Noting Paper 207 - Draft v3 Rules Analysis | Anticipated Data Standards #207

Closed
CDR-CX-Stream opened this issue Aug 4, 2021 · 11 comments
Labels
Category: API A proposal for a decision to be made for the API Standards made Category: CX A proposal for a decision to be made for the User Experience Standards Category: InfoSec Information Security Technical Working Group Decision Proposal Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting Industry: All This proposal impacts the CDR as a whole (all sectors) Status: No Decision Taken No determination for this decision has been made

CDR-CX-Stream commented Aug 4, 2021

1 September 2021
Feedback has closed. Thank you to everyone who has provided feedback.

30 August 2021
This noting paper will remain open for follow-up feedback. If there is no further feedback to the responses provided this Noting Paper will be closed at COB Tuesday 31st August.

9 August 2021
The purpose of this Noting Paper is to consult on the scope and intent of the anticipated data standards changes by reference to the draft v3 rules.

This paper includes anticipated changes to the Consumer Data Standards relating to Consumer Experience, Information Security, Technical API Standards and the CDR Register to support alignment with the proposed draft v3 rules.

Targeted decision proposal consultations will occur separately to this Noting Paper for the specific areas listed in this document, in light of the final rules made by the Minister.

While a Noting Paper is not part of a formal decision proposal consultation, the DSB strongly encourages feedback to help inform data standards development in relation to these key items.

The noting paper is attached below:
Noting Paper 207 - v3 Rules - Anticipated Standards.pdf

Feedback on this noting paper will close on Tuesday 24th August 2021.


4 August 2021 - Placeholder
This is a placeholder for a noting paper on the anticipated standards impacts based on the DSB's analysis of the draft v3 rules.

This noting paper will cover issues relating to CX, infosec, technical, and Register standards.

This paper is currently being finalised but is not yet ready for publication.

This placeholder issue has been opened to invite community commentary on the scope and content of the issues before formal consultation commences.

@CDR-CX-Stream CDR-CX-Stream added Category: API A proposal for a decision to be made for the API Standards made Status: Open For Feedback Feedback has been requested for the decision Status: Proposal Pending A proposal for the decision is still pending Category: CX A proposal for a decision to be made for the User Experience Standards Category: InfoSec Information Security Technical Working Group Decision Proposal Industry: All This proposal impacts the CDR as a whole (all sectors) labels Aug 4, 2021
@CDR-CX-Stream CDR-CX-Stream changed the title Decision Proposal 207 - Draft v3 Rules Analysis | Anticipated Data Standards Noting Paper 207 - Draft v3 Rules Analysis | Anticipated Data Standards Aug 9, 2021
@CDR-CX-Stream CDR-CX-Stream added Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting and removed Status: Proposal Pending A proposal for the decision is still pending labels Aug 9, 2021
@da-banking

Regarding the technical/CX standards for joint accounts, if they will be finalised in Q4 2021, the obligation date will need to push out to later in Q2 2022 (at the earliest).

This needs to factor in the Dec/Jan break when there are minimal staff available.

@EnergyAustraliaBA

Thank you for the opportunity to provide feedback.

On Sponsored Accreditation - recommends that further analysis will need to be conducted to understand how affiliates will or will not surface in DH authorisation flows and dashboards. It is not clear why Affiliate ADRs should be presented differently compared to ADRs that are not affiliates. We consider that information on the fact that an ADR is an Affiliate and what this means, should be provided through the ADR’s consent flow and presented to the customer at the time they provide consent to disclosing data to an ADR linked to a sponsor/affiliate arrangement.

@AusBanking2

Thank you for the opportunity to comment.

Please see attached the ABA's position in respect to data standards for draft Rules 3.0.

210824 - ABA submission DSB CDR NP 207.pdf

@WestpacOpenBanking

Westpac welcomes the opportunity to comment on Noting Paper 207.

We have the following comments on ADR Representation:

  • In a data holder context, customers should be able to identify and understand which party is responsible for dispute resolution under both sponsorship and representative models. This suggests that the Affiliate ADR or Principal ADR should always be presented in consent flows (including grant and manage).
  • Presenting multiple parties (e.g. sponsor and affiliate or principal and representative) to customers may cause confusion, especially if one party is later unfamiliar to a customer in a consent management context. We recommend that the DSB undertake CX research and prototyping before finalizing requirements.
  • As noted in the paper, most metadata is currently stored in the registry. We are supportive of this approach. We note that the ‘Standards made:’ column has the value ‘N/A’ in many cases where it should be ‘TBD’, however.

