ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (28th of May 2020) - ConsumerDataStandardsAustralia/standards GitHub Wiki

ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (28th of May 2020)

When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61262464433,785383900##
Meeting Details:

Desktop or Mobile Devices https://csiro.webex.com/csiro/j.php?MTID=m7c39ee9db5e5892ab35cd0bd7bbf94ce
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.

Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: [email protected]

Phones - AUDIO ONLY

Agenda

  1. Introductions
  2. Outstanding actions
  3. CDR Stream updates
  4. Q&A
  5. Any other business

Meeting notes

Introductions

  • 5 min will be allowed for participants to join the call.

Actions

Type Topic Update
Decision Proposal Decision Proposal 119 - Enhanced Error Handling Payload Conventions Link here
Question

Will it be required that the ADR who has as a result of accumulating the multiple ADHs data respond to requests or be obligated to provide this accumulated or consolidated data to all of the respective any or all the original ADHs?

In effect if you took a traditional PFM use case would where a consumer can “see all their accounts in one place”, that a consolidated view of transaction data forms the minimum data set that is eligible for reciprocity????

I do appreciate the whole question in regard to roles and privacy etc requirements on intermediaries (fully accredited or not) and provision of data to non-accredited third parties is awaiting determination. But the question would equally apply to any ADR, an accredited ADI or other entities that may accumulate multiple ADHs' data.

Under the Rules, reciprocal data holder obligations are turned on for accredited persons that are not ADIs only in respect of CDR data that is:


> Generated and held by the accredited person; and
> Generated and held in respect of a product that is publicly offered by the accredited person and generally known as one of the types in phase 1, phase 2, or phase 3 (see Clause 1.4 of Schedule 3).

That is, an accredited non-ADI will not be a data holder of CDR data that was disclosed to it under the CDR Rules.

For example, a non-bank lender who has also been accredited to operate as an ADR could be a DH for CDR data that it generates and holds, but not for CDR data that it holds because it was disclosed to it via the CDR regime.

Note that this response is concerned with non-ADI reciprocity (referred to as second case reciprocity).

Question Get Status and Get Outages (which falls under the Common API section on the CDS page, even though they are I think referred to as Admin APIs) - Are they required for Product Data Launch?

MV responded previously. Common APIs are in scope when an organisation becomes a data holder; not required for PRD but required when Consumer data is exposed.

Question Is the CDS Conformance Suite repository publicly available to build and run? As I noticed, the GitHub link given in the documentation is not accessible.

To distinguish the difference between validation tools and conformance tools we provide the following clarification.

The DSB has developed two validation tools; these enable participants to validate the schema and syntax provided in the participant's endpoint.

By contrast the ACCC is developing a Conformance Test Suite. The CTS will only be made available to participants in the process of onboarding to the CDR ecosystem. For Data Recipients this means you must be accredited. For Data Holders you must be registered in the months immediately preceding your commencement date for consumer data sharing.

Question In a previous meeting, you mentioned a facility you had developed to utilise product data already available. Could you please provide more information regarding where to find this facility and how to utilise it?

The Product Comparator Tool can be found here

Question Can you please clarify whether wholesale products form part of product data. It was noted in the last meeting that they do not but this is not reflected in the minutes.

No, Wholesale Products are not included as part of the Product Data for Phase 01

Question Are all the questions raised via these meetings and their answers logged in GitHub or do some remain solely in the meeting minutes? As the number of questions rises, being able to locate and be across all information provided is becoming problematic.

Thanks for the feedback, we are looking into better means to catalogue and store these questions/answers

Question 2.2. Number of CDR consumer complaints received for each complaint type, in accordance with your complaints handling process. Please provide more detail about complaint types

We anticipate that data holders would have a complaints handling process in place whereby they categorise CDR consumer complaints they receive in a particular way. For example, they may categorise a CDR consumer complaint to be one that relates to the availability or functionality of the data holder’s consumer dashboard, or one that relates to a data holder not providing all the requisite information when seeking authorisation, or a privacy-related complaint, etc.

However, rather than prescribing the complaint types, the current CDR rules leave it open for the data holder to categorise their CDR complaint types to align with their own complaint handling processes and report on the number of complaints for each complaint type on this basis.

Question

Are all possible fees for a product to be included? There are many different sorts of fees, some of which are highly unlikely for the majority of consumers and could actually confuse them E.g.


> Chequebooks are an option on a number of products and there could be chequebook fees applicable but only if they decide to have a chequebook
> Service fees in uncommon situations e.g. Trace on Electronic Debit/Credit, printed Transaction Listing, Overseas Visa card replacement, Telegraphic Transfer.

Data Holders should be representing the fees associated to the products they offer in a similar way to how they advertise products through existing channels. Where fees are publicly advertised it would be expected they would be represented in the PRD data. Banks have current obligations related to the disclosure of fees and rates for the products they offer to the market. The CDR is no different – it is simply a new channel which would still be governed by those obligations.

