The report of the Inquiry into Future Directions for the Consumer Data Right (CDR), strategically released on 23 December, states
The Inquiry was asked to make recommendations on options to expand the CDR’s functionality. This includes how the CDR could be expanded to include ‘write’ access so that consumers could not only choose to share their data through the CDR, but also apply for and manage products including, for Open Banking, by initiating payments. The Inquiry was also tasked with examining how the CDR could be used to overcome barriers to consumers conveniently and efficiently switching between products and providers, and to consider ways to ensure that the CDR promotes innovation in a manner inclusive of the needs of vulnerable consumers. Lastly, the Inquiry was asked to identify opportunities to leverage the CDR to enhance opportunities for Australian consumers, businesses and the Australian economy, and to leverage the CDR infrastructure to support productivity and a safe and efficient digital economy.
Overview of future directions and recommendations
The Inquiry has been guided by the same four key principles that guided the CDR from its inception and through the implementation of Open Banking. These are that the CDR should be consumer focused, encourage competition, create opportunities and be efficient and fair. The process of completing the Inquiry has been highly consultative. The Inquiry has considered formal submissions from 73 interested parties in response to its Issues Paper. It has also met virtually with over 300 representatives from industry, peak bodies, consumer groups, regulators, government and academia, including parties in overseas jurisdictions. Further information on consultation undertaken by the Inquiry is contained in Chapter 1. Public submissions are listed at Appendix B.
The Inquiry has reported on future directions and recommendations for the CDR in the following chapters: • Chapter 1 introduces the Inquiry’s Terms of Reference, background information, the guiding principles of the Inquiry and the key themes from submissions. • Chapter 2 presents the four future directions for the CDR. • Chapter 3 sets out the switching journey in Figure 3.1 and the role of CDR on this journey. It examines the risks and benefits of switching and barriers faced by consumers who wish to switch. • Chapter 4 outlines how the CDR’s functionality could be expanded to include action initiation, including a framework for action initiation and the action initiation process. • Chapter 5 examines how action initiation could enable customers to apply for and manage products, including initiating payments, in the banking sector. • Chapter 6 examines potential enhancements to the CDR ecosystem, including tiered accreditation, voluntary data sets, consent taxonomies and consent management. • Chapter 7 considers the consumer safeguards that are necessary to ensure trust in the CDR, including privacy protections. • Chapter 8 explores the opportunities available to leverage CDR infrastructure, including in relation to digital identity solutions, standard setting and the accreditation regime. It also looks at how the CDR can be leveraged with similar regimes internationally. • Chapter 9 outlines a roadmap for the Inquiry’s recommendations, taking into consideration initial sector assessment and priorities for implementation. Additional reference information on Inquiry matters and issues are dealt with in the appendices.
Chapter 1 – Introduction to the Inquiry
As the CDR rolls out into the banking sector, the Inquiry was announced to consider future directions for the CDR. The Inquiry has been guided by the principles of a CDR that is consumer focused, encourages competition, creates opportunities and is efficient and fair. For the digital economy to work safely, efficiently and fairly, the CDR needs to function effectively in conjunction with other frameworks and regulations, including those related to consumer protection, information security, data protection and sectoral regulation. A balanced approach to safety, efficiency and effectiveness is needed. This may involve some enhancements to existing laws and regulations.
Chapter 2 – Future Directions for the Consumer Data Right
There are four future directions for the CDR. These are: 1. Beyond data sharing, towards data-empowered consumers 2. Beyond open banking, towards an economy-wide foundation 3. Beyond a standalone system, towards an integrated data ecosystem 4. Beyond Australia’s borders, towards international digital opportunities These future directions show the ways in which the CDR should expand to strengthen the foundations of Australia’s digital economy. The implementation of the recommendations from the Inquiry should be expedited to deliver on the CDR’s benefits to Australia and Australians. Chapter 3 – Expanding the Consumer Data Right to support switching The CDR currently assists consumers to identify products that best suit their needs based on analysis of their consumer data and the range of products on the market. Expanding the CDR to help consumers switch easily and conveniently between products will provide even greater consumer benefit and, importantly, cost savings. The CDR can be used to overcome behavioural and practical barriers to convenient and efficient switching between products and providers. Encouraging consumers to use the CDR to switch and realise its benefits will require consumer trust and confidence in the system. An expanded CDR will support services that could assist with tailored product identification and switching and facilitate general management of a consumer’s data. Analysis and comparison of all available products, including bundled products, should be enabled by the CDR. The Inquiry discusses how switching in some sectors is impacted by sector-specific legislative or regulatory frameworks that may need to be reviewed to deliver the most streamlined consumer experience.
Chapter 4 – Action initiation framework
The CDR provides a secure set of channels through which accredited persons can communicate with data holders. These channels should also be opened to suitably accredited persons to initiate actions on a consumer’s behalf with the consumer’s consent. Enabling action initiation in this way would allow the CDR to facilitate a much broader range of functions, and increase the range of products and services available to consumers. The legislation that gives legal basis to the CDR should be amended to enable action initiation. Action initiation should also be governed by the Rules and Standards. As with data sharing, the suitability of sectors for CDR action initiation should be determined through a sectoral assessment process. In enabling action initiation through the CDR, the current consent framework should be maintained to ensure that the system promotes confidence among consumers. This framework should also be bolstered by enabling additional authorisation processes to allow data holders to confirm the validity of action initiation requests received through the CDR. This will help enable data holders to comply with their other obligations and protect consumers.
