This chapter discusses evidence received by the committee on the introduction of the Consumer Data Right in Australia.
The Consumer Data Right (CDR) is an economy-wide reform with the objective of empowering consumers to access better products and services across a range of industries. It aims to achieve this by giving consumers the right to safely access certain data about themselves held by businesses, and direct that this information be transferred to accredited, trusted third parties of their choice. The CDR will also require businesses to provide public access to information on specified products that they offer (known as 'product reference data') in a common format.
The CDR is designed to give consumers more control over their data, leading, for example, to more choice in where they take their business and more convenience in managing their services. The CDR will be rolled out sector-by-sector, starting with the banking sector, where it is referred to as 'Open Banking'. The Treasurer has authority to designate sectors for rollout of the CDR. Following banking, the CDR will be rolled out in the energy and telecommunications sectors, with further sectors of the economy to follow.
The committee received a large volume of evidence on issues relating to the CDR, including:
the implementation and rollout of Open Banking;
accreditation issues and access to CDR data;
the future of alternate means of accessing customer data once CDR is implemented;
extending the CDR regime to other sectors within financial services, including superannuation and general insurance; and
governance arrangements for the CDR.
Implementation of Open Banking
The introduction of a consumer data right in the banking sector came about following an announcement in the 2017–18 Commonwealth Budget that the Government would introduce an Open Banking regime in Australia.
The government commissioned a review, led by Mr Scott Farrell, to develop the best approach to implement the open banking regime in Australia. Following a public consultation period in early 2018, the review's recommendations were agreed by the Australian Government in May 2018. The government allocated funding of $20 million over four years to oversee the implementation of the CDR, starting with the rollout of Open Banking. The legislation establishing the framework for the CDR regime was subsequently passed through the Parliament in August 2019.
Under the CDR framework, the Australian Competition and Consumer Commission (ACCC) has responsibility for developing the detailed rules governing the implementation of the CDR in banking and in subsequent sectors, including overseeing an accreditation scheme for data holders, approving technical standards, and taking enforcement action to ensure compliance by participants.
The Office of the Australian Information Commissioner (OAIC) has responsibility for privacy protections relating to the CDR, while a Data Standards Body (currently CSIRO's Data61) is responsible for developing technical standards relating to data transfer and security under the CDR.
Evidence received on Open Banking rollout
Many submitters and witnesses commented on the potential of Open Banking to create a more competitive environment in the financial services sector and enable innovative businesses to prosper and drive better outcomes for consumers.
FinTech Australia noted that 40 per cent of respondents in the 2019 FinTech Census indicated that they anticipate their organisations will become an accredited provider under the CDR regime, demonstrating that FinTech companies 'see benefit from being part of this new data regime'.
Issues of concern relating to the rollout of the CDR for banking data raised with the committee included:
the implementation timeline for Open Banking;
the accreditation regime for data recipients under the CDR, particularly the treatment of intermediary organisations;
the future of other data capture methods such as 'screen scraping'; and
the need to educate consumers about the rollout of Open Banking.
The ACCC released the foundational CDR rules and accreditation guidelines in September 2019, and the CDR Rules entered into effect as a formal legislative instrument on 6 February 2020.
The implementation of Open Banking is being pursued in an iterative fashion, with several types of data and financial institutions progressively coming under the scheme over a period of time.
The types of banking data consumers will be able to direct CDR data holders to share have been divided into three phases, which will be rolled out sequentially:
Phase 1 – data relating to credit and debit cards, deposit accounts and transaction accounts.
Phase 2 – data relating to mortgages and personal loans.
Phase 3 – data relating to products including business loans, overdraft facilities, and foreign currency accounts.
Under the current timeline for implementation, the four major banks (ANZ, Commonwealth Bank, NAB and Westpac) started sharing product reference data from July 2019 on a voluntary basis, and commenced sharing Phase 1 customer data from 1 July 2020. They are required to share Phase 2 data from 1 November 2020, and Phase 3 data from 1 February 2021.
Under the ACCC's current timeline, mandatory consumer data sharing obligations for non-major authorised deposit-taking institutions (ADIs) are due to commence on 1 July 2021 for Phase 1 data and 1 November 2021 for Phase 2 data, with the sharing of product reference data commencing on 1 October 2020.
The current implementation schedule is the result of several delays that have already occurred. Under the initial timeline announced in May 2018, the major banks were required to make customer data available in several phases between July 2019 and July 2020. Under an updated implementation timetable published in September 2019, the commencement of the sharing of the first customer data set was revised to February 2020.
This timetable was further revised to the current iteration in December 2019, with the commencement of customer data sharing delayed from February 2020 to July 2020. The ACCC stated that this updated timeline for these aspects of the CDR reforms would ‘allow additional implementation work and testing to be completed and better ensure necessary security and privacy protections operate effectively’.
At the committee's public hearing on 27 February 2020, ACCC representatives advised the committee that system testing was currently underway with the big four banks as well as eight entities selected to be initial data recipients under Open Banking. Mr Paul Franklin, Executive General Manager, Consumer Data Right at the ACCC, told the committee extensive work was required on the part of all participants to build the systems necessary for Open Banking to function:
Two prerequisites for the launch are that the initial group of data recipients are accredited and that the necessary technology is in place and has been tested to ensure it's robust and secure. In relation to accreditation of the data recipients… we are currently hopeful that the majority will be able to be accredited for launch.
In relation to technology, IT builds are required by the ACCC, each of the major banks and each of the data recipients… As lead regulator, the ACCC has overall responsibility for the delivery of a trusted and secure ecosystem, and is undertaking a significant testing and assurance program to ensure that at launch the systems operate as intended, deliver the expected functionality and that they're safe and secure.
When questioned on the expected uptake of the CDR system, Mr Franklin stated that the ACCC doesn't have 'a specific target' in mind; however, it has seen evidence of 'very strong demand from prospective data recipients' as well as a number of ADIs that 'are very keen to make their data available as quickly as possible'. Mr Franklin commented further:
[B]y the end of 2021 we would like substantially all consumers in Australia to have their banking data available, and we would like to have a vibrant selection of data recipients available.
Despite disruptions caused by the onset of the COVID-19 pandemic, the first phase of consumer data sharing under Open Banking formally went live on 1 July 2020. Two data recipients, Frollo and Regional Australia Bank, had fully completed the accreditation process and were the first participants able to receive Open Banking data from the major banks.
The ACCC stated that although many FinTechs ‘wanted to be part of the system on day one, the pandemic had caused many to shift their priorities and redirect resources away from the accreditation process’. With a further 39 parties having started the approval process, the ACCC considers there ‘should be about a dozen official data recipients’ by September 2020.
Senator the Hon Jane Hume, Assistant Minister for Superannuation, Financial Services and Financial Technology, described the launch of Open Banking as ‘a game changing reform’ that will ‘revolutionise the way that consumers and small businesses use their data to compare prices and switch between products and providers in the banking sector’. The Minister noted that Open Banking can assist consumers to navigate their finances during the COVID-19 crisis:
Open banking couldn’t have come at a better time. As people tend to their personal balance sheets and say ‘how am I going to find a way through this crisis?’ and ‘are the products that I’ve got right for me?’, Open Banking will allow them to find a better deal and to use their own data to find that deal.
