ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (18th of June 2020) - ConsumerDataStandardsAustralia/standards GitHub Wiki

ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (18th of June 2020)

When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61262464433,785383900##
Meeting Details:

Desktop or Mobile Devices https://csiro.webex.com/csiro/j.php?MTID=m7c39ee9db5e5892ab35cd0bd7bbf94ce
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.

Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: [email protected]

Phones - AUDIO ONLY

Agenda

  1. Introductions
  2. Outstanding actions
  3. CDR Stream updates
  4. Q&A
  5. Any other business

Meeting notes

Introductions

  • 5 min will be allowed for participants to join the call.

Actions

| Type | Topic | Update |
| --- | --- | --- |
| Maintenance | Banking Maintenance Iteration 03 | Decision Proposal 108 |
| Decision Proposal - Energy | Decision Proposal 109 - NMI Standing Data Payloads | Decision Proposal 109 |
| Decision Proposal - Energy | Decision Proposal 110 - Additional Account Holders | Decision Proposal 109 |
| Decision Proposal - All | Decision Proposal 119 - Enhanced Error Handling Payload Conventions | Decision Proposal 119 |
| Decision Proposal - All | Decision Proposal 120 - CDR Error Codes for Enhanced Error Handling | Decision Proposal 120 |
| Decision Proposal - All | Decision Proposal 121 - Application of existing HTTP Error Response Codes to Enhanced Error Handling | Decision Proposal 121 |
| Decision Proposal - All | Decision Proposal 122 - Extension of Supported HTTP Response Codes for Enhanced Error Handling | Decision Proposal 122 |
| Workshop | Enhanced Error Handling - Error Structure Workshop Outcomes | Outcomes in comments of Decision Proposal 119 |
| Question | Is CX research on amending consent focused more on the process of obtaining consent rather than consent management? | This depends on how ‘consent management’ is defined. Rounds 4 and 5 of CX research explored how existing consents could be amended by adding/removing datasets, adding/removing uses, extending the duration of an existing consent, and the separation of collection and use. The trigger for these is expected to be an ADR requesting a consumer’s consent to amend, rather than the consumer amending an existing consent on a dashboard. On this basis the consumer is still managing an existing consent, but it is probably better understood as being focused on ‘the process of obtaining consent’ for a subsequent consent. |
| Question | What will be the registry access token lifetime (e.g. 10 mins)? | Access token lifetimes are 5 minutes. This is relatively short-lived as they are only used for Data Holder discovery and retrieving SSAs. |
| Question | Seeking clarification on CBA’s position: during outage periods, failure to respond to API requests does not constitute a refusal to disclose. This is in relation to both planned outages and incidents (unplanned outages). By nature these periods will have limited system capabilities and will not provide reliable instrumentation. Additionally, planned outages and incidents are measured through other data standards APIs. James clarified during the DH WG 14/5/2020 that Refuse to disclose applies when there is an intentional active condition that is refusing, which is why incidents and planned outages do not fit the definition of refuse to disclose. We agree with the view that planned and unplanned outages are not refusals to disclose and will not be in scope for record keeping and reporting. Please confirm in writing. | From a technical perspective the reporting of a refusal to disclose means that the request is received and is valid but the data holder (for one of a variety of reasons) refuses to provide the requested data.<br><br>During a period of system instability or outage the first part of this technical definition may not be met. The initial request may not be received or may not be able to be assessed for validity. In these situations a refusal to disclose should not be recorded. This would, however, be recorded as a period of unavailability under the NFRs if the outage was unplanned. If the outage was planned and communicated with enough advance notice according to the standards, then the calls would not need to be recorded either as a period of unavailability or as a refusal to disclose. |
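
The distinction in the answer above (a refusal to disclose needs a request that was received and valid; an outage that prevents receipt or validation is a period of unavailability unless it was planned and notified) can be expressed as a small classification routine. The following is an added illustration written for these notes, not code from the DSB or ACCC; the event fields, the treatment of a planned outage without adequate notice as unavailability, and the treatment of an ordinary invalid request outside any outage as not reportable are this example's assumptions, and the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Outcomes a data holder can record for one API request.
NO_RECORD = "no record"
UNAVAILABILITY = "period of unavailability (NFR)"
REFUSAL = "refusal to disclose"


@dataclass(frozen=True)
class RequestEvent:
    """One inbound CDR API request as seen by the data holder (constructed sample data)."""
    request_id: str
    received: bool                 # the request reached the data holder and was logged
    valid: bool                    # the request could be assessed and passed validation
    refused: bool                  # the data holder actively declined to provide the data
    outage: Optional[str] = None   # None, "planned" or "unplanned"
    notice_met: bool = False       # planned outage communicated with the required advance notice


def classify(ev: RequestEvent) -> str:
    """Apply the definition from the notes: a refusal to disclose needs a received,
    valid request that is deliberately refused; an outage that stops the request
    being received or assessed is unavailability, not refusal."""
    if ev.outage == "planned" and ev.notice_met:
        # Planned and notified in time: neither unavailability nor refusal is recorded.
        return NO_RECORD
    if not ev.received or not ev.valid:
        # The first half of the definition is not met, so this can never be a refusal.
        # During an unplanned outage (or, by this example's assumption, a planned one
        # without adequate notice) it is unavailability; an ordinary invalid request
        # outside any outage is simply rejected and, by assumption, not reported.
        return UNAVAILABILITY if ev.outage else NO_RECORD
    if ev.refused:
        # Received, valid, and actively refused: the reportable case.
        return REFUSAL
    return NO_RECORD


def summarise(events: List[RequestEvent]) -> Dict[str, int]:
    """Count what would be recorded over a reporting period."""
    return dict(Counter(classify(ev) for ev in events))


# Constructed sample events covering each branch of the definition.
SAMPLE_EVENTS = [
    RequestEvent("r1", received=True, valid=True, refused=True),                         # active refusal
    RequestEvent("r2", received=True, valid=True, refused=False),                        # served normally
    RequestEvent("r3", received=False, valid=False, refused=False, outage="unplanned"),  # incident
    RequestEvent("r4", received=False, valid=False, refused=False, outage="planned", notice_met=True),
    RequestEvent("r5", received=True, valid=False, refused=False),                       # malformed request
    RequestEvent("r6", received=False, valid=False, refused=False, outage="planned"),    # planned, no notice
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.request_id, "->", classify(ev))
    print(summarise(SAMPLE_EVENTS))
```

The point of separating `received`/`valid` from `refused` is that instrumentation captured during an outage is unreliable, so a refusal should only ever be derived from a request the data holder actually logged and validated.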

CDR Stream Updates

Provides a weekly update on the activities of each of the CDR streams and their work plans.

  • ACCC Rules
  • ACCC CDR Register (Technical)
  • DSB CX Standards
  • DSB Technical Standards - Energy & Banking

Presentation

  • To be advised

Q&A

Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can pre-submit questions to the DSB mailing box.

Currently received pre-submitted questions:

| # | Question | Answer |
| --- | --- | --- |
| #1 | Follow-up for: Question regarding the term “publicly offered” (clause 1.4 of Schedule 3 to the CDR Rules). What is the ACCC’s view of the term “publicly offered”? Clarification is sought as to how this term is intended to be interpreted. | The ACCC considers ‘publicly offered’ to mean products that are generally advertised and available to customers as ‘standard form contracts’, including that they have terms and conditions that are subject to low levels of negotiation, if any. The ACCC understands this will often align with products that are made available in respect of a bank’s retail banking operations, as opposed to its wholesale banking operations. ‘Publicly offered’ does not necessarily mean the product can be acquired by any member of the public; the product may be subject to eligibility requirements. For example, a business overdraft may be publicly offered but not available to individual consumers. |
| #2 | Follow-up for: Questions for ACCC around Product Reference Data timeline obligations:<br>1) Could you please clarify if non-major ADIs can commence sharing PRD data for phase 1 products "prior to 1 July 2020" if ready?<br>2) And if yes, would this automatically trigger any changes to other swim lane obligations (for PRD phase 2 and/or consumer data)?<br>3) Also, are we required to advise/inform the ACCC of the exact go-live date? | 1) Yes, you can commence sharing PRD prior to 1 July 2020.<br>2) No, this does not affect swim lane obligations for PRD phase 2 or consumer data sharing.<br>3) There is no express requirement to notify the ACCC of the exact go-live date if you elect to share PRD early. However, please note that reporting obligations under rule 9.4 will commence from the date you begin sharing PRD. For example, if a bank chooses to commence sharing PRD from 1 July 2020 (rather than from 1 October), it will be expected to report from 1 July 2020. |
| #3 | Would an ADR’s SSA issued for July go-live contain future-dated scopes that are not currently supported (e.g. scheduled payments and direct debits)? | Answered in Issue 243 |
| #4 | If it would, what behaviour is expected when, in the authorisation flow, an ADR requests a scope that is currently not supported?<br>• Should the ADH accept the request; or<br>• Should the ADH reject the request; or<br>• Should the ADH allow the request if there are other valid scopes, but ignore scopes currently not supported? | Answered in Issue 243 |
| #5 | If it won’t, then do we expect ADRs to submit a new SSA when additional scopes are introduced? | Answered in Issue 243 |
| #6 | Clarification in regard to accreditation of an ADI or possibly an Intermediary. The Guidelines make reference to certifications or assurances by a third party of CDR requirements such as Information Technology and Disputes. Can an ISO 27000/1 internal or external auditor or a PCI QSA provide the assurances? If so, do they, or an entity's internal or external auditors, require to have completed some additional training or certifications for CDR prior to providing these, or are their existing qualifications accepted? | Question taken on notice |
| #7 | Follow-up on the following question:<br>Question 4: Would you please confirm an Open Banking Solution Provider contracted by an ADR, ADIs or Fintechs be set as their endpoint connection to a DH.<br>1. An AAS (As a Service) provider of an application developed that would be hosted and provide ADH and/or ADR capability for an ADI, Intermediary or other entity. Do they need to be identified and included in the Consent sent to an ADH?<br>2. As an Intermediary who has developed an application itself with capability to provide ADR and/or ADR capability for use by itself and deliver products/applications<br>2.1. directly to consumers. In this case would only the Intermediary Id be included in the consent to, and validated by, an ADH.<br>2.2. To act as the middleman between a single or multiple ADHs and an ADI or other entities. Is only the Intermediary required to be shown or verified to the CDR Register and not the end recipient ADR of the consumer data? So an ADR can be masked or sit behind an Intermediary away from an ADH?<br>The difference being that solution providers or Intermediaries may have one or many ADH/ADR clients, which is different to an Outsourced solution provider who may be directly identified by separate records in the CDR for each of their client ADHs or ADRs. | Question taken on notice |
| #8 | Could we confirm the process for getting some assistance with the PRD comparison tool? | Lodge an issue on the Repo located here |
| #9 | ACCC updated on 21/5 that the Full Accreditation process would take approx. 3 months and the Streamlined Accreditation process would take less. What is less? i.e. a month, a week? | The streamlined accreditation process is anticipated to take no more than 4 weeks, subject to completeness of information provided. |
| #10 | Is there any update on when the Conformance Test Suite will be available? Original ETA is Sept. Is that still on track? | The Conformance Test Suite (CTS) will be available for Data Recipients to on-board from September 2020. CTS capability for the major Data Holders to test compliance with November changes will be available in October 2020. CTS capability for Data Holders to on-board will be available later in 2020.<br><br>The ACCC acknowledges some Data Holders will want to participate early; if that’s the case please email [email protected] to express your interest. |
| #11 | The ACCC FAQs say “The CTS will only be made available to participants in the process of onboarding. For Data Recipients this means you must be accredited.” Does this mean that an intending Data Recipient needs to be accredited before the CTS is made available to them and that conducting the CTS is not a requirement for Accreditation? | Correct, undertaking conformance testing via the CTS is a requirement of the CDR Registrar in order to make a participant active on the CDR Register. |
| #12 | The ACCC has also asked that intending Data Holders hold off commencing the registration process until the months immediately preceding your commencement. Does this mean 2 or 3 or more months prior to commencement? | This request was made in the initial stages of launching the CDR ecosystem as new features to improve the user experience are planned.<br><br>Industry will be notified when these features are available. |
| #13 | Does this also mean that the CTS won't be made available to a Data Holder until after they are registered? | Correct, a Data Holder must be registered in order to commence on-boarding. |
| #14 | Follow-up on: Regarding the announcement on the CDR dates for non-major ADIs moving out to July ’21, will the ACCC be releasing a new Phasing table to confirm obligation dates for:<br>• PRD - Phased products (1,2,3)<br>• CDR - Phased products (1,2,3)<br>• CDR - consumer type (individual, joint)<br>• CDR - account status type (open, closed)<br>• DTC - direct to consumer obligations | Question taken on notice |
| #15 | Follow-up on: If a non-major bank chooses to make their Product Reference Data API public on their website prior to the 1st of October (PRD phase 1 obligation date), does the reporting period start from the date when the API is made public or does the reporting period only start from the 1st of October? | Reporting obligations under rule 9.4 will commence from the date you begin sharing PRD. For example, if a bank chooses to commence sharing PRD from 1 July 2020 (rather than from 1 October), it will be expected to report from 1 July 2020. |
Template

Notes

  • TBA

Question and answers

| # | Question | Answer / Action |
| --- | --- | --- |
| #1 | Can you confirm if and when the Product Reference Data ‘comparator’ website will support V2 of the product APIs? Or more fully support multiple concurrent versions as per issue 17? | The Banking Products Comparator Tool currently supports preferred for the x-v value and minimal for the x-min-v value. |
| #2 | Last week's minutes do not have answers to the logged questions. When do these get updated? | Written responses are being worked on. |
| #3 | Question for Mark/James: We would like to confirm the version of the Product APIs. Based on the swagger version in the basePath, it would be /v1/, but the product endpoint should support header x-v as 2, so can the version in the URI and the product endpoint header be different? | |
| #4 | Question around concurrent consent: There are a couple of places in the pdf attached to issue 99 on the consumerstandards GitHub that talk about the concurrent consents that can be present at a time.<br><br>“To be clear, if a cdr_arrangement_id is not provided then a new, concurrent consent is established in addition to any existing consents. Existing consents are unaffected. If a cdr_arrangement_id is provided then, upon successful authorisation, the data holder would revoke the existing consent associated with the provided refresh token. In addition, the expiration of sharing would be calculated as the addition of the specified sharing duration to the expiration time of the current consent rather than to the time of authorisation. This would allow for an existing consent to be extended for the full twelve-month allowable period.”<br><br>"A CDR Arrangement ID MUST be bound to only one active consent at a time but may have no active consent".<br><br>Does that mean there can be multiple active consents at a time for a customer for the same software product?<br><br>Also, can we get a practical example to illustrate what that duration calculation could look like? | Question taken on notice |
| #5 | Can you please confirm the go-live date of the ACCC registry? Will there be a mock or pre-prod env for testing? | The CDR Register is live. The ACCC is working on a Test Strategy that will replace the Assurance Strategy used to inform Industry Testing. When information is available it will be released via the CDR Newsletter. |
| #6 | Can non-major banks who are not going live till July 2021 obtain early read-only access to the Register in order to verify their internal solution? | The ACCC is working on a Test Strategy that will replace the Assurance Strategy used to inform Industry Testing. When information is available it will be released via the CDR Newsletter. |
| #7 | We have reviewed the PRD APIs of the 4 majors. It appears that they may not be disclosing all fees that may apply to a product but rather those fees that are unavoidable (e.g. a monthly admin fee) and event/service based fees that are more common. Event/service fees that are less common seem to be excluded. While we can see some merit in that approach, it is not clear to us that it is strictly supported by the relevant legislation, rules and/or standards. Is it the ACCC’s view that all possible fees that may be incurred, however remote a possibility, must be included in the PRD? If not, what fees do or do not need to be included? Does the ACCC intend to amend the standards or issue formal guidance in relation to this issue? | Question taken on notice |
| #8 | Is the 2-3 months required for DHs to register what you want? We would want to maximise the period that we have access to the CTS. Can we start the process, say, 5 months out from our go-live so that we get a good three months of testing time? | The ACCC is working on a Test Strategy that will replace the Assurance Strategy used to inform Industry Testing. When information is available it will be released via the CDR Newsletter. |
| #9 | With regard to closed accounts data sharing: what is the expectation for an account that was authorised for data sharing and is closed after sharing is initiated? Should the sharing continue? | Question taken on notice |
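
Question #4 above asks for a practical example of the duration calculation in the quoted text. The following is an added illustration written for these notes, not code from the DSB or from any data holder; it models a toy consent store so that the two quoted rules can be seen together: a request without a `cdr_arrangement_id` creates a new concurrent consent and leaves existing ones alone, while a request carrying one revokes the arrangement's current consent and adds the sharing duration to the existing expiry rather than to the time of authorisation. It assumes a `sharing_duration` expressed in seconds and capped at the twelve-month allowable period mentioned in the quote, and it rejects an arrangement id that has no active consent, which the quoted text does not address; the dates are constructed.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed for this example: sharing_duration is in seconds and may not exceed the
# "full twelve-month allowable period" referred to in the quoted text.
MAX_SHARING_DURATION = timedelta(days=365)


@dataclass
class Consent:
    consent_id: str
    cdr_arrangement_id: str
    expires_at: datetime
    active: bool = True


class ArrangementStore:
    """Toy data holder consent store (constructed example, not a reference implementation)."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}

    def active_consent(self, cdr_arrangement_id: str) -> Optional[Consent]:
        """Return the single active consent bound to an arrangement, if any."""
        matches = [c for c in self._consents.values()
                   if c.cdr_arrangement_id == cdr_arrangement_id and c.active]
        # Invariant from the quoted text: at most one active consent per arrangement.
        assert len(matches) <= 1, "arrangement bound to more than one active consent"
        return matches[0] if matches else None

    def active_consents(self) -> List[Consent]:
        return [c for c in self._consents.values() if c.active]

    def authorise(self, now: datetime, sharing_duration: int,
                  cdr_arrangement_id: Optional[str] = None) -> Consent:
        """Record the outcome of a successful authorisation."""
        duration = timedelta(seconds=sharing_duration)
        if duration <= timedelta(0) or duration > MAX_SHARING_DURATION:
            raise ValueError("sharing_duration out of range")

        if cdr_arrangement_id is None:
            # No arrangement supplied: a new, concurrent consent in a fresh arrangement.
            # Existing consents are untouched, so one customer and software product
            # can hold several active consents at the same time.
            consent = Consent(str(uuid.uuid4()), str(uuid.uuid4()), now + duration)
        else:
            existing = self.active_consent(cdr_arrangement_id)
            if existing is None:
                # Not covered by the quoted text; rejecting is this example's choice.
                raise ValueError("no active consent for that cdr_arrangement_id")
            # Amendment: revoke the existing consent and base the new expiry on the
            # existing expiry rather than on the time of authorisation.
            existing.active = False
            consent = Consent(str(uuid.uuid4()), cdr_arrangement_id,
                              existing.expires_at + duration)

        self._consents[consent.consent_id] = consent
        return consent

    def revoke(self, consent_id: str) -> None:
        """Withdraw a consent; the arrangement remains, with no active consent."""
        self._consents[consent_id].active = False


def worked_example() -> Dict[str, object]:
    """Constructed scenario: a 90-day consent, a concurrent 30-day consent, then an
    amendment of the first one 10 days later with a further 30 days of sharing."""
    t0 = datetime(2020, 6, 18, 5, 0, tzinfo=timezone.utc)   # initial authorisation
    store = ArrangementStore()
    first = store.authorise(t0, sharing_duration=90 * 86400)
    second = store.authorise(t0, sharing_duration=30 * 86400)   # concurrent, no arrangement id
    t1 = t0 + timedelta(days=10)
    amended = store.authorise(t1, sharing_duration=30 * 86400,
                              cdr_arrangement_id=first.cdr_arrangement_id)
    return {
        "first_expiry": first.expires_at,            # 2020-09-16T05:00:00+00:00
        "amended_expiry": amended.expires_at,        # 2020-10-16: 90 + 30 days from t0
        "naive_expiry": t1 + timedelta(days=30),     # 2020-07-28: what t1 + duration would give
        "first_still_active": first.active,          # False: revoked by the amendment
        "second_still_active": second.active,        # True: untouched concurrent consent
        "active_count": len(store.active_consents()),
        "arrangement_unchanged": amended.cdr_arrangement_id == first.cdr_arrangement_id,
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The comparison between `amended_expiry` and `naive_expiry` is the practical point of the rule: anchoring the extension at the existing expiry lets a consumer extend sharing to the end of the allowable period, whereas anchoring it at the time of authorisation would shorten the arrangement the consumer already had.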

Other business

  • TBA

Appendices

  • TBA

Next Steps

  • TBA