Chapter 5 – Action initiation in the banking sector
The CDR should be expanded in the banking sector to include action initiation. There should be two broad classes of actions – ‘payment initiation’ and ‘general action initiation’ – in the banking sector. Bank account-to-account payment initiation should be prioritised to leverage developments in the Australian payments industry. CDR payment initiation’s design features should enable a customer to authorise a suitably accredited person to use the CDR to initiate a payment on their behalf. Broadly, it should apply to all authorised deposit-taking institutions (ADIs) and accounts subject to CDR data sharing and have broad and extensible functionality. It should allow for competition among payment systems and the initiation of payment instructions through standardised application programming interfaces. CDR payment initiation should provide a consistent and integrated consumer experience with data sharing. ADIs may also charge reasonable fees for complying with payment initiation requirements. The allocation of liability under CDR payment initiation should be principles-based, building on existing compensation arrangements. The ePayments Code should be updated to clarify how its liability provisions apply when a third party initiates a payment. A CDR payment initiation roadmap should be published in consultation with the payments industry. CDR agencies should engage with operators of major payment systems to explore opportunities to align third party payment initiation arrangements with the CDR payment initiation design features. Once CDR payment initiation is fully in place, strong consideration should be given to prohibiting the use of third party access to a customer’s digital banking portal to make payments. General action initiation in the banking sector should enable product applications, updating details, managing products and closing a product or account. However, certain information should be explicitly excluded from change due to privacy and safety concerns. Priority should be given to product applications and establishing new customer relationships in developing general action initiation to support switching. The CDR should enable consumer-directed sharing of Know Your Customer outcomes when the reliance provisions are expanded.
Chapter 6 – Read access enhancements The CDR framework should encourage participation by consumers, accredited data recipients (ADRs) and service providers in the data economy. This means enabling the broad range of specialised services provided by participants in the data economy to flourish in the CDR, and for accreditation requirements to be calibrated according to the level of risk participants are required to manage. Where participants receive accreditation, they should be willing to provide, as well as receive consumer data at consumers’ request. The range of data utilised in the CDR environment should not be limited only to data identified in the process of sectoral designation. The CDR provides a strong framework for data sharing and standards that can be utilised for a broad range of data sets, a process that encourages the use of voluntary data sets should be developed. Consents and authorisations form the foundation of the CDR, outlining the terms on which a consumer agrees to engage with the regime. The language in these consents should therefore be as accessible to consumers and accredited persons as possible, enabling all parties to engage confidently in the system. Consumers should also be empowered to more easily keep track of their consents, making it more convenient to engage with the regime.
Chapter 7 – Consumer safeguards Additional consumer safeguards will be required as the CDR’s functionality expands to ensure consumers benefit, and their rights are protected. Key CDR data sharing consumer protections should be extended and adapted for CDR action initiation, with consumers having access to appropriate remedies if accredited persons or data holders act without appropriate consumer consent or authorisation. Additionally, the Inquiry considers that the CDR regime should oblige an accredited person to act efficiently, honestly and fairly in initiating actions. In some sectors, it may be appropriate that a higher standard apply either generally or in relation to particular actions. As existing laws and regulations and sectoral specific regulation will continue to apply to businesses that provide products and services using the CDR, the interaction and potential overlap between industry-specific consumer protections and the CDR regime should be considered when assessing a sector for designation. Consideration of the needs of vulnerable consumers, and the participation of consumer representatives, will be important in developing a safe and inclusive CDR, while consumer education will remain a crucial tool in building understanding and trust in the CDR. As action initiation will require additional data to be exchanged to realise the action, privacy and information security assessments must take place to ensure proportionate and appropriate protections are in place.
Chapter 8 – Opportunities for connecting the CDR to the data economy
The CDR of the future will require a mechanism for ensuring customers are who they purport to be. The level of customer authentication required is likely to be variable for different data sets and different actions in different sectors. A minimum authentication assurance standard, applicable to both data holders and accredited data recipients, should be developed which supports interoperability and flexibility for participants, and meets consumer experience standards. As Australia’s digital economy grows, the established framework and infrastructure supporting the CDR has potential for wider use domestically and internationally. The Data Standards Body expertise in data standards setting should be available for government data sharing initiatives, while the data safety assurances provided by the CDR accreditation process can be leveraged by regimes outside the CDR where similar data protections are required. The CDR should not seek to duplicate regulation imposed by external regulators or industry frameworks. Where applicable the CDR should align with, or recognise external accreditations held by participants. The CDR presents significant opportunities for consumers and entities providing data-driven services. Under the CDR, the additional data shared, with the consent of the customer, provides opportunities for entities to use artificial intelligence (AI) technologies for product innovation and insights into a business’s consumer base. There is a need for further guidance about transparency requirements relating to data aggregation activities such as the use of algorithms. While there are a range of different approaches in international data portability regimes, there is scope for interoperability. To further this, Australia should continue to use open international standards where available, streamline accreditation to recognise foreign regimes where appropriate and seek mutual recognition with the United Kingdom. Australia should seek an opportunity to convene an international forum and formalise existing dialogue with international policy bodies.
