Treasurer announces funding of Consumer Data Right and commits to recommendations in open banking Final Report
Reforms designed to improve consumer outcomes, increase competition and support innovation
Implementation timeframe, trust and consumer education key issues identified by participants and commentators
Source: Treasurer's media release
Point of View
The Federal Government is implementing open banking in Australia to “…improve customer outcomes and increase competition in the financial sector.” The Government will follow the recommendations made in the Final Report of the independent Review into Open Banking, chaired by Scott Farrell.
Treasurer, Scott Morrison, made the announcement on 9 May, the day after the 2018/19 Budget, which allocated funding to develop the Consumer Data Right (CDR) framework. The ACCC, OAIC and CSIRO will collectively receive $45 million over four years to develop the framework.
While the CDR is a general right to data, and will underpin data sharing across the economy, open banking is the first use case for implementation. Energy and telecommunications sectors will follow.
Strong customer privacy protections and information security are critical features of the CDR. Privacy protections will be increased in a number of ways, e.g. through customer consent requirements, extension to protections under the Privacy Act 1988, accreditation of third parties, a strong role for the OAIC, and meaningful remedies. The CDR will require customers to give express consent to their bank to share data with a third party. The customer must also separately give express consent to the third party for how the data will be used.
As lead regulator, the ACCC will govern implementation of the CDR and has an overarching responsibility to promote customer-focused outcomes and competition. At a more granular level, the ACCC will draft rules, which it will consult on soon, certify standards, create a risk-based accreditation scheme – including an ‘address book’ of accredited entities – and take enforcement action where required. It is establishing a dedicated Access to Data Unit to undertake all these functions. Furthermore, the ACCC will also have power to adjust timeframes, if necessary.
Protection of users’ privacy will be the responsibility of the OAIC, including by ensuring that rules are consistent with the Privacy Act. The OAIC will be the single point of contact for consumers with any concerns, but it may decide to allocate certain disputes to the relevant body, such as the Australian Financial Complaints Authority (AFCA), when it becomes operational in November 2018.
Data61, the data science unit of CSIRO, in its capacity as the new Data Standards Body, will be responsible for developing technical standards that “…enable consumers to safely access data about them held by businesses, and direct this information to be transferred via APIs to trusted, accredited third parties of their choice.” The standards will cover data transfer, data formatting, authentication, security and policy application.
Andrew Stevens is the interim Chair of the body, with his appointment announced on 23 May 2018 by the Treasurer. Stevens, as an independent chair, “…will ensure the standards maximise the benefits for consumers and are developed in consultation with technology firms, and consumer and privacy groups.” Data61 will provide support through an Advisory Committee. On 24 May, Data61 announced it was seeking expressions of interest for membership (in a personal capacity), with nominations due 8 June 2018. Update: initial members were appointed on 29 June for a period of 12 months, including Andy White, COO of AusPayNet.
Open banking will be phased in from July 2019, when customers of the major banks will be able to begin using their CDR. They will have the right to safely “access data about themselves in a readily usable form and a convenient and timely manner” from the major banks and “direct that this information be transferred to accredited, trusted third parties of their choice”.
Initially, customer data on credit and debit card, deposit and transaction accounts will be available. Mortgage data should be available by February 2020 and data on remaining products (as recommended in the Final Report) by July 2020. All other banks will be required to make data available 12 months later than the major banks.
Treasury will consult on the design of the legislative framework, primarily with amendments to the Consumer and Competition Act 2010 and the Privacy Act. In anticipation, the Australian Payments Council is analysing possible effects of potential legislative changes to the Australian Privacy Principles.
A number of commentators and industry participants have remarked on the Government’s timeframe. Indeed, the Government itself notes it “…has set a challenging but realistic timeframe…”
Mike Booth, Open Banking Response Lead at EY, commented in February that “Perhaps the biggest issue for banks is that most implementation… will occur within 12 months of the final Government decision…. These timeframes will be especially challenging for banks with complex legacy technology landscapes.” Echoing this, Chris Michael, CTO of the Open Banking Implementation Entity (OBIE), said in a workshop on 9 May that working across banks’ different “back-end plumbing” was a challenge in the UK.
Fintech Australia welcomed the Government’s decision to “…introduce open banking reforms from mid-next year.” And both the ACCC and OAIC welcomed the reforms. Mr Michael encouraged collaboration and transparency when developing the open banking framework. The OBIE coordinated collaboration between around 2,000 stakeholders, with equal weighting given to banks and third parties. The OBIE uses a public forum to get early feedback on versions of specifications, which speeds up the process. Furthermore, the OBIE publishes all documentation and API specifications.
