01/07/2020

Today, the Australian Competition and Consumer Commission (ACCC) officially switches on the Consumer Data Right (CDR) regime, implemented in the banking sector.  After a delayed start, consumers will now be able to direct the four major banks (ANZ, CBA, NAB and Westpac) to share specified CDR data in relation to products with their main brands with accredited third parties (Accredited Persons).

What is Open Banking?

The CDR provides consumers (both individuals and businesses) with a right to access specified data that businesses hold about them.  Consumers will be able to consent to this information being provided to Accredited Persons.

The implementation of CDR in the banking sector, referred to as 'Open Banking', is taking place over three product phases:

ANZ, CBA, NAB and Westpac in relation to their main brands (Initial Data Holders) have been sharing with Accredited Persons product specific data that does not relate to a CDR consumer, such as information about rates, fees and features of banking products (Product Data) for Phase 1 Products since 1 July 2019 and Phase 2 products since 1 February 2020. Product Data can be used by comparison sites to allow consumers to compare financial products.

However, other aspects of Open Banking were delayed to July 2020.  In explaining the deferred launch date, Commissioner Sarah Court said that: “The CDR is a complex but fundamental competition and consumer reform and we are committed to delivering it only after we are confident the system is resilient, user friendly and properly tested.”

An updated timeline setting out the latest implementation dates from the ACCC for each of the relevant phases is available here.

Given that Australia is now grappling with the COVID-19 pandemic, Senator Jane Hume acknowledged in June that the roll out of Open Banking is expected to be a “slow burn”.


What commences today?

From today, the Initial Data Holders are required to share two further categories of CDR data.

Consumer Data for Phase 1 Products

From 1 July 2020, consumers will be able to direct Initial Data Holders to share CDR data that relates to them as a CDR consumer (Consumer Data) in relation to Phase 1 products (as set out in the diagram above) with an Accredited Person.

However, an Initial Data Holder’s obligation to share Consumer Data with an Accredited Person does not extend to joint accounts, closed accounts, direct debits, scheduled payments, payees or 'get account detail' or 'get customer detail' (Phase 1 Exceptions).  The Phase 1 Exceptions do not need to be shared by Initial Data Holders until 1 November 2020.

Product Data for Phase 3 Products

From 1 July 2020, the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) also require Initial Data Holders to share Product Data in relation to Phase 3 products (the final phase of products).


What remains delayed?

On 4 June 2020, the ACCC announced a number of exemptions to the implementation timeframes outlined in the CDR Rules for non-major authorised deposit-taking institutions (ADIs) and Initial Data Holders.  Section 56GD of the Competition and Consumer Act 2010 (Cth) (CCA) gives the ACCC a broad discretionary power to exempt a person from one or more provisions of the CDR regime.

For Initial Data Holders

The CDR Rules envisage that data holders will be required to share Consumer Data directly with CDR consumers.  This was originally scheduled to commence on 1 July 2020.  When the ACCC released the CDR Rules in February 2020, the implementation of this phase was delayed to 1 November 2020.

The ACCC granted an exemption to Initial Data Holders on 4 June 2020 which provided them with an additional year before having to share Consumer Data directly with CDR consumers (i.e. until 1 November 2021).  However, this timing still remains in doubt – the ACCC stated in the phasing table released in June 2020 that the “future position post Nov 2021 [is] to be confirmed”.

For Secondary Data Holders

Following industry consultation, the ACCC has also issued an exemption to the related brands of Initial Data Holders and other ADIs, such as building societies and credit unions (Secondary Data Holders), providing extensions for compliance with certain implementation deadlines.

On 24 April 2020, the ACCC announced that Secondary Data Holders are not required to share Product Data in relation to Phase 1 products until 1 October 2020 (instead of 1 July 2020).  Commissioner Sarah Court said that: “The ACCC is granting these exemptions as an acknowledgement of the intense resource requirements of the industry as a result of the COVID-19 pandemic, and in particular non-major banks that may not be able to prioritise this at this time.”

