-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Standards & Guidelines regarding Sponsored Accreditation #427
Comments
Hi @biza-io thanks for raising this. There is a fair bit to address in this issue. Just touching on the consultation earmarked in NP207, this was anticipated as a future consultation once v3 rules related standards were finalised. This issue was deprioritised due to the extent of v2 and v3 rules obligations on DHs and other issues identified in NP207. Given the community request to address this topic (including this issue), we will bring forward the DP consultation on this subject and consider the feedback presented in this change request. |
TrueLayer supports the indication of @CDR-API-Stream to bring forward consultation on this subject and suggest there would be merit in extending the scope of that work to include all access arrangements discussed in NP207. Thank you @biza-io for describing a range of identified issues and proposing potential solutions associated with the rapidly approach Sponsor/Affiliate model 👏. There are also potential issues with the (already active) Principal/Representative model that would benefit from adjustments to metadata in order to adequately represent relationship attributes where a single software product is used by multiple representatives. This would support better consumer experiences where intermediaries are used to collect data. We are concerned that one potential 'easy' solution might be to advise intermediaries to allocate a unique software product to each representative. This would be highly problematic for those planning to offer a platform product at scale. Aside from negating the commercial viability of this approach, it would also create very real practical issues for things such as client certificates, IDs, deployment of changes across products and CTS retesting. We would appreciate CX Guidance and a Register Attribute Review being deemed as prioritised activities to enable design and engineering teams currently working on solutions to have confidence that they will be compliant and that the CX for consent, authorisation and dashboard functionality can clearly communicate the role of all parties involved. This work will benefit any ADR considering an alternate access arrangement. |
We note the following notice from the ACCC related to the issues highlighted by this ticket:
We wish to highlight, once again, and not withstanding the technical issues outlined, that with this communication the following behaviours will be experienced by all data holders:
Further we note the following:
|
We support @biza-io's suggested change to introduce additional metadata to allow Data Holders to give clear guidance to consumers about the data disclosure that is occurring. We also agree that data disclosure traceability is crucial. We think it must be maintained regardless of the access model that a Data Recipient participates in CDR under. Data disclosure traceability and accountability in CDR is strong with the current software products model. A software product belongs to a Data Recipient. A software product is registered with a Data Holder by way of dynamic client registration. A client ID is issued by the Data Holder to a Data Recipient for that particular software product. Authorizations are then made with that client ID. There is no grey area. Adatree has already built for Principal/Rep at scale with the current standards that are in place in order to maintain strong data disclosure traceability. I agree with @RobHale-Truelayer that it is the 'easy' route for the ecosystem but it's also on the right path for data disclosure traceability. Yes, the complexity on intermediaries is increased but that's why the intermediary model exists, to handle complexity. To completely abstract a downstream ADR client behind the software of a Sponsor/Principal would be to introduce grey into the data disclosure process and erode traceability. We think as a rule of thumb authorization should become more accurate and not less. Management of multiple IDs and associated certificates at scale is not something that modern multi-tenant software should be too concerned with and absolutely shouldn't drive ecosystem policy. The ecosystem must not fit the technology, the technology must fit the ecosystem, and the ecosystem's intent has always been traceability and accountability. Without individual consumer facing software being represented at a client level at a Data Holder there is no disclosure traceability within the ecosystem aside from within Data Recipient Sponsor/Principal platform solutions themselves. Might this be good enough? Regardless of whether it works or not it is a step backwards for the ecosystem in our opinion. Transparency has been demanded from Data Holders. We feel Data Recipients of any nature should be held to the same standard. Consumers give consent to disclose data to use a product or service. A data collection platform is not a product or service of any relevance to a consumer. It is an ecosystem implementation detail. A facilitator of disclosure. We don't think a consumer should be giving authorization to a client ID at a Data Holder that is attached to a data collection software product that also encapsulates hundreds of other downstream software products. We propose:
The benefits of the above are as follows:
Again, in our view the above is in fact the 'easy' solution for the ecosystem but also (currently) the only one to maintaining authorization integrity within it. We don't think it should be degraded to accomodate the system design choices of individual participants. Adatree will support any proposed changes to increase the accuracy of data disclosure traceability but we feel we must oppose anything that could potentially reduce it. |
@biza-io our understanding is that consent referencing the sponsoring entity would contravene the below from https://www.legislation.gov.au/Details/F2021L01392:
Edit: As @biza-io has kindly pointed out their point is related to Sponsor/Affiliate and not Principal/Rep model. |
Just going to callout here that allocating a software product to sub-parties in all models will be challenging because Software Products belong to Brands and Brands belong to Recipients which are linked to Legal Entities. There is currently only an inherited legal entity identifier from 2 levels up the tree outlined in the (redacted during merge of Register into CDS Standards) historical Register standards: Despite it no longer being located in the "Standard" the JSON structure doesn't lie. This therefore flies in the face of CX Guidelines which explicitly promote the use of legal entity details:
Essentially, irrespective of the accreditation status the legal entity will show the Unrestricted ADI providing service (via whatever means). The only other pathway would be to have every downstream entity created at the top level with essentially no link to the sponsoring entity. Speaking of which a UK colleague mentioned that they solved it by introducing OnBehalfOfObOrganisation:
|
Note that interim guidance, that can be used while changes to the standards are agreed and implemented, has been posted at: ConsumerDataStandardsAustralia/standards#228 |
