The convergence of technology and financial services has sparked innovation in the global banking system. In Australia, this financial revolution, which will connect consumers, banks, and third-party applications, will require traditional banks to rethink their transaction model.
During the Federal budget in 2017-2018, the treasurer announced that open banking would be introduced in Australia’s banking system. As part of open banking, a new bill called the Consumer Data Right (CDR) was recommended to enable consumers to access information held by banks in a safe and convenient way.
While the Treasury is responsible for overseeing the development of the CDR legislation, customer complaints related to the regime will be handled by the Australian Competition and Consumer Commission (ACCC), the lead regulator for designing rules supporting the CDR legislation, and the Office of the Australian Information Commissioner (OAIC), which advises the Treasury and the ACCC on privacy safeguards. Data61, the data arm of the Commonwealth Scientific and Industrial Research Organization (CSIRO), is the interim body responsible for developing technical standards related to APIs, information security, and customer UX.
Once the CDR is passed, it will give consumers more control over their information, leading to greater convenience and enabling secure access to consumer data by trusted and accredited agencies. It is also expected to enable more choice and competition in the Australian market, eventually promoting the public interest.
With the CDR bill introduced in parliament weeks after the launch of the open banking pilot, this quick guide addresses the most commonly asked questions about Australia’s open banking and what it means for banks, other financial institutions, and FinTechs:
- What is Consumer Data Right (CDR)?
- When does CDR become law?
- What is a designated instrument?
- What is accreditation, and who is responsible for it?
- How would banks be impacted, and what would be their role in CDR implementation?
- What are the main milestones to be achieved under the consumer data right bill?
- How is open banking in Australia different from open banking in the UK?
- What is Comprehensive Credit Reporting (CCR) in Australia open banking?
- What are the types of financial data included in Australia’s open banking?
- What is the Notifiable Data Breaches (NDB) scheme?
- Open banking timeline in Australia
What is Consumer Data Right (CDR)?
CDR lays the ground rules for open banking and, once enforced, will give consumers greater access to their data and more control over how businesses use it. It will improve consumers’ ability to compare and switch between products and services and will encourage competition between service providers, leading not only to better prices for customers but also to more innovative products and services.
In the banking sector, open banking is synonymous with CDR. It is the first sector to which the general right will apply. With data emerging as new money, other sectors like telco and energy in the Australian economy will also implement CDR for better customer experience across industry sectors, thereby fostering economic growth and creating new high-value jobs.
When does CDR become law?
The roadmap to CDR implementation will continue in phases. Product data for credit and debit cards and for deposit and transaction accounts has been publicly available from initial data holders since 1st July 2019. Sharing of customers’ CDR data will follow, first by the initial data holders (the big four), then by reciprocal data holders (Tier 2 banks and other accredited third parties), and finally by subsequent data holders (foreign bank branches), as per the schedule stipulated in the CDR framework.
What is a designated instrument?
The treasurer has designated the banking industry as the first subject for CDR rules, and the rules framework that enforces the open banking scheme is termed the Designated Instrument. The following data are subject to open banking:
- Customer Data – Data about the customer in connection with acquiring a product
- Product Use Data – Data about the use of the product by the customer
- Product Data – Data about the product in use
What is accreditation, and who is responsible for it?
Accreditation is the procedure to be followed to get enlisted as a data recipient (consumer of CDR data post consent) in the open banking regime. As part of the accreditation procedure, prospective data recipients must provide a description of their planned services for consumers using CDR data as an accredited data recipient.
Apart from drafting guidelines for the secure implementation of open banking, the ACCC will also accredit entities to be qualified for receiving CDR data from consumers. The ACCC will manage an online register of accredited data recipients and data holders.
Note: The formal date announced by the ACCC to begin engaging interested parties for accreditation is 1st July 2019.
How would banks be impacted, and what would be their role in CDR implementation?
While CDR enables the development of better products and services, banks need to be aware of the challenges:
- Massive change to open up APIs and readiness of the bank’s legacy system to expose customer data in real-time
- Additional security requirements, such as the capability for anomaly detection and incident reporting
- Changes on channels to support registration mechanism and provisioning of a dashboard for Consumers & TPPs
- Scalability could become a massive issue
- Banks can be left holding just the asset while TPPs/data recipients deliver all the value
- Need for a service catalogue as part of the accreditation procedure
What are the main milestones to be achieved under the consumer data right bill?
