DSB Maintenance Iteration 22: Meeting Notes (5 February 2025) - ConsumerDataStandardsAustralia/standards GitHub Wiki

Meeting Notes

Release Plan

  • Current version of the standards is v1.33.0.
  • The outcome of Maintenance Iteration 22 may be published in v1.34.0 or later.

Updates

BCP195 - Transaction Security Ciphers

  • The future-dated obligation for this change to TLS and ciphers is approaching; it was made to align with FAPI 2.0.
  • If participants have any concerns regarding this change, they're encouraged to raise a ticket on the CDR Support Portal.

Consultative Groups

  • Information Security

    • A Noting Paper on the Chair's opinion on best practice security, incorporating redirect to app, which is working well in the UK, will be published soon. A series of Decision Proposals to consult on specific changes to the Security Profile will follow.
    • Issues "Addition of a DH-side endpoint for querying the status of a consent establishment flow" (#628) and "Inconsistent JARM error responses" (#649), consulted on in the last few Maintenance Iterations, have been moved to the backlog as they will be addressed through the work of this Consultative Group.
      • Consensus from attendees is to wait for more information from the Consultative Group to inform progress.
  • Non-Functional Requirement

    • Meetings for this group in February have been cancelled but there's lots of work going on in the background. The work of this group will generate a number of Decision Proposals for consultation on specific changes.

Outages and drop offs

  • Outages and drop offs continue to be problematic; there are a number of policy-related issues that we are working through with Treasury.

OpenID FAPI 2.0

Proposed Candidates

The candidates proposed for MI22, arising from discussions in the meeting on 5 February, are tabled below and were posted on DP 386. We invite Participants to review the change requests to provide opinion on the problem space and options where available to facilitate discussions in Meeting 2 on 19 February. Discussion notes on the proposed candidates are included below the table.

| Domain | # | Issue | Comments |
|---|---|---|---|
| MI22 | 683 | Maintenance Iteration 22 Holistic Feedback | Two minor fixes are proposed on this issue one Energy and one Banking |
| CX | 674 | CX Guidelines - Updates stemming from 2024 Consent Review changes | |
| CX | 684 | CX Guidelines - ADI or NBL to hold CDR data as a DH | |
| Security | 650 | Weaken JARM Encryption Requirements for ADRs | |
| Security | 682 | Spec alignment - OpenID Provider Configuration and issuer value | |
| Register | 679 | Update SSA specification | |
| Banking | 656 | A status of POSTED should indicate the final update for a transaction | Issue #173 Behaviour where posted transactions only have an associated date is related |
| Banking | 553 | Running balance available under transaction detail | |
| Banking | 681 | Retirement date for Get Transaction Detail V1 | |
| Banking | 678 | New Error Code for Product Data Requests where the Data Holder does not hold the required Product Reference Data | |
| Energy | 680 | Jurisdiction Code of ISO | |
| Energy | 677 | Energy transaction fields should be conditional | |
| Energy | 662 | Extend Get Generic Plan Detail to include a new field: tariffCode | Included in error, participants to advise if it should be a candidate |
| NFR | 660 | Revise the Availability Requirements NFRs | |

Discussion Notes on proposed candidates

Maintenance Iteration 22

#683 - Maintenance Iteration 22 Holistic Feedback

  • Two minor fixes are proposed on this issue: one Energy and one Banking.

CX

#674 - CX Guidelines - Updates stemming from 2024 Consent Review changes

  • This issue has been carried over from MI21.
  • Additional draft guidance has been prepared by the DSB; the details are available in two posts on 5 February 2025 and 6 February 2025.
  • Participant review and feedback is welcomed.

#684 - CX Guidelines - ADI or NBL to hold CDR data as a DH

  • This issue provides guidance on consent management and how it might manifest on dashboards as a result of changes to Clause 7.2 in Schedule 3. These changes extended to the NBL sector.
    • ACTION Participant review and comment required.

