ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes (28th of January 2021) - ConsumerDataStandardsAustralia/standards GitHub Wiki

ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes (28th of January 2021)

When: Weekly every Thursday at 3pm-4.30pm AEDT
Location: WebEx, quick dial +61262464433,785383900%23%23
Meeting Details:

Desktop or Mobile Devices https://csiro.webex.com/csiro/j.php?MTID=m7c39ee9db5e5892ab35cd0bd7bbf94ce
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.

Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: [email protected]

Phones - AUDIO ONLY


Agenda

  1. Introductions
  2. Actions
  3. CDR Stream updates
  4. Presentation
  5. Q&A
  6. Any other business

Introductions

  • 5 min will be allowed for participants to join the call.

Recording

The Consumer Data Right Implementation Calls are recorded for note taking purposes. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material shall be provided without the participant's consent. Participants may [email protected] should they have any further questions or wish to have any material redacted from the record.

Acknowledgement of Country

We acknowledge the Traditional Custodians of the various lands on which we work today and the Aboriginal and Torres Strait Islander people participating in this call.We pay our respects to Elders past, present and emerging, and recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.

Updates

Type Topic Update
Standards Version 1.6.0 Published Link to change log here
Standards Version 1.7.0 Proposed Link to Project Board with proposed changes here
Maintenance 6th Maintenance Iteration planned for 2021 Read about the Maintenance Iteration - If you would like to join these please reach out to [email protected]
DSB Newsletter To subscribe to DSB Newsletter Link here
ACCC Newsletter To subscribe to ACCC Newsletter Link here
ACCC Newsletter 20th of January 2021 Edition View in browser here
DSB Newsletter 22nd of January 2021 Edition View in browser here
Consultations Decision Proposal 149 - Energy Draft Feedback Cycle 1 Feedback is now open on any issue related to draft. This thread will remain open until February 12th 2021. At that time proposed changes will be incorporated and a second consultation cycle will commence. Link to consultation
Consultations Decision Proposal 145 - Strategy for Reporting & Metrics Feedback is now open for this proposal for an extended period to account for the end of year break. Feedback is planned to be closed on Friday 29th January 2021. Link to consultation
Consultations Decision Proposal 144 - Amending Consent Authorisation Flow Feedback is now open for this proposal for an extended period to account for the end of year break. This consultation window will close on ( extended to ) Monday, 1st February at 5pm. Link to consultation

CDR Stream Updates

Provides a weekly update on the activities of each of the CDR streams and their workplaces

Organisation Stream Member
ACCC Rules Andrew Breeze
ACCC CDR Register (Technical) Elizabeth Arnold
DSB CX Standards Michael Palmyre
DSB Technical Standards - Banking Mark Verstege
DSB Technical Standards - Energy & Engineering James Bligh

Presentation

No presentation today. However we will walk through Masking of Accounts and PAN from the Consumer Data Standards today.

  • What are the data masking requirements for Biller CRNs?
  • What are the data masking requirements for account numbers?
  • We don't mask Biller CRN in our Internet Banking platform; do we need to do this for the Consumer Data Right?
  • For Transaction data, if PANs are present should we mask this information?

Q&A

Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can pre-submit questions to the DSB mailing box.

Current received pre-submitted questions:

