The Australian Government Treasury released a review
report into Open Banking in Australia last week. In the 2017-18 Budget the Australian
government announced that
it will introduce an open banking regime in Australia. On 20 July 2017,
the Hon Scott Morrison MP commissioned
the Open Banking Review, chaired by Mr Scott Farrell who was asked to recommend
the most appropriate model for Open Banking in Australia.
Open Banking would provide customers greater access to and
control over their banking data, and it has the potential to transform the way
in which customers use and benefit from the banking system.
Open Banking will be
the first implementation of the Consumer Data Right (CDR) announced by the
Hon Angus Taylor MP, the then Assistant Minister for Cities and Digital
Transformation in November 2017. The announcement formed part of the
Government’s response to the recommendations of the Productivity
Commission’s Inquiry into Data Availability and Use.
The CDR will give customers the right to access their data in
a machine-readable form. Australian consumers will be able to compare offers,
get access to cheaper products and plans to help them ‘make the switch’ and get
greater value for money.
The CDR will be implemented economy-wide on a
sector-by-sector basis, initially in the banking, energy, and
telecommunications sectors. The Treasurer will be leading the development
of the CDR, with the design of the broader CDR informed by the recommendations
of the Open Banking Review.
The final report makes 50 recommendations, on the regulatory
framework, the type of banking data in scope, privacy and security safeguards
for banking customers, the data transfer mechanism and implementation issues.
Some of the key recommendations are as below.
Context
Allowing for competing approaches: Open Banking should not
be mandated as the only way that banking data may be shared. Allowing competing
approaches will provide an important test of the design quality of Open Banking
and the CDR.
Regulatory framework
Open Banking should be implemented primarily through
amendments to the Competition and Consumer Act 2010 that set out the
overarching objectives of the CDR.
Open Banking should be supported by a multiple regulator
model, led by the Australian Competition and Consumer Commission (ACCC), which
should be primarily responsible for competition and consumer issues and
standards-setting. The Office of the Australian Information Commissioner (OAIC)
should remain primarily responsible for privacy protection. Australian
Securities and Investments Commission (ASIC), Australian Prudential Regulation
Authority (APRA), the Reserve Bank of Australia (RBA), and other
sector-focussed regulators as applicable, should be consulted where necessary.
A Data Standards Body should be established to work with the
Open Banking regulators to develop Standards.
Only accredited parties should be able to receive Open
Banking data. The ACCC should determine the criteria for, and method of,
accreditation. However, the review also recommends that accreditation criteria
should not create an unnecessary barrier to entry by imposing prohibitive costs
or otherwise discouraging parties from participating in Open Banking.
Open Banking should have internal and external dispute
resolution processes to resolve customer complaints. Amendments to the
Competition and Consumer Act 2010 should create powers to address complaints
(to the extent these do not already exist) and give customers standing to seek
remedy for breaches of their rights. There should be a single consumer data
contact point – there should be ‘no wrong door’ for customers. The Rules should
create a right for accredited parties to seek remedy for breaches of the CDR.
Scope
The Review recommends that data holders should be obliged to
share all information that has been provided to them by the customer (or a
former customer) at the customer’s direction. However, the obligation should
only apply where the data holder keeps that information in a digital form. It
should not apply to information supporting an identity verification assessment
(the outcome should be shared).
Data holders should also be obliged to share all transaction
data in a form that facilitates its transfer and use. Transfers of
customer-provided and transaction data should be provided free of charge.
According to the review, data that results from material
enhancement by the application of insights, analysis or transformation by the
data holder should not be included in the scope of Open Banking. Aggregated
data sets should not be included in the scope of Open Banking.
Safeguards
A customer’s consent under Open Banking must be explicit,
fully informed and able to be permitted or constrained according to the
customer’s instructions.
The Review further recommends that a data holder should
notify the customer that their direction has been received and that the future
use of the data by the data recipient will be at the customer’s own risk. That
notification should be limited to a single screen or page. Data recipients
should similarly provide the customer with a single screen or page summarising
the possible uses to which their data could be put and allow customers to
self-select the uses they agree to.
A clear and comprehensive framework for the allocation of
liability between participants in Open Banking should be implemented. To the
extent possible, the liability framework should be consistent with existing
legal frameworks
Data transfer
mechanism
Data holders should be required to allow customers to share
information with eligible parties via a dedicated application programming
interface (API). The Review proposes the UK Open Banking technical specification
as a starting point for the Standards for the data transfer mechanism.
Data holders may not add authorisation requirements beyond
those included in the Standards, while customers should be able to grant
persistent authorisation. They should also be able to limit the authorisation
period at their discretion, revoke authorisation through the third-party
service or via the data holder and be notified periodically they are still
sharing their information. All authorisations should expire after a set period.
The Standards should also allow users who do not use online
banking to authorise the sharing of information through service channels ordinarily
provided by the data holder.
Implementation
According to the Review, a period of approximately 12 months
should be allowed for implementation between the announcement of a final
Government decision on Open Banking and the Commencement Date.
From the Commencement Date, Open Banking should apply to
transaction data and product data. However, this should not be applicable to
transactions before 1 January 2017.
The four major Australian banks should be obliged to comply
with a direction to share data under Open Banking. The remaining Authorised
Deposit-taking Institutions should be obliged to share data from 12 months
after the Commencement Date, unless the ACCC determines that a later date is
more appropriate.
Approximately 12 months after the Commencement Date, the
regulator (or an independent person) should conduct a post-implementation
assessment of Open Banking and report to the Minister with recommendations.
framework for Open Banking/ From Appendix D of Review into Open Banking
The Review consulted extensively in forming its recommendations, including over 100 meetings with banks, firms, industry bodies, consumer groups, regulators, and data specialists and consideration of formal submissions from 41 interested parties.
The Government is seeking any further detailed comments on the recommendations before making final decisions on implementation. Submissions can be sent to data@treasury.gov.au by 23 March 2018.
Access the complete report here.
