Other people could be empowered to open bank accounts, make payments and change utility services on your behalf under mooted changes floated as part of a discussion paper about the future of emerging Consumer Data Right (CDR) legislation.

The release of a formal Issues Paper sets the stage for formal submissions to the Inquiry into Future Directions for the Consumer Data Right, a Treasury-led discussion intended to expand the use of CDR and ensure, among other things, that it “promotes innovation in a manner that is inclusive of the needs of vulnerable customers”.

One of the key areas for examination is the addition of ‘write’ access that would allow customers to apply for and manage a range of products using online application programming interfaces (APIs).

In the mooted model, third parties such as financial advisors or product-comparison sites could use the APIs to automatically change services – for example, switching you to a cheaper energy plan based on their work comparing products from different providers.

This would, the paper notes, only happen “at the customer’s direction and with their consent” – which would be managed using a ‘consent taxonomy’ that would formalise the way customers give and revoke such access.

The inquiry is also evaluating ways that the CDR framework could be linked with other infrastructure – such as the New Payments Platform (NPP) or Bulk Electronic Clearing System (BECS) – to add additional functionality to the ‘Open Banking’ regime that comes into full effect on 1 July.

That regime, which was finally formally detailed by the Australian Competition and Consumer Commission (ACCC) in February, marks a long run-up that started with the passage of CDR legislation last July.

Among its overall goals is to standardise the way banks describe their financial products, such as loans and credit cards, so that consumers and their agents can easily compare between institutions.

CDR also allows consumers to access the information that banks have on them through a purpose-built portal, which makes it easier to provide this data to financial advisors or new institutions to which the customer is transferring their business.

Automating consumer choice

CDR’s staged introduction into the banking industry – the Big Four go live on 1 July 2020, with smaller institutions tentatively set to follow on 1 July 2021 – is being seen as an enabler for massive customer-focused change in an industry that has been rocked by scandal and broken trust over the years.

Further enabled with ‘write’ access, CDR’s subsequent extension to utility and telecommunications industries would transform it from being a way of accessing consumer data, into an active mechanism for fluid transfer of services between providers.

The inquiry is “particularly interested in interested parties’ views on how the CDR could best enable payment initiation,” the paper notes.

Automating such powerful capabilities would, however, potentially introduce other issues.

With data transfers, account opening and closing, service changes and payments happening seamlessly in the background, however, the system would also need to be built with rock-solid security mechanisms to prevent fraud and other issues.

The ACCC recently addressed this issue by publishing formal CDR Privacy Safeguard Guidelines that empower privacy watchdog the Office of the Australian Information Commissioner (OAIC) to establish safeguards for consumer privacy.

Those guidelines “provide very good guidance to businesses as to the OAIC’s expectations and best practice for compliance with the privacy requirements of CDR,” Holding Redlich partners Angela Flannery and Sarah Cass noted in a recent CDR update.

Companies need to comply with “complex” technical standards and develop clearly expressed policies around the way they handle CDR data, they note, and this “must be underpinned by appropriate internal processes and practices”.

Just what constitutes such processes and practices depends on the application, but the inquiry is floating one possible mechanism by considering how customer authentication requirements for the CDR could be connected with other digital identification and verification processes.

The inquiry is accepting submissions until 23 April 2020.