ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes | 11th of August 2022

CDR API Stream edited this page Aug 11, 2022 · 4 revisions

Agenda & Meeting Notes

When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61-2-9338-2221,,1650705270##

Meeting Details:

Desktop or Mobile Devices
https://treasuryau.webex.com/treasuryau/j.php?MTID=m9614a7c6166155d3d950a8999e437f9f
Once connected to your meeting remember to start your audio and video.
Please mute when you are not speaking.

Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: 1650705270@webex.com

Phones - AUDIO ONLY


Agenda

  1. Introductions
  2. Actions
  3. CDR Stream updates
  4. Presentation
  5. Q&A
  6. Any other business

Introductions

  • 5 min will be allowed for participants to join the call.

Acknowledgement of Country

We acknowledge the Traditional Custodians of the various lands on which we work today and the Aboriginal and Torres Strait Islander people participating in this call.
We pay our respects to Elders past, present and emerging, and recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.

House Keeping

Recording

The Consumer Data Right Implementation Calls are recorded for note taking purposes. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material shall be provided without the participant's consent. Participants may contact contact@consumerdatastandards.gov.au should they have any further questions or wish to have any material redacted from the record.

Community Guidelines

By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.

Updates

Type | Topic | Update
Standards | Version 1.17.0 Published | Link to change log here
Standards | Version 1.18.0 to incorporate changes from Maintenance Iteration 11 | Timing to be confirmed
Maintenance | Maintenance Iteration 12 | First meet on the 20th of July 2022
Maintenance | Maintenance Iteration 12 | Next week on the 17th of August 2022 the Working Group will meet
Maintenance | Decision Proposal 259 - Maintenance Iteration 12 | Changes, meeting notes and updates for the iteration can be found here
TSY Newsletter | To subscribe to TSY Newsletter | Link here
DSB Newsletter | To subscribe to DSB Newsletter | Link here
TSY Newsletter | 26th of July 2022 | View in browser here
DSB Newsletter | 5th of August 2022 | View in browser here
Consultation | Normative Standards Review (2021) | No Close Date; Link to consultation
Consultation | Decision Proposal 229 - CDR Participant Representation | Placeholder: no close date; Link to consultation
Noting Paper | Noting Paper 255 - Approach to Telco Sector Standards | Link to consultation
Consultation | Decision Proposal 256 - Telco Endpoints | Feedback closes: 12th of August 2022; Link to consultation
Consultation | Decision Proposal 257 - Customer Data Payloads for Telco | Feedback closes: 12th of August 2022; Link to consultation
Noting Paper | Noting Paper 258 - Independent Information Security Review | Link to consultation
Consultation | Decision Proposal 260 - Energy Closed Accounts | Link to consultation
Consultation | Decision Proposal 262 - Telco Product Reference Payloads | Link to consultation

CDR Stream Updates

Provides a weekly update on the activities of each of the CDR streams and their stream of work.

Organisation | Stream | Member
ACCC | CDR Register | Emma Harvey
ACCC | CTS | Andrea Gibney
DSB | CX Standards | Amy Nussbaumer
DSB | Technical Standards - Energy | Hemang Rathod
DSB | Technical Standards - Banking | Mark Verstege
DSB | Technical Standards - Telecommunications | Brian Kirkpatrick
DSB | Technical Standards - Engineering & Register | James Bligh

Presentation

Title: Consent Flow
Stream: Data Standards Body
Presenter: James Bligh

Q&A

Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.

In regards to topics for questions, we ask the participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.

Answer provided

Ticket # Question Answer
Ticket 1108
Question: Currently, the guidance for White-Labelled brands (https://cdr-support.zendesk.com/hc/en-us/articles/900003938166-White-Labelled-brands-in-the-CDR) in the CDR recommends that in some circumstances (such as Example 1) an additional data holder brand should be added to the registry and that in those cases there should be associated separate infosec APIs, Public APIs and Metrics APIs. In other circumstances (such as Example 7) it is recommended explicitly that no additional brand is added to the registry and that separate infosec, public and metrics APIs are not required. This guidance is not reflected in some earlier guidance relating to the data standards, for example this article on Multiple Brands and GET Metrics (https://cdr-support.zendesk.com/hc/en-us/articles/900003829606-Multiple-Brands-and-GET-Metrics). We would appreciate it if the earlier guidance could be clarified to align with the white-labelled brands guidance.
Further, we would also like to clarify that in circumstances where a data holder’s primary retail or business digital banking channels are used to enable CDR for consumers holding in-scope products offered through other data holder brands (e.g., wealth brands as permitted in this guidance (https://cdr-support.zendesk.com/hc/en-us/articles/360004351495-CDR-access-for-wealth-brand-customers)), it is appropriate to not add the wealth brand to the registry, and not separate infosec, get metrics or public APIs (per Example 5 and other similar scenarios of the white-labelled guidance), if customers understand the relationship between the data holder and the relevant wealth brand.
Answer: Our knowledge article on Multiple Brands and GET Metrics has been updated for clarity.
In relation to the second part of your enquiry, we consider that it is appropriate not to add the wealth brand to the CDR register in the circumstances you have described. This is because no additional brand entries are required in the CDR Register if a data holder’s primary retail or business digital banking channels are used to enable CDR data sharing through other data holder brands. Please refer to example 3 of our White labelled brands in the CDR guidance for more information.
Ticket 1375
Question: In a situation where a customer only has 1x closed account that was closed for less than 24 months (making it an eligible account) and 1x joint account. Since joint accounts are not being exposed yet for non major banks, would it be expected that the Data Holder still expose the closed account when customer is trying to set up a consent?
Note: we do understand this has to do with voluntary data and we agree to share this. We are just unsure if the other eligible account held by customer must be one that is being exposed by the DH already or if it just needs to meet CDR eligibility irrespective of when it's being delivered.
Answer: Please refer to this guidance here: https://cdr-support.zendesk.com/hc/en-us/articles/5225692624271
Ticket 1398
Question: If a Joint Account has a Secondary User Instruction associated with it AND the Joint Account is set to Co-Approval.
If the Secondary User initiates a sharing arrangement for that Joint Account, do all other Joint Account owners need to approve it?
If a Joint Account owner initiates a sharing arrangement for the Joint Account (which is Co-Approval), do all Joint Account Owners AND the Secondary User need to approve it?
Answer: The ACCC has developed Joint account implementation guidance which may assist you. The General operation of secondary users and joint accounts section contains information on the approach to secondary users including in relation to approval options.
Note that while the co-approval option would require all joint account holders to approve any data sharing (including where initiated by a secondary user), a secondary user is not an account holder. Our view is that they would not need to approve any data sharing arrangement proposed by an account holder.
Ticket 1514
Question: Are there any knowledge articles with regards to how POA’s and guardianship accounts are treated under the CDR. With the introduction of secondary users is it correct that where an account privilege exists with respect to POA the CDR customer can add the POA as a secondary user for CDR purposes.
And secondly can nominated representatives be nominated for trust account types.
Answer: “Are there any knowledge articles with regards to how POA’s and guardianship accounts are treated under the CDR. With the introduction of secondary users is it correct that where an account privilege exists with respect to POA the CDR customer can add the POA as a secondary user for CDR purposes?”
The ACCC has recently published guidance regarding the interaction between powers of attorney and the CDR, which you may find here.
The CDR Rules do not contain provisions that expressly deal with powers of attorney and the ability of an attorney to serve as a secondary user. The issue of whether an attorney has account privileges and may be classified as a secondary user therefore depends on the scope of the attorney’s authority, which will need to be assessed on a case by case basis, with reference to the power of attorney document.
“And secondly can nominated representatives be nominated for trust account types? Can we get some clarity whether trust accounts are part of non-individual accounts i.e follows the nominated representative process?”
In determining whether a trust account can be considered a non-individual account and therefore whether the nominated representative provisions may apply, CDR participants should have regard to whether the CDR consumer, being the person who the data relates to because of the supply of a service to the person (for example, the person that is receiving services relating to a trust account that is provided by the data holder) is an individual or a non-individual. We encourage data holders to seek their own advice to make that determination in relation to the trust account products they offer, particularly noting that data holders may have a range of different structures for providing trust account products to their customers.
For more information on nominated representatives, please also refer to our guidance on nominated representatives, non-individuals, and partnerships in the CDR.
Ticket 1608
Question: I was wondering if any updated timelines were available regarding the deferral of ‘direct to consumer’ obligations. I see in your latest article that a consultation was planned to occur before November 2021. I was wondering if this consultation occurred and if not what the current timeline if any is?
Answer: Treasury leads CDR policy and is responsible for the development of CDR Rules.
Given the issue you’ve raised relates to CDR policy, we will refer this to Treasury for further consideration.
A timeline for consulting on the implementation of direct to consumer obligations has not been set since these obligations were deferred by rule changes in October 2021. However, we note that direct consumer access to data is one of the topics being considered through an independent review of the CDR. The review is exploring implementation of the CDR to date and will assess whether the CDR framework is fit-for-purpose to provide benefits for consumers, increase competition, and drive innovation. One of the questions raised in the terms of reference (ToR) is whether the CDR framework could be revised to facilitate direct to consumer data sharing. Further information and context on the ToR questions can be found in the recently released issues paper. The public consultation for the review has now closed with further activity of the Statutory Review of the Consumer Data Right a matter for Government. Next steps are currently under consideration.
Ticket 1635
Question: Is a foreign based entity required to completely register as a foreign company with ASIC/ ACCC before they can get access to the CDR Participant Portal to begin an ADR application, or is a simple contract with a "local agent" sufficient. before commencing application to be ADR.
Answer: The CDR Rules accommodate foreign entities participating in the CDR as ADRs, provided they meet the usual accreditation requirements. Section 56CA of the Competition and Consumer Act 2010 (Cth) specifies that a person may be accredited even if they are not a body corporate established by or under a law of the Commonwealth, or a state or territory. Under the CDR Rules, in addition to the usual requirements, a foreign entity seeking accreditation is also required to provide details of the Australian entity they have appointed as their local agent to accept service on their behalf (see rule 1.7), and the local agent’s address for service (rule 5.2(2)(c)(ii)). This is the only additional requirement for foreign entities to become ADRs in the CDR Rules.
However, as stated in the Explanatory Memorandum for Part IVD of the CCA at [1.241] note that “Accreditation requirements under the CDR do not remove the need for accredited persons to obtain any other required licences for the business they are undertaking. For example, if a FinTech is providing financial services as defined in the Corporations Act 2001 and the Corporations Regulations 2001, it will also be required to hold an Australian Financial Services licence.” This statement captures other requirements to carry on a business in Australia, including any requirement for registration as a foreign company with ASIC.
That is – while a foreign entity can gain access to the portal to start an accreditation application without obtaining licence/s or registration required for the business they are undertaking, they would need these in order to become accredited.
We also suggest that you review the ACCC’s Accreditation Guidelines for further details about the accreditation process.
Ticket 1660
Question: Is a non-individual CDR consumer allowed to choose nominated representatives to his/her account regardless of the type of account ? For example, a joint account, a business loan account, a trust account etc.
Answer: In general, a non-individual CDR consumer can nominate a representative to their account for any of the product types listed in Schedule 3, Clause 1.4 of the CDR Rules. However, we note that a joint account is not considered a product type and is instead a separate account structure. Notably, under Rule 1.7, to satisfy the meaning of a ‘joint account’, each joint account holder must be an individual. This means that non-individual CDR consumers cannot be a party to a joint account, as defined in the CDR Rules.
Further considerations also apply in relation to trust account types. For more information, please see our knowledge article on trusts and nominated representatives in the CDR.
For more information generally, please also refer to our guidance on nominated representatives, non-individuals, and partnerships in the CDR.
Ticket 1662
Question: Where can I find a CDR implementation timeline for both DH and ADR.
Answer: For the energy sector, the commencement dates for CDR obligations can be found in Part 8 of Schedule 4 to the Consumer Data Right Rules.
You may also wish to review the ACCC’s Compliance Guide for Data Holders – Energy Sector. It also contains a summarised version of these commencement dates on page 9 along with other important compliance information for data holders in the energy sector.
Ticket 1666
Question: Does Hybrid flow need to use PKCE?
We have implemented PKCE use only in case of authorization code flow and not hybrid flow. Do we have to implement PKCE use for hybrid flow too?
Answer: Yes, from September 2022, the data standards adopt the FAPI 1.0 Advanced profile. The FAPI standards require Authorisation Servers supporting PAR RFC9126 to also support PKCE. See clause 18 of section 5.2.2: shall require PAR requests, if supported, to use PKCE (RFC7636) with S256 as the code challenge method.
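
The check described in the answer to ticket 1666, sketched as an added example (not code from the Data Standards Body or from any Data Holder implementation). The function names, the request dictionary layout and the error strings are assumptions made for illustration; the S256 transform and verifier format follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: verifier is 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
# An S256 challenge is a 32-byte digest, base64url-encoded without padding.
_CHALLENGE_RE = re.compile(r"[A-Za-z0-9\-_]{43}")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_par_request(params: dict) -> tuple:
    """Hypothetical PAR-endpoint check on the authorisation server.

    It does not look at response_type, so a hybrid request
    ("code id_token") is held to the same rule as "code".
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if not challenge:
        return False, "invalid_request: code_challenge required"
    if method != "S256":
        # An omitted method means "plain" in RFC 7636, so reject that too.
        return False, "invalid_request: code_challenge_method must be S256"
    if not _CHALLENGE_RE.fullmatch(challenge):
        return False, "invalid_request: malformed S256 code_challenge"
    return True, "ok"


def verify_token_request(stored_challenge: str, code_verifier: str) -> bool:
    """Token-endpoint check: the verifier must hash to the stored challenge."""
    if not code_verifier or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    computed = s256_challenge(code_verifier)
    return hmac.compare_digest(computed, stored_challenge)


# Constructed sample: a client pushing a hybrid-flow request through PAR.
SAMPLE_VERIFIER = secrets.token_urlsafe(48)  # 64 URL-safe characters
HYBRID_PAR = {
    "response_type": "code id_token",
    "code_challenge": s256_challenge(SAMPLE_VERIFIER),
    "code_challenge_method": "S256",
}
```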

Useful Links

View a number of informative and useful links in the Consumer Data Standards Guide on Information Links.

  • Consumer Data Standards on GitHub
  • The official Consumer Data Standards website
  • This repository contains the binding API Standards and Information Security profile created in response to the Consumer Data Right legislation and the subsequent regulatory rules.
  • A demonstration of Product Reference data from the Banking Sector.
  • Follow Data Standards Body on LinkedIn for updates and announcements
  • Data Standards Body video channel on YouTube
  • Helping organisations provide consumers with intuitive, informed, and trustworthy data sharing experiences.
  • A Postman collection with a set of unit tests. It can be used as a development testing tool for Data Holders developing a DSB compliant API.
  • Check out our guides, browse through our FAQs, and post your own questions for Support.
  • Digital Resources Repository on DSB's GitHub website
  • The glossary of CDR CX terminology
  • Data Holder server reference implementation and associated tools.
  • A repository of DSB Newsletters/Blog posts since 2019
  • This repository is the staging repository for the Consumer Data Standards.
  • Java Artefacts Data Holder server reference implementation
  • This glossary lists terms and their definitions in the context of the Consumer Data Right and Consumer Data Standards.
  • This repository is used to contain discussions and contributions from the community of participants and other interested parties in the Australian Consumer Data Right regime.