ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (21st of May 2020) - ConsumerDataStandardsAustralia/standards GitHub Wiki
When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61262464433,785383900%23%23
Meeting Details:
Desktop or Mobile Devices
https://csiro.webex.com/csiro/j.php?MTID=m7c39ee9db5e5892ab35cd0bd7bbf94ce
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.
Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: [email protected]
Phones - AUDIO ONLY
- Primary Australia: +61 2 6246 4433
- Quick Dial: +61262464433,785383900%23%23
- Other Global Numbers: https://conferencing.csiro.au/Call-in.php
- Meeting Number/Access Code: 785 383 900
- Introductions
- Outstanding actions
- CDR Stream updates
- Q&A
- Any other business
Meeting notes
- 5 min will be allowed for participants to join the call.
Outstanding questions
| Type | Topic | Update |
|---|---|---|
| Clarification | The ACCC wish to clarify the answer provided for the Joint Accounts | Clarification in Appendix |
| Decision Proposal | Decision Proposal 109 - NMI Standing Data Payloads | Link to comment |
| Question |
1. When an ADI receives CDR data from an external source it becomes a Data Holder of that data (Sec 56AJ(4), and explanatory notes 1.88). a. Must this external data be included in the data provided to the CDR Consumer (when answering a direct request from the consumer)? b. Must this external data be included in the data provided to an Accredited Person (when answering a third party data request)? |
This question has two elements to address: 1. If an ADI receives designated CDR data, through any means other than the CDR, the ADI is a data holder of that data (‘first case’ reciprocity 56AJ(1)). Once the ADI is a data holder in respect of the data, the ADI is required to share that data in response to a valid request (whether under the direct to consumer mechanism or with an ADR). The timeline for direct to consumer functionality is still under consideration, and there is currently no requirement for DHs to provide functionality that facilitates consumer data requests made by CDR consumers. During the course of the meeting, a follow up question was asked about correction obligations where 3rd case reciprocity has occurred. For example, if DH1 has become a data holder under third case reciprocity with respect to data originally received from DH2, what are their obligations for corrections (e.g., how can they correct data they weren’t responsible for creating)? It is necessary to consider if Privacy Safeguard 13 (correction at the request of a consumer) applies. If Privacy Safeguard 13 applies, it is necessary to consider rule 7.15 of the CDR Rules, which outlines the steps to be taken when responding to correction requests. If Privacy Safeguard 13 does apply because DH1 has previously disclosed that data previously received from DH2, then in response to a request to correct from a consumer, DH1 must either: 3. correct the data if DH1 has the necessary information to correct or include a statement with the data, even though they were not the originating source of the data. For example, if data received from DH2 had an incorrect address for a consumer, and the consumer asks DH1 to correct that data, DH1 may be able to correct if the consumer presents them with a proof of address. 4. give notice to the consumer why a correction or amending statement is not necessary or appropriate in the circumstances. For example, this may include if DH1 is unable to interrogate the data because they are not privy to why the record was made in the first place. In these circumstances, it is recommended that DH1 advise the consumer to contact DH2 to make that correction. |
| Question | ANZ is looking for some clarity around closed accounts. It is clear based on the rules the transaction data range we are required to supply (i.e 24 months) but it is not specifically stated if Account information (account details and balances) is required to follow the same rules. We are also assuming the following are out of scope as they are not valid on closed accounts: Direct debits Scheduled payment Could someone from the rules team please comment on the points above? |
A DH is required to share ‘account data’ (as defined in the rules) on a closed account with the exception of direct debits. Closed accounts come in scope for the major banks from 1 November this year. The account data that should be shared on a closed account is that which was current at the time of the account closing |
| Question | Will there be any verification completed of the Product data provided by Data holders? A Data holder could portray a more attractive product by not providing details of all possible fees. If all Data Holders are not interpreting this requirement in the same way then it could be detrimental to those adhering to these requirements. |
The ACCC’s general approach to compliance and enforcement is as set out in the recently published joint ACCC/OAIC compliance and enforcement policy. As outlined in that policy, fostering a culture of compliance is critical to achieving the objectives of the CDR. We have a wide range of information sources and monitoring tools available to us to assess levels of compliance and identify potential breaches of the relevant legislation, including Privacy Safeguards, Rules and Data Standards. |
Provides a weekly update on the activities of each of the CDR streams and their workplaces
- ACCC Rules
- ACCC CDR Register (Technical)
- DSB CX Standards
- DSB Technical Standards - Energy & Banking
Title: Overview of the CDR Register
Presenter: Ivan Hosgood and Elizabeth Arnold (ACCC)
The ACCC will describe the basic functions of the CDR Register, how DHs and DRs access the CDR Participant Portal to become accredited or registered and subsequently onboard. The presentation will also address topics such as The CDR Registrar, Data Holder Brands, How an ADR uses the CDR Register to connect to a Data Holder, What happens when the CDR Register is unavailable, Public view of the CDR Register and Metrics.
Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can pre-submit questions to the DSB mailing box.