It will encourage financial services organisations to innovate and tailor products specifically to their clients. And it will make switching between those products more seamless. So it actually comes at a great time and overall, of course, it will reduce the cost of financial services and of everyday banking.
Accreditation issues and access to CDR data
An issue of importance to many submitters is ensuring that the CDR regime is as accessible as possible to both small and large financial institutions who wish to participate.
The CDR rules currently provide for a single 'unrestricted' level of accreditation for Accredited Data Recipients (ADRs). Banks holding an ADI licence will automatically be able to access accreditation at this level, due to their pre-existing prudential regulatory requirements, which are deemed sufficient to meet the necessary standards for CDR accreditation. For non‑ADIs (which includes the vast majority of FinTechs), Mr Franklin of the ACCC summarised the accreditation requirements as follows:
For fintechs who are not banks…there are essentially three requirements to pass. Do they have adequate insurance? Are they fit and proper persons? Can they demonstrate that they have a secure environment for the data? Then they need to pass some practical tests that they can actually collect the data. Provided any organisation meets those requirements…any organisation is able to participate in the consumer data right.
Some FinTechs that submitted to the inquiry expressed disappointment at the estimated costs that will be incurred by organisations who wish to become ADRs, due to the need to upgrade data systems and meet the insurance and other requirements imposed under the accreditation scheme. It was estimated that building a data storage centre capable of hosting CDR data to the required security standards can cost an organisation in the range of $50,000 to $70,000.
These submitters argued that the costs and laborious nature of the accreditation process will prove prohibitive for many FinTechs and RegTechs that would otherwise wish to participate fully in the CDR, thus limiting overall uptake of the scheme and decreasing the benefits available to consumers. Xero, a cloud-based accounting software provider, summarised these issues as follows in its submission:
For consumers to benefit from open banking and the subsequent increase in competition among lenders, the Government must ensure barriers to entry for FinTechs and RegTechs are as high as necessary but as low as possible. The accreditation process is a major barrier that will materially impact the level of participation, competition among lenders, utility to consumers and consumer interaction with the initiative.
Raiz Invest argued that the streamlined accreditation process available to ADIs under the CDR Rules unfairly benefits the large incumbent financial institutions and as such will limit Open Banking's ability to provide a more competitive market for consumers.
SISS Data Services suggested that, to ensure smaller players are able to participate in the CDR, a financial incentive could be offered by government to FinTechs who have gained CDR accreditation:
This payment would help offset the initial and ongoing costs (compliance, audit and development) of complying with the CDR. To minimise the potential abuse of this incentive, payments would be paid in equal instalments, over a period of time, and only available to FinTechs if they attained and maintained their CDR accreditation.
ANZ suggested implementing several tiers of accreditation as the next logical step in the evolution of the CDR scheme, whereby 'additional levels of accreditation that are easier to obtain could be introduced that would allow entities to receive either less sensitive CDR data or simply insights from the data rather than the data itself'.
Concerns about unaccredited parties accessing CDR data
The Financial Rights Legal Centre and the Consumer Action Law Centre (FRLC and CALC) lodged a joint submission raising several concerns about the potential for consumer data released under the CDR framework to be misused. A key concern is the leakage of sensitive financial data to non‑accredited recipients outside of the protections of the CDR framework.
FRLC and CALC stated that under the current framework, if a CDR consumer provides their CDR Data that it has received from a Data Holder (e.g. their banking provider), directly to a third party, the privacy protections afforded to that CDR Data under the CDR regime will not apply:
[U]naccredited FinTechs can simply ask for people to hand over the data that the consumers themselves request directly from their data holder in a machine readable format. These FinTechs/companies would therefore not have to get accredited.
One of the key aims of the CDR is to create a safe and secure environment in which consumers will be able to trust and have confidence that they will be able to transfer or port their data from one data holder or participant to another. However the CDR legislation will facilitate non-accredited parties obtaining CDR information, leaving these consumers, who were led into a system on the promise of higher privacy protections, vulnerable to the lower privacy standards of the [Australian Privacy Principles].
FRLC and CALC noted that ‘Treasury engaged Maddocks to prepare an iteration of the CDR’s Privacy Impact Assessment (PIA) to identify the impacts that the CDR may have on the privacy of individuals’, and stated that the Maddocks PIA ‘detailed significant issues with the current CDR’.
The Maddocks PIA was released in September 2019, making ten recommendations. In December 2019, Treasury, the ACCC, the OAIC and Data61 released an agency response to the Maddocks PIA, which supported eight of the Maddocks recommendations in full, offered partial support to one recommendation, and noted that Treasury would soon be releasing further information relating to one recommendation.
FRLC and CALC noted that Treasury and other responsible agencies have supported many of the recommendations, and expressed support for the regulators ‘implementing these recommendations as soon as possible’. They submitted further:
However the response has failed to address other fundamental issues with the CDR regime including the issue alluded to above that, if the CDR Consumer provides their CDR Data that it has received from a Data Holder, to a third party, the privacy protections afforded to that CDR Data under the CDR regime will not apply.
FRLC and CALC recommended that the CDR framework needs to ensure that third party recipients 'have clear obligations about the handling of CDR Data they receive by, for example, extending the application of the Privacy Safeguards to apply to third party data recipients of CDR Data'. These consumer groups also advocated for ‘amending the Privacy Act and the [Australian Privacy Principles] to ensure that the same strong protections under the CDR apply to all consumer data’.
ACCC approach to accreditation of data recipients
The ACCC explained in its submission that it is taking 'an evolving approach' to accreditation of data recipients:
Accreditation of data recipients helps foster trust in the CDR regime, by ensuring that recipients of consumer data are subject to appropriate privacy, Information Technology security, insurance and other obligations. The accreditation regime needs to strike the right balance between encouraging FinTechs to participate in the CDR ecosystem, while also ensuring sufficient consumer and information security protections are in place.
…The ACCC noted in the Rules Outline that the first general level of accreditation is intended to enable an accredited data recipient to receive all CDR data in scope for banking and is therefore subject to stringent accreditation obligations. It is intended that the unrestricted level of accreditation will become the level that entitles access to all CDR data across sectors.
The ACCC submitted that it has 'undertaken significant consultation with FinTechs that will be seeking accreditation as data recipients', with priority for initial accreditation to be given to those FinTechs that have participated in the testing program. Mr Franklin commented at the committee's public hearing:
In all of these matters the consumer data right legislation requires us to consider a number of priorities, including the interests of consumers and promoting competition and data-driven innovation, and the privacy and confidentiality of consumer information.
Underlying our approach to development of version 1 of the rules is the confidence that the CDR ecosystem can be expanded through following a successful launch, and that it is easier to relax controls over time than to tighten them. A project of the scale and complexity of the consumer data right is always going to present challenges.
Mr Franklin also expressed the view that the accreditation and application process would become more streamlined over time:
One thing we are building as part of our technology suite is a conformance test suite to automate the testing process. We intend to make it much easier for prospective data recipients to go through the accreditation and testing process. If we can facilitate the use of outsourcing providers and intermediaries, automate the testing, then the path from application through to go-live should be shorter and much less expensive.