Chapter 9 – Consumer Data Right Roadmap
The Inquiry recommendations have identified a broad range of initiatives that play an important role in the future success of the CDR. To enable effective implementation and maximum benefit to consumers, the path forward must be planned with an understanding of which CDR components complement one another, and what costs are likely to be incurred by participants. An integrated CDR Roadmap must be developed signalling the major steps to be taken as the CDR develops to enable investors in the data economy to prepare accordingly. Engagement with stakeholders will remain a priority as the CDR grows. This includes consultation with external reviews and consultations relevant to the data economy within and outside government. Post implementation reviews will enable lessons from implementation to feed into the ongoing work as further sectors and capabilities are introduced to the CDR.
The Inquiry's recommendations are summarised as ...
Chapter 1 – Introduction to the Inquiry
Recommendation 1.1 – Balanced approach to safety, efficiency and effectiveness The Consumer Data Right should be developed to be safe, efficient and effective. A balanced approach is needed to realise meaningful benefits to consumers and grow participation in the data ecosystem.
Recommendation 1.2 – Clarity in relation to other laws and regulations The Consumer Data Right operates in conjunction with other laws and regulations, including sectoral regulation. However, amendments to these other laws and regulations may be required to enable the benefits of the Consumer Data Right to be fully realised. Similarly, the Consumer Data Right may enable new behaviours and practices which may warrant a government response through other laws and regulations. Consumer Data Right development and operational processes should identify emerging behaviours and practices of concern and refer them to appropriate policy makers and regulators. Government should articulate with clarity when a response should occur through the Consumer Data Right or other laws and regulations.
Chapter 3 – Expanding the Consumer Data Right to support switching
Recommendation 3.1 – Analysis and comparison of bundled products Analysis and comparison of bundled products should be facilitated by the Consumer Data Right. The Data Standards Body should consider the most appropriate and efficient method to better enable product reference data about the range of services available, including bundled products, to be provided to consumers and accredited persons.
Chapter 4 – Action initiation framework
Recommendation 4.1 – Action initiation through the Consumer Data Right The Consumer Data Right should be expanded to enable third parties, with a consumer’s consent, to initiate actions beyond requests for data sharing. This expansion should build on trust developed in the system through the successful operation of the regime in enabling data sharing.
Recommendation 4.2 – Framework and sector designation powers for action initiation The expansion of Consumer Data Right functionality to include action initiation should be implemented primarily through amendments to Consumer Data Right framework in the Competition and Consumer Act 2010. These amendments should delegate powers to the Consumer Data Right rule maker and Data Standards Chair where appropriate. The amendments should set out the associated powers for the making of Rules and Standards and enable the designation of actions within a sector by the Minister.
Recommendation 4.3 – Sector assessment for action initiation Sectoral assessments should be required prior to the designation of action initiation in a sector. The process for conducting a sectoral assessment for action initiation should be analogous to that for data sharing. Sectoral assessments for action initiation should consider particular classes of actions based on the matters in subsection 56AD(1) of the Competition and Consumer Act 2010 , adapted as required. Additionally, the sectoral assessment should consider sector-specific regulatory barriers that may prevent action initiation from being facilitated safely, efficiently and effectively, and the digital maturity of the sector to implement action initiation. The OAIC should also consider specific classes of actions when assessing potential privacy and confidentiality implications of designating a sector.
Recommendation 4.4 – Alignment between the Consumer Data Right and sector-specific regulation When conducting sectoral assessments, consideration should be given to whether regulatory and legal changes are required and appropriate to enable action initiation within a sector.
Recommendation 4.5 – Action initiation process Action initiation through the Consumer Data Right should be based on the existing consent, authentication and authorisation processes currently used for data sharing, with appropriate amendments.
Recommendation 4.6 – Supported instructions for action initiation Action initiation in the Consumer Data Right should only enable an accredited person to initiate actions which the consumer is already able to perform with a data holder. Action initiation should not be used to force data holders to perform actions which they would not otherwise offer, or which are prohibited under other regulation. This principle should be used to steer consideration of what actions are designated for action initiation.
Recommendation 4.7 – Exclusion from action initiation Certain actions that are deemed to be of significant risk to consumers’ security or privacy should be excluded from being able to be actioned through the Consumer Data Right. Such actions should be determined through consultation with industry and consumer representatives during the sectoral assessment and implementation within a sector. The updating of passwords is an example of one such excluded action.
Recommendation 4.8 – Accreditation for action initiation The accreditation regime should be extended to include tiered accreditation for action initiation, with those actions posing greater potential risk to the consumer requiring higher tiers of accreditation.
Recommendation 4.9 – Accredited persons’ interactions with other regulatory regimes As sectors are designated for action initiation, the relevant sectoral regulators should examine whether additional guidance or education material should be provided to assist persons seeking accreditation understand how the services they propose to provide using the Consumer Data Right could be treated under existing regulatory regimes. Prospective accredited parties should be encouraged to consider these issues.
Recommendation 4.10 – Consent to send instruction and consent to initiate action Accredited persons should be required to obtain access and usage consents to initiate actions for consumers. These consents should be voluntary, express, informed, specific as to purpose, time-limited and easily withdrawn.
Recommendation 4.11 – Consent processes and consumer experience Action initiation consent processes should be subject to Consumer Experience Standards and Guidelines to ensure that processes produce genuine consent. The Data Standards Chair should consider additional safeguards which balance the need for security with consumer experience where appropriate.
Recommendation 4.12 – Ongoing consent arrangements Consumers should be able to provide consents to accredited persons to initiate actions on their behalf on an ongoing basis, within the consent’s time limit. Additional safeguards should also be considered for inclusion in the Rules.
Recommendation 4.13 – Restrictions on unnecessary actions The Rules should restrict accredited persons to only being able to request access consents for actions that are relevant to the provision of a service.