@NationalAustraliaBank

Thank you for the opportunity to provide feedback.

We support the recommendations submitted by ABA and Westpac. With reference to ADR representation in data holder consent flow and dashboard, we recommend that DSB undertake CX research and prototyping before finalizing CX standards and CDS technical standards.

@CDR-API-Stream
Contributor

Thanks @da-banking,

Regarding the technical/CX standards for joint accounts, if they will be finalised in Q4 2021, the obligation date will need to push out to later in Q2 2022 (at the earliest). This needs to factor in the Dec/Jan break when there are minimal staff available.

We note the request to consider alternative timeframes for the introduction of Joint Account standards obligations. This feedback has been provided to the Rules team. Obligation dates are subject to the Minister's determination.

@CDR-API-Stream
Contributor

Thanks @energyaustraliaDD,

On Sponsored Accreditation - recommends that further analysis will need to be conducted to understand how affiliates will or will not surface in DH authorisation flows and dashboards. It is not clear why Affiliate ADRs should be presented differently compared to ADRs that are not affiliates. We consider that information on the fact that an ADR is an Affiliate and what this means, should be provided through the ADR’s consent flow and presented to the customer at the time they provide consent to disclosing data to an ADR linked to a sponsor/affiliate arrangement.

Thank you for this feedback. The CX working group will consider this as part of its ongoing work and the targeted Decision Proposal on ADR representation.

@CDR-API-Stream
Contributor

Thank you @WestpacOpenBanking,

  • In a data holder context, customers should be able to identify and understand which party is responsible for dispute resolution under both sponsorship and representative models. This suggests that the Affiliate ADR or Principal ADR should always be presented in consent flows (including grant and manage).

This will be further explored in the targeted Decision Proposal for access arrangements. Noting that this will require technical changes to the authorisation flow and possibly the CDR Register APIs to facilitate the feedback provided.

  • Presenting multiple parties (e.g. sponsor and affiliate or principal and representative) to customers may cause confusion, especially if one party is later unfamiliar to a customer in a consent management context. We recommend that the DSB undertake CX research and prototyping before finalizing requirements.

Thank you for this feedback. The CX working group will consider this as part of its ongoing work and the targeted Decision Proposal on ADR representation.

  • As noted in the paper, most metadata is currently stored in the registry. We are supportive of this approach. We note that the ‘Standards made:’ column has the value ‘N/A’ in many cases where it should be ‘TBD’, however.

This will be further explored in the targeted Decision Proposal for access arrangements to determine if any changes to the CDR Register APIs are required.

@CDR-API-Stream
Contributor

Thank you @NationalAustraliaBank,

We support the recommendations submitted by ABA and Westpac. With reference to ADR representation in data holder consent flow and dashboard, we recommend that DSB undertake CX research and prototyping before finalizing CX standards and CDS technical standards.

Thank you for this feedback. The CX working group will consider this as part of its ongoing work and the targeted Decision Proposal on ADR representation.

@CDR-API-Stream
Contributor

Thank you @AusBanking,

Please see attached the ABA's position in respect to data standards for draft Rules 3.0. 210824 - ABA submission DSB CDR NP 207.pdf

Re: Information Security Standards between Accredited Persons
In response to feedback to create Information Security standards between Accredited Persons or between an Accredited Person and a Person (non-accredited; e.g., Trusted Advisor or Representative) we note that to date, the DSB has not sought to define technical or security standards between accredited persons.

Whilst Schedule 2, Part 2.2 (1) Encryption in transit permits the creation of data standards for the "encrypting (of) data in transit and authenticating access to data", this is only in relation to the encryption of data whilst in transit and 4.10 (2) states that in relation to 4.10(1)(a)(ia), technical data standards do not apply to:

  • (a) a collection consent for collection of CDR data from an accredited data recipient; or
  • (b) a disclosure consent.

Furthermore, it is noted that accredited persons, in relation to Schedule 2, Part 2.2 (1) Encryption in transit, are required by the Rules to apply industry best practice, implementing processes to audit data access and use, and implementing processes to verify the identity of communications.

Re: Joint Account obligation dates

Thank you. We note the request to consider alternative timeframes for the introduction of Joint Account standards obligations. This feedback has been provided to the Rules team. Obligation dates are subject to the Minister's determination.

@CDR-API-Stream
Contributor

This noting paper will remain open for follow-up feedback. If there is no further feedback to the responses provided this Noting Paper will be closed at COB Tuesday 31st August.