On 4 June 2020, the ACCC announced a further set of exemptions providing Secondary Data Holders with additional time to comply.  Secondary Data Holders are now required to share:

  • Consumer Data with Accredited Persons in relation to Phase 1 products, apart from the Phase 1 Exceptions, from 1 July 2021 instead of 1 February 2021 (a delay of 7 months).
  • Consumer Data with Accredited Persons in relation to Phase 2 products and the remainder of Phase 1 products (including Phase 1 Exceptions), from 1 November 2021 instead of 1 July 2021 (a delay of 8 months).
  • Consumer Data with CDR consumers, from November 2021 instead of 1 July 2021 (a delay of 8 months).  However, as noted above, the ACCC has stated in the phasing table released in June 2020 that the: “future position post Nov 2021 [is] to be confirmed”.

In the newsletter announcing these exemptions, the ACCC stated that it: “believes this exemption will allow non-major ADIs adequate time to build and test their systems before they must start sharing data.”  The exemptions were granted in response to the continuing impact of the COVID-19 pandemic on the banking sector.


Accreditation

In late March, as a part of the lead-up to the implementation of Open Banking in respect of Consumer Data, the ACCC:

  • launched the CDR and Accreditation Application Platform (RAAP), a portal where businesses can apply for accreditation under the scheme; and
  • released finalised Accreditation Guidelines and FAQs that provide further guidance regarding how to achieve accreditation.

An unrestricted accreditation is the only level of accreditation currently available for Accredited Persons.  The ACCC has indicated that it intends to add further levels of accreditation in the future.

Applications for unrestricted accreditation will be reviewed against the criteria set out under Rule 5.5 of the CDR Rules.  Only once an organisation is accredited can that organisation participate in Open Banking by receiving CDR consumer data from a data holder at the request, and with the consent of, that CDR consumer.

Accredited Persons are subject to ongoing compliance obligations, including regular attestation statements and assurance reports.


Compliance and enforcement

The CDR regime is governed by a legal and regulatory framework that is made up of the following:

  • legislation including the CCA, the Privacy Act 1988 and the Australian Information Commissioner Act 2010;
  • the CDR Rules; and
  • the Consumer Data Standards which are the technical standards that apply to Open Banking,

together the Regulatory Framework.

Compliance

Responsibility for enforcing compliance with the Regulatory Framework is vested in the ACCC and the Office of the Australian Information Commissioner (OAIC).  The ACCC and OAIC jointly released the CDR Compliance and Enforcement Policy (the Enforcement Policy) on 8 May 2020.  The Enforcement Policy outlines how the ACCC and OAIC will approach compliance and respond to breaches of the Regulatory Framework.

The policy seeks to encourage compliance through a multifaceted approach making use of the following methods:

| Tool | Practical Use |
| --- | --- |
| Stakeholder intelligence and complaints | Receiving information from both interested stakeholders as well as third party dispute resolution bodies, such as the Australian Financial Complaints Authority with respect to the Banking sector. |
| Business reporting | Requiring mandatory reporting from data holders and data recipients in order to track compliance. |
| Audits and assessments | Conducting audits of data holders and data recipients to ensure active compliance with the Regulatory Framework. |
| Information requests and compulsory notices | Either issuing data holders and recipients with requests to voluntarily disclose information to inform compliance and enforcement activity, or making use of statutory information gathering powers to compel the same. |

These processes will be used to monitor and assess levels of compliance and prevent breaches of the Regulatory Framework.

Enforcement

If this compliance methodology is unable to prevent a breach from occurring, the OAIC and ACCC may turn to enforcement options provided for under the Regulatory Framework, including:

| Tool | Entity | Practical Use |
| --- | --- | --- |
| Administrative resolutions | Both | Addressing a breach through a voluntary written commitment from the entity in breach, which will be monitored for further compliance. |
| Infringement notices | ACCC | The ACCC may issue infringement notices regarding a breach of the Regulatory Framework.  Infringement notices allow the ACCC to directly impose pecuniary penalties without court orders.  Penalties per notice are $133,200 for listed corporations, $13,320 for unlisted corporations and $2,664 for individuals.[1] |
| Court enforceable undertakings | Both | Accepting a court enforceable written commitment from the entity in breach that it will take, or refrain from taking, such action as is necessary to remedy the breach and ensure compliance. |
| Suspension or revocation of accreditation | ACCC | The ACCC may revoke accreditation under Rule 5.17 of the CDR Rules under certain circumstances.  The Accredited Person is prohibited from collecting data during a suspension period. |
| Determination and declarations power | OAIC | Following an investigation, the OAIC may determine that a breach of a relevant privacy safeguard has occurred.  This may be coupled with a declaration that the entity in breach should take such steps as are necessary to ensure no further breach occurs. |
| Court proceedings | Both | Initiate legal action for breach of the Regulatory Framework. |


Intermediaries

Despite Open Banking commencing today, the ACCC still has not outlined in the CDR Rules how third-party service providers, also known as Intermediaries, may operate within the Open Banking regime.

In fact, the ACCC is still consulting on this issue and on 22 June 2020 released for public consultation:

The ACCC is seeking stakeholder views on whether the Draft CDR Rules operate optimally “as intended”, with submissions closing on 20 July 2020.  This follows an earlier consultation issued by the ACCC in December 2019 which indicated that stakeholders supported both an outsourcing and accreditation model for Intermediaries.

CAP arrangements: how Intermediaries can collect data

The Draft CDR Rules outline how Intermediaries can collect and receive CDR data on behalf of Accredited Persons.  The Draft Rules propose a ‘Combined Accredited Person’ (CAP) arrangement, where an Accredited Person (the Principal) can engage the services of another Accredited Person (the Provider) to collect CDR data on the Principal’s behalf.

  • The Principal is a consumer-facing person accredited to the 'unrestricted' level, and the person from which a CDR consumer requests goods or services.  A Principal may use multiple providers and may have CAP and outsourcing arrangements in place to provide its goods and services to CDR consumers.
  • The Provider is a person accredited to the 'unrestricted' level who assists a Principal to provide goods and services to consumers.  This could include collecting CDR data from data holders on behalf of the Principal.  Under a CAP arrangement, the Provider may engage directly with the consumer, for example by delivering the dashboard to the CDR consumer to provide the CDR consumer with an app.

Under the Draft CDR Rules, where a CAP arrangement is in place, the Principal is liable for:

  • providing the goods and services to the CDR customer; and
  • the conduct of the Provider in providing the CDR goods or services (regardless of whether the Provider is acting inside or outside the scope of the CAP arrangement).

Where a Principal and Provider enter a CAP arrangement, both parties are Accredited Persons at the 'unrestricted' level and so both are subject to obligations under the CDR Rules.  The Principal and Provider can contractually decide which of them will discharge certain obligations, for example, by providing a CDR receipt after a consumer consents to the collection and use of CDR data.  Although both the Principal and Provider are separately responsible for providing a CDR receipt, where a CAP arrangement provides that the Provider is responsible to provide the CDR receipt, the Principal does not also need to provide a receipt.

Legal uncertainty over ACCC rule making remains to be resolved

Interestingly, in considering the expansion of the CDR Rules to cover the operation of Intermediaries the ACCC has stated in the Explanatory Note that there is “some legal uncertainty” about the scope of the ACCC’s rule making powers.  The Draft Rules will remain in draft form until that uncertainty has been resolved.

 

The authors would like to thank Emma Frederiksen for her assistance.


[1] On 1 July 2020, the penalty unit increased from $210 to $222 for the purposes of the Crimes Act 1914 (Cth).
