Open banking one step closer with Consumer Data Right bill introduced in Parliament

Open banking in Australia is one step closer, with the introduction of a bill to legislate the "consumer data right". A Senate Committee is reviewing the bill and will accept public submissions until 28 February 2019, and report on its findings by 18 March 2019.

What’s happened?

On 13 February 2019 the Treasury Laws Amendment (Consumer Data Right) Bill 2019 was introduced in the Federal House of Representatives.

If passed, the Bill will amend the Competition and Consumer Act 2010 to introduce a "consumer data right" (CDR). The objectives of these provisions (as described in the Bill) are to:

1. enable consumers in certain sectors of the Australian economy to require information relating to themselves to be disclosed safely, efficiently and conveniently:
   1. to themselves for use as they see fit; or
   2. to accredited persons for use subject to privacy safeguards;
2. enable any person to efficiently and conveniently access information in those sectors that:
   1. is about goods (such as products) or services; and
   2. does not relate to any identifiable, or reasonably identifiable, consumers; and
3. create more choice and competition, or otherwise promote the public interest, as a result of 1 and 2 above.

The Bill will also make consequential amendments to the Privacy Act 1988 (Cth) and Australian Information Commissioner Act 2010 (Cth).

What is the purpose of the CDR?

The Government summarised the CDR as follows in the Explanatory Memorandum to the Bill:

"The [CDR] provides individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses. The CDR authorises secure access to this data by trusted and accredited third parties. The CDR requires businesses to provide public access to information on specified products they have on offer. CDR is designed to give customers more control over their information leading, for example, to more choice in where they take their business, or more convenience in managing their money and services."

Legislative framework for the CDR

The Bill creates a framework whereby:

1. The Minister will designate each sector to which the CDR will apply, and the relevant data holders and data sets, in a "designation instrument".
2. The Australian Competition and Consumer Commission (ACCC) will have the power to make rules to determine how CDR functions. This will be done in consultation with the privacy regulator, the Office of the Australian Information Commissioner (OAIC). The ACCC:
   1. published and publicly consulted on an extensive Rules Framework in Sep/Dec 2018;
   2. published a Rules Outline on 21 December 2018 (updated on 25 January 2019) setting out its position on what should be included in the rules governing the CDR; and
   3. has said that the policy position in the Rules Outline will be reflected in draft Rules which the ACCC will publish for consultation in the first quarter of 2019.
3. Technical standards dealing with matters such as data format, transfer and security will be developed by a Data Standards Body. The interim Data Standards Body, CSIRO's Data 61, is developing these standards and released a "Christmas Working Draft" on 20 December 2018.
   

What sectors will be affected by the CDR?

The Government has committed to introducing the CDR in the banking, energy and telecommunications sectors, and eventually across the economy. First in line is the banking sector, where the CDR is commonly known as "Open Banking".

When will Open Banking begin?

Assuming the Bill is passed, the latest indication from the Government is that Open Banking will be phased in as follows:

1. From 1 July 2019, the big four banks will be required to make product data for credit and debit cards, deposit accounts and transaction accounts available. Other banks can make this information available if they wish.
2. Sharing of consumer, account and transaction data (as opposed to product data) for those types of accounts has been delayed pending the pilot program described below.
3. From 1 July 2019, the ACCC and Data 61 will launch a pilot program with the big four banks to test the performance, reliability and security of the Open Banking system. Commonwealth Treasurer Josh Frydenberg has said that:
   

   "Consumers and FinTechs will be invited to participate in these pilots and the ACCC and Data61 will also work closely with other banks who have expressed an interest in participating in Open Banking earlier than originally envisaged."
   

4. From 1 July 2019, the ACCC will begin formally engaging with parties interested in accreditation (see "What is accreditation?" below).
5. Once the ACCC is comfortable with the robustness of the system, the big four banks will be required to make consumer data, account data and transaction data for credit and debit cards, deposit accounts and transaction accounts available. This will be no later than February 2020.
6. From 1 February 2020, the big four banks will be required to make product data, consumer data, account data and transaction data for mortgage accounts available. 

Thereafter the intended timeline will be:

• July 2020:
  • Big four banks: make available product data, consumer data, account data and transaction data for personal loan and other accounts.
  • Other banks: make available product data, account data and transaction data for credit and debit cards, deposit accounts and transaction accounts.
• February 2021: other banks: Make available product data, account data and transaction data for mortgage products.
• July 2021:  other banks: Make available product data, account data and transaction data for personal loan and other accounts. 

What is accreditation in the context of the CDR?

There will be three key players in the CDR system in relation to any given piece of data: ^[1]

1. The consumer: this is the person or entity that has the right to request that their information is transferred from the data holder to the accredited data recipient.
2. The data holder: this is the original holder of the data that is to be transferred - e.g. the consumer's bank.
3. The accredited person / accredited data recipient: an "accredited person" is a person who is licensed to receive data through the CDR system. Once they have received such data, they are an "accredited data recipient" and must follow strict privacy safeguards regarding the data.

On 1 July 2019 the ACCC will open registrations of interest from entities wishing to become an accredited data recipient.

Authorised Deposit-taking Institutions within the meaning of the Banking Act 1959 (Cth) (ADIs) will be 'data holders' (unless they are foreign bank branches) but will not automatically be 'accredited persons' (as was recommended in the Final Report of the Open Banking Review in December 2017). Instead, the ACCC's Rules Outline contemplates that a streamlined accreditation process will apply to ADIs. It also notes that the ACCC may consult with APRA on any of the requirements for accreditation of an ADI.

What's next?

The Bill was referred to the Senate Economics Legislation Committee, which is due to report on it by 18 March 2019. The Senate Committee will accept submissions on the Bill until 28 February 2019. The Bill will likely then be considered by the Senate in its budget sitting in early April. The Federal Opposition supports the CDR in principle but has raised questions about aspects of the Bill and urged a longer timeline for those questions to be considered before the Bill is passed.

Nonetheless, businesses should be setting up their policies and processes for compliance with the CDR regime (including the necessary IT upgrades and staff and customer education) and considering how they might make use of CDR data once the regime comes into effect.  

The Government's Explanatory Memorandum to the Bill estimates that the CDR will increase compliance costs in the banking sector and for accredited parties by an average of $86.6 million per year, on an annualised basis. Compliance activities may include developing new policies, processes, systems and technologies, identifying and collating relevant data, and setting up the necessary framework to collect and comply with customer requests to share their data.

The ACCC is expected to publish draft CDR Rules for consultation before the end of March 2019. These are likely to closely resemble the Rules Outline available on the ACCC's website, so businesses can be preparing now for any submissions they might like to make on the proposed CDR Rules. Given the significant compliance costs, complexity and implications of the regime, businesses should consider having their say on the regime through submissions while it is still possible to do so.

^[1] The Explanatory Memorandum to the Bill does contemplate a fourth key player, the "designated gateway" - an entity designated by the Minister for facilitating the transfer of information between data holders and accredited persons. However, it is not yet clear if any designated gateway will apply in Open Banking. The Government currently "expects that there will be limited circumstances when a gateway will be designated", and has named only one potential example: the Australian Energy Market Operator in the energy sector. ^{Back to article}