ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (25th of June 2020)

ACCC & DSB Data Holder Working Group Agenda & Meeting Notes (25th of June 2020)

When: Weekly every Thursday at 3pm-4.30pm AEST
Location: WebEx, quick dial +61262464433,785383900%23%23
Meeting Details:

Desktop or Mobile Devices https://csiro.webex.com/csiro/j.php?MTID=m7c39ee9db5e5892ab35cd0bd7bbf94ce
Once connected to your meeting remember to start your audio and video
Please mute when you are not speaking.

Video Conferencing (VC) Rooms
Use the remote control or touch panel and dial the number indicated below:
External VC Room: 785383900@csiro.webex.com

Phones - AUDIO ONLY

• Primary Australia: +61 2 6246 4433
• Quick Dial: +61262464433,785383900%23%23
• Other Global Numbers: https://conferencing.csiro.au/Call-in.php
• Meeting Number/Access Code: 785 383 900

Agenda

1. Introductions
2. Outstanding actions
3. CDR Stream updates
4. Q&A
5. Any other business

Meeting notes

• Meeting Notes
• Next steps

Introductions

• 5 min will be allowed for participants to join the call.

Actions

Type	Topic	Update
Maintenance	Banking Maintenance Iteration 03	Decision Proposal 108
Decision Proposal - Energy	Decision Proposal 110 - Additional Account Holders	Decision Proposal 110
Decision Proposal - All	Decision Proposal 119 - Enhanced Error Handling Payload Conventions	Decision Proposal 119
Decision Proposal - All	Decision Proposal 120 - CDR Error Codes for Enhanced Error Handling	Decision Proposal 120
Decision Proposal - All	Decision Proposal 121 - Application of existing HTTP Error Response Codes to Enhanced Error Handling	Decision Proposal 121
Decision Proposal - All	Decision Proposal 122 - Extension of Supported HTTP Response Codes for Enhanced Error Handling	Decision Proposal 122
Question	Is it required to display the CDR data requests made by data recipients in the data holder's consumer dashboard or is it just the Authorization details to be shown in the dashboard?	Rule 1.15 of the CDR Rules provides what information and functionality must be provided through a consumer’s dashboard when a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer, including information relating to CDR data that has been authorised to be disclosed. That information is set out in rule 7.9 (which relates to Privacy Safeguard 10) which requires the consumer dashboard to show what CDR data was disclosed, when the CDR data was disclosed, and the ADR it was disclosed to. The CX Guidelines provide an example of doing this, where actual disclosure events are shown on the data sharing arrangement screen, but rule 7.9 could be met by providing notifications elsewhere on the consumer dashboard.
Question	Section 3.2 of the CDR Rules (Joint account management services) provide details about revoking accounts owner by joint account holders. How should this process happen if an individual account owner wanted to revoke 1 of 2 accounts they are sharing with the ADR: Does consent need to be fully withdrawn and then re-consent OR Can individual owners also have the capability of revoking an account?	The data standards allow data holders to provide functionality that allows the addition or removal of accounts. Data holders are not required to build this functionality, however where this functionality is in place, adding or removing accounts does not impact a current consent. Therefore, while adding or removing accounts may impact the data that is able to be collected by an accredited person, it will not trigger redundancy, and previously collected data will not need to be deleted or de-identified.
Question	Question regarding the term “publicly offered” (clause 1.4 of Schedule 3 to the CDR Rules) Has any guidance been provided by the ACCC regarding what is intended by the term “publicly offered?” Clarification is sought as to how this term should be interpreted. Should CDR data holders have regard to whether a product is considered “wholesale” or “retail” when determining if a product is in scope? If so, which definition of “wholesale” or “retail” should be relied upon? Where is this further information provided by the ACCC? We need to be able to evidence our decisions for inclusion/exclusions of products. Some of our product departments are adamant that their products are not intended to be included in CDR, however when interpreting the CDR Rules there is no justification for exclusion.	The ACCC considers ‘publicly offered’ to mean products that are generally advertised and available to customers as ‘standard form contracts’, including that they have terms and conditions that are subject to low levels of negotiation, if any. The ACCC understands this will often align with products that are made available in respect of a bank’s retail banking operations, as opposed to its wholesale banking operations. ‘Publicly offered’ does not necessarily mean the product can be acquired by any member of the public – the product may be subject to eligibility requirements. For example, a business overdraft may be publicly offered but not available to individual consumers.