The ACCC stated further in May 2020 that it is continuing to consider appropriate ways to reduce potential costs and provide flexibility to data recipients, stating:
We have recently revised the requirements for information security to provide greater flexibility around the type of assurance report that will be accepted to meet the information security obligation. The requirement for applicants to provide an assurance report is the biggest up-front cost for them to be accredited. This change may enable some applicants to reduce those upfront costs.
We are also pursuing other potential ways to reduce the cost of accessing CDR data, including changes to the outsourced service provider provisions, introducing lower tiers of accreditation, appropriate measures to permit the use of intermediaries, and allowing transfer of CDR data outside the CDR ecosystem in some circumstances.
Access to CDR data by third party 'intermediaries'
Given the stringent requirements of becoming accredited as an unrestricted data recipient, submitters were in agreement that Open Banking needs to provide the ability for 'intermediary' organisations to be able to become accredited and allow third party organisations to access CDR data for the purpose of providing products and services to consumers.
The ACCC submitted that it recognises the importance of intermediaries in the financial sector, and ‘the roles that they play including in assisting or facilitating the collection of data, as well as providing 'end to end' services through the collection and use of data’:
The ACCC is seeking views on whether intermediaries should be accredited and whether accreditation of intermediaries may support development of lower tiers of accreditation that would reduce barriers to entry, by allowing ADRs to become accredited at a lower cost, but with restricted data access rights. The ACCC also intends to engage with ASIC to explore the potential development of a tier of accreditation that would complement ASIC's regulatory sandbox licensing exemptions.
The ACCC released a consultation paper on how best to facilitate participation of third party service providers on 23 December 2019. The ACCC subsequently released a set of draft rules on 22 June 2020 relating to intermediary access for further feedback, with stakeholder submissions due by 20 July 2020. The draft rules would authorise third parties who are accredited at the 'unrestricted' level to collect CDR data on behalf of another accredited person, allowing ‘accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers’.
Submitters urged that the rules relating to intermediaries be finalised as quickly as possible to provide certainty for all parties, noting that until such rules are implemented, there remains a level of ambiguity for organisations who already provide intermediary services in the financial services sector. The Financial Data and Technology Association submitted:
In the meantime, the obligations of an intermediary, acting as an outsource service provider to an ADR, [are] ambiguous making it difficult for an existing Fintech using a data intermediary or a startup looking to quickly test a new idea, to plan a viable path into the CDR ecosystem. As a result, only mature businesses or incumbent banks may be at sufficient scale to operate as an ADR, potentially at the expense of new ideas and business innovation.
Xero commented that the treatment of intermediaries and non-accredited third parties will be 'crucial elements' in determining the success of the CDR initiative, stating:
Intermediaries will be a crucial service provider in the open banking ecosystem giving access to multiple CDR APIs via a single API. This service will replace the need for accredited CDR recipients to build to the individual APIs of data holders. However, should intermediary regulation be too high the service will be the domain of few competitors. Lacklustre competition is likely to lead to higher prices, meaning CDR data is available to only the few with resources to access full API coverage or with capacity to absorb high intermediary costs they are unable to pass on.
Several submitters to this inquiry provided detailed comments on how they consider the ACCC should calibrate the settings for allowing intermediaries to access the Open Banking regime.
Future of 'screen scraping' and other alternative means of data sharing
A considerable number of submitters and witnesses provided evidence to the committee on other methods of data access currently being used in the banking and financial services industry, and how these will be affected by the introduction of Open Banking.
The practices discussed are referred to by some industry participants as Digital Data Capture (DDC) and are commonly called 'screen scraping'. In the banking context, these terms refer to the practice of an organisation (such as a bank, a financial service provider or a data aggregation company) using a customer's login details to access their bank accounts and data in order to provide a secondary product or service.
Companies that utilise screen scraping do so for a variety of use cases. Some companies access customers' accounts on an ongoing basis in order to provide investment products or financial planning tools; others access account information on a one-off basis in order to access information such as transaction records to be used, for example, as part of a loan assessment process.
The committee heard that within the financial sector, screen scraping technology is widely used by banks, lenders, financial management applications, personal finance dashboards, and accounting products.
Bank terms and conditions and the ePayments Code
Various submitters noted that banks' customer terms and conditions prohibit the provision of customer account access information to third parties, and that any customers who do so by giving their details to a third party to conduct DDC may lose protections available to them under the ePayments Code if any loss, theft or misuse subsequently occurs.
The ePayments Code provides that where a service provider can prove on the balance of probability that a user contributed to a loss through fraud, or breaching the pass code security requirements in the Code, the customer is liable in full for any losses that occur until the point this is reported to the service provider.
ASIC is currently conducting a review of the ePayments Code; it released an initial consultation paper in March 2019 seeking submissions on issues to be reviewed in the Code, and conducted further stakeholder consultations in August‑September 2019. ASIC planned to release a secondary consultation paper in July 2020, setting out ASIC's intended updates to the Code (and including a draft copy of the updated Code) for stakeholder feedback. Due to reprioritisation of work as a result of the COVID-19 pandemic, ASIC now plans to release this consultation paper in the fourth quarter of 2020.
Arguments opposed to the use of digital data capture techniques
A number of submitters and witnesses advocated against the continuing availability and use of screen scraping techniques in the financial services sector. Arguments advanced by these stakeholders included that:
screen scraping is a poor technology solution that is slow and unstable, with the potential for inaccuracies and other deficiencies in the data collected;
allowing customers to engage in any practice in which they disclose logon and password information to third parties runs counter to good IT security practices and the explicit security advice provided by the Australian Government to consumers, thereby weakening consumers' resistance to other malicious activity such as phishing attacks; and
allowing screen scraping to continue alongside the faster, safer data transfer mechanism created by Open Banking will undermine the potential success of the CDR regime by creating a two‑tiered system where less trustworthy operators will continue to utilise screen scraping rather than seek CDR accreditation.
Mr Michael Morris, Head of Technology for Ferocia, a Melbourne-based software firm that developed and operates the technical platform for digital banking platform Up, summarised some of these concerns as follows:
Screen-scraping is another organisation enticing a customer to input their user name and password into their site with, I guess, a promise that they will only use it for the purposes that customer intended. Obviously there is no enforceability of this promise. There is no regulation of this promise. It's against the terms and conditions of the financial institution, yet it continues. It's effectively a time bomb waiting to happen. You have these organisations that amass a bunch of customer credentials. Secondly, it encourages bad customer practice to start typing in your user name and passwords into lots of different websites, which can lead to financial crime or breaches of privacy. There are better ways to do these sorts of things, like open banking. We would certainly not like to see it encouraged...It's a hack, if you will. We should not be promoting or endorsing that. We should be supporting organisations for their ability to enforce their terms and conditions and restrict it.
