilot Phase commences on 1 July 2019, later phases can still occur on time. The Government’s commentary indicates that rapid implementation of the CDR regime remains a key objective.
On 14 June 2019, the Treasury released the revised draft Open Banking designation instrument for consultation (Designation Instrument). The Designation Instrument is made under subsection 56AC(2) of the Competition and Consumer Act 2010 (Cth), and sets out the classes of data that are included and excluded from the CDR regime.
Interestingly, this revised draft Designation Instrument includes purchase payment facility related data, and excludes certain types of “credit information” as described in section 6N(d), (i), (j) and (l) of the Privacy Act 1988 (Cth), and “new arrangement information” within the meaning of subsection 6S(2) of that Act.
The revised Designation Instrument also addresses an outstanding matter by excluding “materially enhanced information”. Before this exclusion, there was concern that ADRs may be unable to determine whether data they receive is source data or enhanced data, which impacts data quality and integrity. This exclusion clarifies (to some extent) when data is considered to be “materially enhanced”. The consultation period on the Designation Instrument ends on 12 July 2019.
The ACCC released the exposure draft CDR rules on 28 March 2019, with consultation closing on 10 May 2019. We are yet to hear anything further from the ACCC on the progress of the rules’ development.
Treasury also released a second version of the Privacy Impact Assessment on 1 March 2019, which incorporates stakeholder feedback received in response to the first version of the PIA.
The DSB, in association with CSIRO’s Data61, published an updated working draft of the standards on 31 May 2019 (Updated Draft Standards). The Updated Draft Standards incorporate feedback received following the earlier draft standards that were released on 20 December 2018. In this update the DSB describes the progress of each of the four work streams (API Standards; Information Security; Consumer Experience; and Engineering). Importantly, the DSB released an updated version of the draft API standards, and an updated version of the information security profile. The Product Reference Data Standards, part of the API standards work stream, have been finalised and published so they are in a workable format for the Pilot Phase of the CDR regime. Feedback on the updated standards was due on 21 June 2019, with a final version anticipated to be published shortly.
In response to previous feedback, the Consumer Experience Working Group (CX Group) will liaise with the ACCC and OAIC to develop educational guidance material for:
• CDR consumers to understand and trust the data sharing arrangements under the CDR regime; and
• ADRs to understand interface requirements, IT security issues and the need for adequate insurance.
These materials will provide further clarity to consumers, and businesses engaging with the CDR regime. The DSB has also committed to continue working with energy sector stakeholders to examine strategies to effectively operationalise the CDR regime for CDR consumers who wish to access their energy data.
Outstanding issues and required development
In its recent update, the DSB highlighted the following outstanding issues that require further development before the CDR rules framework can be finalised:
a) Consent flows: Phase 1 of the research run by the CX Group analysing consumer consent identified accessibility issues for disadvantaged or vulnerable people, due to a disconnect between understanding valid consent, which requires a psychological or emotional connection to the proposal, and mere ‘permission’. The CX Group will continue to consult consumers about consent-gathering tools, incorporating an analysis of different design mechanisms, to develop effective consent flows.
b) Joint accounts: The issue surrounding informed consent extends to the use of joint accounts. The CX Group will continue to navigate agency issues and outline who has access to and control over different data sets, especially when data is collected about joint activities.
Any outcome by the CX Group will also need to be technically capable of adoption by the Big Four Banks, and eventually other banks, for them to be able to provision the relevant data in a meaningful way. Many banks are balancing legacy systems and slow development lead times with their CDR requirements.
c) Pilot testing: The DSB has discussed the upcoming Pilot Phase testing period. Participants reasoned that Pilot Phase testing is not feasible without settled legislation, rules and standards. Similar concerns have been raised about the utility of using synthetic data for pilot testing purposes, and about sharing Product Reference Data, especially if these data sets are shared much earlier than other data sets captured by the CDR regime.
Despite these concerns, Treasury alerted the Big Four Banks last week that the timeline for implementation will not be amended and that they will be expected to share generic product data on 1 July 2019.
d) Revocation of consent: CX Group research into informed revocation of consent demonstrates that consumer understanding is varied based on the personal characteristics and background of the consumer, as well as “connection to and understanding of the value proposition”,1 and time of engagement. The CX Group will continue to explore mechanisms for consumers to effectively revoke their consent to data sharing if required.
e) Accreditation process: The ACCC conducted a survey to determine how many stakeholders would be interested in becoming an ADR. Of the 60 respondents, 56 expressed interest in becoming ADRs. The accreditation register and platform is currently being built by Oakton. Further information about whether accreditation levels will be tiered in the CDR rules is yet to be provided.
Industry is also interested in the effect of a data breach on an ADR’s accreditation, the degree of testing during the accreditation process, and the level of monitoring.
There appears to be a trade-off between increasing the use and uptake of the enriched data, and the need to maintain a controlled and secured recipient base. It will be interesting to observe how this is practically achieved, and in any case implementation of the accreditation process in the open banking context will provide a validated process for future industries as the CDR regime expands.
Consultation on the draft CDR rules has also raised a series of outstanding matters, such as reciprocity, integration with existing APRA prudential standards, dispute resolution, and consumer protections. An impressive breadth of responses indicates that the wider professional community has taken an interest, and the feedback adds a valuable dynamic and diverse contribution.
The number and complexity of outstanding issues demonstrate that the Government has significant work to complete before the CDR regulatory framework is finalised. Despite these hurdles, the Government has expressed a clear desire to quickly implement the CDR regime. Businesses are encouraged to consistently engage with developments and work towards operationalising their CDR capabilities, particularly because the CDR implementation timeline appears unlikely to be further delayed.