Legislation has been introduced in Australia’s parliament to expand the functionality of the consumer data right (CDR) – the country’s high-profile data-sharing and portability initiative – to enable ‘action initiation’.
This latest step in the national data portability scheme’s phased introduction will mean that consumers and small business will be able to allow accredited third parties – for example, financial management and product comparison services – to initiate CDR-powered actions with their consent and on their behalf.
The CDR went live almost two-and-a-half years ago, with the country’s four biggest banks mandated to share access to consumer data for a range of personal accounts (with the customer’s permission) – the launch of open banking in Australia. Smaller banks came under CDR one year later. Expansion of the CDR to energy began on 1 October – the CDR’s first move beyond financial services.
‘Combining the power of CDR data-sharing with the ability to instruct third parties to initiate actions is going to supercharge the CDR,’ states Kate O’Rourke, first assistant secretary in the Treasury’s CDR division, in the department’s latest CDR newsletter.
Action initiation will ‘give consumers the ability to do things like automate payments towards savings or investment goals, automatically move funds to optimise interest or minimise fees, or find and switch to a utility plan better suited to their circumstances,’ O’Rourke explains in the bulletin, adding that ‘CDR-powered action initiation will support a whole range of new and innovative business models to boost competition across the Australian economy.’
ABA urges caution
Ahead of the introduction of the legislation, the Australian Banking Association (ABA) – whose 20 members include the four major banks – urged the government to ‘carefully consider and address the scams, fraud and cyber risks, while the CDR is still in its early stages’.
‘Now is the time to ensure regulatory settings prioritise the protection of consumers,’ the ABA said in its three-page submission to a consultation seeking comments on exposure draft legislation to enable action initiation. ‘It is critical that the safety and security of the CDR ecosystem is retained and strengthened, and that a careful consideration of the phasing of the rollout of action types based on use value, risk and complexity is undertaken.’
The association cited research that fewer than one in five consumers felt comfortable sharing data. ‘We suggest far fewer would be comfortable with third parties initiating actions on their behalf using shared data. This is understandable, given recent cyber-security breaches,’ it stated in its submission – a reference to major cyber-attacks in Australia, such as that which hit Australian telecoms giant Optus in September.
The ABA said in its submission (made on 24 October) that the CDR ‘needs more time to grow naturally and that increasing functionality at this stage may not result in more customers using the CDR. On the contrary, adding these functionalities without allowing the market a level of stability to enable use-case development could impede the development of a competitive market for use cases. Adding action initiation in the near term may also compromise the intended outcome by adding considerable strain on finite resources and staff. In light of these factors, the ABA recommends the government allow a period of at least 18-24 months ahead of declaring actions for implementation.’
The planned ‘go-live’ date is yet to be communicated although Sydney-headquartered international law firm Allens has noted that its team ‘anticipate that action initiation could commence as early as mid-to-late 2023’.
Non-bank lending next up
In a separate CDR development, non-bank lending has been formally designated as the fourth sector (after the four biggest banks, smaller banks and the energy sector) to fall into the CDR.
Combining non-bank lending datasets with those already available in banking means that people will be able to compare lending products more easily and hunt out improved deals, the Treasury states, adding that the department will be engaging shortly on ‘related rules design’.
The expansion to non-bank lending follows a ‘CDR Sectoral Assessment for the Open Finance sector – Non-Bank Lending’ consultation that asked a series of questions about applying the CDR to businesses that provide loans, mortgages, personal finance, credit cards and other types of finance, but that do not hold a banking licence or accept deposits.
Non-bank lending in Australia ‘continues to grow in both balance-sheet size and range of products’, in many cases offering specialised products to consumer segments that are not prioritised by banks, the document pointed out.
‘Faced with complexity, many customers base their decisions on “rules of thumb” or shortcuts, such as choosing a well-known institution or an institution with which they have an existing banking arrangement,’ the consultation document also noted. ‘This can place non-banks at a competitive disadvantage, as consumers may be more likely to seek credit solutions from banks even if a better value deal is offered by a non-bank.’
At time of writing, Australia has 114 ‘data holders’ in banking (providers that ‘hold’ consumer data) and 36 accredited ‘data recipients’ (meaning: accredited by the ACCC to receive consumer data to provide a product or service), of which 24 are described as ‘active’. Global Government Fintech reported the main numbers, respectively, at 106 (data holders) and 29 (data recipients), in March 2022. There are so far two active data holders in energy.
Australia’s new cyber-security ambition
Implementation of the CDR is a multi-department effort across the Treasury, Australian Competition and Consumer Commission (ACCC) and Office of the Australian Information Commissioner (OAIC). The initiative and its expansion are being watched by many governments and relevant authorities worldwide as it is an example of how the data-sharing principles that underpin open banking can be rolled out to further sectors.
The CDR’s recent expansion into energy came just over a fortnight after the Treasury launched a consultation as it looks to ensure that the CDR’s rules ‘remain fit‑for‑purpose and support the policy aims of CDR’. The department is seeking comment on what it describes as ‘possible enhancements’ to the rules, with a deadline for responses of 31 December. There will then be ‘ongoing consultation in relation to the CDR rules, and a further consultation period will open in early 2023.’
An independent ‘Statutory Review of the Consumer Data Right’ report containing 16 recommendations and 15 findings was released by assistant treasurer and minister for financial services Stephen Jones on 29 September. Authored by Elizabeth Kelly PSM, a former long-standing senior public servant, the 96-page report described the CDR as being at a ‘critical point in its implementation’.
Among the report’s recommendations were that the government ‘should consider undertaking a whole-of-ecosystem cyber security assessment to ensure that the CDR cyber security architecture continues to be fit for purpose’; that government ‘should consider ways to increase small business participation in the CDR’; and that ‘facilitating government participation in the CDR should be a priority to ensure consumers benefit from more seamless government interactions and an ability to share their data across a greater range of services’.
Minister for home affairs and minister for cyber security, Clare O’Neil, earlier this month (8 December) said the government plans to develop a new cyber-security strategy that aims to strengthen the country’s critical infrastructure and for Australia “to be the world’s most cyber-secure country by 2030”.
Global Government Fintech’s open banking / open finance topic section
‘Australia’s Consumer Data Right goes live for energy sector’ – our news story (3 October 2022) on the CDR expanding from the banking sector into energy
‘Australia’s Consumer Data Right sandbox goes live’ – our news story (29 July 2022) on the launch of a CDR sandbox by the ACCC
‘Australian government consults on first phase of open finance’ – our news story (21 March 2022) about the consultation on expanding the CDR to non-bank lending
‘Open to possibilities: governments bank on opening up financial services data’ – our report on a Global Government Fintech ‘Open Banking and Open Finance: What Role – And Benefits – For Governments?’ webinar, which was held on 15 March 2022 (panellists included the Australian Treasury’s Jessica Robinson)
‘Australia’s open banking regime enters next phase’ – our news story (14 July 2021) on new CDR legislation coming into effect extending the number of banks expected to share consumer data
‘Open banking gets off to slow start in Australia’ – our news story (9 July 2020) on open banking becoming a reality after the CDR legislation went live