Question Can you please confirm that Voluntary and Required Product data referred to in the CDR Rules is NOT the same as the fields shown as Mandatory and Optional in the Data Standard? i.e. all data items in the Data Standard are Required Product Data and Voluntary Product data refers to additional fields or APIs that Data Holders can decide to add if they wish.

That is correct. Voluntary and Required Product Data referred to in the CDR Rules is NOT the same as the fields shown as Mandatory and Optional in the Data Standard.

Required product data are data clusters which must be disclosed by a data holder pursuant to a valid product data request. Voluntary product data are data clusters which may be disclosed by a data holder pursuant to a valid product data request. Clause 3.1 in Schedule 3 of the CDR Rules defines required product data and voluntary product data.

On the other hand, mandatory and optional fields in the data standards are fields which respectively must and may have a non-null value. For example, where the standard has a mandatory field, data holders are required to share that field, but where they do not have the data it must be represented as a default value or an empty value as applicable.

In brief, the data cluster language in the rules relates to the type of data which may or must be disclosed by a data holder; while the mandatory/optional fields language in the standards relates to the parameters for the APIs used to request and disclose CDR data.

CDR Stream Updates

Provides a weekly update on the activities of each of the CDR streams and their workplaces

  • ACCC Rules
  • ACCC CDR Register (Technical)
  • DSB CX Standards
  • DSB Technical Standards - Energy & Banking

Presentation

  • No Presentation this week

Q&A

Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can pre-submit questions to the DSB mailing box.

Currently received pre-submitted questions:

# Question Answer
#1 I was hoping you could provide guidance when is the obligation date for CDS technical standards v1.3.1? I would like to request that obligation dates be included in future version releases as currently there is no clear way to tell by when we need to comply. -
#2 2.2. Number of CDR consumer complaints received for each complaint type, in accordance with your complaints handling process. -
#3 3.3. Number of consumer data requests received from accredited persons on behalf of eligible CDR consumers -
#4 Clarification of questions: 7,8,10,13,14 from 14th of May 2020 -
#5 Follow up of:

Question regarding the term “publicly offered” (clause 1.4 of Schedule 3 to the CDR Rules)

Has any guidance been provided by the ACCC regarding what is intended by the term “publicly offered?” Clarification is sought as to how this term should be interpreted.

Should CDR data holders have regard to whether a product is considered “wholesale” or “retail” when determining if a product is in scope? If so, which definition of “wholesale” or “retail” should be relied upon? Where is this further information provided by the ACCC? We need to be able to evidence our decisions for inclusion/exclusions of products. Some of our product departments are adamant that their products are not intended to be included in CDR, however when interpreting the CDR Rules there is no justification for exclusion.

-
#6 Follow up on: 1) Section 3.2 of the CDR Rules (Joint account management services) provide details about revoking accounts owner by joint account holders. How should this process happen if an individual account owner wanted to revoke 1 of 2 accounts they are sharing with the ADR:-
a. Does consent need to be fully withdrawn and then re-consent OR
b. Can individual owners also have the capability of revoking an account?
-
#7 Question 1. The announcement stated that the application process is initially open to the fintech community and prospective data recipients can apply for accreditation at the Consumer Data Website. What is the effective date for its opening and URL. -
#8 Question 2. Who can initially apply. It continues to be stated in the Accreditation Guidelines that Unrestricted is currently the only level of accreditation. So in effect ADIs ??. Additional levels of accreditation are still to be finalised and approved. Or may other Fintechs apply yet? . -
#9 Question 3 May a Fintech Open Banking Solution provider or hosting service provider apply yet? Appreciating the details on Intermediaries and Third Parties are still being finalised. -
#10 Question 4 Would you please confirm an Open Banking Solution Provider contracted by a ADR ADIs or Fintechs be set as their endpoint connection to a DH. -

Notes

  • Stream Updates:

  • ACCC Rules Stream

    • Draft rules consulted on are now handed to Treasurer for review and sign off
    • Removed draft rule on CDR Logo; this will be covered under normal Trademark and licensing steps as part of onboarding
    • Link to latest updates for Rules are located here
    • Latest communications can be found here
  • CDR Register Team

    • RAAP released on Tuesday 26th of May 2020
    • Newsletter contains latest details and news
  • CX Stream Update

    • The CX Workstream is currently working with CPRC to set up a work plan and scope for their work in supporting community sector and consumer advocate consultation
      • Part of that work includes an audit of the standards and guidelines to assess how well they cater to existing consumer needs and expectations, including the needs of those experiencing vulnerability.
    • We have commenced R5 research on amending consent.
      • Preliminary findings from R4 suggest that:
        • Participants were able to recall their previous consent terms with a high level of accuracy
        • Recall ability improved as participants gained familiarity with the Consent Flow through repeated interactions
        • All participants had medium to high levels of trust and benefit in the use case and process; this either stayed the same or increased for most participants (82%) after repeated interactions with the Consent Flow
        • Certain components and steps in the re-authorisation flow could be simplified without compromising trust or the quality of consent
      • We will be putting out more detailed findings after we complete Round 5 research
    • We will soon be putting out a consultation on amending consent, including how this might be simplified.