- 1st July 2019 until 31st January 2020 – Four major banks – Commbank, ANZ, Westpac, and NAB – will provide access to product data (branded with the name of the bank) requested for Phase 1 products (i.e., credit and debit cards, deposit accounts and transaction accounts, etc.). Other voluntary participating banks can also make the product data available if they wish. From 1st July 2019, the ACCC has launched a pilot program with the big four banks to test the performance, reliability, and security of the open banking system.
- 1st February 2020 – Big four banks will be required to provide access to CDR data for Phase 1 and Phase 2 products (mortgages).
- 1st July 2020 – Big four banks will need to provide access to CDR data for Phase 1, Phase 2 and Phase 3 products (personal loan, lines of credit, etc.). Other banks need to make the product data available for Phase 1 products.
- February 2021 – Other banks need to provide access to CDR data for Phase 1 and Phase 2 products.
- July 2021 – Other banks (except a foreign bank branch licensed to conduct banking business in Australia through branches or a foreign bank branch of a domestic bank) need to provide access to CDR data for Phase 3 products.
How is open banking in Australia different from open banking in the UK?
Open banking in the UK follows the PSD2 and CMA9 regulations, while open banking in Australia is part of the Consumer Data Right.
In Australia, open banking is regulated by the Australian Competition and Consumer Commission (ACCC), Office of the Australian Information Commissioner (OAIC), Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA) and Reserve Bank of Australia (RBA), and other sector-focused regulators.
In the UK, the open banking framework is regulated by CMA with standards set by the UK open banking Implementation Entity (OBIE) and regulated by the European Union’s PSD2. In PSD2, National Competent Authorities (NCAs) regulate and control the banks in national markets to ensure PSD2 compliance.
Australian open banking standards diverge in many places from the UK's, as Australia is implementing a banking standard within a broader consumer data regime, which is intended to operate across sectors. However, the program in Australia has adopted globally used information security protocols and follows the UK on information security, adopting OAuth 2.0 and OpenID Connect. In terms of API endpoints, there is 60% commonality per the draft standards v0.8.4 published earlier on GitHub.
What is Comprehensive Credit Reporting (CCR) in Australia open banking?
A credit bureau is a body that collates and distributes CCR data from credit providers about a borrower’s financial record. Credit providers such as banks, building societies, utility companies, and telecommunications carriers, collect the information about individuals’ banking activities in relation to consumer credit and send it to the central databases managed by credit reporting bodies (CRBs). This information builds the credit report generated through credit reporting agencies operating in Australia. A borrower can seek a free copy of the report from the agencies to know the scores.
Lenders can also access the reports and scores for prior assessment of the borrower’s banking behavior before offering a credit card or a loan.
In an open banking regime, CCR creates a transparent banking process with reduced information disparities between lenders and borrowers. It helps lenders make firmer lending decisions based on credit scores from approved bureaus.
What are the types of financial data included in Australia’s open banking?
- Debit card accounts
- Personal basic accounts
- GST and tax accounts
- Cash management accounts
- Farm management accounts
- Pensioner deeming accounts
- Lines of credit
- Credit and charge cards
- Asset finance and leases
- Mortgage offset accounts
- Retirement savings accounts
- Foreign currency accounts
What is the Notifiable Data Breaches (NDB) scheme?
With the open banking mandate of data sharing, cybersecurity and data privacy would be key areas of concern for banks. To help banks adhere to Australian regulations and improve the security of data sharing, Australia has introduced the Notifiable Data Breaches (NDB) scheme.
Agencies and organizations regulated under the Australian Privacy Act 1988 (Privacy Act) are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach. This legislation helps to make all agencies and organizations involved in handling personal data more accountable and results in more effective data security.
Open banking timeline in Australia
Considering these timelines, ADIs have only a couple of months to comply with the Product Reference Data phase for Phase 1 products and to start planning their strategies to address the more complex CDR compliance requirements within the deadlines.
The open banking regulations differ in each country, and organizations need to consider diverse macro and microeconomic factors as per geographies to develop successful financial business models. Open banking is more than compliance, and to capitalize on open banking, banks and financial institutions need to refurbish their digital engine and revamp their business plan to unlock new growth opportunities.
Download our white paper, Open Banking: The New Customer Frontier to learn more about how open banking will revolutionize the banking and financial services industry.
We also examine what banks and other financial services companies can do to meet the initial challenge of transformation and then to go beyond that first step by developing new business models that will anticipate changing consumer demands and build the winning companies of tomorrow.
Download our new white paper, Open Banking Beyond Compliance, to learn about why monetizing open banking APIs is vital for long-term success.
In this white paper, Virtusa surveys the current open banking landscape and puts forward recommendations for effective API monetization, including API pricing models, risk and quality control mechanisms, potential new business models, and strategies for open banking.