Question	"when are simple business accounts included in the phasing? I can see business loans. I know complex business accounts (X to sign) are separate to joint accounts. I can't see a normal business saving account or business TD with a simple structure (one to sign)" "In the schema for product eligibility, the first value is business - only business may apply for the account. In the product category, business isn't mentioned under any deposit products. However it doesn't say personal either. It is neither inclusive nor exclusive."	A customer must be an ‘eligible CDR consumer’ in order to share CDR data. A CDR consumer is eligible with respect to a particular data holder if the consumer is an individual (18 years or older) who is the account holder of at least one account with the data holder that is open and set up in such a way that it can be accessed online. This includes individually held retail accounts as well as some small business accounts (for example, accounts held by sole traders). Savings accounts in general are phase 1 products. An eligible consumer (which may include some small business customers) with a savings product could share CDR data from that account when phase 1 products come in scope for the particular DH. The ACCC intends to amend the rules in the future to accommodate CDR data sharing by corporate customers and for complex accounts. An updated phasing table was published in the newsletter of 22 June, copy available on the ACCC’s CDR website under ‘Latest Communications’.
Question	To be eligible to share data, each joint account holder needs to be over 18, and be the account holder for an account that is set up in such a way that it can be accessed online. If one joint account holder sets up their online access to the joint account, it could be argued that both joint account holders will be “account holders for an account that is set up in such a way that it can be accessed online” (i.e., it is accessible online, but only to the account holder who set up access). Is it the intention of the rules to capture joint account holders accounts where the second joint account holder is unable to access the account online?	The policy intent is that both joint account holders must be ‘eligible’ (eligible is as defined in cl 2.1(2) of schedule 3). Therefore it is the ACCC’s intention that where the joint account holders only have one account with the data holder (the joint account), that account must be online and accessible to both consumers in order for the account to be eligible for sharing. However, we also note that whether the rules capture a joint account where the second joint account holder is unable to access the account online will depend on whether the account holder has any other accounts ‘online’ with the data holder, for example: Example 1: Anna has a joint account with Betty. The joint account is set up for online banking for Betty only, and Anna does not have any accounts set up with this DH that she can access online. Neither Betty nor Anna may make requests for data sharing on the joint account. Example 2: Anna has a joint account with Betty and a savings account in her own name. The savings account is set up for online banking for Anna, the joint account is set up for online banking for Betty only. Anna and Betty are both eligible consumers and (subject to the other restrictions in the rules, including, Part 4 of schedule 3), could both request sharing on the joint account.
Question	I was hoping you could provide guidance when is the obligation date for CDS technical standards v1.3.1? I would like to request that obligation dates be included in future version releases as currently there is no clear way to tell by when we need to comply.	The standards have a section at the beginning titled “Future Dated Obligations”. A given version of the data standards may have different obligation dates and requirements depending on whether the participant is a Data Recipient or Data Holder as well as the type of Data Holder. As such there is no single obligation date for the data standards.
Question	Question 4 Would you please confirm an Open Banking Solution Provider contracted by a ADR ADIs or Fintechs be set as their endpoint connection to a DH.	On 22 June 2020, the ACCC published draft rules for consultation which will authorise third parties who are accredited at the ‘unrestricted’ level to collect CDR data on behalf of another accredited person. This will allow accredited persons to utilise other accredited persons to collect CDR data and provide other services that facilitate the provision of goods and services to consumers. The consultation period closes 20 July 2020. More information is available on the ACCC’s website. The ACCC has also provided guidance on utilising software to collect CDR data. This guidance is available in our newsletter published 22 June 2020.
Question	Seeking clarification on CBA’s position: during outage periods, failure to respond to API requests does not constitute a refuse to disclose. This is in relation to both planned outages, and incidents (unplanned outages). By nature these periods will have limited system capabilities and will not provide reliable instrumentation. Additionally, planned outages and incidents are measured through other data standards APIs.	We do not expect data holders to report on refusals as a result of a scheduled maintenance or an unexpected outage for the purposes of rule 9.4.
