In May last year, the Commonwealth Government announced that it would introduce an overarching Consumer Data Right (CDR), starting in the banking sector with the phased implementation of ‘Open Banking’ from 1 July 2019.
While the starting dates for the CDR have since changed, the ambition of the program remains unaltered, with the Australian Competition and Consumer Commission (ACCC) already engaged in preliminary discussions to extend the CDR beyond banking to the power and telecommunications industries.
So, what is Open Banking/CDR? And what is its potential impact on Authorised Deposit-taking Institutions (ADIs)?
The Consumer Data Right
The CDR is a plan to provide all Australian consumers with a right to safely share the information they currently hold with businesses, with accredited others they trust. As expressed by the ACCC:
“The Consumer Data Right (CDR) will provide individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses; and to authorise secure access to this data by trusted and accredited third parties. The CDR will also require businesses to provide public access to information on specified products they have on offer.”
This right will be enshrined in legislation.
Why do this? The key policy objective is consumer benefit. That is, the CDR is planned to provide consumers with better and more cost-effective products and services.
How will this occur? Through:
- better access to product comparison information (allowing business to create targeted offers and consumers to compare these offers more easily); and
- new and improved services (from either existing industry participants or new entrants) through enhanced solutions based on the wider access to data enabled by the CDR.
Again, to quote the ACCC:
“CDR is designed to give customers more control over their information leading, for example to more choice in where they take their business, or more convenience in managing their money and services.”
The first industry where the CDR is to be implemented is banking. The CDR in the Australian banking industry will do two things:
- require all ADIs to share standard information about their consumer banking products (‘product reference data’); and
- allow all consumers to share their own banking data (‘consumer CDR data’ eg balances, transaction histories, loan data, etc) with trusted third parties.
Many other countries have already introduced a form of Open Banking or are planning to do so. But Australia is, so far, unique in planning to extend the idea across multiple industries through the CDR. The next industry off the rank is power, followed by telecommunications. Others are expected follow; ultimately the CDR is planned to apply economy-wide.
How will the CDR work?
The simplest way to understand the CDR in banking is through the diagram below.
There are three parties:
- Consumers: individuals, businesses, etc who have banking accounts
- Data Holders: ADIs
- Accredited Data Recipients: third parties that have been accredited by the ACCC as being suitable recipients of consumer data.
The process will work like this:
- The Consumer will provide consent to an Accredited Data Recipient accessing their data (eg a budgeting app wanting to access banking details).
- The Accredited Data Recipient will request this data from the Data Holder (the consumer’s ADI).
- The Data Holder will start the process of confirming this with the consumer by first authenticating them.
- The Data Holder will then obtain the consumer’s authority to release the data.
- Finally, the Data Holder will then release the data to the Accredited Data Recipient.
In its initial form, the CDR will support ‘read only’ access. This will allow Consumers to provide Accredited Data Recipients with the authority to access the Consumer’s CDR data and to use it for an authorised purpose (eg. in a 3rd party app).
The ability to support ‘write’ access may be considered at a later date. Should this be forthcoming, this will allow Consumers to authorise Accredited Data Recipients to make changes to their banking records (eg. to update information or possibly even initiate payments).
What makes it work?
There are two capabilities that make the CDR possible.
The first is the supporting framework of legislation, rules, regulations, standards and compliance obligations being established. A large number of Commonwealth bodies are actively progressing the creation of this framework, including the ACCC, Treasury, the Office of the Australian Information Commissioner and a CSIRO offshoot, Data61. In addition to this work, a large number of industry participants are actively engaged in the consultative process surrounding the framework.
The second capability supporting the CDR is technological. The underlying technical framework is Application Programming Interfaces (APIs). APIs are software capabilities that allow the efficient, scalable and secure transmission of data between systems. They are commonly utilised across many, if not all large-scale technology solutions. APIs are now so widespread that it would be hard to find any large or modern system that does not use them. If you have an app on your phone, it uses APIs.
APIs can be either private (eg to support in-house system data exchange) or public (eg many government databases are being opened through public APIs and the Google Maps APIs can be accessed by anyone). As more and more systems become supported by APIs, so too does the opportunity to utilise the data and functions delivered by those systems. Distributed data and functionality, supported by APIs, is a hallmark of modern system development.
The CDR is built on APIs. A large amount of the work undertaken to date has been the establishment of a series of standards describing the APIs needed to support the CDR in the banking industry, and ultimately in other industries too. This work is now well-progressed. Early versions of the initial APIs are in place and a full iteration is expected to be finalised in the next month or so.
The potential impact of the CDR
So what can market participants do with these APIs? Well, a great deal. Think about the two categories of data that will be supported by the CDR mentioned earlier: product reference data and consumer CDR data.
Widespread availability of product reference data is designed to allow consumers to compare and contrast competing product offers – and to find the best deal. Instead of having to make sense of different offers that often can be expressed in diverse (or sometimes confusing) ways, consumers should be able to use product comparison tools and services that provide clarity like never before. In theory, all of us as consumers should benefit from this.
Supporting this will be the ability of consumers to share their own banking data (consumer CDR data) with trusted third parties. This will allow consumers to consent to their banking data being shared with a range of solution suppliers.
The policy objective here is competition. The widespread adoption of open banking is designed to facilitate new products, services, solutions and competition; all designed to enhance the value that consumers derive from their banking. In theory, it may even introduce a new way of banking in which we rely on a variety of third-party tools, potentially supplied by a range of different suppliers, to manage and optimise our finances.
The impact of the CDR on Financial Institutions
Financial institutions are addressing the impact of the CDR in two areas.
All ADIs will be obliged to participate in the CDR regime in their role as Data Holders. In this capacity they will be required to:
- share generic product reference data via standard APIs;
- support standard authentication and authorisation processes that will apply when a consumer consents to sharing their data with an Accredited Data Recipient;
- make consumer CDR data accessible via standard APIs (once this is authorised by consumers);
- provide one or more ‘dashboards’ that will allow consumers to view, manage and revoke authorisations;
- enable consumers to access their CDR data directly;
- abide by a range of compliance obligations; and
- provide periodic mandatory reporting on CDR delivery and compliance.
Financial institutions are also exploring how to access the opportunities that will become available under the CDR.
Most notable among these is the opportunities that exist by becoming an Accredited Data Recipient. ADIs will be offered a streamlined accreditation process for becoming an Accredited Data Recipient, so the work involved will be relatively straight-forward. Once accredited, ADIs can offer enhanced CDR-enabled products and services to their customers as easily as any third party.
Short term, obvious examples of these opportunities include account aggregation and obtaining detailed information about a customer’s existing loans to streamline loan applications. But hundreds of potential use cases exist and will emerge with time.
When will Open Banking commence?
For a variety of reasons the CDR timetable is fluid and has already changed a number of times. Furthermore, due to delays in progressing the supporting legislation it is likely that the timetable will change further. That said, the current timetable (@ 4 April 2019) is for an initial limited rollout of product reference data in July this year. The deployment of Consumer CDR capabilities will follow.