In brief 10 min read
In preparation for the implementation of the first phase of the Consumer Data Right (CDR) on 1 July 2019, the ACCC has released draft CDR Rules for consultation. The draft rules detail how the CDR will function across all designated sectors in practice, including how data is to be shared, the criteria for accreditation, dispute resolution requirements and privacy safeguards. They also contain rules that are specific to the banking sector. This article provides an overview of the draft rules, the key changes made since the release of the Rules Framework in October 2018 and the Rules Outline in December 2018 and the key issues left open for further consideration.
- The ACCC has clarified ADIs will not be required to share any 'derived data' as part of the Open Banking regime. This is despite Treasury's earlier indication that the intent of the broad definition of CDR data was to avoid organisations exploiting a loophole in the regime by transforming the data even marginally. However, it remains to be seen whether value-added datasets might still be captured for other designated sectors.
- The ACCC has finally determined that reciprocity obligations will automatically apply to the Big Four banks from July 2019 (in respect of product data only), all accredited ADIs from February 2020 (in respect of both product and consumer data), and to all other ADIs and accredited 'data holders' of banking product data or consumer data from July 2021 (in respect of product data and consumer data). That is, from these dates, those holders of designated CDR banking data will be required to share the product data and consumer data that they hold in response to a valid request. ADIs will also be required to comply with reciprocity obligations before those dates where they voluntarily elect to participate in the CDR scheme early.
- The draft Rules mandate a new requirement for data holders and accredited recipients to offer an online consumer dashboard to CDR consumers for making data access and transfer requests. Additionally, accredited persons will only be able to request and receive data on behalf of a consumer if they have entered into a contract with the consumer to supply goods or services using their CDR Data.
- In relation to the method of data transfers, the draft Rules appear to be inconsistent with the latest draft of the Data Standards released by Data61. While the ACCC's draft Rules Framework and the current Data Standards contemplate all data sharing occurring via APIs, this appears to have been superseded by the online service mechanism and a requirement for consumer data and product data to be delivered in human-readable and machine-readable form, respectively.
- There are also prescriptive requirements in relation to ensuring the security of CDR data held by accredited recipients under privacy safeguard 12. These resemble the robust security obligations mandated under APRA's new Prudential Standard CPS 234, which will apply to APRA-regulated entities from July this year. This is yet another signal of the increasing regulatory scrutiny around the need for robust cybersecurity frameworks and mechanisms to detect, respond and notify in the event of a data breach (for more on this, see our publication, Trend Watch: what the top 10 cybersecurity trends mean for your business).
- The consultation on the draft CDR Rules is open until 10 May 2019. Submissions can be made via the ACCC's consultation hub.
The ACCC has finally determined that reciprocity obligations will automatically apply to the Big Four banks from July 2019 (in respect of product data only), all accredited ADIs from February 2020 (in respect of both product and consumer data), and to all other ADIs and accredited 'data holders' of banking product data or consumer data from July 2021 (in respect of product data and consumer data).
That is, from these dates, those holders of designated CDR banking data will be required to share the product data and consumer data that they hold in response to a valid request. ADIs will also be required to comply with reciprocity obligations before those dates where they voluntarily elect to participate in the CDR scheme early.
- The introduction of reciprocity obligations follows Treasury's strong endorsement in its final Report into Open Banking for accredited data recipients (such as fintechs or non-bank credit providers) to also be required to share equivalent CDR data. As such, while non-ADIs will be able to become accredited data recipients of designated banking information under the CDR regime, reciprocal data holder obligations will not apply to them until July 2021.
- The ACCC has indicated the staggered approach to reciprocity is largely a workload issue and reflects the fact that ADIs, as the first designated industry, are already working to develop APIs and other data sharing technologies; while other sectors are still slightly behind.
Once an industry is designated under the CDR regime, data holders must disclose 'Required Product Data' and 'Required Consumer Data'.
Required Product Data means primary CDR data unrelated to individual consumers (ie general product information) relating to the eligibility criteria, terms and conditions, price, availability or performance of a product.
Required Consumer Data means primary CDR data specific to a consumer that comprises:
- customer data (eg, name, contact details)
- account data (eg, account number, account name, opening and closing balances)
- transaction data (eg, date of transaction, description of transaction, categorisation of the transaction) or
- product specific data for a product the consumer uses (eg, name, price, features).