The joint consumer submission from FRLC and CALC expressed particular concern about the use of screen scraping by payday lenders:
We are aware of financially vulnerable clients providing log-in details to payday lenders, only to have the payday lender use the log-in details later to identify when a consumer is getting low on cash and subsequently directly advertise to that consumer. This has the effect of exacerbating financial hardship.
Arguments in favour of the continued allowance of screen scraping practices
Other submitters and witnesses expressed strong support for the continuing use of digital data capture techniques. Arguments advanced by these stakeholders included that:
screen scraping techniques are utilised by a wide range of institutions within the financial services sector, including major banks and accounting firms, as well as smaller FinTechs;
many providers of DDC services maintain bank-level security, and as such these practices do not put consumers at risk;
the use of screen scraping allows FinTechs to offer innovative products that increase competition in the financial services sector;
there is no significant evidence of consumer detriment or security breaches occurring as a result of these techniques being used; and
screen scraping techniques will not be readily replaceable by Open Banking in the short term, meaning that an outright ban on the practice will lead to poorer immediate consumer outcomes.
illion (formerly Dun and Bradstreet), a data and analytics company that provides products including consumer and commercial credit registries and has operated in Australia for over 130 years, submitted:
DDC is a critical mechanism to empower consumers and facilitate competition, [is] valued by consumers, is secure and cost-effective, and is making a significant contribution to the competitive dynamics in the current market.
FinTech Australia submitted:
Screen scraping is one of the primary ways that fintechs are able to receive data from customers and provide tailored services as it is cheap and easy to access. Businesses rely on this technology including as a mechanism to review payments data and perform reconciliations which may prevent against fraud. It may even assist compliance with CDR where screen scraping is used to help clean and correct CDR data parcels and perform data reconciliation. Others have noted that screen scraping may even be used as a mechanism to test ideas prior to or during the process of applying for accreditation as an accredited data recipient.
Raiz, a microinvesting platform that enables customers to save and invest their ‘spare change’ through the automated depositing of small residual amounts from everyday purchases into a managed investment fund platform, commented:
[Screen scraping] is a relatively inexpensive way in which a FinTech can provide a user with useful data aggregation services, such as money management tools. Importantly it is regulated by current privacy laws. Raiz uses Yodlee’s screen scraping services to provide our Round-Up service along with our personal financial management tool… Screen scraping has existed in Australia for over 5 years. It is widely used by many companies, including ANZ and Xero with no reported security or fraud issues in those 5 years.
Supporters of digital data capture emphasised that data aggregation firms use encryption and bank standard security measures to keep data safe, stating that these aggregators must take data security extremely seriously in order to meet the requirements of lenders who are accessing their data checking services.
When asked about screen scraping at a public hearing of the committee, ASIC Commissioner Sean Hughes told the committee that ASIC is not aware of any evidence of consumer loss occurring as a result of screen scraping.
In the context of using screen scraping to access bank statement data as part of responsible lending checks for loan applicants, illion emphasised that its customers are given a choice between quicker digital assessment processes using digital data capture and manual paper-based assessment, which takes considerably longer; when offered this choice, over 80 per cent of consumers choose the faster, digital option.
Customer communications regarding screen scraping and the ePayments Code
Submitters informed the committee that in some instances, major banks are regularly contacting their customers who are utilising third party applications via screen scraping, and warning these customers that doing so breaches the ePayments Code. FinTech Australia submitted:
Several FinTech Australia members, including Raiz Invest have long received letters from banks noting that its activities breach the ePayments code. This bank has sent notifications and emails to its customers who use the service on a continual basis. Such letters have been viewed as a thinly veiled excuse for anti-competitive conduct.
Raiz submitted further detail on its experience in this regard with the Commonwealth Bank (CBA):
CBA does not like FinTechs using screen scraping to service CBA’s customers. CBA’s campaigns against Raiz (and other FinTechs) have been ongoing since 2016...CBA contacts its customers via emails, in-app messages and push notifications…and tells them that by sharing their account details with a third-party provider (such as Raiz) to enable screen scraping, they may be putting their money at risk due to fraudulent activity on their account. CBA goes on to warn the customer that the customer may have invalidated the protections against loss of the customer’s money in the [ePayments Code.]
This communication from CBA has caused serious detriment to our business... More importantly, in our view, CBA is deliberately confusing customers and potentially misleading them about the consequences of sharing account details.
The lack of clarity around screen scraping and inaction by the regulator, Treasury and the Government allows banks to engage in campaigns that are designed to misinform the Australian public, contributing to a distrust and suspicion of new technologies and the use of [Business-to-Consumer] FinTechs. The banks’ actions are therefore directly contributing to inhibiting competition by making it more difficult for FinTechs to run successful businesses, including raising capital in Australia; investing in Australian jobs and developing technology that can be exported globally.
Finder stated in its submission that using digital data capture 'is generally accepted as the most secure way to access banking data in lieu of the CDR', and argued that negative communication from incumbents about DDC will ultimately undermine the CDR regime:
[S]ome of the major banks in Australia have been sending warning messages to their customers about using these services. While we are fully supportive of banks warning their customers about security risks, we don’t believe that these services create the level of risk that warrants the action seen from banks, including Commonwealth Bank and Bankwest. More specifically, we think that repeated emails and in-app notifications warning customers to change their log-in credentials are helping to shape public opinion in a way that discourages data sharing and undermines the CDR regime. In our opinion, the government should facilitate (and normalise) the use of third-party services and encourage participants, through regulatory catalysts, to support these processes. We appreciate the security issues and the need for appropriate indemnities but, particularly in the interim before CDR, incumbents should be discouraged from increasing consumer apprehension in this space.
Mr Robert Bell, Chief Executive Officer (CEO) of digital neobank 86 400, told the committee that its customers have also been targeted with communications by a major bank because of 86 400's use of screen scraping as part of its services offering. Mr Bell expressed the view, however, that his business had not been significantly impacted by this practice:
When a big bank writes to your customers once a week or once a day and says, 'You've breached your terms and conditions because you've used screen scraping,' that can really only be seen, I think, as anticompetitive. The good thing is, though, that Australians are pretty sensible, our customers are pretty sensible, and they just see that for what it is, so it hasn't had an impact on us.
We're not seeing any change in behaviour [from our customers]… We're giving them value, and they like it, so they want to use it. If you can genuinely provide a great product, a great service, a great experience, then people will use it.
CBA responded to the comments made by other submitters and witnesses, arguing that sharing user names and passwords 'is a fundamentally unsafe practice' and that screen scraping poses a number of security risks. In relation to its customer communications on these issues, it stated:
We communicate with our customers because we have a responsibility to protect the safety of our customers’ information, and we can play an important role in customer education and awareness on data and online safety.
We know the security of their data is a concern for customers, who may not be aware of the vulnerability to which they are exposed when providing their log-on credentials to third parties and who seek greater assistance in identifying ways to protect themselves online.
In our ongoing monitoring of the security of customer accounts, we have identified circumstances where it appears our customers’ accounts were accessed by a third party. Where we identify this may be occurring, we warn our customers of the potential risk. We then provide customers the information they need to decide about the steps they can take to protect their security and privacy online.
Our communications are consistent with, and an adjunct to, the annual notifications we are required to provide our customers under the ePayments Code.
