ACCC & DSB Data Holder Working Group Agenda & Meeting Notes 2020_04_16 - ConsumerDataStandardsAustralia/standards GitHub Wiki

ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (16th April 2020)

When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61262464433,785383900##
Meeting Details:

Desktop or Mobile Devices https://csiro.webex.com/csiro/j.php?MTID=m7c39ee9db5e5892ab35cd0bd7bbf94ce
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.

Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: [email protected]

Phones - AUDIO ONLY

Agenda

  1. Introductions
  2. Outstanding actions
  3. CDR Stream updates
  4. Q&A
  5. Any other business

Meeting notes

Introductions

  • 5 min will be allowed for participants to join the call.

Actions

Outstanding questions

| Type | Topic | Update |
|---|---|---|
| Rules | Under the CDR Rules, a data holder must have an internal dispute resolution process which complies with RG165. Do complaints or disputes include expressions of dissatisfaction in regards to Product Reference Data? | This would be captured in the complaints and dispute for CDR Consumers |
| CDR Register | https://github.com/cdr-register/register/issues/31 | Issue is being tracked through https://github.com/cdr-register/register/issues/93. |
| Compliance | Issue 162 - Product Reference Data Conformance to CDS | ACCC are currently reviewing this issue |
| CX Guidelines and Rules | CDS Logo ownership, location and access for ADHs and ADRs | Response pending |
| Data Standards | https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/182 | Issue has been provided with an answer. |
| Data Standards | https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/183 | This issue is in the DSB's backlog and under review |
| CDR Register | https://github.com/cdr-register/register/issues/88 | Issue has been provided with an answer. |
| Data Standards, Rules and Compliance | Definition of a "Tolerable delay" - Please advise what is a tolerable delay to show the transaction in the API response from the moment transaction is made. | From a standards perspective please refer to https://consumerdatastandardsaustralia.github.io/standards/#data-latency. Within this proposal there is no specific requirement with regard to data latency (i.e. how up to date data should be). Instead, the requirement for data latency is that data presented via API end points should be commensurate to data presented via other primary digital channels. For example, for a Bank that provides a mobile application as their primary digital experience, a balance presented via one of the balance end points should be the same as the balance presented through the mobile application. It should reasonably match what you see in your Internet Banking channel, so if you see your salary deposited on your Data Holder’s internet banking application, it should be represented in the Data Holder’s endpoint in a reasonable period of time. The follow-up question was around enforcement, and the answer was that this should be policed/enforced via the consumer complaint process. |
| CDR Register | In 'create register', there is version "x-v" passed in header but version is not mentioned in other 3 register operations (get/modify/delete), maybe the documentation needs to be updated? I believe all register APIs are versioning enabled | Issue has been raised here: https://github.com/cdr-register/register/issues/95 |
| CDR Register | Are banks required to register for PRD before becoming Data Holders? | As a Data Holder, you are not required to register on the CDR Register until you are required to share CDR consumer data with accredited data recipients in accordance with the timetable set out under Schedule 3 of the CDR Rules. You are not required to register to share product reference data nor report on product reference data via the Admin APIs. Also see ACCC’s latest CDR Newsletter |

CDR Stream Updates

Provides a weekly update on the activities of each of the CDR streams and their workplaces

  • ACCC Rules
  • ACCC CDR Register (Technical)
  • DSB CX Standards
  • DSB Technical Standards - Energy & Banking

Presentation

No presentation is scheduled for this week.

Q&A

Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can pre-submit questions to the DSB mailing box.

Currently received pre-submitted questions:

| # | Question |
|---|---|
| 1 | No pre-submitted questions have been received |

Notes

Stream updates:

Rules

  • End of next week for rules update draft; delayed by one week

  • Commencement schedule is not part of the rules update draft

  • Any issues or queries for commencement dates will be handled from a separate announcement

Register

  • Register 1.1.1 is not published yet; it requires internal sign-off and will be published once that is completed

  • External identifiers used on the dashboard: GitHub Issue #94 has been raised to solicit the information from the consultation group, for the get data recipients API

CX

  • Last week CDR logo use and joint account consultation wrapped up, heaps of feedback was provided -- thank you to all

  • All outcomes and directions are interrelated with the rules, so all decisions will be delayed to be completed in tandem with the rules consultation; thus they will not be part of 1.3.0

Technical

  • Banking

    • Decision proposal 99 for concurrent consent is under review by the data standard advisory committee by end of week; to be included and published in the 1.3.0 standards, together with the iteration 2 change requests