Although we acknowledge there is now a related noting paper, it seems appropriate to continue the dialogue in the context of other responses. We'll provide a direct comment within 228 in due course. It's great to see the range of well-considered ideas and proposed adjustments emerging through this issue, particularly those from @ShaneDoolanAdatree 👏 👏 We would support the following earlier suggestions:
These would go a long way towards overcoming real, shared issues that ADRs have identified and flagged, specifically, the:
This approach would also allow intermediaries flexibility to offer a SaaS platform for Representatives with reduced risk in terms of instant and universal application of patches, fixes, enhancements etc on a single, existing, tested and operationally proven codebase. It is perhaps also worth re-stating here that, while Affiliate and Representative models both raise similar technical issues, there is a fundamental difference in that the Affiliate relationship involves 2 x ADRs. This allows the Affiliate's accreditation to be suspended or revoked independently of the Sponsor. With the Representative model, there is only 1 ADR, the Principal so another mechanism is needed in order to discriminate, and the multiple software product arrangement enables this. These proposed adjustments potentially resolve all but one identified issue - that of certificate management under the Representative model. While this can be managed by the ADR platform, there is room for debate here in terms of whether it is appropriate for an entity that is not collecting data to be issued with a client certificate. We therefore encourage further discussion and debate on the following points:
We would also appreciate advice from ACCC/DSB on these two items:
|
To help manage the scope of issues being discussed through the standards maintenance process, issue #508 has been raised so the impact of improving the scalability of onboarding software products can be prioritised separately. Issue #508 will discuss the following requests were raised by ShaneDoolanAdatree:
|
The below responses are provided as an update to 427's progress: Display of Affiliate Name in Data Holder Dashboard Display of Sponsor's Name/Accreditation Number Authentication to Sponsor's Dashboard Identification of Accreditation type in the Register API |
I believe this thread and the scope of change required will need to be assessed again based on the "other operational enhancements" additions in the latest rules draft: https://treasury.gov.au/consultation/c2022-315575 |
Description
We have opened this item as a changelog item because the only guidance regarding the areas of issue is that contained in Noting Paper 207 which is closed. The issues raised are a result of CDR Rules V3 amendments made 30 September 2021 and for which Sponsored Accreditation is available from 1 February 2022. Our reading of the amendments seems to indicate that a current Unrestricted Data Recipient can enter into an agreement at any time after 1 February provided they notify the "Data Recipient Accreditor as soon as practicable, but no later than 5 business days" and the Registrar has recorded on the "Register of Accredited Persons that the person is an affiliate of the sponsor" which could feasibly be done in the construct of the current Register API meeting the legal requirement but with likely unintended technical consequences.
In the interest of avoiding ambiguity:
We acknowledge the areas outlined here are likely to not be complete with regards to the likely changes to the Standards.
Display of Affiliates Name within Data Holder Dashboard
Under 1.10D (2) a Sponsor may collect data on behalf of the Affiliate:
As a consequence of this, such data collection may occur using the sponsors information security registration and, subsequently, the Data Holder will only have visibility of the Sponsor. This item was highlighted by the DSB in NP207 but we are not aware of any Decision Proposal to resolve it:
The Holder Dashboard therefore is likely to have information which is not aligned with the Recipient Dashboard especially as the accredited person now appears to incorporate sponsored affiliates.
Display of Sponsors Name & Accreditation Number within Affiliates Dashboard
The dashboard operated by an affiliate must display the sponsor's name and sponsor's accreditation number:
These requirements are not currently incorporated in the CX Guidelines. Noting Paper 207 stated that "No additional CX Data Standards are anticipated for this item" however the rules incorporate this information as part of "details of each consent" so we are left to ask whether such a statement is incorrect.
Authentication to a Sponsors Dashboard
It is unclear how (or if) there is an expectation that a Consumer will be required to authenticate to the Sponsors dashboard for the purposes of managing arrangements. In certain situations (like where the Sponsor is collecting on behalf of the Affiliate) this may be the only method of managing arrangements yet there does not appear to be any such Standards relating to this and it is very unclear how this would be smoothly managed for the Consumer.
Identification of Accreditation Type in the Register API
There is currently no prescribed method of identifying the accreditation type within the Register API. This appears to be stated as a mandatory requirement within the amendments to Division 5.3, 5.24:
Area Affected
Change Proposed
Biza.io continues to question the viability of authorisation chaining that is not cryptographically bound and, while highlighting this via various industry body submissions since 2019, again looked to highlight this without entering a technical deep dive in our response regarding Rules V3 ("Data Disclosure Traceability"). We continue to believe that the most effective means of communicating multi-level consent is likely an encapsulated cryptographically signed consent descriptor.
Nonetheless, as time is now of the essence and not wishing to delay the activation of Affiliates by February 2022 we propose the following tactical changes:
Display of Affiliate Name in Data Holder Dashboard
a. Introduce a
dataRecipientBrandType
intodataRecipientBrands
attribute ofRegisterDataRecipient
allowing for the disclosure of SPONSORED vs. UNRESTRICTED and within which the software product of the Affiliate could be contained (allowing for Holders to render such implications). (Possibly) introduce adataRecipientBrandSponsorId
attribute to allow for explicit linking of an Affiliate to a specific Data Recipient Brand.b. Specify CX Guidelines related to the disclosure of the Affiliate Name in the Data Holder Dashboard.
Display of Sponsors Name/Accreditation Number
CX Guidelines should incorporate Sponsorship details within the Data Recipient dashboard
Authentication to Sponsors Dashboard
Specify a CX Standard that an Affiliate must provide a Dashboard, accessible via its existing authorisation channels (or potential within its software product directly) that directly manipulates the arrangements collected on its behalf by the Sponsor.
Identification of Accreditation Type in the Register API
This is likely resolved by proposed change 1(a).
The text was updated successfully, but these errors were encountered: