04/02/2019

Right before Christmas last year, there was a burst of activity relating to the implementation of the Consumer Data Right (CDR) in the banking industry (Open Banking):

  • CSIRO's Data61, the Consumer Data Standards body overseeing the CDR, released a second working draft of the technical standards that will support the CDR regime;
  • the Government released a draft Privacy Impact Assessment on the impact of the CDR on privacy and privacy safeguards; and
  • the Australian Competition and Consumer Commission (ACCC) released the Consumer Data Right Rules Outline (Rules Outline) setting out proposed draft rules for the CDR regime.

At the same time, the Government also quietly announced that the launch of Open Banking would be delayed by seven months to 1 February 2020.

Legislation delayed

Initially, the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Bill) was scheduled to be introduced into Parliament in 2018, to allow for Open Banking to commence in July 2019. However, despite the Bill being tabled for the last day of sitting, it was not introduced into Parliament because of a delay in the agenda. As a result, the Government issued a media release announcing a revised implementation timeline for Open Banking:

  • Open Banking would now commence on 1 February 2020 for CDR data relating to consumers, instead of 1 July 2019; and
  • a “pilot program” would be launched with the four major banks (ANZ, CBA, NAB and Westpac) on 1 July 2019 to test the performance, reliability and security of the Open Banking system. Consumers and FinTechs will be invited to participate, as well as other banks that are interested.

Revised implementation dates

Initial Data Holders

The obligation to share CDR data will first apply to the four major banks (but not their related brands) (Initial Data Holders). This will occur in phases based on the type of product the CDR data relates to.

For Initial Data Holders, the implementation date for:

  • Phase 1 products where the CDR data relates to a consumer - 1 February 2020;
  • Phase 1 products where the CDR data is generic product data (e.g. product types, names, prices, features and eligibility) - 1 July 2019 (same as before); and
  • all CDR data relating to Phase 2 and Phase 3 products - 1 February 2020 (same as before).

Subsequent Data Holders

The obligation to share CDR data will then apply to other authorised deposit-taking institutions (ADIs) except foreign bank branches (Subsequent Data Holders) 12 months later. This will also occur in phases (based on the type of product the CDR data relates to).

See the diagram below for revised implementation dates for sharing of CDR data by Initial and Subsequent Data Holders.

[Diagram: Revised implementation dates from 1 July 2019 to 1 July 2021]


Draft CDR Rules for Open Banking delayed

On 12 September 2018, the ACCC released the Rules Framework for public consultation (see our previous insight here). The Rules Framework gave stakeholders an understanding of the structure and content of the rules the ACCC intended to propose under section 56BA of the Bill (CDR Rules).

Initially, the ACCC committed to publishing draft CDR Rules by the end of 2018. However, on 21 December 2018, the ACCC announced that the draft CDR Rules would now be released in the first quarter of 2019. In the interim, the ACCC released the Rules Outline, setting out what the ACCC proposed to include in version one of the CDR Rules.

Changes to the proposed CDR Rules

The Rules Outline reiterates most of the principles previously set out in the Rules Framework. However, there are some important changes and clarifications to the proposed CDR Rules.

Data can be shared with consumers via existing mechanisms on their account

Previously, the Rules Framework proposed data sharing via an application programming interface for both consumers and accredited data recipients.

Minors will no longer be included in the first version of the CDR Rules

This will be considered in subsequent versions of the CDR Rules.

Complex accounts will not be included in the first version of the CDR Rules

Multi-party or complex accounts (other than joint accounts) including accounts held by business entities or multi-entity corporate structures will be considered in subsequent versions of the CDR Rules.

Transaction metadata will not be included in the first version of the CDR Rules

This will be considered in subsequent versions of the CDR Rules.

No fee payable when data recipients apply for accreditation

A consumer’s consent and authorisation will last for 12 months

This is a significant extension from the 90 days proposed in the Rules Framework.

Default position if a joint account holder does not make an election

There will now be a default position if a joint account holder does not make an election regarding the sharing of CDR data. This approach differs significantly from the Rules Framework, which proposed rules requiring that each joint account holder be notified of any data transfer arrangements initiated on their account and be given the ability to terminate data sharing arrangements initiated by other joint account holders.
