©2018-2019 by The GRC Institute - Governance, Risk & Compliance.  ABN: 42862119377

ACCC consulting on CDR rules

September 12, 2018

The competition and consumer regulator is consulting on the consumer data right (CDR) to meet the open banking deadline next year.

While the ACCC will be overseeing the CDR in some sectors, the banking sector is set to be the first one to be regulated in this way.

In the paper, Consumer Data Right Rules Framework, the ACCC said that the draft rules around the consumer data right will be released at the end of this year.

The focus of the consultative paper is the rules and standards framework, with the aim of getting the rules and standards in place for next year.

Rules and Standards

In the ACCC consultation report there is an acknowledgment that there will need to be a close correlation between standards and rules.

The paper indicated that there will not be a fee for access to consumer data by third parties once consent or authorisation has been given. The paper also addresses broadening the definition of the word customer to include large business customers with ‘specifically tailored banking products’.

Former customers being able to access their data is not a priority for the first draft rules, but the ACCC indicated that this is something to be considered in the future.

The ACCC writes:

However, the ACCC considers it desirable that former customers are brought within the scope as soon as possible, and seeks stakeholder views on what would be a reasonable timeframe for requiring data holders to share the data of former customers under the CDR regime.

Offline customers will be considered for the first draft rules, but the initial benefits will be for those who are online. The report said that the methods with which customers offline can access their data are something that will be brought into scope in the first draft.

Who it applies to

The open banking regime will apply to Australian authorised deposit-taking institutions (ADIs) but will not apply to what the report defines as foreign bank branches.

The implementation will be phased and the big four banks will be the first to be captured by this, while the other ADIs, including brands related to the big four, will be brought into scope with a 12-month delay.

What Data is in Scope?

The scope will be data that is held digitally and is product data that is held within the scope of the regime, and this will not include identity verification or authorisations to share data.

The ACCC writes:

The ACCC proposes to make rules to specify minimum inclusions for ‘transaction data’. The ACCC welcomes submissions from stakeholders on what transaction metadata could be within scope; what benefits to consumers it could deliver; and what risks would arise. The ACCC proposes to make rules to specify minimum inclusions for ‘product data’. The ACCC proposes to make rules to the effect that data holders will be obliged to make ‘generic’ product data publicly available. The ACCC proposes to make rules which specify that the standards will include further detail with respect to the relevant data sets, including specific fields and formats and a detailed product data taxonomy. The ACCC proposes to make a rule to the effect that data should be shared in the format as determined by the standards.

Derived Data and Reciprocity

While the document speaks about the derived data falling into the CDR scope, for the purposes of privacy this will not include what the ACCC defines as the “data that results from ‘material enhancement by the applications of insights, analysis or transformation by the data holder’”.

The document goes on to discuss sharing the customer data, the product data and transaction data inasmuch as it is connected to the scope of the CDR.

The ACCC is looking at the concept of reciprocity between those participating in the data sharing, but none of this can take place without the authorisation or consent of the consumer or customer.

The ACCC will also be looking at making rules around accreditation for the data recipient.
