ACCC & DSB Data Holder Working Group Agenda & Meeting Notes 2020_05_07 - ConsumerDataStandardsAustralia/standards GitHub Wiki
When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61262464433,785383900%23%23
Meeting Details:
Desktop or Mobile Devices
https://csiro.webex.com/csiro/j.php?MTID=m7c39ee9db5e5892ab35cd0bd7bbf94ce
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.
Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: [email protected]
Phones - AUDIO ONLY
- Primary Australia: +61 2 6246 4433
- Quick Dial: +61262464433,785383900%23%23
- Other Global Numbers: https://conferencing.csiro.au/Call-in.php
- Meeting Number/Access Code: 785 383 900
- Introductions
- Outstanding actions
- CDR Stream updates
- Q&A
- Any other business
Meeting notes
- 5 min will be allowed for participants to join the call.
Outstanding questions
Type | Topic | Update |
---|---|---|
Clarification |
The following question was submitted as part of the 16th of April 2020 Working Group: Under the CDR Rules, a data holder must have an internal dispute resolution process which complies with RG165. Do complaints or disputes include expressions of dissatisfaction in regards to Product Reference Data? The following answer was provided:The Rules require data holders to have internal dispute resolution processes that comply with provisions of Regulatory Guide 165 that deal with certain matters, as if references in Regulatory Guide 165 to complaints or disputes were references to CDR consumer complaints. CDR consumer complaints means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant that relates to, inter alia, the CDR participant’s obligations under or compliance with Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 or the binding data standards. |
There is now an update to the response for this question. Following further inquiries into this issue, the ACCC wishes to clarify that while a CDR consumer may make a complaint about product reference data and the data holder may wish to record that complaint, there is no requirement under the current version of the CDR rules for a data holder to report on or have particular internal dispute resolution processes in place for managing such complaints. This is because complaints from consumers about product data (defined in the Competition and Consumer Act 2010 (Cth) as CDR data for which there are no CDR consumers) fall outside the scope of what is to be considered a ‘CDR consumer complaint’, as currently defined in the CDR rules. Updated as of 7th of May 2020 |
Question | CDS Logo ownership, location and access for Data Holders and Data Recipients | The CDR logo will be issued to participants during the onboarding process. Before being able to use the CDR Logo, participants will need to register their intent to use the CDR logo and their acceptance of the terms and conditions of use. If there are changes to the logo over time, the logo will be reissued to participants along with new terms and conditions (if applicable). Rules relating to the use of the CDR logo are currently being consulted on. The CDR logo terms and conditions of use are currently under development and will be published on the ACCC’s website when finalised. The ACCC has made an application for registration of the trade mark for the CDR logo which is pending approval at this time. More information on the CDR Logo will be made available after the consultation process has concluded. |
Question | Given there will be many non-major ADI's requiring APRA endorsement for their CDR architectural concepts at the same time, what is the expected timeframe for the submission process? | To the extent an ADI has questions about its outsourcing functions (whether as a DH or an ADR) and APRA’s prudential regulations, those questions should be directed to APRA via the ADI’s usual compliance channels with APRA. The ACCC notes that the CDR Rules do not regulate the use of third party providers used by ADIs to implement their Data Holder solutions, but the CDR Rules do regulate the use of third party providers used by accredited ADIs to implement their Accredited Data Recipient solutions. APRA’s prudential regulations apply to ADIs independently of the CDR regime. |
Action | Can issue resolutions please be posted on maintenance issues along with closing comments? This will help participants understand what the outcome each issue is, rather than having to look into the release notes and find the changes. | Yes, they will be updated as we provide answers to specific issues on GitHub |
Question | Will it be required that the ADR who has as a result of accumulating the multiple ADHs data respond to requests or be obligated to provide this accumulated or consolidated data to all of the respective any or all the original ADHs? In effect if you took a traditional PFM use case would where a consumer can “see all their accounts in one place”, that a consolidated view of transaction data forms the minimum data set that is eligible for reciprocity???? |
Under the Rules, reciprocal data holder obligations are turned on for accredited persons that are not ADIs only in respect of CDR data that is: > Generated and held by the accredited person; and That is, an accredited non-ADI will not be a data holder of CDR data that was disclosed to it under the CDR Rules. For example, a non-bank lender who has also been accredited to operate as an ADR could be a DH for CDR data that it generates and holds, but not for CDR data that it holds because it was disclosed to it via the CDR regime. |
Question | Are the admin API's required for the launch of Product data for phase 1 | No, they are not required for Product Reference Data Phase 01 |
Question | Question for API standards team: Is the static payload test tool available to download for API conformance testing for PRD? If available to all participants, could you provide a link to that? | Link to the Conformance Test Suite is here |
Question | Is there any time frame for when the Data Recipients Working groups to commence? | At this time no date has been set for the Data Recipients Working Group Call to commence, however this call is open to both Data Holders and Recipients and we welcome participation from both parties here. |
Question | With regards to voluntary sharing of PRD prior to 1 Oct, if a Data holder chooses to share PRD data earlier, how would this impact timeline obligations for the other swim lanes or is this completely independent of other swim lanes? | If a Data Holder chooses to share PRD data earlier, this does not impact timeline obligations for other swim lanes. |
Question | Does the data holder need to apply for voluntary participation? |
Previous responses provided for questions similar to this included: As a Data Holder, you are not required to register on the CDR Register until you are required to share CDR consumer data with accredited data recipients in accordance with the timetable set out in under Schedule 3 of the CDR Rules. You are not required to register to share product reference data nor report on product reference data via the Admin APIs. Further clarification was provided: As a Data Holder, you are not required to register on the CDR Register until you are required to share CDR consumer data with accredited data recipients in accordance with the timetable set out in Schedule 3 of the Rules. You are not required to register to share product reference data (PRD). Reporting via the GetMetrics API is also delayed until Data Holders are required to share CDR consumer data, however, reporting under Rule 9.4(1) commences when Data Holders commence sharing PRD. We anticipate the approved form for reporting will be made available in the near future. At this stage, the ACCC anticipates Data Holders will be able to register via the CDR Participant Portal just prior to the CDR consumer data sharing obligation commencing. A Data Holder’s PRD URI can also then be captured on the CDR Register. The ACCC recommends making your PRD URI available on your website between now and when you are Registered as a Data Holder. We also note that on Friday last week, the ACCC made an announcement with respect to delaying the commencement date of product reference data sharing obligations in light of COVID – the media release is available here and newsletter here. |
Question | And what is the process of conformance/assurance testing for those who want to share PRD data early? | There is no process of conformance testing for PRD data. |
Question | You're asking Holders if they think it's ok that Recipient complaints aren't covered by the rules framework? Presumably this would be a resounding "Yes" from Holders... it doesn't cover what recourse Recipients have if Holders fail to deliver reliable and accurate CDR services. |
The Rules require data holders to have internal dispute resolution processes that comply with provisions of Regulatory Guide 165 that deal with certain matters, as if references in Regulatory Guide 165 to complaints or disputes were references to CDR consumer complaints. CDR consumer complaints means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant that relates to, inter alia, the CDR participant’s obligations under or compliance with Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 or the binding data standards. The ACCC may consider expanding the scope of internal dispute resolution and complaints processes for Product Reference Data if required in light of experience, including complaints we receive directly. |
Question | Question for ACCC rules team: I believe with the recent changes to the wording within Rule 4.25 (Withdrawal of authorisation to disclose CDR data and notification), is it correct to assume that Data holders are not mandatorily required to accept authorisation withdrawal requests in writing now, and they can chose to have that feature if they’d like? |
That is correct – the proposed amendment will mean that a Data Holder can allow a CDR consumer to withdraw authorisation to disclose CDR data to an accredited person by using an alternative method of communication made available by the Data Holder. The proposed amendment is intended to better reflect existing methods of communication made available by Data Holders to its consumers. DHs must always have two forms of mechanisms available to consumers to withdraw authorisations. One mechanism must be through the consumer dashboard, and the other may be of the DH’s choosing, but an alternate method must be in place. |
Question | Question for ACCC rules team: Section 2.1(2)(a) provides reference to ‘individual who is 18 years of age’ (Meaning of eligible section). What does the word ‘individual’ mean here in the context of Business products which are tailored for businesses/organisatons (business savings ac, business TD, business CC)? |
The proposed amendment to clause 2.1 to clarify that a CDR consumer is eligible is an individual who has an account with the data holder and is the account holder. This amendment is to clarify that the accounts in scope are those where the account holder is a natural person (not a legal person, e.g. a corporate entity). A business account will be in scope if the account is held in the name of one or two natural persons (e.g. a sole trader business). Further rules will be made to bring in accounts where the account holder is a corporate entity. |
Question | Is it required to display the CDR data requests made by data recipients in the data holder's consumer dashboard or is it just the Authorization details to be shown in the dashboard? | The details in rules 1.15 and 7.9 must be displayed in the data holder’s consumer dashboard. These details generally relate to authorisations and disclosures of CDR data. |
Question | Will there be rules for this dispute resolution process? |
The Rules require data holders to have internal dispute resolution processes that comply with provisions of Regulatory Guide 165 that deal with certain matters, as if references in Regulatory Guide 165 to complaints or disputes were references to CDR consumer complaints. CDR consumer complaints means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant that relates to, inter alia, the CDR participant’s obligations under or compliance with Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 or the binding data standards. The ACCC may consider expanding the scope of internal dispute resolution and complaints processes for Product Reference Data if required in light of experience, including complaints we receive directly. |
Question | Hello there, Stage 4 dates for non-majors are still Feb-2021 or will it be considered to be extended ? | The ACCC is conscious of the impacts of COVID-19 but no other changes have been made to the timeframes for the CDR as yet. Any future changes to the timetable will be communicated via the ACCC’s CDR newsletter. |
Question | Asking recipients to use "commercial channels" with billion dollar banks is pointless. It seems like ACCC needs to be ensuring that Holders aren't "mistreating" Recipients |
The Rules require data holders to have internal dispute resolution processes that comply with provisions of Regulatory Guide 165 that deal with certain matters, as if references in Regulatory Guide 165 to complaints or disputes were references to CDR consumer complaints. CDR consumer complaints means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant that relates to, inter alia, the CDR participant’s obligations under or compliance with Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 or the binding data standards. The ACCC may consider expanding the scope of internal dispute resolution and complaints processes for Product Reference Data if required in light of experience, including complaints we receive directly. |
Question | Is there an update on Reporting forms and PRD reporting guidance. The last udpate was: "We are expecting to release the approved reporting forms by the end of the month. We expect to release further guidance on our reporting expectations for phase 1 PRD obligations alongside the reporting forms." | We anticipate an announcement to be made about the approved reporting forms and associated guidance via the CDR newsletter this Friday. |
Question |
ANZ is looking for some clarity around closed accounts. Scheduled payment Could someone from the rules team please comment on the points above? |
Answer is being prepared |
Provides a weekly update on the activities of each of the CDR streams and their workplaces
- ACCC Rules
- ACCC CDR Register (Technical)
- DSB CX Standards
- DSB Technical Standards - Energy & Banking
Title: White Labelled Products
Presenter: Andrew Breeze, ACCC
The ACCC will provide clarification regarding white label products under the CDR. We will also set out our proposed next steps, and the options for stakeholders who would like to provide information and feedback.
Link to the presentation can be found here.
Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can pre-submit questions to the DSB mailing box.
Currently received pre-submitted questions:
# | Question | Answer |
---|---|---|
#1 | Standards question - The get account detail API has the extended data section. The only service catered for in the standards is X2P1.01. We also get a number of other services/transactions via NPP (eg X2P1.02, X2P1.03). Why are these not catered for and is there any intention to add these services? | Clarification found in Issue 157 and Change Request has been raised in Issue 181 |
#2 | Rules question - On github a question was asked about Joint Account Management Service - https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/123#issuecomment-622282537 about what are the possible scenarios relating to JAMS. The CDR response was counter to our understanding of this clause. The text in the rules states (continued in Appendix A) | Answer provided in Appendix A |
#3 | On the Data Holder Working Group 23/04/2020, a question was raised regarding whether another security review will be conducted. The response was that it was being internally reviewed and it will be advised if another Security review is required. Can you please give an update on this issue. Will a security review be conducted ? If so, is this likely to be prior to go-live? |
- |
#4 | During the Data Holder Working Group held on 16/04/2020, a participant asked a question about the on-sharing of data (question 1 of Question and Answers). During the Data Holder Working Group held on 30/04/2020, we followed up asking when a response was going to be provided (question 1 of Q&A). We believe this issue has significant implications for data holders and consumers, including security and privacy, and thus merits formal discussion. Can we please get an update. |
- |
# | Question | Answer/ Action |
---|---|---|
#1 | Could you please confirm how we find details of the CDR 101 session? | Link to be sent out soon. |
#2 | Hi, I've got a question around the Data Standards. Can you please let me know what is the maximum length for the URIString field used in the response schema's for some of our APIs? | No defined length for the URIString field - however, this should still remain functional and usable by both the Data Holder and its consumer. |
#3 | Regarding Accessibility Standards. In CX Standards it has been stated that CDR participants must seek to comply with the said area. Does this mean that if the participants took a reasonable steps to comply with the understanding guideline would be sufficient or all the success criteria mentioned in the understanding guidelines have to be complied with. | Question taken on notice |