Question	For the number of refusal, does this include DoS attacks e.g. millions of requests come through and the system blocks it due to security attack.	We expect data holders to report on refusals to disclose CDR data and the CDR rules or data standards relied on to refuse to disclose that CDR data (items 4.1-4.2 of the reporting form). Item 4.3, which requests the data holder state the number of times it has relied upon the CDR rules or standards cited in response to item 4.2, is an optional reporting item. Under rule 2.5, a data holder may refuse to disclose required product data in response to a request in circumstances (if any) set out in the data standards. Examples of such circumstances in relation to product data are: (i) When the number of requests the data holder is receiving is above their service level thresholds defined in the non-functional requirements section of the data standards; (ii) There is a valid security reason that prevents sharing PRD data temporarily or for requests considered as suspicious. This would include refusing to disclose data as a result of a DoS attack.
Question	Question on item 2.7 of product data reporting - Do we need to extended existing customer complaints process to accommodate CDR participants complaints?	Currently there are no internal dispute requirements specified in the CDR rules for the handling of CDR participant complaints in relation to product data requests, so there are no formal obligations for the DHs to extend their existing customer complaints process to accommodate CDR participant complaints under the rules. What may need to be implemented, however, is a system for recording the number of complaints that come in from other CDR participants so they can report on these under item 2.7.
Question	Question on item 4.2 of product data reporting form – Can you clarify on non-technical / CDR rules used while refusing requests	The reference to ‘non-technical’ refusals in the reporting guidance for data holders relates to reasons specified in the rules whereby a data holder may refuse to disclose CDR data, as opposed to refusing to disclose in accordance with circumstances set out in the data standards (which we’ve described in our guidance to be ‘technical’ refusals). For example, in relation to CDR consumer data, rule 4.7(1) allows a data holder to refuse to disclose required consumer data where it considers it necessary to prevent physical or financial harm or abuse. ‘Non-technical’ reasons for refusing to disclose CDR data are less relevant for product data sharing as the current rules only state the data holder may refuse to disclose required product data in response to a request in circumstances set out in the data standards (see rule 2.5 of the CDR rules).
Question	will the advice next week regarding the portal and registration of data recipients will it include any updtes or comments and timeframes regarding intermediatries who may direct ADR or outsource service providers	On 22 June 2020, the ACCC published draft rules for consultation which will authorise third parties who are accredited at the ‘unrestricted’ level to collect CDR data on behalf of another accredited person. This will allow accredited persons to utilise other accredited persons to collect CDR data and provide other services that facilitate the provision of goods and services to consumers. The consultation period closes 20 July 2020. More information is available on the ACCC’s website. The ACCC has also provided guidance on utilising software to collect CDR data. This guidance is available in our newsletter published 22 June 2020.
Question	It was mentioned allowing 3 months for the accreditation process, can we assume the same period of time for the 'streamlined' ADI process?	The ACCC anticipates that the streamlined accreditation process will take between 4-6 weeks, subject to information provided.
Question	Is a copy of the draft rules that have been submitted to the treasurer (with the changes) available for download/can we obtain a copy?	Minor amendments to the rules have been made by the ACCC and took effect on Friday 19 July. The amendments clarify the intended operation of particular rules, and ensure appropriate alignment with the technical standards, prior to the commencement of the Consumer Data Right regime on 1 July. Details of the amendments to the CDR Rules are available on the Federal Register of Legislation.
Question	Have the amendments to 4.25 gone through unchanged or have they been removed?	Minor amendments to the rules have been made by the ACCC and took effect on Friday 19 July. The amendments clarify the intended operation of particular rules, and ensure appropriate alignment with the technical standards, prior to the commencement of the Consumer Data Right regime on 1 July. Details of the amendments to the CDR Rules are available on the Federal Register of Legislation.
Question	1. Can the ACCC outline the plan for what the industry testing/conformance will look like in practice for the non-major banks, including timelines?	The ACCC is working on a Test Strategy, it will replace the Assurance Strategy used to inform Industry Testing. When more information is available it will be released via the CDR Newsletter.
Question	In the rules the definition is provided: recognised external dispute resolution scheme means a dispute resolution scheme that is recognised under section 56DA of the Act. Section 56DA of the Act states (1) The Commission may, by notifiable instrument, recognise an 26 external dispute resolution scheme for the resolution of disputes: 27 (a) relating to the operation of the consumer data rules, or this 28 Part, in relation to one or more designated sectors; Has an/the external dispute resolution scheme been determined/recognised and if so where is this stated/documented?	By notifiable instrument, the ACCC recognises the Australian Financial Complaints Authority as the external dispute resolution scheme for the resolution of disputes relating to the operation of the consumer data rules, or Part IV of the Competition and Consumer Act 2010, in relation to the banking sector and involving on or more of: (i) CDR participants for CDR data, (ii) CDR consumers for CDR data, (iii) other persons relating to the banking sector. The notifiable instrument is the Competition and Consumer (External Dispute Resolution Scheme–Banking Sector) Instrument 2019. It was registered on the Federal Register of Legislation on 8 October 2019 and came into effect the following day.
