DSB Maintenance Iteration 20: Meeting Notes (21 August 2024) - ConsumerDataStandardsAustralia/standards GitHub Wiki
Meeting Notes
Release Plan
- Current version is v1.31.0.
- The outcome of Maintenance Iteration 20 will likely be published in v1.32.0.
Maintenance Iteration 20 Candidates
Holistic Changes
- #647 - Maintenance Iteration 20 Holistic Feedback
- No concerns have been raised by participants, DSB will proceed with staging non-breaking changes.
CX
- #646 Clarify selection of Trusted Adviser in the CX Guidelines
- An overview of the CX comment was provided, no issues were raised. Changes to the CX Guidelines will be limited to:
- the amendment from ‘Trusted Adviser Directory’ to ‘Select a Trusted Adviser’, for simplicity
- removal of the trust rating component in the ‘About Trusted Adviser’ screen
- clarify through a new CX Guideline that it is optional for an ADR to offer a TA disclosure service for any TA of the consumer’s choosing
- clarify through a new CX Guideline that a consumer's selection of a TA can constitute nomination
InfoSec
- #648 - Adopt BCP 195 for TLS ciphers
- This change will be staged.
- #650 - Weaken JARM Encryption Requirements for ADRs
- No information is available on which data holders require encryption of JARM responses, so discussion is deferred to a later meeting.
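As an added illustration of what adopting BCP 195 (RFC 8996 deprecating TLS 1.0/1.1, RFC 9325 recommending cipher suites) means for an implementer, the following Python is example code written for these notes, not part of the Consumer Data Standards or any participant's implementation. The suite list is assumed from RFC 9325 section 4.2 in OpenSSL naming; the function and constant names are this example's own.

```python
"""Constructed example: an SSLContext restricted to the BCP 195 profile, plus a
pure check over cipher-suite names. Suite list assumed from RFC 9325 s4.2 and
RFC 8996; names and helpers below are this example's own, not from the CDS."""
import ssl

# TLS 1.2 suites recommended by RFC 9325 section 4.2, in OpenSSL naming
# (IANA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE-RSA-AES128-GCM-SHA256).
BCP195_TLS12_SUITES = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
})

# TLS 1.3 suites are configured separately by OpenSSL; all are AEAD and are
# the ones RFC 9325 recommends (AES-GCM and ChaCha20-Poly1305).
BCP195_TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})


def classify_suites(names):
    """Split OpenSSL cipher names into (accepted, rejected) per the BCP 195 profile.

    Anything not in the profile (RSA key transport, CBC, 3DES, RC4, NULL) is rejected.
    """
    accepted, rejected = [], []
    for name in names:
        if name in BCP195_TLS12_SUITES or name in BCP195_TLS13_SUITES:
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


def make_bcp195_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Build an SSLContext that refuses TLS < 1.2 and offers only profile suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # RFC 8996: TLS 1.0/1.1 must not be used
    # Restricts the TLS 1.2 list; OpenSSL keeps its default (AEAD-only) TLS 1.3 suites.
    ctx.set_ciphers(":".join(sorted(BCP195_TLS12_SUITES)))
    return ctx


def context_offers_only_profile(ctx):
    """True if every suite the context could negotiate is in the profile and TLS >= 1.2."""
    names = [c["name"] for c in ctx.get_ciphers()]
    _, rejected = classify_suites(names)
    return not rejected and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    ctx = make_bcp195_context()
    print("profile-only:", context_offers_only_profile(ctx))
    # Constructed input: one legacy RSA/CBC suite and one profile suite.
    print(classify_suites(["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
```

The same `classify_suites` check can be run over the cipher list reported by a scanner against a live data holder or ADR endpoint to confirm nothing outside the profile is still offered.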
Banking
- #641 - Update CDS documentation to clarify expected rate value 'sign' (+/-) for each RateType
- The proposed change in this comment aligns with current interpretation and will be staged.
Energy
- #644 - AmountString field type impractical for energy tariffs
- Not discussed, no change proposed as stated in this comment.
- #652 - Specify units of currency to be used for the AmountString field type
- An overview of the proposed change, described in this comment was provided.
- If there are no further comments from participants the change will be staged.
- #653 - EnergyPlanTariffPeriod - cater for plans with no dailySupplyCharge
- An overview of the proposed change, described in this comment was provided.
- DSB is seeking feedback to align with the current FDO.
- Request to publish the change as errata rather than in a new version; if adopted, this would align it with the FDO for the original change.
- ACTION: Participants impacted by this change are asked to consider the proposal and advise if treating the change as errata can be accommodated.
Requirements Analysis
Common
- #610 - Addition of an (18 or over) Age Verification Flag
- Not discussed as there have been no comments since last meeting.
- OUTSTANDING ACTION: Participants to provide examples of use cases.
Banking
- #553 - Running balance available under transaction detail
- While there are a number of outstanding actions on this issue, there are compliance aspects which the DSB has escalated to the ACCC.
- Aside from the compliance aspects, based on feedback provided in previous meetings it is possible this request may become a separate endpoint. Further discussion of the fields and pattern required is needed. A question remains on whether new NPP code overlays are required and whether they apply to other endpoints.
- OUTSTANDING ACTION: ADR to clarify requirements in the options proposed in the original post.
- OUTSTANDING ACTION: ADRs to investigate whether information exists on differences between data holders that illustrate the problems with calculated balances.
- OUTSTANDING ACTION: DHs to provide clarification on the difference between 'current' and 'available' balances.
- OUTSTANDING ACTION: DHs to provide details on how balances are calculated.
- #636 - Remove BankingTransactionDetail and incorporate extendedData into BankingTransaction
- Not discussed, compliance aspects have been escalated to the ACCC.
- OUTSTANDING ACTION: DSB to follow up with Dima on NPP opinion. In progress
- OUTSTANDING ACTION: DSB to schedule offline discussion with SISS (Josh) on data quality analysis. In progress
- OUTSTANDING ACTION: Participants to provide feedback on the summary of earlier discussions in comment
Energy
- #651 - Supporting HTTP Status 429 passthrough from Secondary Data Holder
- The proposed trial to test passthrough of HTTP 429 responses is described in this comment and will be updated as details come to hand.
Security
- #628 - Addition of a DH-side endpoint for querying the status of a consent establishment flow
- Resolving consent drop-offs is a priority and was addressed in the Assistant Treasurer's letter to the Data Standards Chair.
- Authentication uplift, under consideration by the Information Security Consultative Group, will address some aspects; however, the package of required changes is a significant piece of work and will be progressed in Maintenance Iterations or as standalone Decision Proposals.
Other business
- Extended outages
- Recent multi-day planned and unplanned outages have caused problems in the ecosystem.
- DSB is interested in whether the Outages API is meeting the needs of ADRs to prepare and support consumers using CDR solutions.
- ADRs have noticed the problems and do rely on the Outages API. Extended outages cause customer complaints: internet banking is working, so consumers ask "why can't I see my data" and lay the blame on ADRs. ADRs requested that DHs make CDR outage information available to consumers via a mechanism other than the CDR Outages API to help alleviate this pain.
- When outages occur, consumers have the option to switch back to screen scraping. In practice they then don't switch back to CDR when the outage is over, preferring to wait until CDR is stable.
- Request to consider updating the NFRs and SLAs. If online banking were offline it would be in the news, so it would be helpful to put limits on CDR outages. Extended outages are really damaging for ADRs' CDR business.
- Concerns are exacerbated by the irony that small businesses do their accounting work on weekends, which is when CDR outages occur. This pattern of weekend work is also experienced by large lenders.
- Planned outages aren't included in the availability metrics, so DH availability will show as 100% regardless of how many planned outages occur in a month. Planned outages are intended to be commensurate in length and frequency with other channels and should be published to give ADRs one week's lead time. Further, outages may occur without notification if the change is to resolve a critical service or security issue.
- Concern that the availability standards are a SHOULD and therefore not enforceable.
- Suggestion to delete the third dot point, "May occur without notification if the change is to resolve a critical service or security issue", because it is so problematic.
- Participants have concerns that the CDR is not being treated as a first-priority system, but needs to be.
- The incident in question originally occurred over the weekend as a planned outage but wasn't resolved by Monday morning, so the planned outage was extended instead of being updated to an unplanned outage. This communication isn't accurate or helpful for ADRs managing their consumers' expectations.
- Request for data holders to notify their consumers of a CDR outage in the same way they do when they take internet banking offline. The preference is not to leave that communication to ADRs, but for DHs to take responsibility for providing this critical service.
- Issues emerging:
- Commensurate nature of CDR outages with other internet banking outages;
- Extension of planned outages that become unplanned outages; and
- Opportunity for DH communication on CDR outages to consumers to be improved.
- ACTION: DSB requests that participants raise an issue on outages if a standards change should be considered.
- Issue #660 - Revise the Availability Requirements NFRs was raised following the meeting.
Next Steps
DSB will stage the changes for candidates discussed in this iteration for community review. The community is invited to contribute to the discussion on issues affecting them.