24 July 2020
By Zann Maxwell, AusPayNet Policy Analyst
The Consumer Data Right (CDR) went live on July 1st 2020, with banking the first sector to be incorporated into it under the auspices of ‘Open Banking’.
This reform is intended to give consumers more control over the data that businesses hold about them. Crucially, consumers will also now be able to give consent for this data to be accessed by accredited third parties which can then use it to provide a range of innovative services and products tailored to the consumer’s personal information.
Under Open Banking, consumers will be able to share their account details, balances, transaction details, amounts spent, product information such as rates and fees, features of bank products, and personal information such as phone numbers, email and addresses. The four major banks, Frollo, a personal finance and budget app, and Regional Australia Bank have been accredited for open banking from 1 July, with other banks and businesses to follow.
The CDR is being rolled out by sector. Other sectors such as telecoms will be incorporated into the CDR in due course, with the energy sector having been designated part of the CDR by legislative instrument on 29th June.
The government is now running an inquiry into the ‘Future Directions’ of the CDR. In particular, the Issues Paper states that the Consumer Data Right (CDR) “… could be expanded to include ‘write access’, that is enabling a trusted third party to change or add to data about a customer at the customer’s direction and with their consent, including initiating payments on their behalf.”
This expansion of the CDR to include write access is a major focus of several of the major submissions made to the Inquiry and is widely supported by them as part of the future direction of the CDR. But there is also awareness that an expansion that includes write access is likely to create scope for new risks in the areas of data security, privacy, consent and cyber security.
As the data economy is an emerging sector which has not yet developed internationally agreed best practice for its management, appropriate governance arrangements for these risks are a focus of the inquiry and of a number of submissions.
The payments sector and the emerging data economy are both networked digital ecosystems that manage the safe flow of people’s money and people’s data respectively. AusPayNet’s submission to the Inquiry centred around highlighting this fact and suggesting that the payments sector could provide a useful model and basis from which learnings and insights can be applied to establish the foundations of Australia’s data economy.
In our submission, we noted that if an approach modelled on the Australian payments industry were to be applied to the data economy, the requirements for its success would primarily need to involve:
Across the financial services sector a number of regulators and organisations perform complementary roles and functions, including the Reserve Bank of Australia (RBA), APRA, ASIC and AFCA. It would be cost effective and efficient to leverage the licensing, accreditation, standards-setting and dispute resolution processes and procedures already in place. There was consensus among some organisations which made submissions on the need for a system to manage the risks involved in an expanded CDR (including write access) to be built upon existing governance structures across sectors rather than developing specific and siloed new ones.
Fintech Australia notes that it would have been preferable to address privacy issues through changes to the general Australian Privacy Principles, explaining that:
“Under the open banking implementation, participants will often be required to develop a CDR privacy policy and a general privacy policy, with different processes sitting behind each one. A bank and a data recipient may exchange data through existing channels and through CDR. One method of sharing that data will be subject to the CDR specific privacy regime and one will not. This leads to inherent inefficiencies and uncertainties and does not reflect how consumers conceive of the sharing of their data.”
Governance was another area of focus in the submissions.
The Australian Banking Association (ABA) states that the current ‘distributed governance’ structure [1] of the CDR is not necessarily fit for purpose as it evolves and expands. [2]
In AusPayNet’s submission, we explained our view that whilst there should be consistency across the various sectors designated by the CDR, a single regulator responsible for managing all of these responsibilities would not be able to fulfil the regulatory functions needed to support industry specific requirements, nor the broader data economy needs.
The co-regulatory model that Australia’s payments system operates under has proven highly effective because it allows the Government and the RBA to set high-level principles and broad policy objectives, while industry focuses on “operational implementation, creating innovative solutions and providing competitive offerings to business and consumers.” AusPayNet has suggested in our submission that a similar approach might also serve the data economy.
Fintech Australia echoes this sentiment, saying in their submission “our members see the greatest potential for CDR as being a ‘baseline’ of standards and infrastructure, from which expansions and innovations can be developed voluntarily and, where appropriate, formally incorporated into the CDR.”
There are several elements to a secure CDR expanded to include ‘write access’. Among others, these include data security and privacy which both came in for some focus among the submissions to the inquiry. For consumers to feel comfortable consenting to their data flowing from one data holder to another, trust in the data recipient needs to be at the same level as that in the data holder.
The ABA points out that, “Where a data recipient is not subject to the same prudential and security requirements, trust in the CDR will be impaired. Therefore, a carefully designed accreditation model must be implemented”.
There was also considerable consensus among the submissions received that many elements of the security risks should be handled with tiered accreditation models, based on the risk profile of the activities being considered and the capabilities of the parties involved.
Our submission noted that the security governance of the payments system shows that this kind of tiered model could be used at both the point of access to the CDR and also in an ongoing way through reporting architecture within a governance body.
The RBA makes the point that it will be important that these safeguards are designed in such a way that does not unduly restrict the participation of the fintech sector, which could be locked out if these requirements are too onerous. This would risk entrenching the advantage of major players and limit competition.
For its part, Fintech Australia has encouraged further tiering in an expanded CDR, and considers that “substantial changes” would need to occur to the existing accreditation regime to make it suitable.
The ABA also supports the use of a tiered accreditation model which is based on the risk profile of the activities being considered. However, it emphasises that there should be no relaxation in the Open Banking obligations for data security, privacy, or consent.
The Issues Paper also established that the inquiry will consider how customer authentication requirements for the CDR relate to other digital identification and verification processes. This is important to the future success of CDR. Having frictionless but secure ways of onboarding and identifying customers when switching accounts is key.
An effective digital identity service needs to be supported by appropriate rules, governance, technology, and legal frameworks too.
To this end, the ABA calls for a consultative approach to be undertaken with developers of digital identity frameworks, again with “… open standards encouraged within the CDR, so the CDR does not mandate standards which may not be fit for purpose in the future and could deter innovation”.
Fintech Australia supports this, suggesting that a broad CDR could enable “standardised tools for ID verification, acting as an enabling technology for existing and emerging providers”.
In its own submission, the RBA references support for the Australian Payment Council’s work on the ‘TrustID’ and recommends that the Inquiry consider the role of TrustID and other digital ID services in an expanded Open Banking environment.
TrustID is in fact designed to enable just that kind of network of competing private or public digital identity solutions, and for individuals to establish their digital identity online with a preferred service provider, before using those credentials to prove who they are when interacting online with other businesses.
AusPayNet’s submission highlights the prerequisites for a successful data economy: an effective and robust governance framework and customer identification and verification.
The payments system relies upon a robust governance framework which addresses the key issues of governance, security, standards and compliance. This model has been tried and tested over time, as payments technology and consumer preferences have changed, and continue to change. It continues to engender trust from consumers and business alike.
Utilising this experience and leveraging existing regulatory processes and procedures would not only provide useful learnings and insights, but could also be a more cost-efficient way of delivering a world-class data economy for Australia.
You can read AusPayNet’s full submission HERE.
------
[1] The ACCC is the lead regulator which is responsible for the development of the Rules, accreditation process and the register. The Data Standards Body is responsible for standards development. The Office of the Australian Information Commissioner (OAIC) is responsible for oversight of the privacy standards.
[2] The ABA notes the UK Open Banking system was developed by the industry using commercial principles (as opposed to legal Rules-based principles) but points to the fact that the UK Open Banking governance structure is contained to a single responsible entity.