Australian Government proposes regulatory framework for open banking
The Australian Government Treasury released a review report into Open Banking in Australia last week. In the 2017-18 Budget, the Australian Government announced that it would introduce an open banking regime in Australia. On 20 July 2017, the Hon Scott Morrison MP commissioned the Open Banking Review, chaired by Mr Scott Farrell, who was asked to recommend the most appropriate model for Open Banking in Australia.
Open Banking would provide customers greater access to and control over their banking data, and it has the potential to transform the way in which customers use and benefit from the banking system.
Open Banking will be the first implementation of the Consumer Data Right (CDR), announced in November 2017 by the Hon Angus Taylor MP, the then Assistant Minister for Cities and Digital Transformation. The announcement formed part of the Government’s response to the recommendations of the Productivity Commission’s Inquiry into Data Availability and Use.
The CDR will give customers the right to access their data in a machine-readable form. Australian consumers will be able to compare offers, get access to cheaper products and plans to help them ‘make the switch’ and get greater value for money.
The CDR will be implemented economy-wide on a sector-by-sector basis, initially in the banking, energy, and telecommunications sectors. The Treasurer will be leading the development of the CDR, with the design of the broader CDR informed by the recommendations of the Open Banking Review.
The final report makes 50 recommendations on the regulatory framework, the type of banking data in scope, privacy and security safeguards for banking customers, the data transfer mechanism and implementation issues.
Some of the key recommendations are set out below.
Allowing for competing approaches: Open Banking should not be mandated as the only way that banking data may be shared. Allowing competing approaches will provide an important test of the design quality of Open Banking and the CDR.
Open Banking should be implemented primarily through amendments to the Competition and Consumer Act 2010 that set out the overarching objectives of the CDR.
Open Banking should be supported by a multiple regulator model, led by the Australian Competition and Consumer Commission (ACCC), which should be primarily responsible for competition and consumer issues and standards-setting. The Office of the Australian Information Commissioner (OAIC) should remain primarily responsible for privacy protection. Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA), the Reserve Bank of Australia (RBA), and other sector-focussed regulators as applicable, should be consulted where necessary.
A Data Standards Body should be established to work with the Open Banking regulators to develop Standards.
Only accredited parties should be able to receive Open Banking data. The ACCC should determine the criteria for, and method of, accreditation. However, the review also recommends that accreditation criteria should not create an unnecessary barrier to entry by imposing prohibitive costs or otherwise discouraging parties from participating in Open Banking.
Open Banking should have internal and external dispute resolution processes to resolve customer complaints. Amendments to the Competition and Consumer Act 2010 should create powers to address complaints (to the extent these do not already exist) and give customers standing to seek remedy for breaches of their rights. There should be a single consumer data contact point: there should be ‘no wrong door’ for customers. The Rules should create a right for accredited parties to seek remedy for breaches of the CDR.
The Review recommends that data holders should be obliged to share all information that has been provided to them by the customer (or a former customer) at the customer’s direction. However, the obligation should only apply where the data holder keeps that information in a digital form. It should not apply to information supporting an identity verification assessment (the outcome should be shared).
Data holders should also be obliged to share all transaction data in a form that facilitates its transfer and use. Transfers of customer-provided and transaction data should be provided free of charge.
According to the review, data that results from material enhancement by the application of insights, analysis or transformation by the data holder should not be included in the scope of Open Banking. Aggregated data sets should not be included in the scope of Open Banking.
A customer’s consent under Open Banking must be explicit, fully informed and able to be permitted or constrained according to the customer’s instructions.
The Review further recommends that a data holder should notify the customer that their direction has been received and that the future use of the data by the data recipient will be at the customer’s own risk. That notification should be limited to a single screen or page. Data recipients should similarly provide the customer with a single screen or page summarising the possible uses to which their data could be put and allow customers to self-select the uses they agree to.
A clear and comprehensive framework for the allocation of liability between participants in Open Banking should be implemented. To the extent possible, the liability framework should be consistent with existing legal frameworks.
Data transfer mechanism
Data holders should be required to allow customers to share information with eligible parties via a dedicated application programming interface (API). The Review proposes the UK Open Banking technical specification as a starting point for the Standards for the data transfer mechanism.
Data holders may not add authorisation requirements beyond those included in the Standards, while customers should be able to grant persistent authorisation. Customers should also be able to limit the authorisation period at their discretion, revoke authorisation through the third-party service or via the data holder, and be notified periodically that they are still sharing their information. All authorisations should expire after a set period.
The Standards should also allow users who do not use online banking to authorise the sharing of information through service channels ordinarily provided by the data holder.
According to the Review, a period of approximately 12 months should be allowed for implementation between the announcement of a final Government decision on Open Banking and the Commencement Date.
From the Commencement Date, Open Banking should apply to transaction data and product data. However, this should not be applicable to transactions before 1 January 2017.
The four major Australian banks should be obliged to comply with a direction to share data under Open Banking. The remaining Authorised Deposit-taking Institutions should be obliged to share data from 12 months after the Commencement Date, unless the ACCC determines that a later date is more appropriate.
Approximately 12 months after the Commencement Date, the regulator (or an independent person) should conduct a post-implementation assessment of Open Banking and report to the Minister with recommendations.
The Review consulted extensively in forming its recommendations, including over 100 meetings with banks, firms, industry bodies, consumer groups, regulators, and data specialists and consideration of formal submissions from 41 interested parties.
The Government is seeking any further detailed comments on the recommendations before making final decisions on implementation. Submissions can be sent to email@example.com by 23 March 2018.