    • Iteration 03 -- end of current week 17th of April for feedback

  • Energy

  • Engineering

    • Working in the background on a number of artefacts with a 1.2.0 version to match the standards

    • Moving to optimise our artefacts to fast follow newly released standards uplifts

    • Key features

      • Parameterised test tools are replaced with Jupiter test tools

      • Moving away from pure code generation model

      • Targeting 1.3.0 release of the standards, due for 17th of April 2020

Other business

  • No presentation this week

Question and answers

| # | Question | Answer |
|---|---|---|
| 1 | 1. When an ADI receives CDR data from an external source it becomes a Data Holder of that data (Sec 56AJ(4), and explanatory notes 1.88). 2. Must this external data be included in the data provided to the CDR Consumer (when answering a direct request from the consumer)? 3. Must this external data be included in the data provided to an Accredited Person (when answering a third party data request)? | Response to be provided. |
| 2 | 1. CDR data that becomes redundant must be de-identified or destroyed (Sec 56EO(2) Privacy Safeguard 12). Data becomes redundant when it is no longer needed by the Data Recipient (Sec 56EO(2)). 2. Is the redundancy of CDR data automatically tied to the finish of a consumer's CDR consent period, i.e. are the two events linked together, or are they separate and unrelated? 3. If these two events are indeed linked, what are the legislative or CDR Rule references for this linkage (other than through section headings)? | Response to be provided. |
| 3 | 1. What public education about CDR/Open Banking is planned to be rolled out, and if so, when and what channels are planned to be used? | Response to be provided. |
| 4 | 1. Given there will be many non-major ADIs requiring APRA endorsement for their CDR architectural concepts at the same time, what is the expected timeframe for the submission process? | Question taken on notice, response to be provided. |
| 5 | Are there any compliance/reporting requirements relating to Product Data (phase 1)? ACCC Response: Under rule 9.4(1)(c) -- data holders are required to report every six months on the number of product data requests received during the reporting period, as well as the number of times the data holder refused to disclose data in response to a request and the rule or standard relied on for the refusal. We then followed up asking: Regarding your response to question 13, Rule 9.4(1)(c) states that the report required every six months will be "in the form approved by the Commission for the purposes of this rule". Has the form been defined, and if so where can we find that please? The ACCC then provided us a form (attached) that was in draft awaiting feedback. This form is focused on Accredited Data Recipients reporting requirements, and does not clearly address what a Data Holder will need to provide during phase 1 (when only product data is being shared). We are seeking clarity on how to report to the ACCC, as a data holder, requirements relating to our product reference data, in accordance with rule 9.4(1)(c). | Form is not approved by commission yet. Action: ACCC to pass on to the compliance and enforcement team to reach out to TMBL for discussion. |
| 6 | On how the form can be submitted, will it be manual submission or via API | Initial capture mechanism will be a manual submission. The delivery method will be formalised as part of the announcement. |
| 7 | Non majors -- reporting on Product Data, only required when exposing compliance endpoints. The number of times a data holder refuses a request, is this required to be made available? Metrics API -- requires authentication and is expected to be part of the CDR Consumer Data Obligation. The 6mnth report is separate to this and is required. | Response to be provided. |
| 8 | Further to the RG165 question, how are bank to bank/third parties complaints meant to be managed under RG165? | ACCC to provide a response |
| 9 | Is there any indication when any possible change to the Nov or other timeline dates mentioned at start might be happening in view of Covid or otherwise | ACCC continue to monitor the current situation -- no update as of yet. |
| 10 | Brooke around the questions related to compliance/reporting requirements relating to product data (phase 1) be shared with the whole group, or noted on GitHub or meeting minutes? | Response to be provided. |
| 11 | Could you share how to access the excel template for semi annual reporting of Product data and refusals mentioned before? | Once forms are approved -- will be shared |
| 12 | Issue 187: https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/187 | Answer provided in Issue |
| 13 | Requests blocked at hardware level -- do they need to be reported on. | Request sent through to ACCC. Response to be provided. |
| 14 | Can we please re-visit the question from last week "Under the CDR Rules, a data holder must have an internal dispute resolution process which complies with RG165. Do complaints or disputes include expressions of dissatisfaction in regards to Product Reference Data?" - as the answer shown in MoM ("This would be captured in the complaints and dispute for CDR Consumers") is not really clear. Thanks | ACCC to provide a response |
| 15 | Are Banks required to register for the PRD endpoints? | Banks are not required to register until under Schedule 03 |

Other business

  • None

Next Steps

  • None