In November 2017, the Australian Government announced their intention to create a Consumer Data Right (CDR). This was driven by a belief that consumers should own data about them, and that giving them access to and control over this data will lead to more robust and competitive markets. Banking will be the first industry required to expose consumer data under the CDR, with the energy sector slated to follow in 2020. Telecommunications has been proposed as a third sector, and there is speculation that superannuation will be a likely fourth.
Ash Priest, managing partner at Novigi, recently chaired innovation discussion groups in Melbourne and Sydney on behalf of the Association of Superannuation Funds Australia (ASFA), the topic of which was Open Banking. These sessions were attended by an impressive list of thought-leaders and decision makers from the superannuation industry, whose experience and insight made for a thought-provoking discussion.
What exactly is it?
Through Open Banking, and the CDR more broadly, there will be three scenarios in which data holders will need to make data available:
Generic product data — data holders (banks, in Open Banking) are required to expose generic data on products and services that they offer.
Data directly to consumers — consumers will be able to access their data directly from data holders.
Accredited third parties — consumers will be able to authorise accredited third parties to access data from data holders that relates to them.
The principal bodies responsible for the administration and regulation of the CDR are the Australian Consumer and Competition Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). The ACCC are currently in the process of receiving submissions relating to the technical implementation of the register of accredited third parties, which they will ultimately be responsible for maintaining. The other key organisation to be aware of is Data61, CSIRO’s data innovation group. Data61 have developed the API specification for Open Banking that will need to be adopted by data holders and accredited third parties to be compliant.
How will it work?
At its core, the Open Banking regime requires banks to build APIs. For those that aren’t familiar with the term, an API is an interface through which applications can talk to each other. It might be useful to think of an API a bit like a butler. You might ask your butler to bring the car around. In doing so you wouldn’t have to think about where the car is, how it would get from where it is now to where you are, what the traffic is like, or any number of other considerations. You just need to ask and your butler takes care of the details. Similarly, when you request banking data from an API, you (the end consumer) don’t need to consider what systems that data is in, what processes need to happen to aggregate it, or what other processes are happening within the banks ecosystem. You just call the API and you (or another application) receive the data you requested.
On a technology level, Open Banking will require both the banks and accredited third parties to implement two key components:
An authorisation/consent management service
The actual APIs required to expose the data
Data61 have specified a number of principles to which these APIs must adhere, but in essence they must be simple, lightweight and secure.
In our discussions with technical people both from the banks and from aspiring accredited third parties, the consensus is that that the technical implementation of the APIs and authorisation/consent management services will be reasonably straightforward. The challenge for the banks — and for other industries conforming to the CDR — will be primarily around surfacing the relevant data from the various legacy systems in which it resides, and in privacy, compliance and risk considerations.
What is the timeline and current status?
The original deadline for the exposure of all open banking data by the major banks was 1 July 2019. That was changed such that the 1 July 2019 deadline only applied to generic product data, and was in fact voluntary pending the passage of the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (which received royal assent on 12 August 2019). This data only needed to be made available for beta testing, as has now been done by the big four banks.
As the ACCC are still receiving consultation on the design of the register of accredited third parties, it is not yet possible to register to become one.
What does all of this mean for us?
Obviously, the answer to this question depends on which ‘us’ we are talking about. Our discussion group with ASFA centred around how the roll out of Open Banking would impact the superannuation industry, but we believe that many of the points raised are applicable to other industries as well.
Open Banking will present opportunities for those who can use banking data to enhance their product and service offerings, or to develop completely new products and services. In our discussions with super funds, the idea of using open banking data to enrich the financial advice experience was raised multiple times. Being able to auto-fill this data, much of which is currently used but collected and entered manually, is a much better experience for consumers, and an efficiency saving for funds. Another use case that was mentioned more than once was the development of dashboards that give a consumer a view of all the financial products and services they have across all banks. This would allow super funds to become something of a central dashboard for a consumer’s finances, hopefully increasing the ‘stickiness’ of members. The question we posed here is whether or not super funds are well-placed to offer this dashboard functionality, and whether another third party, or maybe even the banks themselves might be better positioned to succeed here.
In this sense, Open Banking is also a significant risk for incumbents in industries likely to fall under the scope of the CDR. There is a distinct possibility that rather than increasing competition and encouraging new entrants to the banking sector, the CDR ultimately consolidates the dominance of the major banks. Banks could use the inherent advantage they have in being a facilitator of payments to become major re-sellers of energy, telecommunications, superannuation, and any other sector added to the CDR regime. It’s not difficult to imagine a scenario in which your bank might be able to recommend you an energy provider that they are confident can offer you a better deal. The bank is present at the point of payment, and can leverage their own data to determine what people like you (in terms of family structure, income, geography etc.) pay for their energy. When combined with the data Open Energy would give them access to under the CDR, banks will be uniquely placed to become re-sellers of energy. The risk here is that the companies ultimately providing these services will lose significant control over the customer experience.
Privacy and data security were both hot topics in the discussion group. Both are obviously complex areas, with a number of different legislative and regulatory factors impacting privacy, and an even greater range of technical considerations affecting data security. Our overarching — if somewhat simplistic — conclusion was that broadly the same considerations (standards like ISO/IEC 27001 and regulations such as APRA CPG 234 in the superannuation and banking industries) apply here as to non-Open Banking scenarios involving consumer data. A more detailed discussion of these factors would likely increase the length of this blog by orders of magnitude, so we encourage you to refer to some of the many resources available online if you need more information.
Scott Farrell — the author of the Review into Open Banking which made key recommendations around the implementation of Open Banking — remarked that “engaging in the consumer data right will create opportunities for businesses to truly immerse themselves in Australia’s ‘new’ data sector and data economy.” Open Banking and the CDR will indeed present many opportunities for businesses in a whole range of sectors, but it will also threaten the positions of many incumbents. While exactly how it will transform the economy is far from certain, we can be fairly confident that it will be disruptive and transformative.