Tuesday, 30 April 2019

In May last year, the Commonwealth Government announced that it would introduce an overarching Consumer Data Right (CDR), starting in the banking sector with the phased implementation of ‘Open Banking’ from 1 July 2019.

While the starting dates for the CDR have since changed, the ambition of the program remains unaltered, with the ACCC already engaged in preliminary discussions to extend the CDR beyond banking to the power and telecommunications industries.

So, what is Open Banking/CDR? What is the potential impact of this on Ultradata clients? And what is Ultradata doing about it?

Anthony Voigt, General Manager of Innovation, has written the following article for us to help explain more.Open Banking Project

The Consumer Data Right

The CDR is a plan to provide all Australian consumers with a right to safely share the information they currently hold with businesses. Australian consumers will be able to safely share their information with accredited others they trust. As expressed by the ACCC:

“The Consumer Data Right (CDR) will provide individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses; and to authorise secure access to this data by trusted and accredited third parties. The CDR will also require businesses to provide public access to information on specified products they have on offer.”

This right will be enshrined in legislation.

Why do this? The key policy objective is consumer benefit. That is, the CDR is planned to provide consumers with better and more cost-effective products and services.

How will this occur? Through:

  • better access to product comparison information (allowing business to create targeted offers and consumers to compare these offers more easily); and
  • new and improved services (from either existing industry participants or new entrants) through enhanced solutions based on the wider access to data enabled by the CDR.

Again, to quote the ACCC:

“CDR is designed to give customers more control over their information leading, for example to more choice in where they take their business, or more convenience in managing their money and services.”

The first industry where the CDR is to be implemented is banking. The CDR in the Australian banking industry will do two things:

  • require all Authorised Deposit-taking Institutions (ADIs) to share standard information about their consumer banking products (‘product reference data’); and
  • allow all consumers to share their own banking data (‘consumer CDR data’ e.g. balances, transaction histories, loan data, etc.) with trusted third parties.

Many other countries have already introduced a form of Open Banking or are planning to do so. But Australia is, so far, unique in planning to extend the idea across multiple industries through the CDR. The next industry off the rank is power, followed by telecommunications. Others are expected follow; ultimately the CDR is planned to apply economy-wide.

How will the CDR work?

The simplest way to understand the CDR in banking is through the diagram below.

CDR Work

There are three parties:

  • Consumers: individuals, businesses, etc., who have banking accounts
  • Data Holders: ADIs
  • Accredited Data Recipients: third parties that have been accredited by the ACCC as being suitable recipients of consumer data.


The process will work like this:

1. The Consumer will provide consent to an Accredited Data Recipient accessing their data (e.g. a budgeting app wanting to access banking details).
2. The Accredited Data Recipient will request this data from the Data Holder (the consumer’s ADI).
3. The Data Holder will start the process of confirming this with the consumer by first authenticating them.
4. The Data Holder will then obtain the consumer’s authority to release the data.
5. Finally, the Data Holder will then release the data to the Accredited Data Recipient.

In its initial form, the CDR will support ‘read only’ access. This will allow Consumers to provide Accredited Data Recipients with the authority to access the Consumer’s CDR data and to use it for an authorised purpose (e.g. in a 3rd party app).

The ability to support ‘write’ access may be considered at a later date. Should this be forthcoming, this will allow Consumers to authorise Accredited Data Recipients to make changes to their banking records (e.g. to update information or possibly even initiate payments).

The potential impact of the CDR

To understand the potential impact of the CDR we need to consider the two capabilities that will make it possible.

The first is the supporting framework of legislation, rules, regulations, standards and compliance obligations being established. A large number of Commonwealth bodies are actively progressing the creation of this framework, including the ACCC, Treasury, the Office of the Australian Information Commissioner and a CSIRO offshoot, Data61. In addition to this work, a large number of industry participants (one of which is Ultradata) are actively engaged in the consultative process surrounding the framework.

The second capability supporting the CDR is technological. The underlying technical framework is Application Programming Interfaces (APIs). APIs are software capabilities that allow the efficient, scalable and secure transmission of data between systems. They are commonly utilised across many, if not all large-scale technology solutions including those delivered by Ultradata. APIs are now so widespread that it would be hard to find any large or modern system that does not use them. If you have an app on your phone, it uses APIs.

APIs can be either private (e.g. to support in-house system data exchange) or public (e.g. many government databases are being opened through public APIs and the Google Maps APIs can be accessed by anyone). As more and more systems become supported by APIs, so too does the opportunity to utilise the data and functions delivered by those systems. Distributed data and functionality, supported by APIs, is a hallmark of modern system development.

