A perspective on open banking in Australia

The convergence of technology and financial services has sparked innovation in the global banking system. In Australia, this financial revolution that will connect consumers, banks and third-party applications will demand traditional banks to rethink their traditional transaction model

During the Federal budget in 2017-2018, the treasurer announced that open banking would be introduced in Australia's banking system. As part of open banking, a new bill "Consumer Data Right" (CDR) was recommended to enable consumers to access information held by banks in a safe and convenient way.

While the treasury is responsible for overseeing the development of CDR legislation, The Australian Competition and Consumer Commission (ACCC) that is the lead regulator for designing the rules supporting the CDR legislation and The Office of the Australian Information Commissioner (OAIC) that advises the Treasury and ACCC on privacy safeguards, will consequently handle customer complaints related to the regime. Data 61, being the data arm of The Commonwealth Scientific and Industrial Research Organization (CSIRO) is the interim body responsible for developing the technical standards related to APIs, information security and customer UX.

Once CDR is passed it will enable consumers to gain more control over their information leading to convenience, enable secure access to consumer data by trusted and accredited agencies and is expected to enable more choice and competition in the Australian market eventually promoting public interest.

While the government has introduced the CDR bill to parliament, weeks after the launch of the open banking pilot launch, through our quick guide, we aim to address the most commonly asked questions about Australia open banking and what it means for banks and other financial institutions, FinTechs.

In this post we cover the most frequently asked questions for Open Banking in Australia:

• What is Consumer Data Right (CDR)?
• When does CDR become law?
• What is designated instrument?
• What is accreditation and who is responsible for it?
• How would banks be impacted and what would be their role in CDR implementation?
• What are the main milestones to be achieved under the consumer data right bill?
• How is open banking in Australia different from Open Banking in the UK?
• What is Comprehensive Credit Reporting (CCR) in Australia open banking?
• What are the types of financial data included in Australia open banking?
• What is Notifiable Data Breaches (NDB) scheme?

What is Consumer Data Right (CDR)?

CDR lays the ground rules for open banking and once enforced, will give consumers a right to direct the data acquired about themselves, by business, for acquiring a product (name, contact details, eligibility to acquire etc.) and data related to use of the acquired product (transaction data, account balances etc.) to be shared with accredited third parties they trust (consent based) and ultimately be benefitted from customized products and services.

In the banking sector, open banking is synonymous with CDR. It is the first sector to which the general right will apply. With data emerging as new money other sectors like telco and energy in Australian economy will also implement CDR to unleash better customer experience across industry sectors thereby fostering economic growth and create new high value jobs.

When does CDR become law?

The roadmap to CDR implementation will continue in a phase-wise approach with product data for credit & debit cards, deposit & transaction accounts being already made available to public since 1 July 2019 by initial data holders and consequent sharing of customers CDR data by initial data holders (Big four) followed by reciprocal data holders (Tier 2 banks and other accredited third parties) and finally by subsequent data holders (foreign bank branches) as per the schedule stipulated in the actual CDR framework. More info here.

What is designated instrument?

The treasurer has designated banking industry as first subject for CDR rules and the rules framework applicable to enforce open banking scheme is termed as "Designated instrument". Following data are subject under open banking:

Customer Data- Data about the customer provided in connection with acquiring a product

Product Use Data- Data about the use of the product by the customer
Product Data- Data about the product per se

What is accreditation and who is responsible for it?

Accreditation is the procedure to be followed to get enlisted as a data recipient (consumer of CDR data post consent) in the open banking regime. As part of accreditation procedure, prospective data recipients must provide a description of their planned services for consumers using CDR data as an accredited data recipient.

Apart from drafting guidelines for secured implementation of open banking, the ACCC will also credit entities to be qualified for receiving CDR data from consumers. ACCC will manage an online register of accredited data recipients and data holders

Note: Formal dates announced by ACCC to begin engaging interested parties for accreditation is 1 July 2019

How would banks be impacted and what would be their role in CDR implementation?

While CDR enables development of better products and services, it throws many challenges to the banks like:

• Massive change to open up APIs and readiness of bank's legacy system to expose customer data in real time
• Additional Security burden on Banks with capability for anomaly detection, incident reporting etc.


• Changes on channels to support registration mechanism and provisioning of dashboard for Consumers & TPPs
• Scalability could become a massive issue
• Banks can just be left holding the asset and all value could provide by TPP / Data Recipients
• Building service catalogue as part of accreditation procedure

What are the main milestones to be achieved under the consumer data right bill?