Recommendation 4.14 – Authentication requirements by data holders Data holders should be obliged to authenticate consumers prior to requesting action initiation authorisations. Authentication requirements should be reviewed by the Data Standards Body to ensure they reflect the risks associated with action initiation.
Recommendation 4.15 – More explicit requirements for accredited persons to authenticate customers The Consumer Data Right should include explicit requirements for accredited persons offering action initiation enabled services to authenticate customers in circumstances where there is an ongoing provision of service to that customer. These requirements should be based on international standards on authentication processes.
Recommendation 4.16 – Authorisation to take a specific action Whether the taking of a particular action should require a specific authorisation to be given to a data holder should depend upon the nature of the action requested and other factors, such as the value of the transaction and existing practices and processes in the sector. These requirements should be enabled in the Rules and specified through the Standards.
Recommendation 4.17 – Data holders to require explicit consumer authorisation to accept instructions Data holders should only progress actions initiated by accredited persons when they have received the consumer’s explicit authorisation to do so. The Data Standards Body should investigate the benefits of enabling fine-grained authorisation for specific action classes, with recommendations being driven by consumer experience and security considerations.
Recommendation 4.18 – Obligation to act Data holders should be obliged to progress actions initiated by an accredited person for which the consumer has provided a valid authorisation to the same extent as they would otherwise be obliged to progress such an action were the request provided directly by the consumer through another channel. Data holders should not be able to discriminate based on the channel through which the instruction was received.
Recommendation 4.19 – Existing data holder obligations Data holders should remain subject to any requirements imposed on them by other regulatory regimes and measures may need to be built into the Consumer Data Right to facilitate this. The Consumer Data Right should similarly contain provisions to assist data holders in managing commercial risks, such as fraud, when assessing actions initiated by accredited persons on the consumer’s behalf. Data holders should remain capable of conducting reasonable step-up authentication measures to ensure the validity of any requests. The way in which these measures are conducted should be commensurate to the risk of the action being requested and not detract from the rights of access granted to accredited persons.
Recommendation 4.20 – General liability for action initiation For action initiation, the general liability framework should extend the principle underpinning the operation of section 56GC of the Competition and Consumer Act 2010. This will protect data holders from liability when acting in compliance with the Consumer Data Right regime in response to an action initiation instruction for which they have received the consumer’s authorisation to accept. For the avoidance of doubt, the data holder continues to be subject to any regulatory or legal obligations that would otherwise apply if the instruction had come directly from the customer.
Recommendation 4.21 – Notification of action initiation In designing the Consumer Data Right framework, processes should be included to enable consumers to be notified when an action is initiated on their behalf by an accredited person.
Recommendation 4.22 – Cessation Accredited persons should be required to cease acting on the consumer’s behalf through the Consumer Data Right when they no longer have a valid consent. Accredited persons should be required to communicate this cessation to the data holders to whom they could previously send actions.
Recommendation 4.23 – Record keeping
Accredited persons and data holders should be required to keep records of the actions that were initiated through the Consumer Data Right, as well as records of the consumer’s consents and authorisations.
Chapter 5 – Action initiation in the banking sector
Recommendation 5.1 – Designation of the banking sector for action initiation The banking sector designation under the Consumer Data Right should be extended to include action initiation, including payment initiation. The designation process should include thorough regulatory and privacy impact assessments and detailed consultation on the designation instrument prior to a final decision by the Minister. The banking sector designation should specifically set out the classes of general action initiation and payment initiation that should be supported.
Recommendation 5.2 – Prioritising bank account-to-account payments Bank account-to-account payment initiation through the Consumer Data Right should be prioritised so its design can be coordinated with developments in the Australian payments industry and to expedite the benefits it can bring to customers.
Recommendation 5.3 – Bank obligation to support Consumer Data Right payment initiation Consumer Data Right payment initiation should apply to all authorised deposit-taking institutions subject to the mandatory data sharing obligation under Open Banking. These authorised deposit-taking institutions should be obliged to provide access to third party payment initiation and process any valid payment instruction received from an appropriately accredited person through the Consumer Data Right, as if it had been provided by the customer through any other digital channel. Banks should continue to be subject to existing obligations placed on them by other regulatory regimes.
Recommendation 5.4 – Broad and extensible payment instruction functionality Consumer Data Right payment initiation functionality should be broad and extensible, including the list of payment functionality in Table 5.3A. Both payer and payee payment initiation should be enabled to initiate payments (with consumer consent), to allow flexible ongoing payment initiation consents and authorisations, and permit step-up authentication by the customer’s authorised deposit-taking institution when required. Payment-related action functionality, such as registered payee management, should complement payment initiation functionality and be considered part of general action initiation.
Recommendation 5.5 – Coverage of accounts Consumer Data Right payment initiation should apply to the bank accounts in Table 5.4 that ordinarily support payment functionality for customers. The Consumer Data Right should not require authorised deposit-taking institutions to provide new payment functionality in the accounts provided, only a new channel for using existing functionality exercisable with the customer’s authority.
Recommendation 5.6 – Competition in the payments system The Consumer Data Right payment initiation should be designed to allow competition among payment systems in order to improve consumer outcomes. By enabling flexibility in implementation, Consumer Data Right payment initiation should leverage future developments in the payments system.
