Much has been written about the move towards ‘Open Banking’ in Australia and the impact it will have for both banks and their customers.
It is opportune to review where we are at in Australia regarding implementation of this major new initiative, especially given that one of the core pieces of legislation, the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth), failed to pass through Parliament before the election.
The heading says it all; eventually consumers will be able to request that their data be given to accredited persons. This is the ‘consumer data right’.
The first cab off the rank is the banking sector. Next will be the energy sector. Telecommunications is proposed to follow and then other sectors.
Component Parts of Open Banking
To implement Open Banking in Australia there is a raft of areas where laws must be implemented and amended, and standards developed and implemented, including:
- Legislate that customers effectively own/control the data that institutions hold about them and can direct that their data be provided to third parties
- Determine the way institutions will deliver this information
- Recipients need to be accredited and obliged to deal with the information in specified ways
- Develop data standards to be observed when data is transferred
- Amend Anti-Money Laundering law to address the risk of identity theft
The Consumer Data Right
Central to Open Banking is what is referred to as the ‘consumer data right’.
The Consumer Data Right requires that data which is held by a business about a consumer must be disclosed at the direction of the consumer to accredited third parties. This right, the ‘CDR’, will be implemented by the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth).
The Consumer Data Right aims to give customers greater control over their own data and provides more choice about how consumers manage their money and from where they want to receive services. This is explained in the Explanatory Memorandum accompanying the Bill.
The Consumer Data Right will eventually apply across a wide range of business sectors
While the Consumer Data Right is currently most often talked about in the context of the banking sector, it has a much wider application.
At the beginning of a report delivered to the Government in December 2017 by Treasury, the wider scope of the Consumer Data Right was highlighted:
In the Foreword –
Open Banking is part of the Consumer Data Right in Australia, a more general right being created for consumers to control their data, including who can have it and who can use it. Banking is the first sector of the Australian economy to which this right is to be applied and Open Banking is the way that this is to happen. More sectors of the economy are to follow and Open Banking needs to work together with them to form a single, broader framework.
In the Executive Summary –
Since the Review was given its original Terms of Reference, the Government announced that it will introduce a Consumer Data Right. The Consumer Data Right will provide consumers with rights to direct that a business transfer data on the consumer to a third party, in a usable machine-readable form. The announcement stated that implementation of the Consumer Data Right will be prioritised in relation to banking, energy and telecommunications data. Open Banking is the implementation of the Right in relation to banking data and that the design of the broader Consumer Data Right will be informed by the findings of the Open Banking Review.
Origins of Open Banking
Open banking has its genesis in the European Union.
In 2015, the Council of the European Union passed into law the Payment Services Directive 2 (‘the PSD2’), which came into force in January 2018, with the intent it be adopted into the national laws of EU members.
The PSD2 requires banks to provide secure access, through application programming interfaces (‘APIs’), to a consumer’s account data when requested by the customer.
Open Banking was adopted by the UK after the Competition & Markets Authority’s Retail Banking Market Investigation Report, issued in 2016 (the ‘UK Report’), highlighted the difficulties faced by smaller banks trying to compete with larger banks. The UK Report is a comprehensive document – 766 pages in length!
The report identified the existence of various barriers to customers when searching and switching between banks. The report found that ‘a substantial proportion of customers [were] paying above-average prices for below-average service quality’.
The recommendations of the UK Report on Open Banking have now been implemented. It is now mandated that customer data held by Britain’s nine largest banks must, at the request of customers, be handed over to ‘regulated providers’.
The Retail Banking Market Investigation Order 2017 (UK) implements these changes. This Order was issued in exercise of a power contained in the Enterprise Act 2002 (UK).
The Open Banking Implementation Entity (‘OBIE’) was established and charged with the task of implementing the changes. In early 2019 the OBIE reported that it had identified that there are 67 regulated third-party providers in the UK.
Surprisingly, take-up by customers of Open Banking in the UK has been slow. A report by PwC Australia titled ‘The Future of Banking is open: How to seize the Open Banking Opportunity’ (2018) identified relatively low awareness by customers, coupled with minimal press coverage and a lack of marketing by banks, as reasons why take-up of the opportunities has been limited.
Development of Open Banking in Australia
In July 2017, the then Treasurer, the Hon. Scott Morrison MP commissioned a review to make recommendations on how best to implement Open Banking in Australia. The report (Open Banking Review Report) was delivered to the Government in December 2017.
The Open Banking Review Report highlighted the importance that Open Banking be ‘customer focused’ and should encourage competition to allow consumers to make better choices when researching products and services.
The review report made many recommendations on how best to implement Open Banking in Australia; some 50 recommendations in total.