Claims made during the Committee’s consultations that our communications are anti-competitive are incorrect.
When asked whether it was considering any possible anti-competitive behaviour in this area, the ACCC informed the committee that following the receipt of correspondence in early March 2020 from two financial institutions relating to these practices, it had considered these complaints in accordance with its Compliance and Enforcement Policy:
The ACCC considered the detail of the complaints and the terms of the warnings by the major banks and decided not to commence an investigation. The alleged conduct involves general statements or warnings regarding potential security or safety risks associated with screen scraping and sharing passwords, and does not appear to have the purpose or effect of substantially lessening competition.
The ACCC has responded to the complainants and will continue to assess any allegations of anti-competitive conduct across the financial services sector. We currently have six investigations on foot in relation to allegations of anti-competitive conduct relating to the financial services sector.
Noting ASIC's current review of the ePayments Code, some FinTechs and other companies took the view that the code should be amended to specifically allow for screen scraping practices. illion commented:
The current version of the ePayments Code does not provide clear guidance as to which party is liable for unauthorised transactions made via a customer’s account, if the customer has knowingly provided their account logon details to a third party, such as a data aggregator. This is a significant technological and market development since the last major review of the Code.
illion contends that ASIC should be more prescriptive, that DDC is a strong example of positive industry practice…This will provide greater clarity to lenders and other financial service providers, as well as benefiting consumers.
The ePayments Code, which regulates consumer electronic payment transactions and is currently subject to review by ASIC, could be amended to provide clarity on DDC technology and provide additional safeguards for consumers who are engaged with businesses using this capability.
DDC technology is a useful data transfer tool that is used consistently and safely to deliver substantial value to consumers and data holders.
Raiz considered that the Code should be amended to make it clear that screen scraping is an acceptable process, and that customers can share their account details 'without any risk of loss of bank protections'. It stated that without such an amendment, the banks 'will be able to continue to confuse customers about the technical legal position'.
Contrastingly, FRLC and CALC strongly disagreed with the suggestion that the ePayments Code should expressly authorise digital data capture practices.
ASIC officials confirmed that it would be considering screen scraping as part of the next round of consultations on the ePayments Code. When asked whether the next iteration of the ePayments Code would deal with screen scraping explicitly, ASIC Commissioner Sean Hughes commented:
It depends on what the submitters to the next round of consultations say. We would like to be more helpful. I would be surprised if we move away from the warning that both we, the ACCC, the ATO [Australian Taxation Office] and other agencies give about the risks of sharing passcodes with third parties, but we will reiterate that at the moment it is not something that the code prohibits.
Future of digital data capture under the transition to Open Banking
There were a range of contrasting views put to the committee about how DDC should be treated with the rollout of Open Banking, including that:
screen scraping must be prohibited in order for the CDR to have its intended effect;
screen scraping should be allowed for an interim period (possibly limited by sunsetting arrangements) until Open Banking is fully rolled out; or
screen scraping techniques should be allowed to continue indefinitely, in parallel with Open Banking.
Some stakeholders opposed to the practice of screen scraping argued that it must be prohibited with the introduction of Open Banking. FRLC and CALC submitted:
[The very] reason the government’s Consumer Data Right was established [is] to provide a fast, safe, and secure process to access personal and financial data.
Without a ban on screen-scraping, there is very little incentive for businesses such as payday lenders and debt management firms to use CDR accredited software over screen scraping technology.
FRLC and CALC argued that unless screen scraping is prohibited, 'two very distinct FinTech sectors will be created: a sector that will adhere to higher privacy safeguards and standards and a sector that will not'. It stated that this 'ultimately undermines the potential success of the CDR regime to ensure great consumer protections and increase confidence in the sector'.
SISS Data Services argued similarly that without a clear endpoint for screen scraping, there is no incentive for FinTechs to adopt the new CDR data sharing model. Rather than an immediate ban, however, it recommended the introduction of a sunset date to phase out screen scraping, allowing industry to focus on the CDR data-sharing model.
Conversely, illion argued that digital data capture needs to continue to operate in parallel to the Open Banking framework 'as an essential value adding technique':
The continued utility of DDC relates to real-time data provision; simplicity of customer onboarding; level and quality of data availability; and providing a redundancy fail-safe in the future world of Open Banking, for example, in a period when a financial institution's API is offline.
DDC is also a useful tool enabling smaller organisations, who are not yet participating in Open Banking to compete; they would otherwise be shut out of the system. Conversely DDC also enables larger organisations to access information from pre-Open Banking smaller organisations. Without DDC we will likely face a "have and have not" information structure benefitting larger institutions.
illion believes DDC technology will provide an important benchmark to assess the performance of Open Banking. We note the current rollout of the CDR will take many years and may be subject to additional delays. There is a need for a mechanism to be available for smaller lenders and service providers such as brokers to provide access to digital bank statement data in the interim.
Mr Fred Schebesta, CEO and Co-Founder of Finder, commented:
[W]e should keep screen-scraping live until we have the full rollout of the CDR. Why is that important? Because unlocking Australian banking data today empowers Australians to make better financial decisions now. If we were to rule out and get rid of screen-scraping we would essentially send Australians back 10 years. We obviously have to find the checks and balances and safe and responsible and regulated ways to do that, but we should work towards that and finding accredited ways to make that happen and let them join in with this new program.
FinTech Australia stated that organisations utilising screen scraping in order to undertake responsible lending checks would not be able to complete these checks using the CDR in its current form.
Several submitters noted that the initial review into Open Banking in 2017, conducted by Mr Scott Farrell, considered the issue of screen scraping and made the following points:
Open Banking should not prohibit or endorse ‘screenscraping’, but should aim to make this practice redundant by facilitating a more efficient data transfer mechanism.
Over time, the ability to share customers’ banking data in a more seamless and secure way through Open Banking should reduce the need for customers to compromise their security and privacy by disclosing their login credentials.
Open Banking should not be mandated as the only way that banking data may be shared. Allowing competing approaches will provide an important test on the design quality of Open Banking and the Consumer Data Right.
Along these lines, FinTech Australia recommended that the CDR must be implemented in a way that 'is easier to access, provides better functionality and is cheaper than screen scraping'. It was argued that this will facilitate a natural transition away from screen scraping practices over time, without the need to specifically prohibit this practice.
Other technical innovations were also mentioned to the committee that will impact on the use of screen scraping techniques. For example, Mr Morris of Ferocia informed the committee that Up's digital banking app has been designed using world‑leading technology that makes third party access of a customer's account via screen scraping impossible at a technical level.
On 23 January 2020, the Treasurer announced an inquiry into future directions for the Consumer Data Right led by Mr Scott Farrell. An issues paper was released in March 2020 and the inquiry is due to report to the Treasurer by September 2020.
Consumer awareness and education regarding Open Banking and the CDR
The committee heard that for Open Banking and the Consumer Data Right initiative more broadly to be effective, the Australian public needs to be made aware of this significant reform and the opportunities it provides. Without this awareness, adoption of services provided using the CDR may be weak.