• 1 July 2019 until 31 January 2020- Four major banks, Commbank, ANZ, Westpac, and NAB will provide access to product data (branded with the name of the bank) requested for Phase I products (i.e. credit and debit cards, deposit accounts and transaction accounts etc.) Other voluntary participating banks can also make the product data available if they wish. From 1 July 2019, the ACCC has launched a pilot program with big four banks to test the performance, reliability and security of the open banking system.
• 1 February 2020- Big four banks will be required to provide access to CDR data for Phase 1 and Phase 2 products (mortgages).
• 1 July 2020- Big four banks will need to provide access to CDR data for Phase 1, Phase 2 and Phase 3 products (personal loan, lines of credit etc.) Other banks need to make the product data available for Phase 1 products.
• February 2021 -Other banks need to provide access to CDR data for Phase 1 and Phase 2 products.
• July 2021 -Other banks (except a foreign bank branch licensed to conduct banking business in Australia through branches or a foreign bank branch of a domestic bank) need to provide access to CDR data for Phase 3 products.

How is open banking in Australia different from Open Banking in the UK?

The Open Banking in the UK follows the PSD2 and CMA9 regulations while open banking in Australia is part of the Consumer Data Right.

In Australia, open banking is regulated by the Australian Competition and Consumer Commission (ACCC), Office of the Australian Information Commissioner (OAIC), Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA) and Reserve Bank of Australia (RBA) and other sector-focused regulators.

In the UK, the open banking framework is regulated by CMA with standards set by the UK Open Banking Implementation Entity (OBIE) and regulated by European Union's PSD2. In PSD2, National Competent Authorities (NCAs) regulate and control the banks in national markets to ensure PSD2 compliance.

Australian open banking standards diverge in many places when compared to UK, as Australia is implementing a banking standard within a broader consumer data regime which is intended to operate across sectors. However, the program in Australia has adopted globally used information security protocols and following the UK on information security adopting Oauth 2.0 and OpenID connect. In terms of API endpoints there are 60% commonalities per the draft standards v 0.8.4 published earlier in GitHub

What is Comprehensive Credit Reporting (CCR) in Australia open banking?

A credit bureau is a body that collates and distributes CCR data from credit providers about a borrower's financial record. Credit providers such as banks, building societies, utility companies and telecommunications carriers, collect the information about individuals banking activities in relation to consumer credit and send it to the central databases managed by credit reporting bodies (CRBs). This information builds the credit report that are generated through credit reporting agencies operating in Australia. A borrower can seek a free copy of the report from the agencies to know the scores.

Lenders can also access the reports and scores for prior assessment of the borrower's banking behavior before offering a credit card or a loan.

In an open banking regime, a CCR creates a transparent banking process with reduced information disparities between lenders and borrowers. It helps lenders to take more firm lending decisions based on credit scores by approved bureaus.

What are the types of financial data included in Australia open banking?

What is Notifiable Data Breaches (NDB) scheme?

With open banking mandate of data sharing, cybersecurity and data privacy would be key areas of concern for banks. To help banks adhere to Australian regulations and improve security of data sharing, Australia has introduced the Notifiable Data Breaches (NDB) scheme.

Agencies and organizations regulated under the Australian Privacy Act 1988 (Privacy Act) are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.This legislation helps to make all agencies and organizations involved in handling personal data more accountable and results in more secured and effective data security.

• December, 2014: David Murray‚ Financial System Inquiry was established in December 2013 to assess Australia's financial scheme in the aftermath of the 2008 global financial crisis. The final report focuses on increasing access and improving the use of consumer's financial data in a protective manner to explore new business, products and services.
• November, 2015: The Harper Review into Competition Policy recommends amending the Competition and Consumer Act to address misuse of market power, cartel and joint venture provisions, Third line forcing (TLF), resale price maintenance (RPM), Merger clearance process, industrial agreements, authorization processes, and national access regimes.
• July, 2017: The Hon Scott Morrison MP commissioned the Open Banking Review. The review was chaired by Scott Farrell who shared recommendations on the most appropriate model for open banking in Australia.
• November, 2017: On 26 November 2017, the Hon Angus Taylor MP, the then Assistant Minister for Cities and Digital Transformation, announced the development of a national Consumer Data Right (CDR). It was declared that the Treasurer will be leading the development of the CDR, with the design of the broader CDR informed by the recommendations of the Open Banking Review. Consumer Data Right will be implemented across energy, telecommunications and banking. Scott Farrell from a multinational law firm, King and Wood Mallesons, will share recommendations to get CDR in place.
• February, 2018: Scott Farrell delivers a 158 page report into open banking making 50 recommendations about the security and regulation involved in open banking submissions.

The open banking regulations differ in each country and organizations needs to consider diverse macro and micro economic factors as per geographies to develop successful financial business models. Open banking is more than a compliance and to capitalize on open banking, banks and financial institutions need to refurbish their digital engine and revamp their business plan to unlock new growth opportunities.

OPEN BANKING WHITE PAPERS