Recommendation 5.7 – Accreditation for payment initiation Only an appropriately accredited person should be allowed to initiate payments through the Consumer Data Right. An assessment should be conducted by the Consumer Data Right rule maker to determine whether additional requirements to the unrestricted accreditation tier should be placed on those seeking to initiate payments, including how information security and insurance requirements should be adjusted. This assessment should also consider whether different tiers of accreditation for payment initiation could be enabled.
Recommendation 5.8 – Standardised payment initiation application programming interfaces Authorised deposit-taking institutions should be obliged to receive a Consumer Data Right payment initiation instruction from an appropriately accredited person through a standardised application programming interface. Consumer Data Right agencies should engage with operators of major payment systems to develop Consumer Data Standards for bank account-to-account payment initiation that are, as far as possible, not specific to a particular payment system. The NPP API Framework, the UK Open Banking standards and standards used for international payments should be used as important reference points for developing these standards.
Recommendation 5.9 – Cost of providing payment initiation Authorised deposit-taking institutions should be entitled to charge for complying with Consumer Data Right payment initiation requirements. The ACCC should be empowered to intervene if unreasonable fees are charged.
Recommendation 5.10 – Consent-driven payment initiation Consumer Data Right payment initiation should require the explicit consent of the consumer regarding the types of payments that are being enabled, and the purposes for which these payments are being allowed.
Recommendation 5.11 – Authentication requirements for payment initiation Authentication requirements for authorised deposit-taking institutions and accredited persons engaged in payment initiation should be determined based on an assessment of the risks inherent to payment initiation, as well as the need for consistency in the consumer experience.
Recommendation 5.12 – Fine-grained payment initiation authorisation Consumers should be able to provide some level of specificity to their banks when authorising them to accept payment initiation instructions from an accredited person through the Consumer Data Right. The level of specificity required should be determined in the Rules and Standards.
Recommendation 5.13 – Consistent and integrated consumer experience Consumer Data Right payment initiation should be designed to integrate into the rest of the Consumer Data Right to provide a consistent experience for consumers. Subject to consumer experience testing by the Data Standards Body, this should include the ability to provide consents and authorisations for data sharing, action initiation and payment initiation through a single process. Consumer Data Right agencies should engage with operators of major payment systems to support the alignment of payment consent mechanisms with the Consumer Data Right’s consumer experience standards and guidelines.
Recommendation 5.14 – Allocation of liability and supporting fraud mitigation The existing compensation arrangements between the bank and the customer, including under the ePayments Code where it applies, should continue to apply to payments initiated through the Consumer Data Right. For the purposes of applying these arrangements, the conduct of the accredited person should be taken as being akin to the conduct of someone who the bank and customer have agreed can operate the account on the customer’s behalf. An accredited person should be responsible for losses arising from its own conduct, including when they result in an unauthorised payment from the consumer’s bank account. In this case, to the extent that the bank (because it has compensated the customer for the loss) or the customer suffers a loss from the unauthorised payment then they should have a direct right of action for compensation from the accredited person. The ePayments Code should be updated to further clarify how its liability provisions would apply when a third party initiates a payment. Consumer Data Right information security requirements should be updated for payment initiation and to support fraud mitigation processes.
Recommendation 5.15 – Consumer Data Right payment initiation roadmap A Consumer Data Right payment initiation roadmap should be published, informed by consultation with the payments industry and interested stakeholders, to set clear expectations and drive the implementation of Consumer Data Right payment initiation. The roadmap should particularly draw on the timetable in the New Payments Platform’s Roadmap as a critical development in the Australian payments infrastructure.
Recommendation 5.16 – Opportunities for alignment in implementing Consumer Data Right payment initiation In implementing Consumer Data Right payment initiation, authorised deposit-taking institutions should meet the recommended design features. CDR agencies should engage with the operators of major payment systems, including the New Payments Platform, to explore opportunities to align third party payment initiation arrangements with those recommended for Consumer Data Right payment initiation. This should be conducted with a view to facilitating the utilisation of those arrangements by banks to meet their Consumer Data Right payment initiation obligations, so that implementation is expedited and compliance costs are minimised.
Recommendation 5.17 – Payments through a third party access to digital banking portal Once Consumer Data Right payment initiation is implemented by authorised deposit-taking institutions, strong consideration should be given to prohibiting the making of a payment through third party access to digital banking portals. This should be considered as the implementation of the required design features for Consumer Data Right payment initiation nears full implementation and becomes widely accessible on reasonable terms to consumers and accredited persons.
Recommendation 5.18 – General action initiation in the banking sector General action initiation in the banking sector should enable product applications, updating details, managing products, closing a product, ending a customer relationship, and other associated general actions. These include general actions that support payments referred to in Recommendation 5.4. Certain information should be explicitly excluded from being subject to change through Consumer Data Right action initiation due to concerns for consumers’ privacy and safety. These classes of information should be identified through regulatory and privacy impact assessments, and through consultation with industry and consumer groups.
Recommendation 5.19 – Prioritising product applications to support switching To support the streamlining of switching, product applications and establishing new customer relationships should be prioritised in the phased implementation of general action initiation in the banking sector. The Consumer Data Right rule maker should determine the order of prioritisation of general action initiation in consultation with consumer groups, the banking sector, accredited persons and other stakeholders.
Recommendation 5.20 – Sector-specific regulation Relevant regulators, including ASIC, should provide guidance as to how the provision of services by an accredited person using Consumer Data Right data sharing or action initiation could impact upon whether the accredited person needs to obtain additional licences.
