Open Banking takes shape
The features of Open Banking in Australia are now emerging, with the recent release of draft legislation and a proposed framework for the governing rules.
Open Banking will require banks to securely share a customer’s banking data with the customer and with approved third parties nominated by the customer, such as competing banks, comparison services and providers of financial management tools.
The Federal Government announced in May its intention to proceed with the recommendations of the Review into Open Banking. Open Banking will be phased in. Under the current timetable:
Major banks will have to make data available on credit and debit card, deposit and transaction accounts by 1 July 2019 and mortgages by 1 February 2020.
Data on all products recommended by the Review will be available by 1 July 2020.
Other banks will be required to implement Open Banking 12 months after the major banks.
Central to the Government’s plan is a general Consumer Data Right (CDR). Banking will be the first sector of the economy subject to the CDR, under Open Banking. Other sectors such as telecommunications and energy will follow in the future.
Draft legislation for the CDR, the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Cth) (the CDR Bill), was released for comment by Treasury on 15 August 2018. Submissions have now closed.
Who will regulate CDR?
The CDR Bill describes the roles that will be played by existing and new regulators under the CDR regime.
ACCC: The ACCC will make consumer data rules for designated sectors of the economy. The rules may deal with the disclosure, use, accuracy, storage, security and deletion of CDR data, accreditation of data recipients, reporting and record-keeping, and incidental matters. They can also deal with the charging of fees for disclosing CDR data. The ACCC released a framework for the consumer data rules on 12 September 2018 and invited submissions from interested parties. The framework document outlines how the ACCC will go about making the rules and has a summary of the content of the proposed rules.
Data Recipient Accreditor: The Data Recipient Accreditor will accredit persons who have the right to receive consumer data.
Accreditation Registrar: The Accreditation Registrar will establish and maintain a Register of Accredited Data Recipients.
Data Standards Chair and Data Standards Body: The Data Standards Chair will make technical data standards. These may cover the format and description of CDR data, the disclosure of CDR data, the use, accuracy, storage, security and deletion of CDR data, and any other prescribed matters. The data standards will be deemed to be a contract between each data holder of CDR data to which a data standard applies and each accredited data recipient. The Data Standards Chair may delegate the Chair’s functions or powers to staff of the Data Standards Body. Mr Andrew Stevens is the interim Chair and CSIRO’s Data61 is intended to be the Data Standards Body.
Information Commissioner: The Information Commissioner will have the power to enforce CDR data privacy safeguards (see below on these) and will be given the function of making guidelines in relation to the privacy safeguards, promoting understanding and acceptance of the safeguards, and undertaking educational programs to promote the protection of CDR data.
Minister: It will be the Minister who decides to designate sectors of the Australian economy that will be subject to the CDR. Before doing so, the Minister will have to consider the likely effect and regulatory impact, and consult with the ACCC and the Information Commissioner. The Minister will also have the power to appoint the Data Recipient Accreditor, the Accreditation Registrar, the Data Standards Chair, and the Data Standards Body.
Consumer protection and enforcement
There are some important provisions in the CDR Bill to protect consumers and enforce the new law and rules.
Misleading and deceptive conduct: There will be an offence of misleading or deceiving a person into believing that a person is a CDR consumer for CDR data, or that a person is making a valid request for the disclosure of CDR data under the consumer data rules, where the person does so knowing that the conduct is misleading or deceptive, or likely to be. This prohibition could catch fraudsters, for example, who pretend to be a consumer in order to access CDR data. The CDR Bill will also create a civil penalty which, unlike the criminal penalty, will not require the person to mislead or deceive knowingly.
Privacy safeguards: The CDR Bill sets out 12 privacy safeguards which are similar to the Australian Privacy Principles. A CDR participant will have to comply with these safeguards. The CDR Bill also extends the mandatory data breach reporting provisions in the Privacy Act to an accredited data recipient that holds a consumer’s CDR data.
Rules enforcement: The consumer data rules may specify that some of the rules will attract a civil penalty if they are breached.
What the consumer data rules will look like
The consumer data rules proposed by the ACCC will require data sharing to occur via APIs in accordance with the standards developed by the Data Standards Body and will limit data sharing to current customers of a bank who access and use online banking. The datasets will only extend to digital data. Identity verification assessments will be excluded, and in the first version of the rules, data sharing would not be subject to fees.
Three key concepts in the rules will be:
Consent: The consumer’s consent to the data recipient collecting and using the data.
Authorisation: The consumer authorising the data holder to share the data with the accredited data recipient.
Authentication: The process by which the data holder verifies the identity of the consumer who is directing the sharing of their data, and the identity of the accredited data recipient.
The proposed rules on consent will allow consumers with a joint account to give consent to shared joint data where they have individual authority to transact on the account. The rules will require accredited data recipients not to make consent a precondition to obtaining other services which are not related to or dependent on the sharing of CDR data. Consent will have to be unbundled from other directions, permissions, consents or agreements. It will not be preselected or deemed by silence. There will be rules to help provide consumers with a straightforward consent withdrawal process. Consumers will also be given a right under the rules to make requests for direct disclosure of their CDR data to themselves.
Authorisation rules will require data holders to clearly communicate to consumers what they are authorising that data holder to do. The authorisation standards will be subject to consumer testing and provide for multi-factor authentication. Consumers will be able to authorise specific, one-off requests or authorisations which persist over time, with a proposed 90 day time limit for a persisting authorisation.
In respect of accreditation of data recipients, the ACCC proposes a single general tier of accreditation. Accreditation will be conditional on the applicant being a fit and proper person with appropriate and proportionate systems, resources and procedures to comply with the legislation, rules and standards, having an internal dispute resolution process, and holding appropriate insurance. The rules will also cover when an accredited data recipient will be able to disclose data to an outsourced service provider. Outsourcing arrangements will have to be disclosed to the consumer during the consent process.
The ACCC proposes to recognise the Australian Financial Complaints Authority as the EDR scheme for all CDR participants.
The consumer data rules will include a requirement for data holders to make generic product data available via an API, in accordance with standards set by the Data Standards Body. This will assist product comparison services.
Consumers are sceptical, for now
Open Banking is frankly a reform driven by business rather than consumers, with the Government backing the idea because of perceived competition benefits.
It’s reported that a recent consumer survey by Accenture found two thirds of Australian consumers are not willing to share financial data with non-bank third parties, and some consumer groups have expressed concerns about the potential misuse of the CDR. However, a new class of “nomad” banking customers may be more willing to use the CDR to move around their banking and related services.
The Australian model for Open Banking is closely modelled on a UK regime which was rolled out in January 2018, about 18 months ahead of the first start date for the Australian scheme. It will be interesting to see the take-up rate in the UK and whether Open Banking becomes useful and accepted over time.
Patrick Dwyer and Kathleen Harris
Legal Directors