Security

#650 - Weaken JARM Encryption Requirements for ADRs

  • ACTION Biza has more information and will post an update for further discussion.

Register

#679 - Update SSA specification

  • Change is to resolve an issue that is blocking registration updates in some cases.
  • Priority for the ACCC.

#682 - Spec alignment - OpenID Provider Configuration and issuer value

  • The Register OpenID configuration has a different host to the issuer, which is not compliant, and a fix should be considered.
  • ACCC is reviewing the impact of this issue as it will affect all participants.
    • ACTION: Participants to consider the impact for a discussion on options.

Banking

#656 - A status of POSTED should indicate the final update for a transaction

  • This is an ongoing issue that has been carried over from MI21.
  • A small number of Data Holders are presenting authorised credit card transactions with a status of posted when the status is inconsistent with the usual lifecycle of a transaction.
  • A range of options have been proposed in this comment.
  • In one participant's opinion, Option 1 would appear to solve the problem for 99% of Data Holders.
    • ACTION: Data Holders requested to comment on the accuracy of this assumption.
  • A majority of the options could be converted to individual change requests because they each deal with a slightly different problem.
  • One participant felt that for most commercial banking systems Option 2 would be almost impossible. Banking systems are not accounting systems.
  • Some smaller Data Holders change the amount and identifier for transactions that are adjusted in some way; therefore they cannot be reconciled against existing transactions.
  • Issue #173, "Behaviour where posted transactions only have an associated date", is related to Option 4.

#553 - Running balance available under transaction detail

  • This is a long-running issue that has been carried over from previous iterations.
  • Relates to reconciling transactions and understanding balances over time.
  • Ongoing concern that this issue relates to data quality and inconsistency between CDR and internet banking apps. Some banks are 36 hours behind in posting transactions, which means over Easter there will be a 7-day delay.
  • One participant noted the wording in rules and relationship to standards doesn't appear to be strong enough; they think it's SHOULD, not MUST.
  • Discussion included adding a timestamp to the endpoint as a potential solution.

#681 - Retirement date for Get Transaction Detail V1

  • Straightforward change to consider a retirement date.
    • ACTION: Data Holders and ADRs to advise on an appropriate period of time to support V1 and V2.

#678 - New Error Code for Product Data Requests where the Data Holder does not hold the required Product Reference Data

  • This was proposed as a candidate.
  • There is a related Service Management Portal ticket with the ACCC.

Energy

#680 - Jurisdiction Code of ISO

  • The ISO Jurisdiction code is returned for some NMIs that are outside the National Energy Market (NEM) and is causing failures in API calls.
  • ISO is defined as Isolated and relates to NMIs in Far North Queensland.
  • The data being returned is of reasonable quality and would be useful to consumers, however ACCC is considering whether, despite being outside the NEM, it would be appropriate for Ergon to provide the data voluntarily.
  • While the addition of a new ENUM would generally be considered a breaking change, because the breaking change has already occurred it would be possible to consider this change non-breaking.
    • ACTION Participants to comment on whether this could be a non-breaking change.

#677 - Energy transaction fields should be conditional

  • Candidate proposed by the DSB.
    • ACTION Participants to comment on whether this could be a non-breaking change.
    • ACTION Participants to consider other changes that could be made that affect the same endpoint.

NFR

#660 - Revise the Availability Requirements NFRs

  • The following notes reflect the views of some participants on the call:
    • Some participants commented that outages during business hours are problematic for customers relying on ADR services for access to banking data for their operations.
    • Participants commented that CDR is as important and viable as internet banking but not managed the same way.
    • One data holder has a scheduled outage from 11:00PM to 2:00AM every night, which indicates the way their system is architected. Internet banking is 24x7, the expected availability for CDR.
    • Tightening up the wording of the standards would help.
  • DSB proposed a number of options for participant consideration in this comment.
    • ACTION Participants to review options and provide comment.