The Australian Computer Society noted:
Australia’s [CDR] legislation will ultimately be judged against increased competition and consumer movement across products by enabling consumers to share their data with third parties. If adoption is weak, the main objective will be lost, and we won’t see the downstream innovation on products and services[.]
FinTech Australia submitted that consumers generally have poor awareness of alternative financial services providers outside the major incumbent players in the market, and that consumers need to be educated about new initiatives such as the CDR. It commented:
CDR will require a campaign to educate consumers about what it is and how they can receive new services and improved services from new providers. As an example, the government should look to equivalent overseas campaigns, such as in the UK.
FinTech Australia recommended that government 'should conduct a targeted campaign to educate consumers as to what the CDR is to allow them to understand the opportunities provided to consumers through the new data economy'.
When asked for more details on what type of education campaign would be required, representatives of FinTech Australia commented that it needs to focus on educating consumers that the CDR will provide a new safe and trusted mechanism for sharing their sensitive financial information, and highlight the ways consumers can use it to their benefit.
FinTech Australia commented further that the CDR education campaign ‘should be composed of various modules that address different parts of relevant markets’:
Firstly, ads and explanatory materials should be available to consumers that explain what the CDR is, and the benefits that it can bring. These explanatory materials should come in the form of electronic and paper materials, and should be made available by the participating banks and fintechs, as well as government bodies. As highly technologically literate individuals, high school and university students would also be ideal candidates for targeted marketing. These campaigns could concentrate on leveraging their existing technological knowledge and familiarity, with an aim to improve financial literacy and fiscal behaviour.
Secondly, increased adoption of the CDR can be driven through an increase in professional development, particularly in key industries such as legal and professional services. Should individuals in these industries better understand the CDR and the benefits it can bring to themselves and their clients, the higher adoption rates will be. Professional development should also be provided to those in more consumer facing roles, such as customer service professionals at participating banks and fintechs.
FinTech Australia also stressed the importance of banks ensuring that CDR functionality is integrated seamlessly into their customer-facing systems:
To promote adoption through an increase in consumer trust, a consumer’s interaction with a bank’s CDR related interfaces, such as web pages that facilitate the movement of data or provision of consent, should be consistent with any other experience with that bank. Members have noted that in the UK these experiences can differ significantly, which can negatively impact consumer trust. Adoption of the CDR by everyday consumers necessitates accessibility and ease of use. Making the web pages that facilitate the consent process straightforward and easy for the consumer to navigate through is essential, as well as ensuring that any legal language is in plain English, and clearly sets out that customer’s rights.
FinTech Australia Member Mr Stuart Stoyan commented that a further issue to consider will be which body will coordinate a CDR education campaign.
The ACCC informed the committee that it is working closely with Treasury, the OAIC and the Data Standards Body to develop a 'comprehensive communication and education strategy which will be targeted to both consumers and industry'. The ACCC outlined further:
The work includes educational materials, including videos and webinars, a dedicated website, stakeholder newsletters and proactive media engagement. Elements of the strategy have already commenced, the CDR website will be launched in June 2020 and consumer-focussed communications will commence from July 2020.
We are working with cross-government stakeholders to ensure consistency in communications to consumers and industry, and each agency involved in the delivery of the Consumer Data Right will play a role in delivering communications to consumers.
We have been funded $350,000 in FY2019-20, which is being used among other things for development of a stand-alone CDR website and educational videos and a series of webinars.
The FRLC noted that the implementation of Open Banking and CDR could further exacerbate the “digital divide” between those who have access to technologies and those who don’t and, more importantly, between those who understand technology and those who don’t:
We have found that there are becoming 'digital haves' and 'digital have‑nots'. Even those who do have access to technology find themselves in difficult circumstances. I'm thinking of people in rural or remote communities who don't have access to a wide range of ATMs or digital services and are forced to go to the only ATM in town, which charges them quite a lot. This came up during the royal commission. Palm Island is an example. Yes, there are a lot of people who are not able to access, for example, technologies to receive their bills electronically. They're either charged for a paper bill, in some circumstances, or end up not being able to receive bills, and they may fall behind. So, yes, there are a lot of benefits that the fintech sector and fintech products will be able to provide for most Australians, who are on smartphones, but, yes, unfortunately there will be some losers in this situation.
The FRLC noted that it is under-resourced and not funded to undertake education campaigns on financial literacy:
Our organisation is pretty small and under-resourced. It's basically me and another policy officer.
We're one of the few organisations that do have a policy person who can deal with these [Fintech related] issues.
With the royal commission, we've basically had to put all our resources into fixing problems now, and very few of us in the consumer movement can even have the time to think about what the problems are in the future. We've decided to do that (now focus on issues related to CDR) because we see a lot of poor people calling us worried about data. We've discovered some problems, so we decided to put some effort into providing a submission to this inquiry and other inquiries around the CDR. We will continue doing so where we can.
Our organisation is not funded to do that (Financial Literacy), but sometimes we get funding to do a project from Ecstra or its predecessor, Financial Literacy Australia, to do a small financial literacy project. One I can think of is one that we did around payday loans recently. It's very rare that we are able to do it, because we're not funded to do it.
When asked at a hearing whether the FRLC thinks that financial literacy is keeping up with the range of products and offerings on the market, given how quickly the market is innovating and changing, Mr McRae stated:
No, not at all. On the weekend, I walked past a poster for a new buy now, pay later service called Bundll, which had a bear with sunglasses, basically saying, 'You can put this on buy now, pay later,' and it had photos of the types of things you can put on. One was a roll of toilet paper and one was a hamburger. My thought, when I saw that, was that most people will think that's really cool; it's got a cool bear in cool sunglasses. There is nobody out there providing financial literacy information about the problems inherent in buy now, pay later, and debt more generally, that would enable people to have a bit more understanding of the problems that may arise when you're using a buy now, pay later service to buy essential goods like toilet paper.
Expansion of the Consumer Data Right to other sectors
The committee heard a range of evidence on the potential to expand the Consumer Data Right to other sectors.
Under the CDR framework, the ACCC can recommend to the Treasurer that a sector should be designated for rollout of the CDR after considering a range of factors. As noted earlier, the first three sectors (banking, energy and telecommunications) have been nominated by the government. The designation of the CDR rollout to other sectors is a decision for government.
The ACCC noted that specific sectors raised with it by interest groups as possibilities in the economy-wide rollout of CDR include: superannuation; general insurance; private health insurance; digital platforms; hotels; agricultural data; automobile telematics data; and supermarket data. The ACCC submitted:
We have not yet considered which of the above sectors may be best suited for priority rollout of the CDR. For some sectors, substantial benefits may be captured through the release of product reference data to facilitate reliable and independent price comparisons, but there may be significant challenges and complexities in sharing consumer data, such as where contractual terms must be reduced to machine readable format. There will no doubt be lessons from implementation in banking that are relevant to other sectors, but each sector will raise novel issues that need to be closely worked through as part of the ACCC's sectoral assessment. The scope for facilitating innovation and new services, the privacy risks and the costs of implementation will differ across sectors.
Evidence presented to the committee by submitters and witnesses focused particularly on CDR rollout into other segments of the financial services industry beyond banking services, namely superannuation and insurance.