The CDR is built on APIs. A large amount of the work undertaken to date has been the establishment of a series of standards describing the APIs needed to support the CDR in the banking industry, and ultimately in other industries too. This work is now well-progressed. An initial version of the APIs has been established and iterative refinements will be added regularly.

So what can market participants do with these APIs? Well, a great deal. Think about the two categories of data that will be supported by the CDR mentioned earlier: product reference data and consumer CDR data.

Widespread availability of product reference data is designed to allow consumers to compare and contrast competing product offers – and to find the best deal. Instead of having to make sense of different offers that often can be expressed in diverse (or sometimes confusing) ways, consumers should be able to use product comparison tools and services that provide clarity like never before. In theory, all of us as consumers should benefit from this.

Supporting this will be the ability of consumers to share their own banking data (consumer CDR data) with trusted third parties. This will allow consumers to consent to their banking data being shared with a range of solution suppliers.

The policy objective here is competition. The widespread adoption of Open Banking is designed to facilitate new products, services, solutions and competition; all designed to enhance the value that consumers derive from their banking. In theory, it may even introduce a new way of banking in which we rely on a variety of third-party tools, potentially supplied by a range of different suppliers, to manage and optimise our finances.

The impact of the CDR for ADIs

ADIs need to consider the impact of the CDR in two areas.

Mandatory obligations
All ADIs will be obliged to participate in the CDR regime in their role as Data Holders. In this capacity they will be required to:

  • share generic product reference data via standard APIs;
  • support standard authentication and authorisation processes that will apply when a consumer consents to sharing their data with an Accredited Data Recipient;
  • make consumer CDR data accessible via standard APIs (once this is authorised by consumers);
  • provide one or more ‘dashboards’ that will allow consumers to view, manage and revoke authorisations;
  • enable consumers to access their CDR data directly;
  • abide by a range of compliance obligations; and
  • provide periodic mandatory reporting on CDR delivery and compliance.

Opportunities

ADIs also need to think about how they might want to access the opportunities that will become available under the CDR.

Most notable among these is to consider what opportunities exist by becoming an Accredited Data Recipient. ADIs will be offered a streamlined accreditation process for becoming an Accredited Data Recipient, so the work involved will be relatively straight-forward. Once accredited, ADIs can offer enhanced CDR-enabled products and services to their customers as easily as any third party.

Examples of these opportunities include account aggregation and obtaining detailed information about a customer’s existing loans to streamline loan applications. Ultradata has a draft list of over 200 potential use cases which may benefit from access to CDR consumer data.

When will Open Banking commence?

For a variety of reasons the CDR timetable is fluid and has already changed a number of times. Furthermore, due to delays in progressing the supporting legislation it is likely that the timetable will change further.  Things will also depend on the results of the forthcoming federal election.  That said, the current timetable is:Open Banking Timeline

Note: See above. It is likely that this timing will change.

Ultradata Clients are classified as ‘Subsequent Data Holders’ and so the current timing proposes that they will be required to participate in the CDR regime as Data Holders from 1 July 2020 (note: for a limited product set initially).

ADIs also have two other options:

  • they can seek to participate in the CDR regime as Data Holders earlier than 1 July 2020; and
  • if they become Accredited Data Recipients before 1 July 2020 they will be deemed a ‘Reciprocal Data Holder’ and be obliged to participate in the regime not just as a Data Recipient but also as a Data Holder.

The merits of adopting either option would need to be carefully considered.

What is Ultradata doing about Open Banking?

Ultradata initiated an Open Banking project in mid 2018 and has been actively involved in the program ever since.

We have actively participated in industry consultation programs and have made submissions regarding API standards and customer experience workflow methods. We also have representatives regularly attending industry consultation forums and workshops.

We have also initiated an Open Banking Client Advisory Group which includes representatives from seven clients. Given the rate of progress and change in the CDR program, the Client Advisory Group currently meets every three weeks.

Ultradata has also identified the need for at least four workstreams and is progressing each of these as appropriate:

  • API frameworking, mapping and set up, to support our clients' Data Holder obligations under the CDR regime;
  • the establishment of suitable API deployment framework/infrastructure;
  • authorisation interfaces and management dashboards for consumers along with reporting and related functions for clients; and
  • legals, compliance and commercials.

Note: a fifth workstream (or more) may emerge if/when Ultradata decides to create Use Cases in support of our clients acting as Accredited Data Recipients.

If you would like to know more about Open Banking or the CDR more generally, some useful links are:


And if you would like to know more about Ultradata’s approach please don’t hesitate to contact us.