- Rapid advancements in data collection, aggregation and analytics are opening up the power of digital information to everyday users.
- This is driving a step-change in the way financial services providers and fintech businesses are seeking to add value to payments data and broader treasury management functions.
- The introduction of open banking in Australia from July 2019 will provide individuals and businesses with access to their data held by banks, and authorise secure access by trusted third parties.
The rise of open banking
Governments in many jurisdictions have sought to establish regulation within the financial services sector that delivers consumers with greater control of their own data. The cornerstone of the open banking model is consumer access to the information that financial institutions hold on them, and the opportunity to authorise access to trusted third-parties.
The rise in open banking regimes around the world seeks to address an evolving consumer demand for easier access to information, and importantly, deliver benefits through the introduction of innovative new digital services that add value to financial data.
In the UK, the Competition and Markets Authority established open banking in early 2018 on behalf of the UK Government, which was designed to provide a regulatory framework to heighten competition and innovation within the UK financial services industry.
European Union member states also introduced the second Payment Services Directive (PSD2) in early 2018, allowing bank customers to retrieve and share their account data. The PSD2 is already driving greater collaboration between banks and other digital platform providers to jointly address changing consumer demands for transparent, integrated and value add services.
The Australian Government announced that it would also introduce an open banking regime in mid-2017, which was followed by an independent review into open banking implementation. In response to the review, the Government has recently confirmed the introduction of the Consumer Data Right (CDR), ahead of the phased introduction of open banking from [July] 2019.
“Open banking provides a platform to re-energise and supercharge the customer experience, and the Consumer Data Right (CDR) regulation sits at the centre. The potential for accredited service providers to offer innovative, data-driven solutions to consumers can lead to better informed decision making and enhanced financial outcomes.”
David Scorzelli, Director FI Banks, Commonwealth Bank
ACCC sets out draft CDR rules
In September 2018, Australia’s competition regulator, the Australian Competition and Consumer Commission (ACCC), released the CDR draft rules framework for further industry consultation. This framework outlined the rules that the ACCC deemed essential to the commencement of the CDR on 1 July 2019.
While the ACCC’s draft rules remain open to industry consultation, public input and future iterations, it has provided the financial services sector with initial insight into what the industry must do in order to comply with the CDR.
Once finalised, the ACCC rules intend to regulate the application of the new consumer data right to each designated sector of the economy. It is envisioned that the rules will initially apply to the banking sector, then to energy and telecommunications, and subsequently to other sectors within the Australian economy.
ACCC draft rules – 10 key highlights
While the draft rules cover a broad spectrum of issues in relation to the CDR, some noteworthy indicative guidance included:
- Upon full implementation, all authorised deposit-taking institutions (ADIs) will be data holders (except for foreign bank branches).
- Accredited data recipients will be required to obtain a consumer's 'freely given' consent to the collection, use and sharing of data.
- The CDR applies to any type of consumer who is seeking information.
- Upon seeking a consumer's consent, a data recipient must disclose, without ambiguity, how their data will be used.
- Where a data recipient enters into an outsourcing arrangement they must ensure appropriate plans and processes are in place to manage associated risk.
- For foreign entities to comply with the CDR, they are required to appoint local agents that are liable for their principal's actions.
- Should an accreditation be revoked, the data recipient must delete consumer data.
- Both data holders and accredited data recipients will need to have a system in place for consumers to easily manage authorisations.
- Data resulting from 'material enhancement' will be excluded from the scope of the regime.
Issues yet to be resolved
In developing the rules, the ACCC’s proposes to focus only on those areas it considers essential for the commencement of the CDR in July 2019, and that prioritises benefits to consumers without compromising the security of data.
As a result, while the ACCC draft rules provide greater visibility over the future framework for implementing the CDR as a crucial component of open banking, not all issues have been addressed at this stage.
This includes clarity around rules in relation to privacy safeguard 10. The safeguard requires participants to take reasonable steps to ensure data is accurate, up-to-date and complete at the time of disclosure. Identity verification is also important, but cannot be fully considered given current anti-money laundering law reform.
Another consideration is uncertainty relating to the treatment of data that is ‘directly or indirectly derived’ from underlying CDR data. Specifically, where ‘transformed’ or ‘value-added’ data can encompass a spectrum of activities, from simple transformation of data (arithmetic or collation) through to sophisticated analysis.
These are just some of the considerations that the market may be seeking further clarity on over time, and may form a focus for the ACCC as it advances towards delivering a robust regulatory framework for the implementation of CDR.