Open Banking: What's in and what's out
Open Banking is coming soon. There are complicated regulations about what information is included and what is excluded. For data holders required to disclose information, and accredited persons seeking to obtain that information, following these regulations is important.
The regulations are in the Competition and Consumer (Consumer Data Right) Rules 2019 (the “CDR Rules”) issued by the Australian Competition and Consumer Commission, currently awaiting approval from the Minister, which include special provisions for the banking sector (in Schedule 3), and in the Consumer Data Right (Authorised Deposit Taking Institutions) Designation 2019 made by the Minister on 4 September 2019 (the “Designation Instrument”).
Here is a high-level overview of some of the parameters for information regulated by Open Banking.
Information covered: The Designation Instrument defines 3 kinds of information (user information, product use information and product information). It excludes “materially enhanced” information and some types of credit information. The Designation Instrument also sets out which bodies are data holders affected by Open Banking.
Products affected: Deposits, loans and purchased payment facilities are specified in the Designation Instrument. Products are also classed into phase 1, phase 2 and phase 3 products in the CDR Rules for the phased introduction of Open Banking.
Required and voluntary data: The CDR Rules distinguish between data that must be given on request (required) and information that may be given on request (voluntary).
Product data and consumer data: The CDR Rules also differentiate product data (generic product information) and consumer data. There are required and voluntary categories of both product and consumer data.
Types of consumer data: Under the CDR Rules, consumer data is divided into 4 kinds: customer data, account data, transaction data and product specific data. These categories are mainly relevant to what is required consumer data, and what is voluntary consumer data. Customer data has additional data fields for when the person operates a business. Some types of customer data are neither required nor voluntary.
CDR consumers: Consumers must meet criteria to be eligible to request Open Banking data: at least 18 (if an individual), with an open account that is accessible online. These criteria are set out in the CDR Rules.
Joint accounts: There are special provisions in the CDR Rules relating to joint accounts. Data holders have to provide a service for joint account holders to jointly make data requests, to authorise accredited persons to access their data and to revoke these authorisations, and also for the account holders individually to revoke these requests or authorisations.
Older data: The Designation Instrument specifies 1 January 2017 as the earliest day applicable for beginning to hold information. In the CDR Rules, account data is excluded from required customer data if it relates to a direct debit authorisation where the account is open, but the direct debit occurred more than 13 months ago, or to a direct debit authorisation where the account is closed. Transaction data is excluded from required customer data for open accounts when it is more than 7 years old, and for accounts closed more than 24 months ago, or where it is more than 12 months old on an account closed for less than 24 months.
Transitional provisions: There is a phased introduction of Open Banking. The big 4 banks start earlier. There is a matrix in the CDR Rules explaining the timeframes for the rollout of Open Banking, depending on the institution and the product types (phase 1, 2 and 3 products).
If you need assistance navigating your way through Open Banking, we can help.
Patrick Dwyer and Kathleen Harris
Legal Directors