  • Technical Work-stream

    • Standards 1.3.1 has been released - only small corrections, no build implications

Question and answers

# Question Answer/ Action

#1 Is a copy of the draft rules that have been submitted to the treasurer (with the changes) available for download/can we obtain a copy?
Answer: No, not at this time.

#2 Confused. Do data holders also have to be accredited before getting the CDR logo for consent flow? (ie. specifically authentication and authorisation process)
Answer: Answered in call by ACCC.

#3 We'd like to know if there is an update on this question from last week: "To be eligible to share data, each joint account holder needs to be over 18, and be the account holder for an account that is set up in such a way that it can be accessed online. If one joint account holder sets up their online access to the joint account, it could be argued that both joint account holders will be “account holders for an account that is set up in such a way that it can be accessed online” (i.e., it is accessible online, but only to the account holder who set up access). Is it the intention of the rules to capture joint account holders accounts where the second joint account holder is unable to access the account online?"
Answer: Answer continues to be discussed internally

#4 Have the amendments to 4.25 gone through unchanged or have they been removed?
Answer: These have been kept.

#5 Is there a demo/recording available of the current state of CX to understand the flow from the point of view of the various entities involved - customer, ADR, DH?
Answer: There is no recording currently available, but you can view the current wireframes/flow of the Consent Flow on our website. It is from the point of view of the consumer, but it does outline where the ADR and the DH sit in the Consent Flow. You can view that here. A more detailed response may be provided to you next week.

#6 Can banks engage digipass or push notification instead of OTP for first level of authentication of customer? Also, some of the read only transactions need additional level of assurance as per our banking standards though the regulatory did not mandate this for read-only transactions. Are banks allowed to do additional level of authentication for some of the read-only transactions?
Answer: Answered by Data Standards Body on the call

#7 Could you please share if there is a recording of the data61 webinar which was held on 26th.
Answer: Page containing a link to the recording can be found here

#8 Is pushed authorization a mandatory requirement for all data holders? Standard says "From November 2020, Data Holders MUST support Pushed Authorisation Requests via the pushed authorisation end point". It also says "If a Data Holder does not support Pushed Authorisation Requests (PAR), it MUST NOT support Request Object references".
Answer: Answered on the call by the Data Standards Body: "PAR is required by all data holders from November. The second statement was included to cover the scenario where a data holder chooses to partially implement aspects of the concurrent consent decision early"

#9 thanks for link to comparator tool - we notice that one of the banks isn't returning data, is that something that is being taken up with them or a potential issue with the tool?
Answer: Answered on call: The Enterprise has been contacted

#10 Generally speaking, w.r.t. Decision Proposals - how can we raise feedback/concerns and ensure our voices are heard? Github vs email?
Answer: GitHub is the preferred means; if you submit a question via email we will ask to post on your behalf to share with the community

#11 Hi, I am looking for a clarification about error codes in the standards, just wondering if this is the right place to ask that question or could you let me know where to direct this question? thanks
Answer: Answered on call by the Data Standards Body

#12 We are looking to check if there are any requirements or guidelines around the handling of requests that contain authorisation scopes that are not included in an ADR's SSA, but are subsequently requested as part of a consent flow. In this scenario, should the Data Holder reject the request OR instead, prompt the user for consent using previously registered scopes that match the request, ignoring the scopes that the ADR has not been registered for (saved as part of the SSA during the client registration process)?
Answer: -

#13
invalid_redirect_uri - The value of one or more redirection URIs is invalid.
invalid_client_metadata - The value of one of the client metadata fields is invalid and the server has rejected this request. This error value is also used when attempts at duplicate registrations for the same software_id are rejected:
invalid_software_statement - The software statement presented is invalid.
unapproved_software_statement - The software statement presented is not
Answer: Answered on call by Data Standards Body

#14 In terms of Data Latency, the following statement is available - "the requirement for data latency is that data presented via API end points should be commensurate to data presented via other primary digital channels" How could we interpret 'commensurate'? - at the same time as, or within seconds/minutes of other channels? https://consumerdatastandardsaustralia.github.io/standards/#data-latency
Answer: Answered on call by Data Standards Body

#15 as an ADR if we get consent for data scope A & B: and then do a data request for A & C, we are ok that gets rejected in full as it is not a valid request... a valid request in our view is for A, B or A+B
Answer: Answered on call by Data Standards Body

#16 is it possible to get a template of streamline accreditation application prior to registering?
Answer: -

Other business

  • TBA

Appendices

  • Not required

Next Steps

  • Notes to be added and written up
  • Next week's meeting scheduled