Question	Question in Issue 232	The ACCC has recently published guidance about product data requests and white label products under the CDR Rules in our newsletter. The ACCC intends to engage with key stakeholder groups regarding our approach to consumer data requests in the coming months. Interested stakeholders may also approach the ACCC to provide comments on the guidance or seek a discussion via the Consumer Data Right inbox at accc-cdr@accc.gov.au.
Question	Regarding the announcement on the CDR dates for non-major ADI’s moving out to July ’21, will the ACCC be releasing a new Phasing table to confirm obligation dates for: PRD - Phased products (1,2,3) CDR - Phased products (1,2,3) CDR – consumer type individual, joint) CDR – account status type (open, closed) DTC – direct to consumer obligations	The ACCC has published an updated phasing table summarising the commencement dates of mandatory data sharing obligations. This table incorporates the deferral of certain commencement dates in light of recent exemptions and is available on the ACCC’s website.
Question	If a non-major bank chooses to make their Product Reference Data API public on their website prior to the 1st of October (PRD phase 1 obligation date). Does the reporting period start from the date when the API is made public or does the reporting period only start from the 1st of October? i.e. we launch our PRD API on our website on the 1st of July does that mean the reporting period is from the 01/07/2020 – 31/12/2020 (6 month period)	Reporting obligations under rule 9.4 will commence from the date you begin sharing PRD. For example, if a bank chooses to commence sharing PRD from 1 July 2020 (rather than from 1 October), it will be expected to report from 1 July 2020. \
Question	Questions for ACCC around Product reference data timeline obligations - Could you please clarify if Non-major ADIs can commence sharing PRD data for phase 1 products "prior to 1 July 2020" if ready? And if yes, would this automatically trigger any changes to other swim lane obligations (for PRD phase 2 and/or Consumer data)? Also, are we required to advise/inform the ACCC of the exact go-live date?	1) Yes, you can commence sharing PRD prior to 1 July 2020. 2) No, this does not affect swim lane obligations for PRD phase 2 or consumer data sharing. 3) There is no express requirement to notify the ACCC of the exact go-live date if you elect to share PRD early. However, please note that reporting obligations under rule 9.4 will commence from the date you begin sharing PRD. For example, if a bank chooses to commence sharing PRD from 1 July 2020 (rather than from 1 October), it will be expected to report from 1 July 2020.
Question	is there an SLA or expectation on the time that an ADR would make available to a consumer data received from and ADH.	There is no SLA and the expectation is on the nature of the good/ service provided.
Question	Question regarding the term “publicly offered” (clause 1.4 of Schedule 3 to the CDR Rules) What is the ACCC’s view of the term “publicly offered?” Clarification is sought as to how this term is intended to be interpreted. (Rest of question is continued in Appendix	The ACCC considers ‘publicly offered’ to mean products that are generally advertised and available to customers as ‘standard form contracts’, including that they have terms and conditions that are subject to low levels of negotiation, if any. The ACCC understands this will often align with products that are made available in respect of a bank’s retail banking operations, as opposed to its wholesale banking operations. ‘Publicly offered’ does not necessarily mean the product can be acquired by any member of the public – the product may be subject to eligibility requirements. For example, a business overdraft may be publicly offered but not available to individual consumers.
Question	There is appears to be some ambiguity in the interpretation of rules with respect to joint account elections, as described in Monday’s OB Implementation Advisory Meeting (see extract below, p3, Item 4 (3)). In short the ACCC response below suggests that, when the joint account election is removed, “the data holder must not disclose consumer data on that account in response to a consumer data request. However, all other authorisations remain in place”. This is ambiguous and appears to contradict previous advice shown in the adjacent column below. We believe that the wording should be “the data holder must not disclose consumer data on that account in response to a new consumer data request. However, all other existing authorisations remain in place”. We would be grateful if the ACCC would confirm our understanding.	The ACCC confirms that where a joint account holders withdraws a JAMS election, the data holder must not disclose consumer data on that account in response to a new consumer data request. However, all existing authorisations remain in place.

