The Federal Government has released its much anticipated Review into Open Banking in Australia. The Review makes 50 sweeping recommendations to implement Open Banking, including a new regulatory framework under which the regime would operate in the broader context of a new Consumer Data Right for all sectors. Partner Gavin Smith, Senior Associate Elyse Adams, Associate Leah Wickman and Lawyer Connie Ye report on some of the key elements of the report.
- In May 2017, the Federal Government announced the introduction of an open banking regime in Australia as part of the 2017-2018 budget. The Review into Open Banking (Review) was commissioned by the Treasurer to make recommendations on the most appropriate data-sharing model in order to facilitate competition and innovation in the banking sector. It was also tasked with recommending a regulatory framework and necessary instruments to support and enforce the regime.
- In November 2017, the Federal Government announced that it would legislate to create a Consumer Data Right (CDR) following recommendations of the Productivity Commission's May 2017 Data Availability and Use report (PC Report). The CDR is proposed to grant consumers across all sectors with open access to their data, as well as an ability to direct a business to transfer their data to a third party in a usable machine readable form. The PC Report originally noted that the right should first be implemented across the banking, energy and telecommunications sectors.
- Open Banking, the first instalment of the CDR, will require data holders (for example, banks) to transfer certain types of customer data to data recipients (for example, financial product comparison providers, competing financial service providers and providers of FinTech tools) at the request of the customer, as well as to give the customer access to their own information.
Of the 50 recommendations made in the Review, the following are key.
- The intention of the proposals is to make it easier for consumers to access, share, use and, importantly, derive value from their information. This includes allowing third parties to have direct access to consumers' information. The recommendations are broadly in line with the majority of recommendations made by Australian fintech players, including industry body Fintech Australia.
- The Review looks beyond the banking sector and proposes a framework to allow the implementation of a CDR across any sectors designated by Government. This includes amending existing legislation to implement the new CDR, primarily through amendments to the Competition and Consumer Act 2010 (Cth) (CCA).
- The proposed CDR model will require a multi-regulator approach, with the ACCC taking the lead and working closely with the OAIC from a privacy and confidentiality perspective. Other sector-focused regulators are to be consulted as required, including ASIC, APRA and the RBA in relation to Open Banking. This represents a new frontier for the ACCC and a substantially expanded remit.
- The Review considers the scope of Open Banking in terms of participants, products and datasets, proposing a limitation on the types of data available via Open Banking, although noting that these may change as innovation occurs. Importantly, Open Banking will apply not only to information relating to individuals, but also to businesses.
- The Review leaves certain key questions open to further debate, including in particular how 'value-added customer data' and 'aggregated data sets' should be defined so as to appropriately exclude them from the regime.
- The Review proposes several ways to safeguard Open Banking and 'inspire confidence' in the system, including accreditation of data recipients, modification of key privacy principles for Open Banking and a need for a comprehensive liability framework that allocates responsibility between participants in the Open Banking system. The Review also suggests that a Data Standards Body be established to develop the transfer, data and security standards applying to each sector, utilising the current UK data sharing technical specification as a starting point.
- The Review recommends that the regulatory costs for implementation of Open Banking be funded from general taxation revenue at the outset, as opposed to a fee-for-service model or industry-funded model.
- ADIs should consider the Review carefully and assess what internal processes and policies need to be updated or created to prepare for Open Banking generally. The Review suggests that the four major banks should be required to implement Opening Banking from the intended commencement date (which the Treasurer has indicated will be 1 July 2019), with all other ADIs to follow within 12 months. The review also suggests that the new regime will apply only to transaction data from 1 January 2017 onwards.
- FinTech companies, comparative service providers and others who will want to access Open Banking data as a data recipient should review the recommended security standards and other accreditation criteria and consider whether they can meet such standards if the accreditation recommendation is accepted and implemented.
The Review has considered the implementation not just of Open Banking but of the CDR more broadly.
Contrary to recommendations in the PC Report, the Review recommends amending existing legislation, rather than introducing a new, standalone 'Data Sharing and Release Act' that would replicate elements of the Privacy Act 1988 (Cth) and other recommendations of the PC Report. It suggests that the CCA in particular be amended to 'set out the overarching objectives' of the CDR, and it is under this Act that Open Banking (and open data regimes in other sectors) should be implemented. The Review proposed the CCA as the best candidate as it is 'the most prominent existing legislative framework that promotes decision-making in a customer and competition based framework' and, unlike the OAIC's submission that the Privacy Act should be the governing instrument of the CDR, would not 'place undue emphasis on privacy at the expense of efficiency through competition'. The CCA would set out the overarching objects of the CDR, enable the designation of a sector by Ministerial direction and create the power to set out rules and standards for implementing CDR within a sector.
The Review recommends that the implementation of the CDR in each sector would be subject to a 'hierarchy of legislative instruments' consisting of the overarching legislation for CDR (ie the CCA), binding rules that vary by sector and are enforced by the relevant regulator(s), and sector-specific transfer, data and security standards set by a Data Standards Body appointed by government.
Notably, the proposed amendments would substantially increase the remit of the ACCC. The ACCC would be the leader of a multiple regulator model, with the OAIC remaining responsible for privacy protection, and other sector-focused regulators involved as relevant (for example, ASIC, APRA and the RBA in the case of Open Banking). The ACCC would be primarily responsible for:
- drafting binding rules on open data in each sector in consultation with the other relevant regulators;
- overseeing the data standards bodies that set transfer, data and security standards for open data;
- determining the criteria for, and method of, accreditation for participants in the open data market; and
- investigating breaches and enforcing the CDR, including breaches that raise systemic competition issues but excluding breaches related to privacy or confidentiality.