Recommendation 5.21 – Identity verification assessments The Consumer Data Right should support consumer-directed sharing of Know Your Customer outcomes to the extent to which reliance is allowed on that outcome, in the event that proposed amendments to the reliance provisions in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 are passed by Parliament.
Chapter 6 – Read access enhancements
Recommendation 6.1 – Consumer Data Right to support specialisation and a sophisticated data ecosystem The Consumer Data Right should support the specialisation of services to allow businesses to design their own business models, promote innovation and support a safe and efficient digital economy.
Recommendation 6.2 – Outsourced service providers The Consumer Data Right should allow third parties to collect and disclose data on behalf of an accredited data recipient under an appropriate outsourcing arrangement without separate accreditation. The accredited data recipient would retain liability, and the outsourced service provider would need to comply with existing Standards.
Recommendation 6.3 – Accredited data recipient to accredited data recipient transfers The Consumer Data Right should allow transfers from an accredited data recipient to another accredited data recipient with customer consent, including transfers via arm’s length intermediaries to an accredited data recipient.
Recommendation 6.4 – Authorised representatives CDR data should be able to be released to a CDR-authorised representative of an accredited data recipient, with the customer’s consent. The authorised representative should be able to hold a lower tier of accreditation, in light of the principal accredited data recipient providing data access, taking on liability for Consumer Data Right compliance and taking on responsibility for putting in place arrangements to ensure compliance. The design of arrangements should have close regard to the role of authorised representatives under the Australian financial services licensing regime.
Recommendation 6.5 – Data holders to receive CDR data from their sector The Consumer Data Right should allow data holders to receive CDR data relating to their sector from other data holders and accredited data recipients without requiring additional accreditation.
Recommendation 6.6 – Providing CDR data outside the system to regulated parties The Consumer Data Right should allow regulated third parties operating outside the Consumer Data Right ecosystem to receive varying levels of data with the consent of the consumer, with reference to the level of regulation of the recipient. This access should include transfers of CDR data or derived data for regulated activities or for regulatory compliance activities at the customer’s direction.
Recommendation 6.7 – Data for low risk public benefit uses The Consumer Data Right should allow non-accredited parties operating outside the Consumer Data Right ecosystem to receive varying levels of data with the consent of the consumer, subject to appropriate restrictions, if they provide low risk services for public benefit.
Recommendation 6.8 – Insights to non-accredited persons The Consumer Data Right should allow non-accredited third parties operating outside the Consumer Data Right ecosystem to receive, from a data holder or accredited data recipient, lower risk insights data derived from CDR data.
Recommendation 6.9 – Cross-sector application of reciprocity The Consumer Data Right principle of reciprocal obligations of an accredited data recipient to respond to a consumer’s data sharing request should not be limited by the scope of sectoral designations at the time of accreditation. Accredited data recipients should be obliged to comply with a consumer’s request to share data which is the subject of a sectoral designation as well as equivalent data held by them in relation to sectors which are not yet designated.
Recommendation 6.10 – Identifying equivalent data Equivalent data should exclude materially enhanced data and voluntary data sets. Equivalent data applicable to a person seeking accreditation as an accredited data recipient should be identified by the accreditor during the accreditation process. Identification of equivalent data should be subject to the same principles which apply to the selection of data sets through the formal sectoral assessment and designation process. Guidelines on the identification of equivalent data should be published by the regulator.
Recommendation 6.11 – Exclusion from reciprocal data sharing obligations Accredited data recipients should be excluded from reciprocal data sharing obligations if they are below a defined minimum size.
Recommendation 6.12 – Accreditation criteria The accreditation criteria should not create an unnecessary barrier to entry by imposing prohibitive costs or otherwise discouraging suitable parties from participating in the Consumer Data Right. A tiered, risk-based accreditation model should be used to minimise costs for prospective participants.
Recommendation 6.13 – Tiering of accreditation Regulation of the Consumer Data Right should be able to allow tiering of accreditation requirements based on factors, including the risks associated with the accessible CDR data and the activities that could be undertaken with it.
Recommendation 6.14 – Inclusion of data The process and criteria for clearing or disallowing new Consumer Data Right data set standards should not discourage or exclude the provision of any data sets that are suitable for use in the Consumer Data Right. This should include data sets within a designated sector that have not been designated, and data sets from sectors not designated.
Recommendation 6.15 – Process for introducing voluntary data sets The Data Standards Chair should be able to approve standards for new voluntary data sets developed using different pathways. These pathways should include design by the Data Standards Body under a fee-for-service model upon request, industry-led design, or individual firms introducing bespoke data sets. There should be a set period of time that the Data Standards Chair has to clear or disallow any standards that do not meet the specified criteria or benefit consumers.
Recommendation 6.16 – Guidelines for voluntary data sets Guidelines should be provided outlining specific criteria that new data sets and their associated standards need to meet for inclusion in the Consumer Data Right environment.
Recommendation 6.17 – Maintenance of industry designed standards Standards for voluntary data sets introduced to the Consumer Data Right by industry participants must be maintained by industry participants. The Data Standards Chair should have the right to disallow such standards if they are not maintained to the level required.
Recommendation 6.18 – Ongoing consumer experience research The Data Standards Body should continue to conduct ongoing consumer research in a consistent, principled way that is reflective of the needs of consumers, accredited persons and data holders. Where appropriate, the findings of this research should be given legal effect through recognition by the Rules or Standards.