Only data captured in digital form is captured. Customer data relating to minors is not required to be shared.
- The categories of CDR data required to be shared in banking have largely been consistent throughout the consultation.
- However, the draft CDR Rules clarify CDR data in the banking sector extends only to primary data – ie, it excludes information that is wholly or partly derived. This will address the concern expressed by many stakeholders during the roundtables held last year, that they would be required to disclose transformed or value-added data.
- Notably, though, the definition of CDR data under the draft legislation still includes 'derived data'; so it is possible value-added datasets might still be captured in respect of other designated sectors.
- Following concerns raised in the consultation, CDR Data relating to minors has also been excluded from the regime.
Data holders are required to provide an online service that can be used to make Product Data or Consumer Data requests and disclose the data requested.
The online service must allow:
- Product Data to be disclosed in machine-readable form;
- Consumer Data to be disclosed direct to consumers in human-readable form; and
- Consumer Data to be disclosed to an accredited person on the consumer's behalf in machine-readable form.
Data must be disclosed in accordance with the Data Standards governing the technical and security processes for data transfer, as prescribed by the Data Standards Body, Data61.
A Data holder can refuse to disclose Product Data or Consumer Data in the circumstances (if any) set out in the Data Standards. A Data holder can also refuse to disclose Consumer Data if such a disclosure would create a real risk of serious harm or abuse to an individual, or damage the security or integrity of the technology systems used by the Data holder. Refusals to supply Consumer Data must be notified to the ACCC within 24 hours.
- The method for the sharing of CDR data has evolved since the ACCC's draft Rules Framework, which previously required all data sharing to occur via APIs. This appears to be due to concerns expressed by stakeholders about privacy and security risks for data recipients, and contrasts with the UK Open Banking regime, which specifically requires the nine largest UK banks to share data with authorised third parties using secure open APIs at the customer's direction.
- That said, the current draft of the Data Standards released by Data61 in December 2018 still contemplates data sharing occurring via APIs – so it will be interesting to see whether the next draft of those Standards amends that position.
Consumers can authorise accredited data recipients to request and receive data on their behalf.
To facilitate consumer data requests made via accredited persons, Data holders and accredited recipients must each provide consumers with an online service known as a consumer dashboard:
- The accredited person's consumer dashboard enables consumers to manage requests for CDR data and associated consents. For example, it will specify when the consumer gave consent, what CDR data is covered and if the consent is current.
- After a Data holder has received a consumer data request from an accredited person on behalf of a consumer, the Data holder's consumer dashboard enables the consumer to manage authorisations to disclose CDR data. For example, it will specify which accredited person is authorised to receive CDR data, which CDR data is covered and whether the authorisation is current.
Additionally, accredited persons can only request and receive data on behalf of a consumer if they have entered into a contract with the consumer to supply goods or services to the consumer using their CDR Data. The contract must provide the consumer with an ability to terminate.
Collection of data by accredited persons is subject to the data minimisation principle – accredited persons must collect no more data than is reasonably necessary to provide goods or services under contract with the CDR consumer.
- Data holders and accredited recipients will be required to invest in the creation of consumer dashboards in accordance with the data standards.
- The requirement that the accredited person be in a contractual relationship with the CDR consumer is a new development since the Rules Outline. The requirement ensures accredited persons will only be permitted to receive data on behalf of consumers where their contractual relationship has been formalised.
Accredited persons must be accredited by the Data Recipient Accreditor (which is currently the ACCC).
The draft CDR rules contain only one general level of accreditation ('unrestricted level'). To be accredited at the 'unrestricted level', a person must:
- be a fit and proper person;
- have adequate practices and procedures in place to manage CDR Data and information security risks;
- have internal dispute resolution procedures that meet the requirements of the rules;
- be a member of a recognised external dispute resolution scheme in relation to CDR consumer complaints; and
- have adequate insurance to be able to compensate CDR consumers for losses arising from a breach of relevant laws relating to management of CDR Data (except ADI or PPF providers).
The Data Recipient Accreditor can consult with other government agencies in considering accreditation applications, and may impose conditions on accreditation. Decisions to refuse accreditation can be appealed to the Administrative Appeals Tribunal. All accreditations must be notified to the Accreditation Registrar for noting in the Accreditations Register.
