Open Banking is powered by consents and authorisations. To have a crack at finding better deals on financial services, and eventually saving money, consumers must consent and authorise.
Consumers must authorise the sharing of their financial data with a third party, and they must consent to the third party using the data within specified constraints, as depicted in Figure 1 (my own take on the process).
Figure 1: Consent + Authorisation = Better Deals?
Consumers must provide two elements of agreement to have their data shared and used, as summarised below:
- Consent to the Accredited Data Recipient (e.g. a potential new bank) to collect and use the data. This consent specifies:
  - Data (including data types and the period of time covered);
  - Purpose of use; and
  - Time constraint (the period for which holding and using the data is allowed). The expected maximum is 90 days. After that period the data becomes “redundant”; the ACCC has not yet decided on its requirements for redundant data (e.g. mandating de-identification or deletion).
- Authorisation to the Data Holder (e.g. the current bank) to share data with a specified Accredited Data Recipient. This authorisation specifies:
  - Data in scope of sharing, which is expected to match the data in scope of the consent given to the Data Recipient; and
  - Time constraint (a once-off request, or open for up to 90 days), which is independent of the time constraint consented to for the Data Recipient.
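To make the two agreements concrete, here is an added example (my own illustration, not code from the CDR Rules or any participant) that models a consent and an authorisation as records and checks them against the constraints listed above: the data scopes must match, each agreement has its own duration capped at 90 days, a once-off authorisation can be used only once, and a use request outside the consented data types, purpose or time window is refused. All field names, the sample banks and the dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_DAYS = 90  # the 90-day ceiling the post gives for both agreements


@dataclass(frozen=True)
class Consent:
    """Consumer -> Accredited Data Recipient: what may be collected and used.
    Field names are this example's own (hypothetical), not CDR terminology."""
    recipient: str
    data_types: frozenset      # kinds of data, e.g. {"transactions", "balances"}
    data_from: str             # ISO date: start of the period the data covers
    data_to: str               # ISO date: end of that period
    purpose: str               # the Specified Purpose
    granted_on: str            # ISO date the consent was given
    duration_days: int         # how long holding and use is allowed


@dataclass(frozen=True)
class Authorisation:
    """Consumer -> Data Holder: what may be shared, with whom, for how long."""
    holder: str
    recipient: str
    data_types: frozenset
    granted_on: str
    duration_days: int         # 0 models a once-off request


def _d(s):
    return date.fromisoformat(s)


def validate_agreement(consent, authorisation):
    """Return the list of inconsistencies; an empty list means the pair is sound.
    The two durations are deliberately NOT compared: the post says they are independent."""
    problems = []
    if not 0 < consent.duration_days <= MAX_DAYS:
        problems.append(f"consent duration {consent.duration_days} days outside 1..{MAX_DAYS}")
    if not 0 <= authorisation.duration_days <= MAX_DAYS:
        problems.append(f"authorisation duration {authorisation.duration_days} days outside 0..{MAX_DAYS}")
    if authorisation.recipient != consent.recipient:
        problems.append("authorisation names a different recipient than the consent")
    if authorisation.data_types != consent.data_types:
        problems.append("authorised data does not match consented data")
    if _d(consent.data_to) < _d(consent.data_from):
        problems.append("consent data period ends before it starts")
    if not consent.purpose.strip():
        problems.append("consent has no specified purpose")
    return problems


def check_use(consent, data_type, purpose, on):
    """May the recipient use `data_type` for `purpose` on ISO date `on`?"""
    if data_type not in consent.data_types:
        return "data type outside consent"
    if purpose != consent.purpose:
        return "purpose outside consent"
    expiry = _d(consent.granted_on) + timedelta(days=consent.duration_days)
    if _d(on) >= expiry:
        return "consent expired: data is redundant"
    return "ok"


def check_share(authorisation, on, prior_shares):
    """May the holder share on ISO date `on`, given how many times it already has?"""
    if authorisation.duration_days == 0:
        return "ok" if prior_shares == 0 else "once-off authorisation already used"
    expiry = _d(authorisation.granted_on) + timedelta(days=authorisation.duration_days)
    return "ok" if _d(on) < expiry else "authorisation expired"


# Constructed sample agreements (not real consumers or banks).
SAMPLE_CONSENT = Consent("NewBank", frozenset({"transactions"}), "2019-01-01", "2019-06-30",
                         "loan assessment", "2019-07-01", 90)
ONCE_OFF_AUTH = Authorisation("CurrentBank", "NewBank", frozenset({"transactions"}), "2019-07-01", 0)
PERSISTENT_AUTH = Authorisation("CurrentBank", "NewBank", frozenset({"transactions"}), "2019-07-01", 30)
MISMATCHED_AUTH = Authorisation("CurrentBank", "NewBank", frozenset({"transactions", "balances"}),
                                "2019-07-01", 120)

if __name__ == "__main__":
    print(validate_agreement(SAMPLE_CONSENT, ONCE_OFF_AUTH))
    print(validate_agreement(SAMPLE_CONSENT, MISMATCHED_AUTH))
    print(check_use(SAMPLE_CONSENT, "transactions", "loan assessment", "2019-09-29"))
```

The design point is that the recipient-side check (`check_use`) and the holder-side check (`check_share`) are evaluated against different records with different clocks: a consent still being valid says nothing about whether the holder may still share, and vice versa, which is exactly the independence the post describes.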
Collect, use and pass on data
Accredited Data Recipients can collect, use and pass on consumers’ data to third parties, but they can only do so within the constraints of the consumers’ consents.
Data Recipients initiate requests for consent, which must clearly specify the uses to which the data will be put. Consumers are to be properly aware of, and understand, what they are consenting to. Consents must also be express and explicitly provided (explicit opt-in), and must be easy to withdraw with “near immediate effect”.
For joint accounts, the consent of one individual suffices to share data, and it is suggested that all individuals with account transaction authority be notified and that any of them be allowed to terminate data sharing agreements. For example, my wife and I have a joint bank account. I could initiate a data sharing agreement with another bank without any action by my wife. Conversely, my wife could subsequently terminate the data sharing agreement by revoking consent without my action.
A Data Recipient that has collected data (and is therefore holding data) does not become a Data Holder under the terms of the CDR Rules, and as such cannot share data with another Data Recipient under Open Banking use cases. However, there are two scenarios in which an Accredited Data Recipient can pass collected data on to another third party:
- A non-accredited entity such as a consumer’s accountant, provided the transfer is clearly within the Specified Purpose and the other consent constraints. In this scenario, the data leaves the realm of the ACCC CDR Rules. In the example of an accountant, the ACCC does not regulate how the accountant manages the data it has received from the Data Recipient.
- A service provider to the Data Recipient, which may add value to the services of the Data Recipient (e.g. a storage provider or an advisor). The service provider is not required to be accredited. However, the Data Recipient is required to ensure, and is responsible and liable for ensuring, that the service provider manages the data, the data risks and the data security in full alignment with the CDR Rules.
An additional scenario of data sharing with an intermediary is included in the CDR Rules, but I won’t comment on it as it does not appear to be a fully committed use case under CDR.
When authorised to do so by a consumer, Data Holders must comply with the authorisation request and they must provide the Accredited Data Recipient with the authorised Specified Data.
The authorisation process must meet specific standards prescribed by the ACCC, which include for example:
- Provide multi-factor authentication (MFA) consistent with the requirements of the European Union Payment Services Directive (PSD2) Regulatory Technical Standard (RTS) for Strong Customer Authentication (SCA);
- Implement the OAuth 2.0 authorisation framework by reference to the UK Open Banking Security Standard, specifically adhering to the Financial-grade API (FAPI) Read/Write Profile. FAPI further constrains the OpenID Connect (OIDC) standard by prescribing detailed security requirements (e.g. TLS considerations such as permitted ciphers). I suggest referring to the CSIRO/Data61 Consumer Data Standard Security Profile for further details on the Australian-specific technical standards required for CDR and Open Banking;
- Not add any further requirements to the authorisation process beyond those specified in the ACCC-endorsed standards, such as the PSD2 RTS for SCA and FAPI referred to in the point above;
- Provide a reasonable level of control over the granularity of the Specified Data to share. The requirement on granularity is expected to be further refined in the future;
- Provide the ability for a consumer to grant authorisation for a specific once-off request, or authorisation that persists over time (maximum 90 days);
- Comply with data sharing performance service levels and provide API performance reports on the data sharing;
- Provide a Consumer Dashboard (see below).
What did I consent to? Where can I withdraw a consent?
Data Holders and Data Recipients are both required to provide Consumer Dashboards (online interface) allowing consumers to easily view and revoke their consents and authorisations. The respective dashboards must provide consent statuses (e.g. revoked) and historical details.
Consumers can revoke a data sharing agreement with either the Data Recipient (withdraw consent) or the Data Holder (revoke authorisation). The party with which the revocation is triggered must inform the other party.
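The dashboard and revocation rules above imply two things for an implementation: both parties keep their own record of each agreement with a status and a history the consumer can inspect, and a revocation triggered at one party must be pushed to the other. The following is an added example of my own (not a CDR specification or any bank's code) showing a minimal two-party model in which revoking at either the Data Holder or the Data Recipient marks the agreement revoked on both dashboards, records who triggered it and which party notified the other, and is idempotent so the two parties cannot keep notifying each other. The participant names, agreement id and the joint-account scenario are constructed.

```python
from dataclasses import dataclass, field

# Constructed two-party model; names and roles are this example's own.


@dataclass
class DashboardEntry:
    agreement_id: str
    counterparty: str
    status: str = "active"
    history: list = field(default_factory=list)   # (event, actor) tuples, oldest first


class Participant:
    """Either a Data Holder or a Data Recipient; both keep a consumer dashboard."""

    def __init__(self, name, role):
        assert role in ("holder", "recipient")
        self.name, self.role = name, role
        self.entries = {}
        self.peer = None            # the other party to an agreement, set by link()

    def register(self, agreement_id, counterparty, actor):
        entry = DashboardEntry(agreement_id, counterparty)
        event = "authorisation granted" if self.role == "holder" else "consent given"
        entry.history.append((event, actor))
        self.entries[agreement_id] = entry

    def revoke(self, agreement_id, actor, notified_by=None):
        """Revoke here and inform the peer. Returns False if already revoked,
        which is also what stops the two parties notifying each other forever."""
        entry = self.entries.get(agreement_id)
        if entry is None or entry.status == "revoked":
            return False
        entry.status = "revoked"
        event = "authorisation revoked" if self.role == "holder" else "consent withdrawn"
        if notified_by:
            event += f" (notified by {notified_by})"
        entry.history.append((event, actor))
        if notified_by is None and self.peer is not None:
            self.peer.revoke(agreement_id, actor, notified_by=self.name)
        return True

    def status(self, agreement_id):
        return self.entries[agreement_id].status

    def dashboard(self):
        """What the consumer sees: each agreement with its status and history."""
        return [(e.agreement_id, e.counterparty, e.status, list(e.history))
                for e in self.entries.values()]


def link(holder, recipient):
    holder.peer, recipient.peer = recipient, holder


def setup_joint_account_scenario():
    """Constructed scenario: one joint-account holder sets up sharing; the other
    may later revoke at the Data Holder, and the Data Recipient must learn of it."""
    holder = Participant("CurrentBank", "holder")
    recipient = Participant("NewBank", "recipient")
    link(holder, recipient)
    recipient.register("agr-1", "CurrentBank", actor="account holder A")
    holder.register("agr-1", "NewBank", actor="account holder A")
    return holder, recipient


if __name__ == "__main__":
    holder, recipient = setup_joint_account_scenario()
    holder.revoke("agr-1", actor="account holder B")
    for party in (holder, recipient):
        print(party.name, party.dashboard())
```

In a real deployment the `peer.revoke(...)` call would be a notification over the network, and the "already revoked" return is what makes a retried or duplicated notification harmless rather than a loop.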
A long road to finding better deals
Having your data used to find better deals comes with some complexity and a long list of requirements and challenges for the CDR Participants under Open Banking in Australia. The first release of Open Banking Australia, which can be qualified as an MVP (see Open Banking Australia), is scheduled for July 1, 2019, but the CDR/Open Banking standards are still a work in progress and already outline some serious technical considerations.