Momentum is finally building for the July 1 introduction of transformative Consumer Data Right (CDR) legislation after the Australian Competition and Consumer Commission (ACCC) released detailed guidelines about the information banks will be required to give you when you ask for it.
CDR, which forms a core plank of the broader open data movement, is designed to improve transparency and access to customer data by making it easier to switch bank accounts, credit cards, and other products.
It passed into law last July and since then, banks have been voluntarily sharing information about their products – for example, interest rates, fees and charges, and eligibility criteria – with each other and with non-bank organisations, such as brokers, in a standard format.
- From 6 February, this is now a legal requirement.
- From 1 July, banks will also have to provide you with key information about the data they hold about you and your various accounts, and let you direct this to a third party.
- From 1 November, they’ll also have to share data about mortgages and personal loans.
“Product reference data is vital for accredited data receiving businesses to provide comparison services and potentially offer better deals to consumers,” ACCC commissioner Sarah Court said in a statement announcing the new Competition and Consumer (Consumer Data Right) Rules.
Enshrining the rules about how CDR will work in law is “a major milestone in delivering the CDR in banking,” she said.
Even as CDR’s rollout brings open banking to the financial-services industry, similar requirements will soon take effect in industries including energy and, potentially, telecommunications.
Promoting competition in banking
The CDR Rules reflect extensive work with the Data Standards Body (DSB) – in this case, CSIRO’s Data61 data arm – to delineate the technical standards to be used for representing consumer data in an interchangeable format.
Those standards, which are currently in the 1.2.0 release and available on GitHub, support a host of new rules that are arranged into nine major parts.
Consumer data requests are managed through mandatory consumer dashboards, which are defined within the rules as “simple and straightforward” interfaces that enable management and withdrawal of authorisations for access to a consumer’s CDR data.
You grant such an authorisation so that a third party can request details of your financial history directly from the bank, putatively for the purpose of providing you with new options for alternative financial products.
Each CDR authorisation must, the rules outline, include details of the specific CDR data that has been authorised to be disclosed, when the authorisation was given and for how long, and more.
Authorisations expire at most 12 months after they are given.
Consumers can also request that “redundant data” held about them be deleted and withdraw their consent for third parties to access their data – unless the data is required under a legal order or the requesting party is involved in a dispute.
Any copies of the requested data must be deleted, and companies holding the data must also request the same from anyone else who has access to it.
Despite mandating the release of data when a CDR Product Data Request is made, the CDR Rules also allow data holders to refuse to disclose required product data in certain situations – such as preventing “physical or financial harm or abuse” or compromising the “security, integrity, or stability” of the data holder’s IT systems.
Data holders will be required to regularly report summaries of CDR activity including the number of product data requests and consumer data requests they received during the reporting period.
They’ll also need to report how many requests they refused, and why.
Avoiding another de-identification disaster
The CDR Rules also spell out the process that accredited data recipients have to follow when de-identifying CDR data – including applying an “appropriate” de-identification technique and deleting the original CDR data – as well as requiring them to keep track of to whom the de-identified data was provided.
De-identification has been a tricky issue for government bodies like Medicare, which released a massive anonymised data set that was revoked in 2017 after Melbourne University researchers demonstrated that cross-referencing could be used to match the data with individual Australians.
And last year, Public Transport Victoria was ruled to have breached privacy laws after releasing almost 2 billion lines of de-identified information during a data hackathon.
Researchers demonstrated how they could reliably identify a specific person’s movements by correlating just a few points of data.
The CDR Rules recommend use of the CSIRO’s De-Identification Decision-Making Framework (DDF) to guide this decision-making process.
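The Medicare and Public Transport Victoria cases above turned on the same point: once direct identifiers are stripped, a handful of remaining attributes (postcode, birth year, a couple of transaction dates) can still single out one record. The script below is an added illustration of the risk check a data recipient might run before release; it is not part of the CDR Rules, the DSB standards or the DDF, and the account records and field names are constructed for the example. It measures k-anonymity (the size of the smallest group of records sharing the same quasi-identifier values) and shows how generalising those fields changes the result.

```python
from collections import Counter

# Constructed sample of "de-identified" account records: names and account
# numbers removed, but quasi-identifiers retained. Not real data.
SAMPLE_RECORDS = [
    {"postcode": "3000", "birth_year": 1985, "tx_days": ("2020-01-03", "2020-01-10")},
    {"postcode": "3000", "birth_year": 1985, "tx_days": ("2020-01-04", "2020-01-11")},
    {"postcode": "3000", "birth_year": 1985, "tx_days": ("2020-01-03", "2020-01-10")},
    {"postcode": "3121", "birth_year": 1990, "tx_days": ("2020-02-01", "2020-02-08")},
    {"postcode": "3121", "birth_year": 1990, "tx_days": ("2020-02-01", "2020-02-09")},
    {"postcode": "3122", "birth_year": 1992, "tx_days": ("2020-02-02", "2020-02-08")},
]


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size. k == 1 means at least one record is unique on these fields."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are the only member of their class (directly re-identifiable)."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for size in classes.values() if size == 1) / len(records)


def generalise(records):
    """One mitigation: coarsen postcode to area, birth year to decade, drop transaction dates.

    Field names postcode_area / birth_decade are this example's own choice.
    """
    return [
        {"postcode_area": r["postcode"][:2], "birth_decade": r["birth_year"] // 10 * 10}
        for r in records
    ]


if __name__ == "__main__":
    raw_fields = ("postcode", "birth_year", "tx_days")
    print("raw k =", k_anonymity(SAMPLE_RECORDS, raw_fields),
          "unique =", unique_fraction(SAMPLE_RECORDS, raw_fields))
    gen = generalise(SAMPLE_RECORDS)
    print("generalised k =", k_anonymity(gen, ("postcode_area", "birth_decade")),
          "unique =", unique_fraction(gen, ("postcode_area", "birth_decade")))
```

On the constructed sample, postcode and birth year alone already leave one record unique, and adding two transaction dates makes four of six unique; after generalisation every record shares its class with two others, at the cost of analytic detail, which is the trade-off a framework like the DDF is meant to guide.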
CDR has crawled towards implementation for several years, having been delayed due to the complexity of the industry-wide mandates.
It’s the latest in a series of initiatives the ACCC has pursued to make the financial-services industry more transparent and accountable for its financing decisions.
Introduction of home-loan comparison rates, for example, aimed to illuminate the sometimes-opaque conditions attached to banks’ mortgage lending.
Yet CDR hasn’t been without its controversies, with fintech advocates recently complaining that certification is too expensive, privacy watchdogs concerned that CDR is nowhere near as protective of privacy as it needs to be, and consumer groups warning that startups were poised to leverage the data to swoop on unsuspecting consumers.
Others have decried CDR’s lack of an EU-styled ban on screen scraping: Commonwealth Bank CEO Matt Comyn, for one, railed against the screen-scraping practices for which fintechs have been clamouring, arguing that aggressive fintechs would use them as a way to circumvent CDR’s requirements.