ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes | 2nd of June 2022
When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61-2-9338-2221,,1650705270##
Meeting Details:
Desktop or Mobile Devices
https://treasuryau.webex.com/treasuryau/j.php?MTID=m9614a7c6166155d3d950a8999e437f9f
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.
Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: 1650705270@webex.com
Phones - AUDIO ONLY
- Primary Australia: +61-2-9338-2221
- Quick Dial: +61-2-9338-2221,,1650705270##
- Other Global Numbers: https://treasuryau.webex.com/cmp3300/webcomponents/widget/globalcallin/globalcallin.do?MTID=m311f46c87a3ab9ae5335a6c0ea431da4&MTID=m311f46c87a3ab9ae5335a6c0ea431da4&MTID=m311f46c87a3ab9ae5335a6c0ea431da4&MTID=m311f46c87a3ab9ae5335a6c0ea431da4&serviceType=MC&serviceType=MC&serviceType=MC&siteurl=treasuryau&siteurl=treasuryau&siteurl=treasuryau&apiname=globalcallin.php&apiname=globalcallin.php&apiname=globalcallin.php&rnd=6124483603&rnd=6124483603&rnd=6124483603&tollFree=0&tollFree=0&tollFree=0&ED=1403111402&ED=1403111402&ED=1403111402&needFilter=false&needFilter=false&needFilter=false&actappname=cmp3300&actappname=cmp3300&actname=/webcomponents/widget/globalcallin/gcnredirector.do&actname=/webcomponents/widget/globalcallin/gcnredirector.do&renewticket=0
- Meeting Number/Access Code: 165 070 5270
- Introductions
- Actions
- CDR Stream updates
- Presentation
- Q&A
- Any other business
- 5 min will be allowed for participants to join the call.
The Consumer Data Right Implementation Calls are recorded for note taking purposes. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material shall be provided without the participant's consent. Participants may contact@consumerdatastandards.gov.au should they have any further questions or wish to have any material redacted from the record.
We acknowledge the Traditional Custodians of the various lands on which we work today and the Aboriginal and Torres Strait Islander people participating in this call.
We pay our respects to Elders past, present and emerging, and recognise and celebrate the diversity of Aboriginal peoples and their ongoing cultures and connections to the lands and waters of Australia.
| Type | Topic | Update |
|---|---|---|
| Standards | Version 1.170 Published | Link to change log here |
| Maintenance | DSB Maintenance Iteration 11: Agenda & Meeting Notes on 25th of May 2022 | Link to the agenda and minutes |
| Maintenance | Meet next week on the 8th of June 2022 | To receive an invitation: reach out to contact@consumerdatastandards.gov.au |
| Maintenance | Additional session on the Tuesday 14th of June 2022 | Focused on Energy items for Maintenance Iteration 11 |
| TSY Newsletter | To subscribe to TSY Newsletter | Link here |
| DSB Newsletter | To subscribe to DSB Newsletter | Link here |
| TSY Newsletter | 6th of April 2022 | View in browser here |
| DSB Newsletter | 27th of May 2022 | View in browser here |
| Consultation | Normative Standards Review (2021) | No Close Date Link to consultation |
| Consultation | Decision Proposal 229 - CDR Participant Representation | Placeholder: no close date Link to consultation |
| Action | Question taken on notice: in regards to SSO with the Consumer Data Standards | CDR Support Portal - SSO and CDR authentication |
Provides a weekly update on the activities of each of the CDR streams and their stream of work
| Organisation | Stream | Member |
|---|---|---|
| ACCC | CDR Register | Emma Harvey |
| ACCC | CTS | Preeti Patel |
| DSB | CX Standards | Michael Palmyre |
| DSB | Technical Standards - Register | Ivan Hosgood |
| DSB | Technical Standards - Energy & MI11 | Hemang Rathod |
| DSB | Technical Standards - Banking | Mark Verstege |
| DSB | Technical Standards - Engineering | James Bligh |
None.
Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.
| Ticket # | Question | Answer |
|---|---|---|
| 1427 | We are considering the scenario where a Data Holder may have a consumer that has an "open gas account" or “open telco account” but a "closed electricity account”. When there are multiple open accounts with a Data Holder and a customer closes one account the authorisation does not necessarily immediately expire [as it would e.g., by operation of Rule 4.26(1)(c)]. This depends on whether the consumer remains an eligible consumer [as defined in Schedule 4, clause 2.1]. Our interpretation is that given Consumer Data Right (Energy Sector) Designation 2020 and interactions with the CDR Rules is that “open gas accounts” or an “open telecommunications account” would not be considered an “open account” for purposes of determining whether a customer remains eligible for CDR. [As the Energy Sector Designation covers gas and electricity, however gas does not fit the definition of an eligible customer under the CDR Rules. N.B. the telecommunications sector is yet to be designated.] However, we are unsure if Schedule 4, part 3, clause 3.2(2)(b)(iii)(A) may influence whether a customer remains eligible particularly if a ‘relevant account’ could have cross-sectoral implications – such as a gas or telco account. Could you please give us direction on the policy intent regarding interpretation of Schedule 4, part 3, clause 3.2(2)(b)(iii)(A). Also Note 2 to clause 3.2(2) [see Note 1 below] suggests that closed accounts are in scope, but references that the consumer must be eligible (which we understood to be the case only the case if the account is open) – are you able to clarify the intent of this Note please? |
For a consumer to be eligible in relation to a retailer, the consumer must be a customer of the retailer in relation to an eligible arrangement as stated in clause 2.1(1)(a) of Schedule 4. Clause 1.2 of Schedule 4 to the rules and Section 5(1)(b) of the Energy Sector Designation define a ‘customer’ as a person who purchases electricity or to whom electricity is supplied by a retailer. Clause 1.2 and 2.1(2) of Schedule 4 define an eligible arrangement as “an arrangement that relates to one or more connection points or child connection points for which there is a financially responsible market participant in the National Electricity Market.” Clause 3.2 of Schedule 4 deals with consumer data that is required or voluntary and does not relate to a CDR consumer’s eligibility. A CDR consumer can share data on closed accounts if they remain eligible CDR consumers with the relevant data holder despite the account closure. If the person continues being eligible in relation to the data holder (for example, they have another account with the energy retailer which is open and satisfies the eligibility criteria), the person will continue to be able to share CDR data from the closed account subject to clauses 3.2(4) and (5) of schedule 4. |
| 1475 | Can you please confirm our understanding that required data for closed accounts is 24 months before the day of the request? We note references within the CDR - i.e. Schedule 4, 3.2(2)(iii)(B) which defines required billing data for a time that is not more than 2 years before the day of the request. However this is not defined specifically in relation to required data for closed accounts - see Schedule 4, 3.2(7) | Thank you for your question. Schedule 4, clause 3.2(7)(c) of the CDR rules specifies that for a closed account, any CDR data not excluded by 3.2(7)(a) or (b) that “relates to a transaction or event that occurred more than 2 years before” is not required consumer data. This means that billing data held by a retailer (and metering data held by AEMO) that relates to an event or transaction that occurred less than 24 months before the date of a consumer data request is required consumer data for closed accounts. However, note that the CDR Rules only require a retailer data holder to share CDR data that relates to a closed account if the CDR consumer remains an eligible CDR consumer in relation to the data holder (see Rule 1.10B and Schedule 4, clause 2.1 for the definition of an eligible CDR consumer in the energy sector). |
| 1513 | User Info API for Nominated Representatives In regards to the User Info API in the OAuth Specifications (that provides information about the user establishing the consent), this oAUth API mostly deals mostly with the consumer use case. For the obligations related to business consumers, for a business account user consenting to share business account information that they are a nominated representative for, should User Info represent the business account info or the nominated representative? |
The UserInfo response relates to the authenticated end user. For individual consumers this is currently the consumer. For non-individual consumers this will be the data of the nominated representative. |