Recommendation 6.19 – Consumer Data Right dictionary The Data Standards Body should include as part of the Consumer Experience Standards, a non-exhaustive dictionary outlining, in plain English, definitions of common terms used in Consumer Data Right consents. For usage consents, this should include common understandings of purposes.
Recommendation 6.20 – Industry recommended and endorsed consents Industry and consumer groups should be encouraged to develop and endorse standard wording for Consumer Data Right consents for specific purposes, and accredited persons should be permitted to display these endorsements in their consent processes through icons, descriptions, links or other appropriate methods.
Recommendation 6.21 – No mandated central consent collection A central body should not be mandated to collect all consumer consent and authorisation information created by participants in the Consumer Data Right system.
Recommendation 6.22 – Sharable consent information Consent and authorisation data should be designated as CDR data to facilitate the secure provision of centralised consent management services at the consumer’s direction. Consultation should be undertaken before determining who should be required to share this information, so as not to unduly increase barriers to entry into the system.
Recommendation 6.23 – Limited action initiation for consent management Consumers should be able to authorise an accredited person to perform certain actions in regards to Consumer Data Right consents and authorisations on their behalf as a Consumer Data Right action. Consultation with industry and consumer advocates should be conducted prior to the full scope of actions being determined.
Recommendation 6.24 – Privacy impacts of sharing consent information Prior to the designation of consent and authorisation information, the potential privacy impacts of facilitating the transfer of consent data should be separately reviewed. This process should pay special attention to the needs of vulnerable consumers.
Chapter 7 – Consumer safeguards
Recommendation 7.1 – Interaction with sector-specific consumer protections The interaction and potential overlap between industry-specific consumer protections measures and the Consumer Data Right regime should be considered when assessing the potential to designate a sector for data sharing or action initiation, with any barriers or conflicts between the regimes appropriately resolved.
Recommendation 7.2 – Suitability of persons for action initiation Regulatory settings for accreditation should enable the accreditor to take into account all matters relevant to the applicant’s suitability to initiate actions of the type proposed. Requirements on persons seeking accreditation to advise the types of goods or services they propose to offer or, in the case of accredited persons, offer, consumers using CDR data should be extended to goods or services offered to consumers that involve the use of action initiation.
Recommendation 7.3 – Remedies where instruction sent without a valid request If an accredited person sends action initiation instructions without obtaining a valid request from the consumer or complying with relevant Rules, consumers should have the right to take action against the accredited person. Other remedies (including civil penalties and suspension or revocation of accreditation), should also be available.
Recommendation 7.4 – Remedies where data holder does not have authorisation If a data holder acts on action initiation instructions without having obtained the consumer’s authorisation to do so, the consumer should have the right to take action against the data holder. Other remedies (including civil penalties) should also be available.
Recommendation 7.5 – Extending consumer protections for action initiation Consumer protections in Part IVD of the Competition and Consumer Act 2010 and the Rules, including the prohibitions on holding out and misleading and deceptive conduct in relation to consumer consent, should be extended or adapted as appropriate to apply to action initiation, with appropriate and proportionate remedies available.
Recommendation 7.6 – Action initiation and accredited person’s obligations to consumers Where an accredited person seeks, or has been granted, a consumer’s consent to initiate actions with a data holder, the accredited person should be obliged to act efficiently, honestly and fairly in relation to initiating actions. In some sectors it may be appropriate that a higher standard (or additional obligations) apply, either generally or in relation to particular actions. This should be considered during sectoral assessment and rule making processes, and subject to consultation. If the accredited person fails to meet the standard of conduct required of them, the consumer should be able to take action against the accredited person. Other remedies (including civil penalties and suspension or revocation of accreditation) should also be available.
Recommendation 7.7 – Monitoring impact on vulnerable consumers The impact of the recommended reforms on vulnerable consumers in designated sectors, including the availability and suitability of services offered and any trends in Consumer Data Right complaint data received, should be monitored to assess whether any regulatory settings require adjustment. The ACCC should be responsible for this monitoring. Additionally, an evaluation of the impact of the Consumer Data Right system on the wellbeing of vulnerable consumers should be completed 24 months after action initiation’s commencement. This assessment should be led by government in close collaboration with consumer representatives and industry.
Recommendation 7.8 – Consumer education program CDR agencies should coordinate the development and implementation of a timely consumer education program for new Consumer Data Right designations. Participants, industry groups and consumer advocacy groups should also be invited to participate, as appropriate, in developing consumer awareness and education activities.
Recommendation 7.9 – Encouraging innovation that benefits vulnerable consumers The Government should explore options to encourage the creation of products that use the Consumer Data Right to benefit consumers, including the establishment of a grants program to support developers to design and build such products. Government should seek input from consumer representatives and those providing services to vulnerable consumers in doing so.
Recommendation 7.10 – Encouraging consumer representation in developing the Consumer Data Right The Government should explore ways in which interested consumer advocacy groups could be supported to contribute their expertise to the development of the Consumer Data Right and CDR-enabled products. This could include the engagement of consumer representatives in drafting guidance for accredited persons on the design of CDR-enabled products, which take into account vulnerable consumers’ needs.
Recommendation 7.11 – Protections for action initiation instructions to be considered in the privacy and security assessments The privacy impact assessment and information security assessment should consider appropriate protections, proportionate to the risks involved for action initiation authorisation, consent and instruction data and, if warranted, identify protections that need to be put in place. Information security protections for action initiation authorisation, consent and instruction data should be proportionate to the risks presented by misuse of this data. The assessments should occur before the legislation is settled to determine what should be captured in the primary legislation, the Rules or Standards.
