
09 September, 2018

An update on open banking in Australia

Proposed changes to the Consumer Data Rights (‘CDRs’) to facilitate open banking are another example of the consumer-protectionist trajectory along which Australian privacy and data regulation continues to evolve. Whilst the regime initially applies only to the banking sector, it provides some useful indicators of the sorts of regulatory standards that modern businesses can expect.

Open banking context

As part of the government’s independent review into banking in Australia, the government has introduced the Open Banking regime. On 9 May 2018, the government announced its plans to introduce and develop the CDRs to “provide individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses”.

The CDR gives “CDR consumers” the ability to control access to their data held in digital form. CDR consumers are not just individuals but may also include businesses and trusts. The Australian Competition and Consumer Commission (‘ACCC’) proposes to make rules specifying minimum thresholds for what is considered “CDR data”, including at least information such as customer names, contact details, account numbers, and direct debit details. The ACCC has released the CDR Rules Framework for a public consultation period that runs to 12 October 2018 (available for download here).

The government has announced that the banking sector will be the first sector to be regulated with reference to the CDR and, as a result, the framework of the CDR currently has a banking focus. In the initial phase, the rules will apply only to the four major banks and to the online customers of those banks. The revisions are intended to bring greater competition to the sector by enabling other financial service providers to offer additional services to bank customers.

Sharing obligations

Under the ACCC Rules Framework, a data holder will be required to share CDR data with individuals themselves or accredited data recipients (‘ADRs’).

Sharing data with the consumer

The CDR Rules Framework proposes rules under which CDR consumers may request their data using online mechanisms, nominating specific data in their request.

Sharing data with ADRs

The CDR Rules Framework proposes rules under which a data holder may share CDR data with ADRs.  The process requires the consumer to give consent to the ADR, and when the ADR seeks to access the data from the data holder, there is a two-way authentication process under which the data holder authenticates:

  • the identity and accreditation status of the ADR; and
  • the identity of the consumer.

Once the consumer authorises the disclosure, the data holder then directly shares the data with the ADR.

Requirements to be an ADR

The ACCC has proposed that ADR applicants must:

  • Be “fit and proper persons” to receive the data;
  • Have appropriate systems, etc., to comply with the legislation, including in relation to privacy management risks (the ACCC seeks stakeholder views on certification against evidentiary industry standards);
  • Have internal dispute resolution processes and be a member of an external dispute resolution body recognised by the ACCC; and
  • Hold appropriate insurances.

What data is contemplated to be covered initially

Most data provided by, or on behalf of, a CDR consumer to a data holder and held in digital form would be covered. The draft legislation provides that CDR data can include data that is “directly or indirectly derived from underlying CDR data”. The purpose of this includes enabling transformed or value-added data to fall within the CDR regime, though it also seems that—based on the Open Banking review—this would not extend to data that has undergone “material enhancement by the application of insights, analysis or transformation by the data holder”.

The ACCC proposes to make rules that initially the following minimum data be covered under the CDR protections:

  • Customer name
  • Contact details
  • Account number(s)
  • Payee lists/direct debits
  • Account-level information, including authorisations
  • Unique identifiers

What data is not initially covered

It is expected that data collected prior to 1 January 2017 will be excluded from the scope of the CDR. Also excluded from disclosure to an ADR is ID verification information.
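The sharing flow described under “Sharing data with ADRs” (ADR accreditation and identity checked, consumer authenticated, consent confirmed, then data released) and the scope rules above (the proposed minimum data set, the pre-2017 exclusion, and ID verification information never going to an ADR) can be modelled as a single data-holder gatekeeper. The following is an added illustrative example, not code from the ACCC Rules Framework or any bank; the category labels, the shared-secret credential scheme, and the record layout are assumptions chosen to make the gates visible.

```python
"""Illustrative model of a CDR data holder's release checks.
Constructed example: category names, the credential scheme and the
fixture data are assumptions, not the ACCC Rules Framework."""
import hmac
from dataclasses import dataclass
from datetime import date

# Minimum data set proposed for the initial phase (labels are assumed).
CDR_CATEGORIES = {
    "customer_name", "contact_details", "account_numbers",
    "payees_direct_debits", "account_level_info", "unique_identifiers",
}
# ID verification information is never disclosed to an ADR.
NEVER_TO_ADR = {"id_verification"}
# Data collected before this date is expected to fall outside the CDR.
CDR_CUTOFF = date(2017, 1, 1)


@dataclass(frozen=True)
class Record:
    category: str
    collected_on: date
    value: str


@dataclass(frozen=True)
class Consent:
    consumer_id: str
    adr_id: str
    categories: frozenset  # data the consumer nominated for this ADR


class DataHolder:
    """Bank-side gatekeeper: authenticates the ADR and the consumer,
    confirms consent, then releases only in-scope records."""

    def __init__(self, accredited, consumer_secrets, consents, records):
        self.accredited = accredited            # adr_id -> (status, secret)
        self.consumer_secrets = consumer_secrets  # consumer_id -> secret
        self.consents = consents                # list[Consent]
        self.records = records                  # consumer_id -> list[Record]

    def _authenticate_adr(self, adr_id, credential):
        entry = self.accredited.get(adr_id)
        if entry is None:
            return "ADR not accredited"
        status, secret = entry
        if status != "active":
            return f"ADR accreditation {status}"
        if not hmac.compare_digest(secret, credential):
            return "ADR credential rejected"
        return None

    def _authenticate_consumer(self, consumer_id, credential):
        secret = self.consumer_secrets.get(consumer_id)
        if secret is None or not hmac.compare_digest(secret, credential):
            return "consumer authentication failed"
        return None

    def _consent_for(self, consumer_id, adr_id):
        for c in self.consents:
            if c.consumer_id == consumer_id and c.adr_id == adr_id:
                return c
        return None

    def share_with_adr(self, adr_id, adr_credential,
                       consumer_id, consumer_credential, requested):
        """Return (records, refusal_reason). Every gate passes before data leaves."""
        for failure in (self._authenticate_adr(adr_id, adr_credential),
                        self._authenticate_consumer(consumer_id, consumer_credential)):
            if failure:
                return [], failure
        consent = self._consent_for(consumer_id, adr_id)
        if consent is None:
            return [], "no consent on record"
        # Scope = requested AND consented AND in the CDR set, minus ADR-barred data.
        scope = (set(requested) & consent.categories & CDR_CATEGORIES) - NEVER_TO_ADR
        released = [r for r in self.records.get(consumer_id, [])
                    if r.category in scope and r.collected_on >= CDR_CUTOFF]
        return released, None


def build_demo_holder():
    """Constructed fixture: one consumer, one active ADR, one suspended ADR."""
    records = {"cust-1": [
        Record("account_numbers", date(2018, 3, 1), "acct-1234"),
        Record("account_numbers", date(2016, 6, 1), "acct-old"),       # pre-cutoff
        Record("id_verification", date(2018, 3, 1), "passport-no"),   # barred
        Record("contact_details", date(2018, 3, 1), "0400 000 000"),  # not consented
    ]}
    consents = [Consent("cust-1", "adr-fintech",
                        frozenset({"account_numbers", "id_verification"}))]
    return DataHolder(
        accredited={"adr-fintech": ("active", "adr-secret"),
                    "adr-lapsed": ("suspended", "lapsed-secret")},
        consumer_secrets={"cust-1": "cust-secret"},
        consents=consents, records=records)


if __name__ == "__main__":
    holder = build_demo_holder()
    print(holder.share_with_adr("adr-fintech", "adr-secret", "cust-1", "cust-secret",
                                ["account_numbers", "id_verification", "contact_details"]))
```

The point of the model is ordering and scoping: no record is read until both parties are authenticated and a consent exists, and the released set is the intersection of what was requested, what was consented to and what the regime covers, with ID verification data and pre-cutoff records dropped regardless of consent. Any failed gate returns a reason and an empty result rather than partial data.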

At present, the ACCC is considering whether metadata should also be included. Metadata is data which gives information about other data, and may include timestamps and geolocation data.

Expected developments of CDRs

The ACCC’s view is that failures by data holders and ADRs to comply with their obligations will have civil penalty provisions, though the Framework does not currently identify which rules will be subject to a civil penalty.

The public consultation period runs until 12 October 2018. It is expected that draft rules will be published in December 2018 and will have legal authority once the relevant legislation, the Treasury Laws Amendment (Consumer Data Rights) Bill 2018, has been passed. This is anticipated to occur in 2019.

The information above is general in nature. If you want to learn more about open banking in Australia and how it may apply to you, please contact us below.