CDR Stream Updates

Provides a weekly update on the activities of each of the CDR streams and their workplaces

• ACCC Rules
• ACCC CDR Register (Technical)
• DSB CX Standards
• DSB Technical Standards - Energy & Banking

Presentation

• No presentation this week.

Q&A

Questions will be received by the community via WebEx chat before the questions are opened to the floor. Participants can pre-submit questions to the DSB mailing box.

Currently received pre-submitted questions:

#	Question	Answer
#1	Given the CTS is in build (we assume it must be given the urgency of its completion) then you must have a defined scope and requirements. If you are developing it then I assume you would also have some kind of design spec. Are you able to share any or all of these artefacts so that we understand what it will and will not address? The greater the level of transparency the easier it is for future participants to plan and prepare and this should lead to a greater level of assurance for the regime and reduced risk.	The ACCC is working on a Test Strategy that will replace the Assurance Strategy used to inform Industry Testing. When information is available it will be released via the CDR Newsletter.
#2	Confirmation required – If an ADR chooses to invoke the DELETE operation on the Registration endpoint for a clientId, then this has the same result as the registry setting a software product status to “Removed” i.e. All consent agreements for the software product involved are revoked.	-
#3	The ACCC CDR update of 22/6 indicated that “accredited persons may utilise SaaS and other software products provided by non-accredited persons to collect Consumer Data Right data where the accredited person controls its Secrets Manager component, and does not permit the third party to access its security artefacts.” How can a non-accredited SaaS provider register their software and subsequently gain access to Data Holder API’s if one needs to be accredited in order to register software and appear on the register? Essentially, I am unclear how a non-accredited SaaS provider can participate in the current regime given the tight federated control only allows for ADR, DH and Register. Additionally, my understanding is that there is no ability under the current rules for an Outsourced Service Provider to access CDR data directly, further limiting the use of a SaaS provider to collect CDR data on behalf of an accredited person.	Question taken on notice by the ACCC - there will be an upcoming workshop (to be announced) on Intermediaries, where questions of this nature are to be explored.
#4	What is the ACCC/DSB position on account number masking both from the CX standards and from technical standards perspective? Is there an explicit requirement to share unmasked account details or can a DH follow their internal policies for this (both in API response and in authorization/dashboard UI)?	-