Many have argued that Australia should take heed of the UK experience, observing that the implementation timeline set by the Competition and Markets Authority (CMA) was very short, resulting in a ‘lacklustre’ launch. Indeed, six of the nine banks mandated by the CMA to provide datasets by 13 January 2018 were not ready on time.
Mr Michael noted that the UK launch date was effectively the start of an ‘informal beta’ phase, as no testing occurred prior. Banks were building “right up to the wire” and the Financial Conduct Authority (FCA) had not authorised any third parties before the launch date. In contrast, the Regulatory Technical Standards (RTS), which cover how data should be shared between banks and third parties under PSD2, set out an explicit 6-month period for testing before go-live in September 2019. Accordingly, he recommended that Australia set a formal beta phase and ensure that both banks and third parties are ready to go at launch.
Banks in the UK were tasked with developing both ‘read’ and ‘write’ access standards over a period of slightly less than 12 months. According to Mr Michael, ‘write’ access added much complexity in the development of open banking in the UK. In Australia, ‘write’ access is out of scope, although it could be considered post-implementation.
While the OBIE drafted standards in line with the draft RTS (which were finalised in March), it developed the UK standardised API specifications itself. The Farrell Report recommended leveraging the OBIE’s work by using the UK’s technical standards and standards on customer authentication and authorisation as a starting point for the Australian framework.
Referring to the OBIE’s experience, Mr Michael recommended developing more-granular standards, which would be less open to interpretation by banks. He noted that global consistency is helpful and regulatory dialogue is important. He added that the OBIE views the UK-Australia Fintech Bridge positively.
Trust is critical for open banking to succeed. The system and its participants must be trustworthy. To achieve this, the Government has stipulated rigorous standards, strong privacy protections and information security. Mr Michael recommended that Australia implement GDPR-like legislation.
The Government seeks to address such risks and ensure customer protections through an accreditation scheme and ‘address book’, where only trusted and accredited recipients will be permitted to access data. Third parties will need to meet requirements set by the ACCC, while ADIs will be automatically accredited. Similarly, the CMA mandated a ‘directory’ in the UK. Mr Michael opined that the Open Banking Directory of authorised entities is essential. He explained that it establishes trust between participants and gives customers the means to know who they are dealing with. In addition, it introduces efficiencies to the system.
Express consent, including the ability to revoke it, is crucial to engendering trust with consumers. It allows them to have control over their own data. Nonetheless, according to Mr Michael, a balance needs to be struck to ensure that consumers have sufficiently granular consent choices without being confused. Further to this, he advises against screen scraping, as it gives third parties unrestricted access to customer data without adequate consent.
While a trustworthy system is necessary, it is not sufficient. Consumers must perceive the system to be trustworthy. As noted in the Farrell Report, “Customers will only use open banking if they understand and trust it.” Moreover, consumers must in the first instance know that open banking exists.
The ACCC and the Government have planned an education program leading up to the July 2019 launch, and have already released the CDR Fact Sheet. As Deloitte puts it, “None of the developments that regulators are hoping will result... will be achievable without a strong buy-in from consumers.”
In the UK, a number of surveys indicate that the majority of Britons are not aware of open banking. Crealogix, a German fintech providing digital architecture for neobanks, reports that 64 per cent of consumers had not heard of open banking, and just 14 per cent knew what it was. ING-backed Yolt, an authorised third party in the UK, found that only 22 per cent of respondents were aware of what the new regulations are. In a September 2017 survey, the UK consumer watchdog, Which?, found that 92 per cent of consumers were unaware of open banking.
A factor in trust between participants is liability. To whom liability falls in the event of a breach has been a key challenge for open banking in the UK. “How do banks ‘open up’ after being responsible for protecting consumer data for so long?” The FCA has outlined liability in its Approach to payment services and electronic money under PSD2, and the OBIE has designed a dispute management system for third parties and banks, although it is voluntary. In Australia, Treasury will include ‘clear liability principles’ in its forthcoming consultation on legislative design.
The Final Report observed that “Success in the work on digital identity in Australia will have substantial benefits for the effectiveness of Open Banking.” Indeed, the Australian Payments Council continues to work on a private digital identity framework that would be interoperable with the Government’s own Trusted Digital Identity Framework. ForgeRock, which recently ran an information session on open banking at AusPayNet, described the benefits of digital identity within open banking, noting that “managing customer identity…. is ‘super critical’ to success”.