| 1522 | Scheduled Payments and Direct Debits requests where there is no data Where a request is made to either get scheduled payments or direct debits on one or multiple accounts and there are no scheduled payments or direct debits on the account. What should the response be. i.e. Status Ok with an empty array or an error code as the mandatory fields can't be populated. |
If the request is valid you must respond with a 200 OK and an empty array. |
| 1544 | Error Code 404 - Difference between Invalid and Unavailable data The 404 error description highlights that the "Unavailable" and "Invalid" are differentiated based on whether the ID provided in URL is permanently unavailable for "Invalid" and available but not shared due to status for "Unavailable". In CDR rule 3.5(1)aa and 4.7(1)(c)- The status mentioned are "blocked" and "suspended". Should Energy Retailer send 404 - "Unavailable" for data which is blocked and suspended. Similarly send "Invalid" if the data is not able with Energy retailer? |
The guiding principle for Unavailable vs Invalid is whether future calls to the same resource are likely to be responded to. If the account is temporarily unavailable (for example a transient hold on the account) then Unavailable is the appropriate response. If however, for protection of the vulnerable consumer or the account is no longer associated with the consent, then Invalid is the appropriate response. Business rules within each Data Holder will also play a role in determining how you handle each scenario. This is left to the discretion of the Data Holder. |
| 1549 | As part of the OIDC Authorization Code Flow, Data Holders are expected to support JARM. Questions: 1. For the "authorization_signed_response_alg attribute" should the DH use PS256 or leave it to default which is RS256? 2. Should the JWT be encrypted? 3. If yes, what should be the OB recommended values list for these attributes. a. authorization_encrypted_response_alg b. authorization_encrypted_response_enc |
Question 1: For the "authorization_signed_response_alg attribute" should the DH use PS256 or leave it to default which is RS256? Answer: RS256 is explicitly excluded by FAPI. FAPI provides requirements for allowed signing algorithms in section 8.6: https://openid.net/specs/openid-financial-api-part-2-1_0.html#algorithm-considerations Question 2. Should the JWT be encrypted? Answer: No. There is currently some discussion in the Maintenance Iteration 11 to exclude encryption of responses (this would be a constraint to the JARM spec) Question 3. If yes, what should be the OB recommended values list for these attributes. a. authorization_encrypted_response_alg b. authorization_encrypted_response_enc Answer: Currently, the algorithms specified in JWE apply. The JARM spec states these requirements. https://openid.net/specs/openid-financial-api-jarm.html in section 6: https://openid.net/specs/openid-financial-api-jarm.html#authorization-server-metadata - authorization_encryption_alg_values_supported OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response. - authorization_encryption_enc_values_supported OPTIONAL. JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response. |
| 1557 | We have a question for the FAPI 1.0 upgrade (i.e. https://github.com/ConsumerDataStandardsAustralia/standards/issues/209) For September 16th obligation date, under the heading of "Authorization Code Flow" it states "Data Holders MAY support the Authorization Code Flow in accordance with FAPI 1.0 Advanced. This requires JARM and PKCE." The above statement states "MAY" however in the 'Future Dated Obligation' page for September 16th 2022, it states "Data Holders and Data Recipients MUST support FAPI 1.0 Final including [RFC9126], [RFC7636] and [JARM]". The 2 sites contradicts each other as one says "MAY" and the other says "MUST". Can you please let us know if it's indeed a "MAY" or "MUST" so we can prioritise our upgrade ? |
the intention of the statements in the future dated obligations is to indicate any Data Holder adopting Authorization Code Flow in Phase 2 must do so according to FAPI 1.0 Final including [RFC9126], [RFC7636] and [JARM]. The requirement for Authorization Code Flow support in Phase 2 is actually a SHOULD, not a MAY, but this does give discretion to the Data Holder. Whilst we encourage Data Holders to implement and support the Authorization Code Flow from September, it is only mandated from April 2023 (after which time the OIDC Hybrid Flow is deprecated). Please note that "MAY" support for Authorization Code Flow is July 2022, "SHOULD" support is September 2022 and "MUST" support is April 2023. |
View a number of informative and useful links in the Consumer Data Standards Implementation Guide on Information Links.