Chapter 8 – Opportunities for connecting the Consumer Data Right to the data economy
Customer authentication in the Consumer Data Right
Recommendation 8.1 – Support for development of authentication solutions interoperable with the Consumer Data Right The Consumer Data Right should continue to be developed in a manner that encourages the use of interoperable authentication solutions, based on compatible international standards.
Recommendation 8.2 – Minimum assurance standard for authentication to apply to data holders and accredited data recipients The Data Standards Body should develop a minimum assurance standard for authentication applicable to both data holders and accredited data recipients. The standard should support interoperability and flexibility for participants, provided minimum assurance standards and consumer experience standards are met. The standard should include provision of safe harbours for existing authentication requirements for current data sets and functions.
Recommendation 8.3– Minimum assurance standard for authentication to include a risk taxonomy and matrix As part of the minimum assurance standard for authentication the Data Standards Body should develop a risk taxonomy and risk matrix against which assurance levels for particular data sets and Consumer Data Right functions in each sector can be determined with a degree of consistency. This taxonomy and matrix should form part of the minimum assurance standard used to inform the level of assurance required, noting that other considerations will also factor. It should consider the nature of data, likelihood of harm to consumers if data is misused and other key factors that the Data Standards Body considers appropriate. This should be developed in consultation with industry and consumers. Leveraging standard setting and the Data Standards Body
Recommendation 8.4 – Standards setting for data held by government The Data Standards Body should be available as a source of expertise in developing and maintaining data standards that other government initiatives, regulatory regimes and information technology systems could adopt. It should also be available as a central point for engagement in relevant international data setting fora.
Leveraging the accreditation regime
Recommendation 8.5 – Leveraging the Consumer Data Right data safety licence The ‘data safety licence’ and supporting register should be available to meet equivalent requirements in other regimes, in a way that is consistent with best practice cybersecurity risk management and broader cybersecurity frameworks.
Recommendation 8.6 – Aligning data safety accreditations As an alternative to broader use of the ‘data safety licence’, or as an interim step (or in relation to international regimes), efforts should be made to align similar data safety ‘accreditations’.
Recommendation 8.7 – Recognising external data safety accreditation Where external data safety accreditations align with Consumer Data Right requirements, these could be recognised by the Consumer Data Right or at least enable their ‘accreditation holders’ to go through streamlined Consumer Data Right accreditation.
Linkages with the AI Ethics Framework
Recommendation 8.8 – Guidance on artificial intelligence ethics in the Consumer Data Right Further guidance about transparency requirements relating to data aggregation activities such as the use of algorithms, the importance of privacy by design and the application of relevant ethical frameworks, including the AI Ethics Framework when utilising AI technologies for data within the Consumer Data Right regime should be included in a future version of the Privacy Safeguard Guidelines. In addition, the OAIC should consider, in consultation with the Consumer Data Right rule maker whether it may be appropriate to include consideration of these matters in its future assessments program. Linkages and interoperability with international data portability regimes
Recommendation 8.9 – Using open international standards where available Open international standards should be used as a starting point for Consumer Data Right rules and standards where available and appropriate.
Recommendation 8.10 – When diverging from open international standards Where divergences from open international standards are proposed, the reason for this should be clearly articulated during consultation, giving stakeholders a chance to comment on whether alignment or divergence would be the most appropriate course.
Recommendation 8.11 – Streamlined accreditation The registration system for accredited data recipients (including underlying rules) should be updated to include a clear procedure for accreditation under equivalent foreign regimes to be considered (as appropriate) in meeting some or all of the requirements for participation in the Consumer Data Right.
Recommendation 8.12 – Seek mutual arrangement with the United Kingdom Australia should approach the United Kingdom with the prospect of creating a mutual bilateral recognition regime. This should include a process for identifying differences in registration requirements so any additional requirements in either regimes are clearly articulated.
Recommendation 8.13 – Engage with New Zealand Australia should engage with New Zealand as it considers whether and how to develop a consumer data right including to explore options for mutual recognition of licensing for participants.
Recommendation 8.14 – International forum The Government should seek opportunities to convene an international forum for policy makers considering, designing, implementing and maintaining consumer-controlled data portability regimes. In the interim, Australia should formalise existing relationships by establishing a quarterly dialogue with international policy bodies commencing with the United Kingdom, New Zealand, India and Singapore.
Chapter 9 – Consumer Data Right Roadmap
Recommendation 9.1 – Sector assessments with product reference data Sector assessments and designation instruments should be able to focus solely on product data where the opportunity exists for product data already available outside the Consumer Data Right to be introduced to the Consumer Data Right system.
Recommendation 9.2 – Prioritisation of Inquiry recommendations Recommendations should be prioritised primarily based on the benefits they will provide consumers, including their contribution to new products, participation in the ecosystem, consumer protection and ease of implementation. Recommendations that can be progressed without legislative amendments should also be prioritised.
Recommendation 9.3 – Integrated Consumer Data Right Roadmap The Government should create an integrated roadmap for the implementation of the Consumer Data Right, in collaboration with stakeholders in the private and public sectors. This roadmap should focus on key external projects in their implementation phases that will impact the Consumer Data Right.
Recommendation 9.4 – Post-implementation review A post-implementation assessment of action initiation and payment initiation should be conducted approximately 24 months after the commencement date and report to the Minister with recommendations.