The strong accreditation process and criteria for CDR participants has been consistent throughout the consultation process. The criteria has been further supplemented since the release of the draft Rules Framework through the introduction of minimum requirements for information security under the rules around privacy safeguards.
While the draft CDR rules contain only one level of accreditation, it is anticipated that subsequent versions will incorporate other accreditation levels, including levels that accommodate business models that use third party intermediaries to collect and/or hold CDR data.
When a CDR consumer consents to an accredited person collecting and using CDR Data, the consent must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.
The consent process must be easy to understand and comply with the data standards. The process must enable the consumer to actively select the types of CDR data and uses they are consenting to.
Consents must be able to be withdrawn at any time. Consent expires at the earliest of the following:
- when it is withdrawn;
- 12 months after consent is given;
- if the consent was for collection of CDR data on a single occasion, after the CDR Data has been collected; or
- if the consent was for collection of CDR data after a specified period, at the end of the specified period.
Accredited persons must notify consumers every 90 days that an ongoing data sharing arrangement is in place.
The time-limited duration of consent has been increased from 90 days to 12 months, in order to support important use cases. This amendment was made on the basis that accredited persons would be required to regularly notify CDR consumers that the consent provided was still current, and findings by the Data Standards Body as part of their consumer engagement and testing that such a short turnover for consent did not align with consumer expectations and may lead to poor customer experience.
The draft CDR Rules outline a number of requirements which supplement the privacy safeguards outlined in the draft legislation, including:
- a requirement that accredited persons maintain a CDR policy, which includes a list of outsourced service providers and information about internal dispute resolution processes;
- a requirement that accredited persons and data holders update the consumer dashboard in respect of data collected or disclosed;
- authorisation for the use and disclosure of CDR data by an accredited data recipient; and
- requirements around the quality of CDR data provided, correction of CDR data, and information security.
Schedule 1 of the Draft Rules provides further detail in relation to privacy safeguard 12 – security of CDR data held by accredited data recipients. It prescribes a rigorous security regime that accredited data recipients must follow that goes above and beyond what is required by the APPs. For example, it imposes:
- a requirement for minimum information security controls;
- a mandate for the establishment of a formal governance framework for the security of CDR data;
- the need for recipients to clearly document practices and procedures, including specific responsibilities of senior management;
- an obligation on recipients to maintain an information security policy; and
- annual testing requirements for internal CDR data security response plans.
The ACCC is still considering further rules which would permit disclosure of a consumer's CDR Data by an accredited person to another accredited person (eg, an intermediary), or to another person entirely (eg, a consumer’s accountant, lawyer or financial counsellor).
Data holders and accredited persons will be required to keep and maintain detailed records of complaints, consumer data requests, authorisations and authorisation withdrawals by CDR consumers, and disclosures of CDR data.
Data holders and accredited persons are required to prepare and submit twice yearly reports to the ACCC and the Information Commissioner on CDR complaint data and goods or services offered to CDR consumers using CDR data.
Businesses will need to ensure they have appropriate processes in place for complying with the reporting and record keeping requirements.
At present, the draft CDR Rules have not specified the rules that will be subject to civil penalties.
The ACCC has indicated it is still considering which rules will be accompanied by a civil penalty.
It is imperative businesses prepare for the commencement of the CDR and take appropriate action to ensure their internal processes comply with the requirements of the regime, particularly given the foreshadowed penalties that may be associated with a breach of the rules.
The ACCC has regularly commented that its role is not to act as an 'internal compliance department' 2 , and businesses should not wait for the ACCC to uncover compliance problems before they are addressed.
With consultation open on the draft CDR Rules until 10 May, it appears that the ACCC is still welcoming industry feedback and participation before the final Rules are published. This is occurring at the same time as the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (the legislation that will establish the overarching CDR framework) has been introduced into, but not yet passed by, the House of Representatives. We are also still waiting for an updated draft of the technical Data Standards from Data61, which will hopefully reconcile some of the apparent inconsistencies now contained in the draft Rules.
With the pilot program for the Big Four Banks and the requirement to share the first tranche of product data going live in July this year, timing seems tight – and affected organisations will need to invest quickly in CDR-compliant systems if they hope to keep up.
- Australian Government, Report of the Review into Open Banking (December 2017), Recommendation 3.9.
- See eg R Sims, (2013), ACCC, 'Chairman's address: Law Council of Australia' https://www.accc.gov.au/speech/chairmans-address-law-council-of-australia.