The release of the exposure draft of the CDR legislation marks the start of a tight turnaround in order for the legislation to be passed in March 2019, particularly as the details and associated instruments have yet to be released. The CDR regime has been advertised as producing a wide range of benefits for consumers, but the real test of whether and how these benefits will be realised will come when Open Banking commences in July 2019. Expect to see lessons learned from Open Banking applied in the energy and telecommunications sectors, and in the way in which businesses seek to utilise and capitalise on this greater access to consumer data, by developing new products and new channels through which to engage consumers.
- Timeframe for rollout of governing framework. Consultation on the draft legislation ended on 7 September 2018, and the Australian Competition and Consumer Commission's (ACCC) rules framework (which will outline the structure and content of the proposed rules) is expected to be released around 10 September 2018. We also expect that the memorandum of understanding between the Office of the Australian Information Commissioner (OAIC) and the ACCC, which will set out how the regulators will work together and divide their responsibilities, will be released relatively soon. The Government's intention is that the final version of the legislation will be released in December 2018 and receive royal assent in March 2019.
- Timeframe for banking, energy and telecommunications sectors. Open banking is scheduled to commence from 2019, with major banks being required to make credit and debit card, deposit and transaction accounts data available by July 2019. After open banking, the CDR regime will be rolled out to the energy and telecommunications sectors.
- Future sectors. While the Treasurer has the power to designate other sectors, given the enormity of the existing task and resourcing constraints, he is unlikely to do so until after implementation of the CDR regime in the energy and telecommunications sectors. Treasury has not confirmed which sectors will follow, but, based on the high quantity of regulated information and friction involved in transferring providers, the sectors could include superannuation, insurance, digital platforms or health.
- While the full impact of the CDR regime won't be known for another couple of years, it will hopefully lead to the entrance of innovative participants who utilise their existing data sets in conjunction with CDR data to improve customer experience and develop insights.
Consultation on the exposure draft of the legislation ended on 7 September 2018. The ACCC is expected to release the Rules Framework around 10 September, which will contain an outline of the structure and content of the proposed rules, as well as the phased approach to implementation. The Rules Framework will also set out, and seek feedback on, how the ACCC proposes to address particular issues in the CDR Rules. Feedback on the Rules Framework will be open for a month, and stakeholder forums will occur between 24 September and 9 October.
Treasury has indicated that it intends to release a final form of the legislation around December, with the aim of achieving royal assent in March 2019. This timeframe is ambitious, particularly in light of the recent cabinet shifts.
The first implementation of the CDR regime, open banking, follows a similarly ambitious timeline, with the first tranche of information required to be made available by major banks from July 2019. That said, when the United Kingdom implemented open banking earlier this year, six major banks missed the implementation deadline, despite being given an 18-month lead-in period.
In addition, setting the timeline for implementation is likely to be the simple part – the most challenging aspect of the regime will be fostering a comprehensive data sharing ecosystem that functions properly at each of these milestones. Among other things, this will involve developing and implementing common data standards and APIs for data transfer mechanisms, and finalising critical access and security issues such as identity mechanisms.
While it isn't currently clear which sectors will follow energy and telecommunications, it is clear that the consumer data right will spread to other sectors. Some potential candidates – based on the types of products they offer, the regulated nature or conformity of information across the sector, and the friction involved in transferring between service providers – are:
- Superannuation and insurance. Both these sectors are likely to seek to become accredited data recipients of information under open banking, are highly regulated and have come under recent scrutiny.
- Digital platforms. The explanatory memorandum uses social media as an example of the implementation of the CDR regime in a number of places. Given the huge amount of data that social media companies hold, and their expansion into the payments space, social media could be a strong candidate.
- Loyalty programs. As a sector, loyalty programs are highly dependent on the collection of detailed and historical data, and it is difficult, if not impossible, to transfer points or status between various programs.
- Health. The health sector was a key focus of the Productivity Commission's report on Data Availability and Use. However, individuals already have rights under some state-based legislation to transfer their health records and it is likely that health insurance could be covered by an insurance sector designation. Accordingly, the Government may be hesitant to designate the health sector, given the controversy when implementing the My Health Record system.
While Treasury has indicated that it is unlikely to designate any new sectors until after implementation of the energy and telecommunications sectors, it has also suggested that if it sees a large number of entities from a particular sector applying to be accredited data recipients, the ACCC could create data rules requiring that certain data sets held by accredited data recipients be treated as CDR data, where those data sets will be the same as, or a subset of, the data sets in the original designation.
The ACCC can conduct the assessment of whether these reciprocal data sets should be the subject of data rules by itself and without consultation, provided that the data sets are the same kind of data that has already been covered in a designation. As an example, if the original designation of CDR data captured all deposit and transaction account data that ADIs hold, and a large number of social media entities became accredited data recipients and received this information, the ACCC could create a data rule that all deposit and transaction account data that accredited data recipients hold is also CDR data. In doing so, the CDR data that accredited social media entities obtained from ADIs as well as any other deposit and transaction account data that the social media entity held (eg for a transaction account held with the social media entity) would be considered CDR data and caught by the CDR regime.
One benefit of implementing the CDR regime sector by sector, and on the basis of specific categories of CDR data, is that the Treasurer and the ACCC can learn from the successes and the failures of the earlier sectors to ensure that the regime functions properly. The draft legislation enshrines this reflective approach, by requiring the Treasurer to cause an independent review of Part IVD of the Competition and Consumer Act 2010 (Cth), which contains the CDR regime, before 1 January 2023.
For businesses, we expect that easy access to greater quantities of detailed customer-specific data is likely to lead to a more intimate understanding of customers and their preferences (including through combining non-financial data with transaction records). This should also lead to the provision of new products and the development of new channels to engage with customers. Digital entrants like Monzo have been using customer data to enhance a customer's experience – with budgeting and spend tracking features. In the UK, HSBC is trialling an app that provides customers with consolidated bank data based on accounts that they hold across multiple banks.
Read access vs write access
From a technical perspective, the Open Banking Report proposed that the initial technical specification be limited to read-only access for recipients, but flagged the possibility of allowing write access for CDR data in the future. In practice, the distinction is that where write access is provided, the recipient, instead of merely viewing data, will be able to transform and vary it, including potentially transacting on behalf of the underlying CDR consumer. For example, an online merchant may offer an API to purchase products directly through a merchant's direct online banking portal, without requiring any intermediaries, such as electronic payment provider intermediaries or the bank's own website.
In the UK, the open banking API is designed to allow write access as well as read access (such that data transferred to recipients can more easily be used). Australian banks have raised security concerns about write access, but there are also significant potential benefits to come from reducing friction in customer on-boarding. The distinction between read and write access has not been addressed in the draft legislation, which, as a result, currently would permit write access to CDR data but leaves it open for the data standards, or particular data rules, to limit certain data sets to read-only if determined necessary.
The CDR – beginning with Open Banking – also potentially paves the way for the development of individual digital identities, like those adopted in Estonia, in development in Singapore, and flagged by the Australian Digital Transformation Agency, such that individuals will be able to prove who they are in a digital environment (and avoid cumbersome verification of identity processes). This will likely result in even greater growth in online transactions, as they become more convenient and more secure, including the growth of online platforms for communications that also incorporate features facilitating peer-to-peer transactions.