Following the lead of governments in other jurisdictions, the results of the long-awaited and much-discussed Review into Open Banking in Australia were released late on Friday, 9 February 2018. The 158-page report recommends a model for the introduction of open banking as part of the broader ‘Consumer Data Right’ announced by the Government late last year. It follows the Productivity Commission’s recommendation in its Data Availability and Use Report last year that consumers be given a ‘comprehensive right’ to greater access to, and control of, their data.
The Report contains 50 recommendations covering the regulatory framework, the scope and types of banking data that should be shared, privacy and security safeguards, the technical mechanisms for data transfers, and proposals on implementation and beyond. It proposes that open banking should apply to all ADIs (authorised deposit-taking institutions) carrying on business in Australia, though notably foreign bank branches are excluded. A phased introduction is recommended, with only the Big Four banks included in the first phase and other ADIs following in later phases; super funds and insurance companies are mentioned as candidates for later inclusion.
Although clearly drawing on overseas experience (most notably the UK open banking and EU PSD2 regimes), the open banking model proposed by the Farrell Report reflects an industry-led reform model, proposing Rules and Standards to be introduced by Ministerial subsidiary orders rather than by new legislation aimed specifically at open banking. To preserve flexibility, the Report contends that legislative amendments should be outcomes-based and ‘contain only those ideas and principles that are intended to last’, arguing that Ministerial orders are better equipped to keep pace with the rapid change that accompanies technological developments. Nonetheless, it marks a sizeable shift away from the traditional banking platform model long decried by fintechs. If enacted in its current form by the Government, it will require banks and ADIs to open up their platforms for data extraction and sharing, modernise legacy ICT systems (to prepare for the introduction of API platforms) and enhance privacy and security safeguards for online data sharing.
The key findings and recommendations from the Report’s six chapters include:
- Open Banking should be legislated through amendments to the Competition and Consumer Act 2010 (Cth) (CCA), with the ACCC as the primary regulator focusing on competition, consumer protection and standards setting. The ACCC would be supported by other regulators, most notably the OAIC on customer privacy and security protection.
- A new statutory ‘Consumer Data Right’ (CDR) should be created, supported by a Ministerial power to apply the CDR to designated sectors (banking being the first, with energy and telecommunications likely to follow) and to set parameters for subsidiary rule-making. Ministerial determinations and other legislative instruments are considered to ‘respond more quickly to technological change’ and are therefore seen as the more appropriate legislative vehicle, rebuffing the Productivity Commission’s recommendation for a new Data Sharing and Release Act to enshrine the customer’s ‘comprehensive right’ to data.
- New Rules and Standards (including technical data, transfer and security standards) are needed that are specific to open banking and set expectations as to what must be delivered (the Rules) and how it must be done (the Standards). An independent Data Standards Body, working in conjunction with the regulators, should be created to develop and oversee the creation and roll-out of standards. The Report suggests this may be Data61 (part of CSIRO), with support from Standards Australia, though the ACCC should be able to step in as a standards-making body should the need arise.
- In keeping with the UK’s ‘whitelisted parties’ and EU PSD2’s accreditation process, all data recipients will require accreditation, with the criteria and method to be determined by the ACCC. The Big Four banks are automatically accredited. For fintechs and non-ADI institutions, a graduated risk-based accreditation standard is suggested, which would favour organisations with strong technical measures and those able to provide assurance on security.
- Shared data would include customer-provided data (but only once AML law reforms are finalised and the ACCC approves the timing of implementation), digital transaction data and product data, but excludes identity verification data, aggregated data and ‘transformed’ data (data that the bank has materially enhanced by applying insights, analysis or other value-adding processing). All data should be transferred free of charge. Access will initially be ‘read only’ for the data recipient, but according to the Treasurer’s statement ‘write access’ reforms could be considered in later evaluations; that would allow a customer to transact independently of the bank, facilitating peer-to-peer payment platforms and the bypass of traditional banking platforms.
- Safeguards on privacy and security are highlighted as paramount to ensuring consumer trust, with the customer’s informed, explicit consent required as a minimum for any data sharing. Specific modifications to the Australian Privacy Principles (APPs) under the Privacy Act are recommended to incorporate this consent requirement and to strengthen consumer confidence and trust in open banking. The OAIC may also be given the power to enforce new confidentiality provisions between businesses.
- Interestingly, a special right to data deletion is not recommended for customers, in contrast to similar rights elsewhere, including the ‘right to be forgotten’ under the EU GDPR. The Report reasons that legislating a new right would be complex given that the Privacy Act contains no existing right for an individual to instruct deletion of their data. This is an interesting departure, perhaps not surprising given the practical realities of applying a right of erasure, but it may have been a missed opportunity for the review to tackle the issue of data retention, which is only likely to grow under any new open and shared data regime.
- The regime should be accessible to small business owners as well as consumers, with a principles-based liability framework to be established for data sharing and an open dispute resolution forum.
- In contrast to the EU PSD2, the Report mandates the use of APIs (application programming interfaces) to transfer data, using the UK’s technical specification for open banking standards as a starting point, with extensibility built in for future functionality. Multi-factor authentication is highlighted as a reasonable security measure, but no additional authorisation requirements (which would make the process more difficult for customers) should be added beyond the Standards.
- Similar to the UK and EU regimes, the Report recommends that ‘screen-scraping’ should be neither endorsed nor expressly prohibited; rather, open banking should make the practice redundant if it is implemented as a safe data transfer mechanism. Records of all data transfers should be maintained for access by consumers and for provision to regulators (on request and as applicable).
- An implementation period of 12 months is recommended from the date of the Government’s decision to implement. The ACCC could be given authority to extend this timeline for certain institutions if necessary. Implementation will include amending laws, defining the regulators’ roles, setting out the Rules and Standards, setting up an accreditation board or body, and establishing a Data Standards Body. There should be a plan for formally evaluating the regime 12 months after commencement.
The Report is not entirely definitive: before the Government makes its final decision, the Treasurer has invited interested parties to make submissions on the Report’s recommendations on or before 23 March 2018. It is anticipated that a final regime will be adopted on or before July 2018. The Report and the submissions made on it are publicly available.
For more information, please contact Peter Jones or Sinead Lynch.