This proposed role represents a new frontier for the ACCC. While the ACCC has advocated for greater consumer access to data1, its ability to facilitate access is currently limited. In particular, the Australian Consumer Law prohibits businesses from misleading consumers relating to consumer data, or in the case of standard form contracts, imposing unfair terms relating to consumer data. However, the CCA does not contain any positive requirements on business to provide customers with access to data.
The Review also recommends a possible expanded role for the OAIC by granting the OAIC the power to handle complaints regarding both individual privacy and confidentiality for businesses, along with related enforcement powers. Currently, the OAIC only has powers in relation to personal information of individuals; no protection of business information (that is not also personal information) is provided under the Privacy Act.
The Review suggests that all customers holding a relevant account in Australia should benefit from Open Banking due to increased transparency and competition, including less financially literate sections of the population. Open Banking services will be available to small and large businesses as well as individuals.
Noting that the parameters of both datasets and participants will change over time with innovation, the Review recommends that the following datasets should be in-scope for the implementation of Open Banking:
- information provided directly by customers to their banking institution ('customer-provided data');
- data generated as a result of transactions made on a customer's account or service for certain banking products ('transaction data'); and
- information on products and services that banks are under an existing obligation to publicly disclose ('product information').
This recommendation essentially limits the scope of Open Banking to information that customers should generally already have access to in the open market, albeit currently in a haphazard way. Rather than giving customers a right to access additional information, the purported aim of making these datasets expressly available through Open Banking is to make it easier for customers to access, share, use and derive value from this information.
Expressly excluded from the Open Banking proposal is data resulting from the efforts of the data holder, including value-added data and aggregated data sets. However, there is a suggestion that a confirmation of the result of an identity verification assessment should be shared via Open Banking, although the actual data involved in the verification should not be shared. The Review suggests that while the result of identity verification is a 'value-add', sharing such confirmation information would be in the interest of 'Know-Your-Customer' requirements. The Review suggests current anti-money laundering regulations be updated to ensure data recipients can rely on such verification confirmation received from a third party.
The Review acknowledges that while Open Banking may present an increased risk to the security and privacy of customers' banking data, focusing disproportionately on managing these risks could delay or undermine its introduction. Further, Open Banking is more to likely involve an increase in the degree of risk rather than any changes to the type of risk. The process of designing the system therefore requires a balance of addressing those risks and realising the opportunities available.
As noted above, it is proposed that the ACCC would be responsible for determining the criteria for, and method of, accreditation for participants in the open data market, including in relation to non-ADI participants in Open Banking. The Review proposes that ADIs will not require accreditation to engage in Open Banking services.
Privacy and confidentiality
The Review recommends that all data recipients (including small businesses that are not currently required to comply) be required to comply with the Privacy Act. The Review also recommends that the transfer and handling of data under Open Banking should require the customer's informed, express and time-bound consent. This goes above and beyond what is currently required by the Privacy Act. While the Review details at length several 'privacy protection modifications' based on the existing Australian Privacy Principles, it is unclear if the Review recommends amending the Privacy Act directly to give effect to these modifications, or enshrining the modifications in some other instrument. As the Privacy Act currently only protects the information of individuals, and as the modifications are seemingly intended to apply to all customers using Open Banking, including corporate customers, it would seem that a separate legislative instrument capturing these modifications would be required to ensure these protections apply to all customers, and not just individuals.
As businesses do not currently benefit from the protections of the Privacy Act, the Review recommends that business rely on existing common law and equitable principles relating to confidentiality. It is recommended that small businesses be given access to internal and external dispute resolution services for confidentiality disputes, but does not extend this to large business. Large businesses will be required to seek compensation for breach of confidentiality through the court system at their own expense and with the risk that any awarded remedies will not be realised. While it is unclear how often large businesses will make use of Open Banking as customers, this exclusion from the proposed separate dispute resolution process may not entice such businesses to engage with Open Banking as customers.
The Review recommends that a comprehensive, principles-based liability framework be established on the premise that participants are liable for their own conduct in relation to data, but not that of other participants. The Review sets out various case studies and compares where liability would lie under each of the privacy law framework, banking law framework and suggested Open Banking liability framework.
Having a clear liability scheme would encourage participation in Open Banking. It would also reduce, if not completely remove, the need for data holders and data recipients to bilaterally negotiate and contract for liability risks. This framework would need to be binding in order to have the desired effect; however the Review does not recommend where the framework would sit and whether the liability scheme would be enforced through private actions and/or the ACCC or another regulator.
The Review recommends that the regulatory costs for implementation of Open Banking be funded from general taxation revenue at the outset, as opposed to a fee-for-service model or industry-funded model. This recommendation is based on Open Banking forming part of the broader CDR, which will benefit the public sector, as well as the difficulty to estimate the average cost until Open Banking is well-established. It is unclear what costs data holders and data participants may be able to recover for implementing Open Banking, and how such costs would be recovered. The Review also recommends that the funding arrangement be revisited as part of the post-implementation review, as a more refined cost structure may be possible.
The Government will now make a decision on whether to proceed with the Review's recommendations. If it does, it is anticipated that the major ADIs will need to commence compliance within 12 months of a Government announcement.
- See, for example, The ACCC’s approach to colluding robots.