Introduction
Following the re-election of the Morrison Government, the Consumer Data Right (CDR) for the Australian banking sector is imminent. From 1 July 2019, the four major Australian banks are expected to publish generic product information by way of an application programming interface (API). The API will allow data to be read by a computer so products can be easily compared.
Last month, NRF hosted a Financial Institutions Symposium where attendees gained insights from four CDR experts on the proposed regime. The panellists agreed that in ensuring the CDR achieves its purpose, the Government must balance the competing interests of all parties who will be affected by the new regime. CDR will allow Australians to access their own financial data and share it with accredited data recipients, with the aim of facilitating and encouraging more competition in the banking sector. While a simple proposition, the introduction of the regime is accompanied by tensions from a privacy and competition law perspective, in addition to the technology challenges of security and the ability of different systems across the industry to “talk” to each other.
Notwithstanding that the legislation underpinning the regime is yet to be passed by parliament[1], the steps to finalising the CDR regime are now underway. It is expected that the law will be passed in the coming months and open banking will be in full effect from 1 February 2020. Banks should be ready to share data by 1 July 2019. For those wishing to profit from the potential increase in consumers seeking to benefit from a streamlined approach to information sharing, being ready for when a potential customer seeks to have their information transferred is critical.
What steps should a financial institution be taking now?
- Information technology – assessing your system capabilities against the Data61 API.
- Privacy – commencing preparation of the necessary consumer consent documents to provide for the transfer of consumer information. The Exposure Draft Rules require that consent be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn (noting that these requirements provide additional protection compared to existing privacy laws).
- Regulatory compliance – setting up the necessary structures to ensure that information is received and handled in accordance with the (draft) rules.
- Accreditation – considering the accreditation criteria and the ability to satisfy its requirements.
Further consultation by the ACCC
The ACCC will perform the role of the CDR Registrar and will maintain the Register of Accredited Persons (the Register) who have been granted accreditation as an Accredited Data Recipient. The ACCC is currently seeking feedback in relation to the design of the Register to ensure it meets the needs of the CDR ecosystem. The ACCC also intends to consult on other aspects of the CDR Register by the end of June 2019, including: (i) business and technical design principles; (ii) security profile and certificate management; and (iii) caching and refreshing of Register metadata[2].
Our Financial Institutions Symposium CDR panellists agreed that, for the CDR to be an effective regime, consumers must have complete confidence and trust that their data will be used appropriately. All panellists agreed that the framework effectively facilitates this. Financial Institutions wishing to take advantage of the regime should take steps now – a CDR regime is imminent.