
Decision Proposal 144 - Amending Consent | Authorisation Flow #144

Closed
CDR-CX-Stream opened this issue Dec 4, 2020 · 20 comments
Labels: Category: CX (a proposal for a decision to be made for the User Experience Standards); Industry: All (this proposal impacts the CDR as a whole, all sectors); Industry: Banking (this proposal impacts the banking industry); Industry: Electricity (this proposal impacts the electricity industry sector); Status: Decision Made (a determination on this decision has been made)

Comments

@CDR-CX-Stream (Member)

CDR-CX-Stream commented Dec 4, 2020

April 6 2021: Decision Made
This decision was approved on 2 April 2021. The decision record is attached below:
Decision 144 - Amending Consent - Authorisation Flow.pdf

---

March 19 2021: Proposal Revision
A final revision to decision proposal 144 is now open for consultation. The purpose of this proposal is to allow the community to review the final position and provide feedback before the decision is submitted to the Data Standards Chair for approval.

Specifically, this decision proposal seeks to:

  1. Decide the obligation levels for each item
  2. Decide the compliance date for the proposal as a whole
  3. Decide if the revisions provide an appropriate level of flexibility for exception scenarios

The revised decision proposal is attached below:
Decision Proposal 144 - Revision - Amending Consent - Authorisation Flow.pdf

Feedback is now open for this proposal for one week and will close on Friday, 26th March 2021.

---

December 4 2020: Original Proposal
This decision proposal relates to the topic of amending consent as outlined in the recent ACCC consultation.

Specifically, this decision proposal seeks to:

  1. Identify authorisation flow options that support amending consent experiences
  2. Decide if accounts that are already associated with the consent should be pre-selected by the DH
  3. Decide if DHs should signify ‘new’ versus ‘existing’ aspects of the authorisation
  4. Decide if other entity selections, such as customer profiles, should be assumed based on the entities already associated with the consent
  5. Decide the appropriate implementation timeframe(s) for any supported options

The consultation draft for this decision proposal is attached below:
Decision Proposal 144 - Amending Consent | Authorisation Flow

Feedback is now open for this proposal for an extended period to account for the end of year break. This consultation window was originally due to close on Friday 22nd January 2021 and has been extended to Monday, 1st February 2021 at 5pm.

---

Edit: The hyperlinks in the decision proposal document have been corrected for those who were experiencing issues.
Edit: Feedback window extended
Edit: Revision to DP144 published
Edit: Decision record published

@CDR-CX-Stream CDR-CX-Stream added the labels Status: Open For Feedback, Category: CX, Industry: Banking and Industry: Electricity on Dec 4, 2020
@CDR-CX-Stream CDR-CX-Stream self-assigned this Dec 4, 2020
@CDR-API-Stream CDR-API-Stream re-applied the labels Industry: All, Industry: Banking and Industry: Electricity on Dec 10, 2020
@commbankoss

Commonwealth Bank requests an extension on the decision proposal to allow participants sufficient time to review and provide feedback, especially with additional context once rules v2 are published. We would also like to reiterate that any technical changes that may arise from this consultation should have minimum 6 months lead time from standards finalisation date to obligation date. Complex changes may require longer time to implement and a well defined transition period.

@Susan-CDR

Suncorp requests an extension on this proposal. We have a 3 week shutdown over the Christmas period so this leaves only 3 weeks to review whilst we are in a critical time for our July 21 major delivery. Additionally I would like to note that any dataholder changes arising from this proposal should have a minimum 6 months from standards finalisation to delivery. Suncorp plans to be completing its build and moving into testing early in 2021 so any change to the scope of the Phase 1 (July 21) release will impact our delivery timeline.

@da-banking

Data Action agrees with views shared by Commonwealth Bank and Suncorp regarding a minimum 6 months lead time from standards finalisation to delivery. Out of the 3 options presented in this proposal, Data Action prefers option 3.

@ValentinaDunoski

ING requests an extension on the decision proposal to allow us and our peers sufficient time to review and provide feedback, especially with additional context once rules v2 are published.

We would also like to reiterate that any technical changes that may arise from this consultation should have a minimum 6-12 months lead time from standards finalisation date to obligation date. We are moving to an environment where Capital and Operational expenditure is tighter than in previous years as a result of the pandemic. It is important to note that particularly complex changes may require a longer time to implement, a well defined transition period, and embedding into the organisation's processes.

@CDR-CX-Stream (Member, Author)

Thanks to those who have made early contributions to this discussion.

This consultation will be extended to 5pm Monday, 1st February in response to community requests for extension and taking the upcoming January 26th public holiday into account.

@spikejump

Intuit welcomes the discussion on standardisation of amending consents.

Of the 3 options, option 2 or 3 are better for end-users. In general, the earlier the option is effective in the ecosystem the better experience will be for end-users.

To make the proposal clearer and cleaner for DH/DR and consumers, perhaps the following can be added in the proposal:

  • When cdr_arrangement_id is received by DH as part of the PAR request, DHs MUST NOT provide changes of requested scope, sharing duration and existing authorised account for consumers in the CX. Consumers are only allowed to either accept (authorise) or reject the amendment request.
    Any desired modification by customers, e.g. removal of accounts, should be taken care of by existing mechanisms. That is, either i) create a new concurrent consent or ii) revoke existing and create a new consent.

The rationale here is that ADRs have specific needs to service the customers and hence the request is specific. It is cleaner for ADRs to support rejection of amendment requests than to support modification at DHs and recover, if at all possible, from partial authorisation. The customer experience can be extremely bad and complicated during the recovery at DRs due to the number of potential issues that can arise.

For example, if an amendment request from an ADR is to extend sharing duration only, but the customer accidentally unselects the bank:accounts.detail:read data scope, then the end result for the ADR is a consent without the required data scope. The ADR will no longer be able to provide the required service for the customer. While the CDR CX per se seems fine, the customer experience at the ADR now suffers. Recovery at the ADR can be more challenging than losing the whole consent.

It is also envisaged that, with this proposal where customers can only accept or reject, it might be simpler for DHs to implement a highlight of the differences between the amendment request and the original authorisation, compared to a full-on modification of all possible variables.

CX consistency in the ecosystem can be achieved when customers are only asked to accept or reject an amendment request.

Further Down the Road
While we are supportive of standardising the concept of consent amendment, we’d like to request consideration of use of RAR in combination with enhancements in the CX. RAR offers a technical backbone for ADRs to clearly articulate the details of the authorisation request to DHs. It can be used for new authorization as well as amendment. Granted RAR is still in draft at this point in time. However, it would be still worthwhile to roadmap the near future direction on adopting RAR as part of the authorisation process.

@Susan-CDR

Suncorp supports Option 3. We support the proposed change from a CX and technical perspective including the MUST recommendations from November. Unfortunately, it would not be possible for Suncorp to absorb this change prior to November. Additionally, we would not expect there would be a high demand from Consumers to amend consents with Suncorp with our first Phase not being delivered until 1st July 2021.

We also support Intuit's response that the amendment can only be authorised or rejected (not modified). Only the selection of accounts should be available to be modified in the authorisation flow.

@ghost

ghost commented Jan 29, 2021

On behalf of AGL Energy CDR working group:

AGL in principle agrees with the intent behind Decision Proposal 144 of simplifying the consumer experience. However, Decision Proposal 144 is silent on the implications of the Gateway Model for the energy industry.

We request that Decision Proposal 144 expand its scenarios, assumptions, and assessment of each of the options to include the proposed flow options outlined in Decision Proposal 140 and, more broadly, the implications of the Gateway model, its proposed role as the consent master and Decision Proposal 140's approach to Authentication and Authorisation CX flows.

Without this additional detail it is difficult to recommend any of the proposed options.

@anzbankau

ANZ is supportive of the CX changes as it will enhance the experience for customers. The standards should also consider exception scenarios such as:

  • A customer is no longer eligible for 1 or more accounts since the previous consent – our view is any accounts in this situation should be excluded from the preselection.
  • A data cluster is being removed from the consent.
  • The expiry (sharing_duration) passed by the ADR doesn’t match what is held by the data holder (i.e. off by seconds/minutes) - should we highlight this as a diff to the customer?

From an implementation perspective we support Option 3 as this will provide adequate time to design and implement all the necessary changes, subject to any further changes in the proposal.

@NationalAustraliaBank

NAB would like to see these changes included in future versions of the CX guidelines, again with sufficient lead time from the finalisation of the standard.
Considering the above, NAB supports Option 3 and the following:

  • NAB supports the MUST requirement for pre-selecting accounts in consent amendment interactions
  • NAB supports the MUST requirement to distinctly indicate where a dataset is being added to the authorisation, or a duration is being amended. The design choice to indicate this should be left to the data holder's discretion.
  • NAB suggests a SHOULD requirement for omitting profile selection for the November obligation. Authentication and profile selection methods may differ between data holders and we suggest that this should be guidance rather than obligation.

@commbankoss

CBA agrees with the overall decision proposal. Detailed feedback is outlined below.
From an overarching perspective CBA’s expectation is that amendments to duration and data clusters will apply across all accounts within the consent, and that granular consent management will not be introduced as part of this release.

| Document reference | Proposal | Feedback |
|---|---|---|
| Pg 2 | 1. The rules will allow consents to be amended from 1 July 2021 as suggested in the CDR Roadmap published as part of the v2 rules consultation. | CBA requests the compliance date be amended to ensure that a final version of the CX Standards and Technical Standards are published at least 6 months ahead of the compliance date. |
| Pg 2 | 2. Amending consent flows will require the full authorisation flow by default. | CBA supports requiring full authorisation with the Data Holder by default, as this ensures a consistent customer experience. |
| Pg 2 | 10. A future state for amending consent simplification is expected to align with the introduction of FAPI 2.0 over the course of 2021 and 2022. As this future state will be consulted on separately and result in technical changes it should not be seen as a guaranteed change and may also be phased in stages to progressively enhance what is possible. | CBA is supportive of continued consultation from both a customer experience and technical standpoint. CBA reiterates the need for final Standards to be published at least 6 months ahead of the compliance date for any changes. We anticipate that the transition to FAPI 2.0 including fine grain consent management will be a complex change, requiring publication of Standards more than 6 months ahead of the expected compliance date. |
| Pg 3 | Scenario 3 – Amending consents for specific customer profiles. A consumer wants to extend the duration of a number of existing consents in succession. The consumer has to authenticate and authorise each of these changes. The consumer has several customer profiles associated with a single customer ID for multiple consents. For the original consent, the DH offers a ‘profile selection’ step following authentication to allow the consumer to choose if they want to share data for their business accounts or individual accounts. The consumer has to select the correct customer profile for each amending consent’s authorisation flow. | CBA expects that the Accredited Data Recipient will send separate requests to the Data Holder for each of the original consents. |
| Pg 4 | Data Holders SHOULD/MUST pre-select accounts that are already associated with the consent in the authorisation flow. | CBA agrees with allowing pre-selection, assuming consumers will be given the opportunity to amend the pre-selected accounts to remove an account from the consent. CBA expects that amendments to duration and data clusters must apply to all accounts within the consent. CBA recommends that Data Holders should be given the option to provide an explanation on why some accounts have been pre-selected. |
| Pg 4 | Data Holders SHOULD/MUST distinctly indicate where a dataset is being added to the authorisation, or a duration is being amended. This MAY be a ‘new’ label or similar to signify the relevant attribute being changed; the specific design choice is at the data holder’s discretion. | CBA supports indicating new aspects of the consent. CBA expects that amendments to duration and data clusters must apply to all accounts within the consent. CBA also recommends allowing Data Holders to indicate other new aspects of the consent as part of the confirmation screen experience, for example, indicating the accounts which have been newly added to the consent. |
| Pg 4 | Data Holders SHOULD/MUST omit the profile selection step and assume the customer profile already associated with the consent for the authorisation flow. | CBA supports omitting the profile selection screen to streamline the customer experience. However, CBA suggests that in the case where the consumer has multiple profiles, Data Holders MAY be permitted to identify which profile the consent relates to and provide an explanation on how consumers can share customer data from a different profile. |
| Pg 7 | From July 2021, these standards would be articulated as a SHOULD; from November 2021, these standards would be articulated as a MUST: (1) Data Holders SHOULD/MUST pre-select accounts that are already associated with the consent in the authorisation flow. (2) Data Holders SHOULD/MUST indicate where a dataset is being added to the authorisation, or a duration is being amended. This MAY be a ‘new’ label or similar to signify the relevant attribute being changed; the specific design choice is at the data holder’s discretion. (3) Data Holders SHOULD/MUST omit the profile selection step and assume the customer profile already associated with the consent for the authorisation flow. | CBA supports the recommendations made in Option 3, subject to feedback provided above. CBA assumes that Data61 will continue to consult on these amendments and provide a final version of the CX Standards and Technical Standards at a minimum of 6 months prior to the compliance date. |

@WestpacOpenBanking

Westpac welcomes the opportunity to comment on the proposed changes for the amending consent authorisation flow.

  • We recommend that account pre-selection is left as a MAY and that there are specific exclusions in cases where the customer may be misled by pre-selections or it is otherwise impossible to pre-select the entire original list of accounts. As an example, accounts that were associated with a consent at the time it was granted may later become unavailable for data sharing. If this occurs then a pre-selection is undesirable because it may incorrectly suggest to the customer that the account list has not changed since the last time consent was granted.
  • Westpac supports indication of where a dataset is being added to an authorisation or a duration. Careful thought should be given to what is being communicated to customers. We note that as the standards evolve the data cluster language and data fields shared under pre-existing scopes may evolve, for example. We recommend that this requirement remain as a SHOULD.
  • From our perspective, omission of the profile selection step is not relevant until we are able to support business and corporate customers because customers will be unable to select any profile but their personal profile until that time. We recommend that the due date for this requirement aligns with the business and corporates timeline and that omitting the profile selection step remain as a SHOULD. This is because there may also be circumstances where Data Holders are unable to omit the step because a change to configuration of customer profiles has occurred. As an example, a data holder could feasibly allow a customer to create a new profile and move a subset of the accounts associated with a consent to the new profile.
  • Finally, given there is build impact resulting from these changes, a minimum of 6 months should be provided for between standards finalisation and the required implementation date.

@PratibhaOrigin

Origin Feedback

In general, Origin supports the intent behind this Amending Consent and CX consultation (DP-144) – that is, to improve and provide a better customer experience.

Option 3 seems like a preferable option from a data holder's perspective, considering it gives time for implementation of core functionality and leaves time to clarify the details necessary for the implementation of the standards proposed in July 21.

While Option 3 is preferable at this stage, it is unclear to the energy sector how this process will interact with the proposed Gateway Model (DP-140). Following a decision on the role of the Gateway, the scenarios and options outlined in this paper (DP-144) should be re-visited and consulted on with industry. A decision on the role of the Gateway will allow us to consider the details of scenarios and options in greater detail.

Cheers!
Prats

@CDR-CX-Stream (Member, Author)

Thank you everyone for your contributions. Feedback on this decision proposal is now closed while the DSB reviews the submissions. A revision will be developed based on this feedback accompanied by new amending consent CX artefacts.

Some clarifications below based on the DSB's current interpretations:

  • Consumers cannot amend the requested datasets or duration in the authorisation flow. Consumers will only be able to approve or deny (not modify) authorisation requests related to these attributes.

  • Consumers can amend the accounts associated with the authorisation during the authorisation flow because accounts operate independently to authorisations. The expectation is that this will extend to pre-selected accounts.

  • This proposal does not propose greater authorisation granularity and as such duration and dataset amendments will apply to all accounts associated with an authorisation.

  • DP144 does not account for a gateway. When the practical role of CDR gateways becomes clearer the DSB will consider additional consultation on this issue.

  • DP144 assumes that preselection and change indications will only apply to attributes that remain eligible and/or are new aspects of the authorisation request. For example, the expectation would not be to preselect accounts that have become ineligible since the previous authorisation (this would conflict with the rules on eligibility). Similarly, the expectation would not be to indicate where a dataset has been dropped since the previous authorisation.

  • The expectation would be for DHs to indicate where sharing_duration does not exactly match what is held by the DH, even where it may be a shorter duration than the previous authorisation.

  • The v2 rules allow consents to be amended from July 2021 using the full authorisation flow. DP144 is proposing CX enhancements that build on the v2 rules and the basic technical functionality. For example, DP144 currently proposes Option 3 to come into effect in November 2021, 4 months after the July 2021 rules compliance date for amending consents.

  • The future state referenced in DP144 will be subject to extensive consultation in light of the opportunities made possible with FAPI 2.0/RAR.

  • The meaning of 'succession' in 'Scenario 3 - Amending consents for specific customer profiles' describes the situation where a consumer authorises distinct amendments for separate consents/authorisations. This scenario assumes that an ADR is sending separate requests to the DH for each of the original (and separate) consents/authorisations.

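The DSB clarifications above amount to a small set of rules for what a data holder's amendment screen shows and what the consumer may change. The following is an added illustration of those rules in Python, not code from the DSB, the standards or any participant; the dataclasses, the account identifiers and the eligibility set are constructed for the example, and the scope names are used only as sample dataset labels.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, Optional, Tuple

@dataclass(frozen=True)
class Authorisation:
    """What the data holder (DH) currently holds for one cdr_arrangement_id."""
    arrangement_id: str
    profile: str                  # customer profile the consent belongs to
    accounts: FrozenSet[str]
    datasets: FrozenSet[str]      # CDR data scopes
    sharing_duration: int         # seconds

@dataclass(frozen=True)
class AmendmentRequest:
    """Attributes the ADR asks to change. Accounts are never part of the request."""
    arrangement_id: str
    datasets: FrozenSet[str]
    sharing_duration: int

@dataclass(frozen=True)
class AmendmentView:
    """What the DH's authorisation screen should present to the consumer."""
    profile: str
    skip_profile_selection: bool
    preselected_accounts: Tuple[str, ...]
    datasets: Tuple[Tuple[str, bool], ...]   # (scope, flagged as 'new')
    sharing_duration: int
    duration_changed: bool

def build_amendment_view(existing: Authorisation, request: AmendmentRequest,
                         eligible_accounts: FrozenSet[str]) -> AmendmentView:
    """Derive the amendment screen from the existing authorisation and the request."""
    if request.arrangement_id != existing.arrangement_id:
        raise ValueError("request does not refer to the arrangement being amended")
    # Pre-select only accounts that are still eligible today: an account that became
    # ineligible since the previous authorisation must not be pre-selected.
    preselected = tuple(sorted(existing.accounts & eligible_accounts))
    # Flag datasets that are new relative to the previous authorisation. Datasets the
    # ADR dropped are simply absent, since the DSB does not expect them to be indicated.
    datasets = tuple((scope, scope not in existing.datasets)
                     for scope in sorted(request.datasets))
    # Any mismatch is indicated, even by seconds and even when the new duration is shorter.
    duration_changed = request.sharing_duration != existing.sharing_duration
    return AmendmentView(profile=existing.profile, skip_profile_selection=True,
                         preselected_accounts=preselected, datasets=datasets,
                         sharing_duration=request.sharing_duration,
                         duration_changed=duration_changed)

def apply_consumer_decision(existing: Authorisation, request: AmendmentRequest,
                            eligible_accounts: FrozenSet[str], approved: bool,
                            selected_accounts: Iterable[str]) -> Optional[Authorisation]:
    """Approve or deny only: datasets and duration are taken from the request unchanged
    and apply to every selected account; the account selection is the consumer's."""
    if not approved:
        return None                       # denial leaves the existing authorisation as is
    selected = frozenset(selected_accounts)
    if not selected or not selected <= eligible_accounts:
        raise ValueError("selection must be a non-empty set of eligible accounts")
    return replace(existing, accounts=selected, datasets=request.datasets,
                   sharing_duration=request.sharing_duration)

# Constructed sample data (hypothetical identifiers, not from any real DH or ADR).
DAY = 86400
SAMPLE_EXISTING = Authorisation("arr-001", "individual", frozenset({"acc-1", "acc-2", "acc-3"}),
                                frozenset({"bank:accounts.basic:read", "bank:transactions:read"}),
                                180 * DAY)
SAMPLE_ELIGIBLE = frozenset({"acc-1", "acc-3", "acc-4"})   # acc-2 is no longer eligible
SAMPLE_REQUEST = AmendmentRequest("arr-001",
                                  frozenset({"bank:accounts.basic:read", "bank:accounts.detail:read"}),
                                  365 * DAY)
```

With the sample data, `build_amendment_view` pre-selects acc-1 and acc-3 only, flags bank:accounts.detail:read as new, omits the dropped transactions scope, and marks the duration as changed; the consumer can then approve with a different account selection but cannot alter the datasets or duration.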
@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia locked and limited conversation to collaborators Feb 2, 2021
@CDR-CX-Stream CDR-CX-Stream added the labels Industry: All and Status: Feedback Period Closed, and removed Status: Open For Feedback, on Feb 2, 2021
@CDR-CX-Stream (Member, Author)

A final revision to decision proposal 144 is now open for consultation. The revision has been attached to the original post.

Feedback is now open for this proposal for one week and will close on Friday, 26th March 2021.

@CDR-CX-Stream CDR-CX-Stream added the label Status: Open For Feedback and removed Status: Feedback Period Closed on Mar 19, 2021
@NationalAustraliaBank

NAB supports the final revision to DP 144.

@Susan-CDR

Suncorp supports the final revision to DP144

@CDR-CX-Stream (Member, Author)

Thanks to the final contributors. Feedback on this decision proposal is now closed. DP144 will now be finalised and sent to the Data Standards Chair for review.

@CDR-CX-Stream CDR-CX-Stream added the label Status: Feedback Period Closed and removed Status: Open For Feedback on Mar 29, 2021
@CDR-CX-Stream (Member, Author)

This decision was approved on 2 April 2021. The decision record can be found in the original post.

@CDR-API-Stream (Contributor)

Changes arising from this approved decision were included in the v1.8.0 data standards release.

@CDR-CX-Stream CDR-CX-Stream added the label Status: Decision Made on Jun 25, 2021
@CDR-API-Stream CDR-API-Stream removed the label Status: Feedback Period Closed on Aug 29, 2021
JamesMBligh added a commit that referenced this issue Mar 22, 2022
Update to all swaggers to make them OpenAPISpec v3.x