Clarification: November obligations for concurrent consent #128

Closed
CDSAustralia opened this issue May 28, 2020 · 0 comments
Labels
Category: API A proposal for a decision to be made for the API Standards made Category: InfoSec Information Security Technical Working Group Decision Proposal Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting Industry: Banking This proposal impacts the banking industry


Request for clarification

A request was made at yesterday’s Banking Data Standards Advisory Committee (27/05/2020) pertaining to the Standards applicable for concurrent consent and related November 2020 compliance obligations.

Answer

Unless there is a change in compliance obligation dates advised by either Treasury or the ACCC, the following applies for 1st of November 2020 obligations.

At a high level, concurrent consent introduced three standards changes:

  • Adoption of Pushed Authorisation Requests (PAR) as a mechanism to stage authorisation and push sensitive authorisation details into the back-channel
  • A CDR Arrangement API hosted by both data holders and data recipients that facilitates consent withdrawal by both parties
  • Introduction of a CDR Arrangement Identifier to uniquely identify ongoing sharing arrangements facilitating concurrent consents

And, concurrent consent removed one standards obligation for data recipients:

  • Data recipients no longer host a revocation API. Instead, this has been replaced with the CDR Arrangement API.

These changes went through a full consultation process, which involved multiple iterations, and were reviewed by the Banking Data Standards Advisory Committee prior to approval for inclusion in v1.3.0 of the standards, which was published on 17 April, 2020.

The changes above are specified in the 1.3.0 release of the standards, which has since been updated to 1.3.1 to address feedback and errata. Data holders and data recipients should be aligning their November implementation to this version of the Data Standards.

No further changes to the standards which specify November compliance obligations will be considered unless requested changes are expressly marked as Urgent Change Requests and have the full support of all impacted Data Holders and ADRs during the consultation process.

CDSAustralia added the Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting label May 28, 2020
ConsumerDataStandardsAustralia locked and limited conversation to collaborators May 28, 2020
CDR-API-Stream added Category: API A proposal for a decision to be made for the API Standards made Category: InfoSec Information Security Technical Working Group Decision Proposal Industry: Banking This proposal impacts the banking industry labels Jun 10, 2020