Current received pre-submitted questions:
| # | Question | Answer |
|---|---|---|
| #1 | A consumer, on their consent, may share payee data with a 3rd party. This involves the bank account details of persons other than themself and these others will have no idea this data is being shared. What consideration has been given to the privacy of these persons (ie the payees)? | - |
| #2 | Is there any requirement, guidance, or expectation of the amount of consent history that should be available for display to consumers (ie via consumer dashboard)? | - |
| #3 | Is there any intention to provides any CX guidelines or other CX work relating to the consumer direct request service? |
At this stage there is no intention to provide CX Standards or Guidelines relating to direct consumer access. DP089 proposed the following: The DSB is currently recommending that only technical standards for the direct request service be defined and that the consumer experience is left to the competitive space for the data holders to determine. The consultation was closed with the following note: As this standard is heavily influenced by policy considerations the final recommendation will only be made after inter-agency consultation has also been conducted. CX work relating to direct consumer access will depend on this recommendation and the proposed compliance dates. |
| #4 |
Question regarding the term “publicly offered” (clause 1.4 of Schedule 3 to the CDR Rules) Has any guidance been provided by the ACCC regarding what is intended by the term “publicly offered?” Clarification is sought as to how this term should be interpreted. Should CDR data holders have regard to whether a product is considered “wholesale” or “retail” when determining if a product is in scope? If so, which definition of “wholesale” or “retail” should be relied upon? Where is this further information provided by the ACCC? We need to be able to evidence our decisions for inclusion/exclusions of products. Some of our product departments are adamant that their products are not intended to be included in CDR, however when interpreting the CDR Rules there is no justification for exclusion. |
- |
| #5 | CDR - Reporting form for data holders (rule 9.4) - v.1... (question is continued in Appendices) | - |
| #6 | ANZ are looking for some clarification around the CX implications of the concurrent consent/linked consent which are discussed in decision proposal 99 for joint accounts. It would be great to know when work will begin on this topic? | - |
| #7 | Are the changes passed in Maintenance Iteration 3 expected to impact July, or will the obligation for those be a later date? | - |
| #8 | During the Data Holder Working Group 07/05/2020 there was a question about whether a security review will be conducted prior to go-live, but no answer can be found in the minutes. Will a security review be conducted? If is, is this likely to be prior to go-live? | - |
| #9 | - | |
| #10 | - |
- TBA
| # | Question | Answer/ Action |
|---|---|---|
| #Template | - | - |
Other business
- TBA
- Continuation of Question #5
CDR - Reporting form for data holders (rule 9.4) - v.1
I wish to clarify the format in relation to this report format for fields 2.2, 4.2 and 4.3. These appear to be similar requirements but are shown differently in the reporting form.
| 2.2. | Number of CDR consumer complaints received for each complaint type, in accordance with your complaints handling process. |
So in relation to the fields above are you expecting the below format?
| 2.2 Complaint type 1 | 99999 |
| 2.2 Complaint type 2 | 99999 |
| 2.2 Complaint type 3 | 99999 |
| 2.2 Complaint type 4 | 99999 |
| 2.2 Complaint type 5 | 99999 |
| 2.2 Complaint type 6 | 99999 |
| 4.2. Please set out each of the CDR Rules or data standards relied upon to refuse disclosure of that data. | |
| 4.3. For each CDR Rule or data standard identified in response to item 4.2, please state the number of times you relied on that particular CDR rule or data standard to refuse to disclose CDR data. |
So in relation to the fields above are you expecting the below format? (CDR Rules or data standards = Reason) 4.3
| 4.2 Reason 1 | 99999 |
| 4.2 Reason 2 | 99999 |
| 4.2 Reason 3 | 99999 |
| 4.2 Reason 4 | 99999 |
| 4.2 Reason 5 | 99999 |
| 4.2 Reason 6 | 99999 |
As the reasons for refusal are dictated by the CDR Rules & the data standards, would it be better to list all the possible reasons and then we just complete the number for each? This will make it easier for us to complete and easier for you to utilise the data as your data would all be in the same format and consistent.
- Clarification for Joint Accounts
The rules require data holders to provide individually authorise functionality (‘one to authorise’), but it is optional to allow consumers to choose between individually authorise (‘one to authorise’) or co-authorise (‘two to authorise’). The ACCC’s position on joint accounts is as per point one. I.e.:
| Jack JAMS setting | Mary JAMS setting | Can Jack's DH disclose CDR Data on the joint account? | Can Mary’s DH disclose CDR data on the joint account? |
|---|---|---|---|
| N | N | N | N |
| Y | N | N | N |
| N | Y | N | N |
| Y | Y | Y | Y |
For completeness, we note that the difference in Schedule 3, clause 4.2(1)(a) and 4.2(2)(b) is that in the former only the joint account holder requesting the good or service completes the authorisation process (the JAMS election allowing that both account holders are able to authorise individually and at any time, having already been made by both account holders in respect of the account). However, in the latter, clause 4.2(2)(b), if both consumers elect to ‘co-authorise’, both must complete the authorisation process to allow sharing on that account at that particular time. The ACCC encourages data holders to build to the latter, and offer consumers the ability to ‘co-authorise’ sharing. To illustrate this through the current example:
| Jack JAMS setting | Mary JAMS setting | Jack is the person receiving a good or service. | Mary is the second joint account holder | |
|---|---|---|---|---|
| Under a 4.2(1)(a) election process or 4.2(2)(b), where both JA holders have chosen to ‘individually authorise’ sharing | Y | Y | Jack individually authorises sharing on the joint account | No action beyond the JAMS election is required of Mary |
| Under a 4.2(2)(b) process where both JA holders have chosen to ‘co-authorise’ sharing | Y | Y | Jack must authorise the sharing on the joint account and CDR data must not be shared until Mary has authorised too | Mary must also authorise the sharing on the joint account |
- TBA