Notes

• ACCC Update:
  • Newsletter was published on Friday 19th of June, was subsequently republished with a number of corrections which can be found here
  • Consultation will begin shortly on CAP Arrangement Rules
  • A proposed workshop for Intermediaries is planned and will be announced shortly
  • There will be an update on whitelabeling and Phasing table as well
• CDR Register:
  • 3 Projects have been raised to cover planning and design of subsequent phases, these can be linked to and viewed here
• Consumer Experience:
  • Phase 3 Research report is being finalized and shared once it is complete
  • The team is lining up next research issues and planning workshops
• Technical
  • Second Error Handling Workshop completed - thank you to all the participants
  • Next round of workshops on pause for Go-Live activities and focus
  • DP119 has been extended to the 7th of Jul 2020
  • Maintenance Iteration 4 is being planned with dates to be announced soon
  • Data Quality workshop is under way for planning with dates to be announced in the coming weeks
  • Maintenance Iteration 3 changes have been reviewed and finanlised these are to be circulated soon

Question and answers

#	Question	Answer/ Action
#1	where an uaccredited entity is the initial recipient of consumer requess/ consents that it is then passed onto a ADR or its outsouced provider what is the initial compliance responsibility and who is responsible and then 2. where the ADR receives data from an ADH but then shares consumer requested data to the downstream entity, re above question same applies for cancellation or renewal of consent. our view they stay with the accredited ADR who would then be responsible through contracts and third party management for the initial entity and anyone they provide the data. . appreciate confirmation	Question taken on notice
#2	Will there be a formal definition of direct debits and scheduled payments forthcoming by the ACCC before November, seeing as these terms are in the CDR rules? At present the CDR standards definition are somewhat light and open to interpretation.	The terms are intended to have their ordinary meaning, as commonly understood by industry and customers, and in connection with Internet banking applications. A direct debit being an automatic transfer of money from one customer’s account to another account, and a scheduled payment being a payment that is scheduled for a specific date.
If there are particular examples of instances that might be open to interpretation, please raise them in the DHWG.
#3	How do we access the updated Comparator tool where V2 & V3 data can be requested?	Banking Comparator Tool can be found here
#4	Can Non Major ADI's share Product Reference data on Phase 2 products prior to 1 Feb 2021, if they are ready? Would this trigger any obligations under the concept of 'voluntary participating ADIs' and trigger any changes to other swim lane obligations (for PRD phase 3 and/or Consumer data)?	Early sharing of PRD is encouraged, and non-major ADIs are able to share product reference data early without this triggering any changes to their other data sharing obligations. The ACCC intends to remove the concept of voluntarily participating ADI from the rules. An updated version of the phasing table is available here.
#5	If a data holder has a document in PDF, say a payslip that a borrower provided as part of a loan application, is that "in digital form" for CDR purposes?	Question taken on notice
#6	When will the CDS Comparison demo app be upgraded to support version 2 of the product apis?	Tool is now upgraded to support
#7	If we add another participant api link on the CDS Comparison tool, will it be visible to all other site users? or just temporarily added to the person who has done it?	If you add this in your own browser, you will only be able to view this change. However, if you are the Data Holder you can submit an Issue or Pull Request on the Repository to have the endpoint and logo added the tool. Repo located here
#8	Clause 2.1 of Schedule 3 of the Rules outlines that in order to be considered an eligible CDR consumer, a person must (amongst other things) have an account with a data holder that is “set up in such a way that it can be accessed online”. If a consumer has a temporary block status applied to their online banking access (e.g., because of suspected fraud activity), they will be temporarily unable to access their account online. We seek confirmation that in the event a consumer has a temporary block on their account, that this by itself would not result in the consumer no longer being an eligible CDR consumer?	Question taken on notice
#9	Are there any published guidelines regarding how to provide product data as there appears to be different interpretations regarding this?	Question taken on notice
#10	Regarding identifier first authentication on Data Holder's side, CX guidelines state that "The code (OTP) should also be delivered by other methods such as email as alternative to SMS via mobile number". Does this mean that the OTP should be delivered as SMS and email at the same time? Or can the customer chose the preferred channel?	-
#11	Hi, just a quick clarification on corporate accounts. They would be put under the umbrella of joint accounts?	The ACCC is developing rules to bring in corporate and more complex accounts and will be consulting on draft rules in the future.
#12	This question is further to the answer provided by the ACCC on PRD and retail Vs Wholesale product data. Just to clarify, for PDR, the expectation is that it only covers products available to Individuals, and there is no expectation to make available products used by Large corporates/wholesale products. E.g. Credit cards used by individuals are required, but Credit Cards/ Charge Cards used by Large Corporates are not required for Phase 1 PRD.	The PRD that is expected to be shared is not limited to only products offered to individuals. For example, several of the products listed in Phase 1, 2, 3 are business specific (e.g. a business overdraft). Provided the product is generally known as the type described in Phase 1, 2, 3 and publicly offered, it must be shared. The ACCC considers publicly offered to mean products that are generally advertised and have terms or conditions that are subject to low levels of negotiation, if any (i.e. standard form contracts). Often this will align with products available through a bank’s retail operations, rather than its wholesale operations, however, it could include business products that are generally available with standard terms and conditions to ‘wholesale’ (or, business) clients. Publicly offered does not mean available to the public at large, because eligibility requirements may apply.
#13	In terms of consent capture, are the joint account proposals related to the treatment of corporate accounts?	-
#14	quick clarification on the business accounts - are individuals who hold corporate cards (organisation is liable for credit but the card is in the individual's name) in scope for CDR?	A CDR consumer is eligible with respect to a particular data holder if the consumer is an individual (18 years or older) who is the account holder of at least one account with the data holder that is open and set up in such a way that it can be accessed online. This will therefore include individually held retail accounts as well as some small business accounts (for example, accounts held by sole traders). Provided the individual in question is the account holder (and not the company) – they are in scope.
#15	How are joint accounts with more than 2 account holders handled?	Currently, the rules only cover joint accounts held in the name of two individuals. The ACCC will consider joint accounts with more than two account holders as part of the development of rules for more complex accounts.
#16	To add to the question regarding the revocation of joint account elections, when we need to stop sharing, should we also revoke affected consents?	Question taken on notice