CDR in superannuation
The committee heard strong support for measures to make data in the superannuation sector more accessible, including by designating the sector under the CDR framework.
The Productivity Commission's report Superannuation: Assessing Efficiency and Competition, released in January 2019, recommended that superannuation funds be automatically accredited as authorised data recipients for Open Banking data, and that the CDR be extended to superannuation members' data itself. The report commented:
The new Consumer Data Right, which is initially being applied to banking, can help by enabling members to consent to their banking data being shared with their super fund…The Government should automatically accredit super funds to be eligible to receive such data (with the member’s consent). The Government should also roll out the Consumer Data Right to superannuation itself, to empower members to take their data with them when they switch funds — which may, in turn, help funds to design better insurance products (for example, using contributions data to infer breaks from the workforce) and retirement products (for example, using data on past drawdowns).
Intended purpose and scope of 'open super' data
Submitters raised several potential applications of extending the CDR to superannuation. These included:
sharing of individuals' superannuation data to allow for holistic financial planning and advice, including automated digital advice;
allowing superannuation funds to access CDR Banking data in order to provide better and more tailored products (including insurance products within superannuation) to their customers; and
making machine-readable product reference data available for products offered by super funds, to enable FinTechs and RegTechs to provide digital advice and comparison services to consumers on their superannuation options.
The Australian Business Software Industry Association commented that utilising 'open super' data could facilitate the uptake of automated digital financial advice services to benefit consumers, and stated:
The introduction of Open Super, alongside Open Banking, would cover the majority of an individual’s entire financial position allowing software providers to create solutions capable of bringing this data together in products aimed at both individual consumers and advisers. The opportunity exists to empower advisers and give them the necessary tools to provide more encompassing super advice to their clients, as most individuals are not aware of their full financial positions. Additionally, the opportunity exists for services to provide Robo advice[.]
Neobank 86 400 commented:
We believe that CDR should be extended to superannuation as soon as possible. As superannuation is a very significant part of financial planning this will significantly improve the quality of digital advice and the ability to provide holistic advice.
We would suggest that as well as requiring superannuation funds to share data, the ATO should also use the CDR to report on unclaimed funds that those entities hold (i.e. lost super).
Some stakeholders argued that making machine-readable product reference data available for superannuation products should be a focus of Open Super. Finder argued that this product reference data should be a logical starting point for Open Super, as it has been for the rollout of Open Banking. It stated that in particular, making product reference data available can assist in enabling comparison of insurance products offered within superannuation:
One key area where we believe Open Super can improve consumer experience in the market for superannuation is in relation to the insurance that is routinely packaged up in superannuation products. These insurance products can be difficult for consumers to understand, particularly when trying to understand what they're paying for this cover and the value of what the cover provides. This information is often buried in the Product Disclosure Statement and is presented in a variety of ways from fund to fund. We would advocate for this insurance information to be clearly broken out in any product reference dataset created as part of the Open Super regime. This would enable an accredited data recipient like a comparison website to use this information to clearly show a consumer the insurance product they are paying for and to compare it with like-for-like products from competing superannuation and insurance providers. Again, this outcome could be achieved with low-risk product reference data alone.
Other submitters argued that the focus of Open Super should be on access to individual consumer data rather than product reference data. The Gateway Network Governance Body commented that a 'significant amount of information is already available to superannuation fund members through their fund and the ATO, as well as the increasing volume and quality of data being collected by APRA':
Ultimately, data about products and investment options is best obtained through regulator data collection and publication processes. APRA has significant work underway to increase the quantity and quality of information collected and published. The value of implementing an open super framework lies in making available additional data as it relates to individual members.
We envisage that the most likely use of open super data will be in the context of fund members receiving services from a financial advisor, who may benefit from their advisor having broader integrated data on full financial health and history, which could include their superannuation and group life insurance details.
The Financial Services Council (FSC) similarly expressed this view, and recommended that the Open Super framework should centre 'on enabling individuals to access their own, tailored data and be a core focus in extending the Consumer Data Right'.
The Australian Institute of Superannuation Trustees (AIST) emphasised the importance of super funds being able to access Open Banking customer data:
AIST supports the use of CDR to allow members to share relevant information with their super funds. This will allow super funds to tailor their services, increase member engagement and ultimately improve retirement outcomes for members. Implementation of CDR in superannuation needs to include the ability for superannuation funds to be eligible to receive information under the Open Banking Initiative.
Standardisation of superannuation product information
Super Consumers Australia (SCA) submitted that in order for the benefits of open data to be realised, common standards around superannuation product information are required:
There is currently little agreement over a common standard for comparison of superannuation products. For example, what one fund might classify as a growth investment option, another will classify as balanced. Without ‘apples with apples’ comparisons an open data regime may further complicate decision making and ultimately lead to poor outcomes for consumers.
SCA noted that the Productivity Commission report made recommendations in relation to rectifying identified shortfalls in APRA's data collection in the superannuation system, and requiring super funds to publish simple, single‑page product dashboards for all superannuation investment options and standard machine readable versions of this data.
SCA argued that the implementation of these recommendations should occur by June 2020, and that this would pave the way for the benefits of Open Super data to be realised. It recommended further that the Federal Government adequately resource ASIC to develop a consumer-facing comparator tool for superannuation, including product dashboards for choice products, comparable information on insurance products and a comparison tool for superannuation fund performance.
Implementation considerations for Open Super
It was noted that the superannuation industry already has significant data infrastructure in place that could be leveraged to facilitate the implementation of CDR in superannuation. The Superannuation Transaction Network (STN) is the digital data messaging network over which superannuation transactions are sent, with approximately 79 million data transactions per year across the network between employers, superannuation funds, APRA and the ATO.
The Gateway Network Governance Body (GNGB), an industry-owned governance body which oversees the security and integrity of the STN, submitted that several considerations would be necessary in developing a framework for Open Super:
A clear definition of what "open super" means and its intended benefits to consumers is needed to encourage innovation and make the link between consumer demand and solution development.
Wide stakeholder engagement on possible design solutions for the open super environment is required, taking into consideration existing data infrastructure, such as the STN and the interdependencies of multiple solutions across the end to end superannuation environment.
Agree clear data standards for open super based on the Superannuation Data and Payment Standards.
Adopt the STN as the preferred access mechanism for any open super design to streamline and control data access.
Ongoing Governance: in a highly dynamic environment, which is also subject to a large degree of regulatory change, the long-term success of any infrastructure is dependent on the ongoing governance, continuous improvement and maintenance of the asset.
Representatives of the GNGB confirmed that, with some configuration, it would be possible at a technical level to incorporate Open Super data into the existing data transfer mechanisms utilised by the STN.
Several FinTechs and consumer groups commenting on Open Super argued that the transition to implement Open Super should occur as soon as possible.
Stakeholders representing superannuation providers were less enthusiastic about the rapid rollout of Open Super. The Financial Services Council (FSC) argued that a 'significant pipeline of reform' is currently underway in the superannuation system, and that 'other reforms flagged by the Productivity Commission and Royal Commission are likely to offer a greater benefit to consumers, including the implementation of a ‘default once’ system for default superannuation'. The FSC recommended that in this context, the government should 'delay the development of Open Super until 2022 to allow the appropriate level of resources to be dedicated to this important reform'.