Answer provided

Ticket # Question Answer
232 Till Nov 2021, Consumer data requests made by eligible CDR consumers are out of scope. The regulatory report excel sheet has an entry for this which will likely be 0. 3.2. Number of consumer data requests received from eligible CDR consumers Is there a plan to update the sheet removing this entry or do we as Data Holders send this value as 0 when we report this to ACCC? Thanks for your query. Two cells above the item you refer to, the reporting form includes the following guidance: - If a type of consumer data request is not relevant for the particular reporting period, for example, direct consumer data requests from eligible CDR consumers are not yet phased in under the rules, leave the relevant section blank. All data holders should use the approved reporting form until further notice, including following all of the drafting guidance it contains. Please let us know if this is useful. CDR Support Portal Article
395 we are interested in the thinking and history behind the definition of eligible cdr consumer in the rules. The requirement for a customer to be a holder of an open account means that a primary use case (ie credit checks/loan origination) will not be available for some customers with respect to given Data Holder/s. Further, what is the logic in requiring the DH to expire consents if/when a consumer becomes ineligible via the current rules - it appears to be both an impost on the DH to satisfy and a sub-optimal CX (I would presume they would, by and large, expect/prefer the sharing to continue). The concept of an ‘eligible’ CDR consumer relates to the class of consumers who can share data under the CDR. For individuals, it captures customers of the data holder who are over 18 and have at least one open and online account. These customers will have online credentials with a data holder through internet or mobile banking. The purpose of this is to enable data holders to leverage those existing online credentials, for example when it comes to authentication in the CDR – making the experience of using the CDR a digital one. Due to the definition of ‘consumer’ under the Act, without the concept of ‘eligibility’ in the Rules data holders would be required to share CDR data for a broader range of their customer base, including those who have not activated online banking and those who are former customers. As noted at paragraph 3.1 of the Rules Framework, the ACCC recognises the utility of providing former (and wholly offline) customers with the right to access CDR data, however, these were not considered a priority class of consumers for the initial implementation of the CDR in light of issues such as consumer authentication. A consumer who seeks to open an account with a new provider will be able to share their CDR data from any data holder with whom they are eligible at the time. We note that consumers are also able to share data from closed accounts for a certain period of time (see here) – provided they are still eligible for that particular data holder (i.e. have at least one open account). The requirement for authorisation to expire when a consumer ceases to be eligible follows the rationale above, i.e. once a customer has closed all of their online accounts with a particular data holder, they no longer have an ongoing digital relationship with the data holder or any active credentials through which they could be authenticated. Therefore, any authorisation to continue disclosing expires at the same time. We note your view that an inability to share from certain data holders has the potential to impact use cases such as loan origination. We welcome feedback on this issue and, as noted in the Rules Framework, are keeping this issue under review with a view to the appropriate next steps. CDR Support Portal Article
403 An FAQ Answer for "User visibility of the profile scope" was recently posted on the CDR Support Portal, which we were a bit confused by. The answer implied that the "profile" scope should not be disclosed by the Data Holder unless the request also includes basic customer data cluster (common:customer.basic:read) or detail customer data cluster (common:customer.detail:read). Does this mean that if an ADR requests the profile scope by itself, the Data Holder should not grant it? The last part of the FAQ Answer also had this comment. Can you please clarify this? 'Note also that the ADR has a responsibility to request the essential claims they wish to receive via UserInfo, such as given_name, otherwise they must not be returned.' Thanks for the question, the article User visibility of the profile scope is accurate in it's description of the usage of profile scope. The current consequence is that the profile scope can only be accepted if it is in association with one of the CDR customer read scopes. This is so ADRs and DHs don't unintentionally introduce situations where consumers don't comprehend they are sharing personal information in the short term whilst this consultation is being conducted. The Data Standards Body will consult on this gap and look to remediate in Maintenance Iteration 6. CDR Support Portal Article
449 The CDR Rule 9.5(4) states that the copies of records to customers must be provided 'in a form (if any) approved by the Comission for the purpose of this rule'. Has the form been approved? If yes, where is it available? If not when should we expect to have it? I am aware of this answer https://cdr-support.zendesk.com/hc/en-us/articles/900002708306?input_string=customer+copies+of+records, however it is not clarifying the form in which the records must be provided? CDR Support Portal Article
465 We are seeking clarification on data masking requirements for Biller CRNs matching the format of a Credit Card PAN, returned as part of the GetPayeeDetail API endpoint. Should a data holder not currently mask Biller CRNs matching this criteria on their existing online banking channels, is there a requirement to apply this masking in the Open Banking API response? The answer to a similar query raised via GitHub indicates masking is not required in this scenario: https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/259 If the CRN is a Credit Card PAN then it should be masked using the MaskedPANString format. CDR Support Portal Article

Response pending

Ticket # Question Answer
107 Answer in progress
139 Answer in progress
174 Answer in progress
189 Answer in progress
196 Answer in progress
203 Answer in progress
209 Answer in progress
214 Answer in progress
221 Answer in progress
225 Answer in progress
232 Answer in progress
244 Answer in progress
250 Answer in progress
256 Answer in progress
257 Answer in progress
259 Answer in progress
261 Answer in progress
263 Answer in progress
265 Answer in progress
268 Answer in progress
283 Answer in progress
290 Answer in progress
291 Answer in progress
292 Answer in progress
293 Answer in progress
299 Answer in progress
301 Answer in progress
303 Answer in progress
308 Answer in progress
310 Answer in progress
311 Answer in progress
312 Answer in progress
318 Answer in progress
319 Answer in progress
321 Answer in progress
323 Answer in progress
324 Answer in progress
329 Answer in progress
331 Answer in progress
333 Answer in progress
334 Answer in progress
335 Answer in progress
336 Answer in progress
337 Answer in progress
338 Answer in progress
339 Answer in progress
340 Answer in progress
341 Answer in progress
346 Answer in progress
347 Answer in progress
350 Answer in progress
351 Answer in progress

Question and answers

# Question Answer/ Action