Other business

• OAIC have launched a new Privacy Safeguard Guidelines page, which can be found here

Appendices

Background for question

Clause 1.4(1) of Schedule 3 of the Competition and Consumer (CDR) Rules 2020 (CDR Rules) states that the term “phase 1 product” means a product that is publicly offered and generally known as being of any of the following types:

1. a savings account;
2. a call account;
3. a term deposit;
4. a current account;
5. a cheque account;
6. a debit card account;
7. a transaction account;
8. a personal basic account;
9. a GST or tax account;
10. a personal credit or charge card account;
11. a business credit or charge card account.

Pursuant to clause 1.2 of Schedule 3 of the CDR Rules, the term “product” has the meaning given by the banking sector designation instrument.
The Consumer Data Right (Authorised Deposit Taking Institutions) Designation 2019 (Designation Instrument) defines the term “product” in subsection 4(2) as:

1. a good or service that is or has been offered or supplied to a person in connection with one or more of the following activities:
   1.1. taking money on deposit (otherwise than as part-payment for identified goods or services); 1.2. making advances of money; 1.3. another financial activity prescribed for the purposes of subparagraph (b)(ii) of the definition of banking business in subsection 5(1) of the Banking Act 1959; or
2. a purchased payment facility that is or has been offered or supplied to a person.

The term “publicly offered” is not defined in the CDR Rules or the Designation Instrument, nor banking legislation generally.

Both the Explanatory Statement to the CDR Rules and the Explanatory Statement to the Designation Instrument are silent on the matter of what is considered to be “publicly offered.”

In assessing call account and term deposit products, according to the above they are products captured by the term “phase 1 products” for inclusion in product reference data obligations. Our product department is quite sure that call account and term deposit products that are available only to wholesale clients are not intended to be within scope. Guidance is sought from the ACCC as to whether the term “publicly offered” is intended to be construed as excluding products available to wholesale customers only.

Next Steps

• TBA