ACCC unsure how consumers will receive their data under impending mandate
The Australian government has published the initial guidelines governing the upcoming Consumer Data Right (CDR), with the Australian Competition and Consumer Commission (ACCC) focusing mostly on defining what must be shared and by who, with how a consumer can get their hands on their own data still unclear.
The Rules Framework, published in September, stipulated that all data-sharing activities be conducted via APIs; however, the Consumer Data Right: Rules outline [PDF] concedes this isn’t exactly practical for a consumer.
“The ACCC has changed its position in light of feedback that it is not practical for consumers to receive their data through APIs and due to the added security risks of this approach,” it wrote, saying its position changed after receiving 55 submissions from entities such as the big four banks, telcos, energy and utilities providers, Australian state information commissioners, and online finance firms such as Paypal.
It doesn’t offer an alternative at this stage, but has stuck to its API mandate for organisation to organisation data-sharing.
Originally, the rules were meant to be determined by the end of last year, but the ACCC opted to publish the rules outline instead. It said it has shaped the outline under the assumption the exposure draft of the Treasury Laws Amendment (Consumer Data Right) Bill 2018 will be passed in the first-half of 2019.
The CDR is touted by the federal government as allowing individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it. The first cab off the rank is finance by way of a new open banking regime.
From July 1, 2019, product reference — generic — data must be made publicly available by “initial data holders” and all other CDR data must be made shareable by no later than February 1, 2020, .
The watchdog has classed the big four banks — Australia and New Zealand Banking Group (ANZ), Commonwealth Bank of Australia (CBA), National Australian Bank (NAB), and Westpac Banking Corporation — as initial data holders.
The four giants currently hold approximately 95 percent market share of the entire Australian finance industry.
See also: NAB keeps its cool over Open Banking implementation | Westpac predicts Open Banking to cost AU$200m to implement | BT Security concerned open banking presents a ‘conundrum’ for mitigating risk
Authorised deposit-taking institutions (ADIs) who are accredited data recipients will be known as “reciprocal data holders” from February 1, 2020. As explained under the outline for reciprocal data holders, this means that ADIs wishing to receive CDR data will be required to share CDR data from this date, providing they have a valid request from a consumer.
ADIs can also apply to be a data holder from February 1, 2020.
“Reciprocal data holder obligations will ultimately apply across sectors, with data sharing between sectors once each sector is designated,” the ACCC wrote. “Therefore, entities from a sector other than banking will be able to become an accredited data recipient and receive CDR data but reciprocal data holder obligations will only apply to them once their relevant sector is designated.”
The ACCC added that an accredited data recipient must present each consumer with an active choice to give consent, and consent must not be the result of default settings, pre-selected options, inactivity, or silence.
They must also provide consumers with a straightforward process to withdraw consent and allow them to withdraw any consent provided at any time and without detriment.
Consent and authorisation will automatically expire after 12 months, which was extended after consultation from the original 90-day proposed duration. However, accredited data recipients must remind consumers every 90 days that an ongoing data sharing arrangement is in place.
An accredited data recipient must also provide a consumer-facing electronic dashboard that provides details of the consumer’s current and historic consents.
The ACCC and the Office of the Australian Information Commissioner (OAIC) will monitor compliance with the continuing obligations of the data holders through an audit and compliance program.
The data to be made available under the first wave of the CDR is separated into product tranches, with phase one covering savings accounts, call accounts, term deposits, current accounts, cheque accounts, debit card accounts, transaction accounts, personal basic accounts, GST and tax accounts, and credit and charge cards.
Phase two will include residential mortgages, investment mortgages, and mortgage offset accounts which will be required to be shared from February 1, 2020, and be fully in place exactly a year later.
Phase three will include most kinds of loans, leases, and lines of credit, overdrafts, cash management accounts, pensioner deeming accounts, retirement savings accounts, trust accounts, and foreign currency accounts, and data holders have an initial date of July 1, 2020 to begin sharing.
Under all phases, information from all accounts active on or after January 1, 2017, will be available, even if currently inactive. Offline and former customers will come within the scope in a subsequent version of the rules, the ACCC said.
According to the ACCC rules outline, customer data, at a minimum, includes: the consumer’s name, which may include a business name and numbers such as an ABN or ACN; as well as the consumer’s contact details, which may include phone numbers, email addresses, and physical addresses.
Customer data also includes information the consumer provided to the data holder at the time of opening the account that relates to the consumer’s eligibility to acquire the product.
In relation to business consumers, customer data may include the type of business, establishment date, registration date, organisation type, country of registration, and whether the business is a charitable or non-profit organisation.
Consumers covered by the CDR rules must be 18 years and over, with minors removed from the guidelines with the latest review.
Individual and joint accounts will be in scope from the commencement of the CDR, with multi-party accounts such as those held by large companies and associations, partnerships, trustees, joint ventures, and self-managed super funds, still being “considered”, the ACCC wrote.
The ACCC may grant a data holder a temporary exemption from obligations under the Rules, where the ACCC considers it appropriate to do so.
Transaction data, at a minimum, is to include the date, merchant identifier, amount debited or credited, description, and categorisation such as transport, health, entertainment, or social.
The ACCC said it does not propose to define “transaction metadata” in addition to the data described as being transactional for the first version of the rules, and will give the issue “further consideration for a subsequent version of the rules”.
Generic product data will be required to include, at a minimum, data on: product type; name; and pricing, features and benefits such as discounts and bundles, terms and conditions, and customer eligibility requirements. In addition to the same data required under the generic banner, consumer product data will include fees, charges, and interest rates.
Where privacy is concerned, there are a total of 13 privacy safeguards, covering the management of data, collection of data, disclosure of data, quality of data, its security, and the ability to correct incorrect information.
Data holders and accredited data recipients will have a separate CDR policy, with the former required to include a list of outsourced service providers, the nature of their services, and the CDR data that has been disclosed to them.
Accredited data recipients must also give consumers the option of dealing with them anonymously or by pseudonym.
The policy will authorise an accredited data recipient to use CDR data for the purposes of which the consumer has provided valid consent, and will authorise an accredited data recipient to use CDR data for the purposes of which the consumer has provided valid consent.
It will not require or authorise an accredited data recipient to disclose CDR data to a non-accredited recipient, even at the direction of the consumer.
Data holders must also destroy “redundant” data.