#4 | Could you clarify the answer to the question about 'Admin APIs' from last week - are the Get Status and Get Outages APIs required as part of the non-major PRD release in July/October? (noting they are not in the 'Admin APIs' section of the standards.) If not mandatory, are there any concerns about releasing them voluntarily at the PRD stage? | - |
#5 | Last week there was mention of a 1.3.1 version of the standards to rectify bug fixes, when can we expect this update? | Soon to announce a time frame for Standards v1.3.1 |
#6 | Can you please clarify issue#214 -Below link for client registration endpoint states: https://consumerdatastandardsaustralia.github.io/infosec/#13-9-client-registration-endpoint "Data Holders MUST ensure that the CN (Common Name) in the Client certificate subject field matches the software_id claim present in the software statement." We cannot see this statement in the security profile present in our consumer standards 1.3.0 Is it something missing in 1.3.0 or this requirement of DH removed from 1.3.0 security profile? | Question taken on noice |
#7 | Re Brookes statement regarding she mentioned 'primarily for retail banking, not bespoke products...': Can you clarify where this is defined regarding the scope for product reference data | - |
#8 | Hi Jarryd... is there an ETA for when the minutes from last week be finalised? | By the 8th of May 2020 |
#9 | Question following up from pre-submitted Question 2. Is it permissible to implement only two-to-authorize without the one-to-authorize mechanism? | - |
#10 | On Privacy Safeguards 11&13 - The current API Standards don’t allow for qualification statements or accompanying information to be included as part of CDR data responses. There is also no current mechanism for a DH to re-send the corrected data to an ADR, as the current API Standards don’t allow for ‘Push’ notifications. The only way for the ADR to obtain the corrected CDR Data is for the ADR to request for the same data again. How is the ACCC planning to address the issues with implementing the Privacy Safeguards? | Question taken on notice |
#11 | Can I just confirm that there is a requirement to record complaints regarding PRD made by other CDR participants? | - |
Other business
- Consumer Data Right introductory session to be held shortly - focus of the session is informational for attendees to become acquainted with the Rules, Designation Instrument, CX, Tooling and communication points. While this coincides with the consultation into the Energy Sector this is open to all Consumer Data Right participants who may find this informative. Link to come soon.
continued from Pre-submitted question #2
4.2 Joint account management service
(1) A data holder that could be required to disclose CDR data that relates to a joint account must provide a service for joint accounts with the data holder that can be used:
(a) by both of the joint account holders together to jointly elect, to the satisfaction of the data holder, that each joint account holder will individually be able to:
(i) make consumer data requests directly to the data holder for information that relates to the joint account; and
(ii) give authorisations to disclose CDR data in response to consumer data requests for information that relates to the joint account that are made by accredited persons; and
(iii) revoke such authorisations, whether given by themselves or by the other joint account holder; and
(b) by either of the joint holders individually to revoke, to the satisfaction of the data holder, such an election.
Note: This subclause is a civil penalty provision (see rule 9.8).
(2) The service may, but need not:
(a) be online; and
(b) include a functionality that permits the joint account holders to:
(i) elect, to the satisfaction of the data holder, that both joint account holders will be able to perform the tasks referred to in subparagraphs (1)(a)(i), (ii) and (iii) together; and
(ii) revoke, to the satisfaction of the data holder, such an election.
We read this to mean that both must have elected for either to consent individually. Or, visually:
Jack JAMS setting | Mary JAMS setting | Jack can consent on Joint account | Mary can consent on joint accounts |
---|---|---|---|
N | N | N | N |
Y | N | N | N |
N | Y | N | N |
Y | Y | Y | Y |
As such we do not ever see a scenario where you have either of
Jack JAMS setting | Mary JAMS setting | Jack can consent on Joint account | Mary can consent on joint accounts |
---|---|---|---|
Y | N | ||
N | Y |
Please clarify the intentions of this rule – ideally using same table structure
Answer from ACCC
The ACCC’s position on joint accounts is as per point one. I.e.:
Jack JAMS setting | Mary JAMS setting | Jack can consent on Joint account | Mary can consent on joint accounts |
---|---|---|---|
N | N | N | N |
Y | N | N | N |
N | Y | N | N |
Y | Y | Y | Y |
For completeness, we note that the difference in Schedule 3, clause 4.2(1)(a) and 4.2(2)(b) is that in the former only the joint account holder requesting the good or service completes the authorisation process (the JAMS election allowing that both account holders are able to authorise individually and at any time, having already been made by both account holders in respect of the account). However, in the latter, clause 4.2(2)(b), both must complete the authorisation process to allow sharing on that account at that particular time. The ACCC encourages data holders to build to the latter, ‘two to authorise’ state. To illustrate this through the current example:
Jack JAMS setting | Mary JAMS setting | Jack can consent on Joint account | Mary can consent on joint accounts | |
---|---|---|---|---|
Under a 4.2(1)(a) election process (‘one to authorise’) | Y | Y | Jack individually authorises sharing on the joint account | No action beyond the JAMS election is required of Mary |
Under a 4.2(2)(b) process (‘two to authorise) | Y | Y | Jack must authorise the sharing on the joint account and CDR data must not be shared until Mary has authorised too | Mary must also authorise the sharing on the joint account |
- TBA