Implementing Open Banking in Australia
Government and the regulators are initially working with the four major banks (Westpac, Commonwealth Bank, ANZ and NAB) to implement the open banking initiative. Other banks will follow in due course.
Timetable for Implementation
The timetable for implementation of Open Banking in Australia is as set out below. However, the timetable has been changed a number of times and further changes are likely.
Data to be made available:
- 1 July 2019 – Testing of the open banking system will commence with product reference (generic) product data required to be shared by the four major banks.
- 1 February 2020 – The four major banks and reciprocal data holders (i.e. ADIs who are accredited data recipients) will be required to make available to consumers all phase one (including consumer, account and transaction data relating to credit and debit cards, deposit and transaction accounts) and phase two (mortgage products) data.
- 1 July 2020 – All remaining product data will be required to be made available to consumers by the four major banks and reciprocal data holders, including business finance and personal loans. Subsequent data holders (i.e. ADIs other than initial data holders, foreign bank branches or reciprocal data holders) will be required to share CDR data in respect of phase one products.
- 1 February 2021 – Subsequent data holders will be required to share CDR data in respect of phase two data.
- 1 July 2021 – Subsequent data holders will be required to share CDR data in respect of phase three data.
Progress of legislation to implement the Consumer Data Right
The Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth) was introduced into Parliament in February 2019. However, the legislation failed to pass before the election and the bill lapsed in April 2019.
No doubt the Bill will be reintroduced when Parliament sits again.
ACCC’s role in designing draft Rules for the Consumer Data Right
As stated earlier, rules must be developed to establish the framework and business rules under which institutions will be required to deliver up the information they hold about a customer.
These rules are being implemented via amendments to the Competition and Consumer Act 2010, with the Australian Competition and Consumer Commission (ACCC) being the responsible government regulator. The ACCC is working in a co-regulatory model with CSIRO Data61 and the Office of the Australian Information Commissioner to implement the CDR.
The ACCC released the draft Competition and Consumer (Consumer Data Right) Rules 2019 for industry consultation on 29 March 2019. The consultation period ended on 10 May 2019.
Privacy and consent
Consumers’ privacy will be protected under the Privacy Act and it is evident that there will need to be strict adherence to security standards. The Act will be extended to bind all accredited data recipients, such as small to medium sized enterprises who may normally be exempt from these requirements. Refer to the Treasury Laws Amendment (Consumer Data Right) Bill 2019, Section 56EQ.
Consumers will need to give their consent as to when and how their data will be transferred and used – refer to draft Competition and Consumer (Consumer Data) Rules (2019) issued by the ACCC.
The draft rules contain specific privacy safeguards, including the requirement for consent to be ‘voluntary, express, informed, specific as to purpose, time limited and easily withdrawn’. The draft rules also provide that consent and authorisation will automatically expire after 12 months. Consumers will have a range of options to seek redress where the privacy protections are breached.
Under the new legislation, it is not proposed that customer data be handed directly to customers – instead the data will be handed to ‘accredited recipients’. It is contemplated that there might be differing levels of accreditation depending on the risks associated with the data.
The ACCC will determine the criteria for accreditation. It is proposed that accreditation application guidelines, criteria and conditions may be imposed – see draft rule 5.9. In the note to draft rule 5.2 it is evident that initially there will be one general level of accreditation, with the ACCC proposing additional levels of accreditation in subsequent versions.
Technical Specifications for Data Transfer
Standards will also be developed by the CSIRO’s Data61, outlining how data will be transferred between parties. These standards will be based on the UK’s Open Banking Technical Specifications and will determine how data should be transferred by APIs. The Data Standards Chair must make a standard in relation to authorisation, which must provide for multi-factor authentication requirements – refer to draft Rule 8.11.
Identity Theft and Financial Crime
An issue identified in the Open Banking Review was the risk of identity theft where verification of identity data is easily available in ‘a packaged electronic form’. At page 39 of the report on the Review, it was recommended that:
If directed by the customer to do so, data holders should be obliged to share the outcome of an identity verification assessment performed on the customer, provided the anti-money laundering laws are amended to allow data recipients to rely on that outcome
This approach would require amendments to Anti-Money Laundering laws to allow for reliance on the outcome rather than the identity data to be sufficient verification.
Open banking still has a way to go before it is implemented.
Extension of the customer data right to other industry sectors is still to be developed.
We hope this is all worth the effort.
We trust that we do not end up with the same experience as in the UK, as noted in PwC’s report, which determined that the relatively slow take-up of open access to data rights was due to low customer awareness, minimal media coverage and a lack of marketing.