The FSC also commented that the extension of the CDR to superannuation 'should be supported by other reforms as required to ensure that superannuation legislation is technology-neutral, and consumers are able to engage with and manage their superannuation online if they choose'.
The Australian Institute of Superannuation Trustees similarly commented that sufficient time needs to be given prior to the implementation of Open Super, to be able to assess learnings from Open Banking and ensure a considered approach to the transition to Open Super.
ACCC consideration of implementing CDR in Super
Mr Franklin of the ACCC commented in evidence to the committee that one of the ACCC's roles in relation to the CDR is to conduct studies of other industries that could be opened up to the CDR, and that the ACCC would happily take a request to consider the superannuation sector.
Extending CDR to general insurance
Mr Fred Schebesta, CEO of Finder, a comparison website offering services in various financial services segments, argued that the insurance sector, and in particular the market for car insurance in Australia, would benefit from the extension of the CDR:
[We need] more access to car insurance pricing so that Australians can get a better deal and are better protected on the road. Right now superannuation and car insurance are two industries that are very difficult to navigate, to switch, to deal with...Car insurance in the United Kingdom has been an open industry, whereas in Australia it has not been...The pricing of car insurance in Australia is high compared to the UK now. That's because comparison industries have given people choice and have reduced prices. We don't have that here in Australia. You've got two big insurers with 70 per cent of the market controlling it. I say this very openly: they send us legal letters all the time telling us to pull down our comparisons of their products. I don't think that's how a normal competitive market should operate. We should have comparison in the insurance space in Australia. It's not competitive.
FinTech Australia submitted that 'insurtech' companies who are seeking to innovate and disrupt the insurance industry would be greatly assisted by the extension of the CDR to the general insurance sector. It commented:
CDR in insurance is critical in the insurtech sector as there is a fundamental and significant information asymmetry between incumbents and insurtechs. In the insurance industry, access to historical claims information (including no claims bonus information) is critical to designing new products and pricing them.
At present, insurance companies are sharing historical general insurance claims, underwriting and other data through their membership of the Insurance Council of Australia. Disrupters and innovators in insurtech are excluded from accessing this information as they are not APRA regulated insurers and cannot become members of the Insurance Council.
There is no incentive for incumbents to disrupt their own product suites given their market dominance and their control over insurance data. CDR in insurance would disrupt this imbalance and promote an environment where new insurtechs can more easily compete and develop and test new product offerings. This is critical in an insurance market where Lloyd’s and APRA-regulated insurers are exiting certain lines of insurance due to loss making books of business, changes in risk profile and profitability limitations.
Insurance Australia Group (IAG) argued that if CDR is extended to general insurance, there should be provisions to protect underwriting data held by insurers:
[T]he protection of underwriting data, including pricing and historic claims data and models, is essential to the proper functioning of the insurance sector.
Underwriting data is a source of intellectual property and a commercial asset for insurers. It forms the basis of insurers assessing and pricing risk as well as price competition. It is imperative that any future rollout of CDR that looks to grant access (either read or write) to consumer data to Fintech companies does not compromise the IP embedded in the underwriting data of insurers. To do so would be to discourage further innovation in the understanding of risk.
IAG submitted that intellectual property issues need to be considered in the drafting of the CDR Rules for general insurance, including specific exemptions and anti-avoidance provisions to address issues with intellectual property.
Governance arrangements for the Consumer Data Right
As noted above, under the CDR framework, the ACCC has responsibility for developing the detailed rules governing the implementation of the CDR in banking and in subsequent sectors, while the OAIC has responsibility for privacy protections relating to the CDR and the Data Standards Body is responsible for developing technical standards relating to data transfer and security. Treasury also has responsibility for broad policy development in relation to the CDR scheme. Some submitters expressed concern that oversight of the CDR initiative is unnecessarily fragmented, and that regulatory arrangements may need to be consolidated.
The Financial Data and Technology Association submitted:
There is undoubtedly good collaboration between the CDR regulator and the data standards body. However, ongoing ambiguity between the rules and technical data standards may suggest the need for an overall coordinator, similar to the Open Banking Implementation Entity in the UK.
Data Republic contended that more broadly, regulatory responsibility in Australia for all relevant elements of the data economy is split across multiple different bodies or government departments, resulting in problems including: confusion within and outside of government about departmental ownership and mandate for different components of the data value chain; and piecemeal legislation and policy action in different parts of the data economy. It recommended that Australia should ‘centralise data economy regulation and industry development under one dedicated government body to allow for greater transparency, accountability and effective engagement with private industry’.
Data Republic contrasted Australia’s fragmented regulatory arrangements with those of Singapore, which has ‘evolved rapidly to a single executive branch for the data economy which has a paired model of accelerator (innovation, industry development) and brake (privacy, sovereignty etc)’. It explained further:
The IMDA is a statutory board in the Singapore government, that seeks to deepen regulatory capabilities for a converged info-communications media sector (i.e. data) while safeguarding the interests of consumers and fostering pro-enterprise regulations.
Within the IMDA, the paired brake/accelerator model reports under a single statutory authority (separate sub-branches) which allow for nuanced decisions to be made that might require consideration of trade-offs between privacy and innovation. These two sub-branches are:
● Personal Data Protection Commission – whose mission is to “promote and enforce personal data protection so as to foster an environment of trust among businesses and consumers, contributing to a vibrant Singapore economy”; and
● Data Innovation Programme Office (DIPO) – stated ambitions include facilitating data-driven innovation projects, and the development of Singapore’s data ecosystem. DIPO will introduce a Data Sandbox Programme, a trusted platform for companies to share data across sectors.
These capabilities have been organised to deliver on Singapore’s stated ambition “to build the world’s first “global data exchange”, based in Singapore”. Given a coordinated and comprehensive top down data strategy, the ability to organise industry and Singapore’s status as a progressive yet privacy-centric country, they are well-placed to achieve this vision.
In relation to Australia’s regulatory arrangements for data issues, the Australian Banking Association (ABA) submitted:
The Consumer Data Right (CDR) is a transformational Australian innovation that will empower consumers to utilise their own data, making more informed decisions about the financial products that best suit them and their families.
With the launch of Open Banking and the CDR in 2020, Australia is uniquely placed and we should now examine, refine and consolidate the regulatory responsibility for all relevant elements of data management and privacy in the digital economy that is currently split across multiple regulators and government departments.
The ABA believes it is critical that a more effective, clear and accountable regulatory structure is established for such an important part of the Australian economy. Ultimately, a co-ordinated national data strategy should also be tasked with facilitating public and private sector collaboration by engaging with and solving those data issues as they emerge. A good example of this would be ensuring that the privacy regime that accompanies the CDR does not conflict with existing Australian Privacy Principles…such that incumbents and start-ups entering a market only have to comply with one clear set of privacy obligations thereby strengthening compliance, protecting consumers and also minimising regulatory costs and facilitating innovation.