Noting Paper 157 - CX Standards Arising from v2 Rules

[CDR-CX-Stream]

26 May 2021
Following community requests, this issue is being re-opened to provide an update on the items outlined in NP157.

The purpose of this document is to clarify that, other than the open consultation on DP160, no further Data Holder obligations are anticipated for July 2021 or November 2021 in relation to CX standards referenced in the below document, unless required as a result of further rules amendments.

An updated version of NP157 is attached below:
Update to Noting Paper 157 - CX Standards Arising from V2 Rules.pdf

This issue will be kept open until Friday 4 June 2021. While feedback is welcome, a Noting Paper is not part of a formal consultation. Consultations on the specific issues contained in this document, which have not already commenced or completed, will be conducted separately.

---

29 January 2021
This noting paper outlines the anticipated Consumer Experience Data Standards changes arising from the v2 rules being made on 23rd December 2020.

The noting paper is attached below:
Noting Paper 157 - CX Standards Arising from V2 Rules.pdf

Feedback is now open on this noting paper. Feedback is planned to be closed on Friday 12th February, 2021.

The specific changes raised in this paper will be consulted on separately, but CDR participants are invited to use this consultation to raise any concerns or impacts that have not been identified.

[commbankoss]

Commonwealth Bank requests that a final version of CX Standards and Guidelines be published at least 6 months ahead of the compliance deadline for all required scope. Given the volume and complexity of scope required for the 1 November 2021 milestone, Commonwealth Bank requests that CX Standards and Guidelines be provided as soon as possible for these items.

Document Reference	Detail	Feedback
Pg 2	Table 1. Consent changes # 2 Amending Consents: authorisation flow Standards to be made by Feb/March 2021	Commonwealth Bank requests that Standards be finalised by February 2021 to provide sufficient time for delivery by the compliance date of 1 July 2021, as per the amended CDR Rules (refer CDR Phasing, December 2020, pg 2).
Pg 3	Table 1. Consent changes # 3 Separate Consents (ADR)	Commonwealth Bank requires clarification on whether a separate consent is required for collection and use for Accredited Data Recipients, or whether the consumer can consent to collect and use within the same consent, for the same duration. This would also mean that a consumer can withdraw their consent to collect and use at the same time. Commonwealth Bank recommends that CX Standards be provided for the various consent types to support customer comprehension and to ensure consistency across Accredited Data Recipients.
Pg 3	Table 1. Consent changes # 4 Separate Consents (DH)	Separate to the optional messaging identified, Commonwealth Bank expects that Data Holders will continue to be provided with details of the collection consent from the Accredited Data Recipient only, and therefore will not be required to make any changes to the current consumer experience to cater for the different consent types. Commonwealth Bank would appreciate confirmation of our interpretation.
Pg 3	Table 2. Disclosure consents # 5 AP Disclosure # 6 AP Disclosure: withdrawal Standards made by: No later than July 2021 Comply by: No later than July 2021	Commonwealth Bank requests the compliance date be amended to ensure that a final version of the CX Standards are published at least 6 months ahead of the compliance date. For example, if CX Standards are to be provided July 2021, the compliance date should be amended to January 2022 to allow for a transition period. In addition, Commonwealth Bank recommends that the CX Standards, as with ADR consents, ensure a simple and clear revocation process for AP consents, to help consumers stay in control of their data.
Pg 6	Table 4. DH dashboards and authorisation # 11 CX of DH dashboards and authorisation	Commonwealth Bank assumes that the required compliance date of 1 November 2021 will be clarified in the CX and CDR Registry Standards, as this is not specified in the amended CDR Rules or supporting CDR Phasing documentation.
Pg 6-7	Table 5. Eligibility	Given the significant delivery complexity of non-individual consumers, business partnerships and secondary users, Commonwealth Bank requests that a final version of the CX Standards (including user scenarios and expected experience) be published more than 6 months ahead of the compliance date of 1 November 2021. Commonwealth Bank requests that CX Standards be provided in February 2021 to provide Data Holders with sufficient time to plan, solution and build.
Pg 6	Table 5. Eligibility # 12 Non-individual consumers: authorisation flow	Commonwealth Bank agrees with the proposal and recommends that the CX Guidelines also cover suggested Data Holder notifications; for example, notifying authorised persons of changes to their nominated representative status.
Pg 7	Table 5. # 14, 15, 16 Secondary users	Commonwealth Bank is supportive of the development of CX Guidelines to provide clarity on expected experience for secondary users. Commonwealth Bank also recommends that these guidelines reflect how the secondary user experience should be implemented with joint accounts, including examples of user scenarios and the expected experience.
N/A	Direct-to-consumer data sharing	Commonwealth Bank requests that CX Standards and/or Guidelines be provided for direct-to-consumer data sharing, by March 2021 to enable delivery by the current compliance date of 1 November 2021. Commonwealth Bank notes the ACCC have advised participants that direct-to-consumer data sharing (including the compliance date) would be subject to additional consultation during early 2021.

[RobHale-RAB]

It seems there may be a CX implication associated with the November 2021 JA changes, not documented in the noting paper. It relates to the updated authorisation flow and the need to notify other JAHs when JA data is to be shared - both when a disclosure option has been set, and when it has not.

Where a disclosure option has been set, the notification is for JAH2+ awareness.
When a disclosure option has not been set, notification is required as a prompt to JAH2+ to consider setting a disclosure option on a specific JA, via the DH's digital banking channel(s).

It would be helpful to provide CX guidance on the following points:

• How quickly should that notification be given? Where an ADR employs one-off consent, it is highly time-sensitive, so this really needs to be instant
• What channel(s) are acceptable for the notification? SMS or push notification is vastly preferable to email which may not be seen. Ideally the notification should be sent via whichever channel is most likely to be accessed by the consumer first.
• What should happen where sharing of data from multiple JAs is authorised within a single consent? This is a real world scenario. Many consumers have multiple joint bank accounts. Because disclosure options are unique to each JA, there is a potential negative CX impact if multiple separate notifications were to be sent due to multiple JAs.

For context on this latter point, as part of a loan application, data from all relevant accounts may need to be shared in order for a full assessment to be undertaken. Consumers may have joint accounts for savings, investment, home loans, credit cards etc. All are potentially in scope. Furthermore, consumers may have multiple DH relationships, each with multiple JAs, so the negative impact could be multiplied for certain use cases.

To help ensure a consistent CX across all DHs, it would be helpful to provide CX guidance on the following additional points:

• How would we avoid sending the same JAHs multiple notifications associated with the same consent?
• Not not all JAs may involve the same parties so care must be taken here to ensure all unique JAHs receive a notification.
• Accelerated access to a specific JA disclosure setting ("click here to change your disclosure options for this account now") couldn't be achieved if a single notification applied to multiple JAs. This may impose more navigational burden on JAH2+ to find the specific settings if they wish to update a disclosure option. So there would appear to be a trade off between multiple targeted notifications, and a single generic one.
• Setting guidance, perhaps along the lines of “DHs SHOULD attempt to minimise the number of notifications given to JAHs where the same JAHs are associated with multiple JAs authorised within the same consent”

The above considerations further demonstrate the significant design challenges created for certain scenarios as a consequence of the JA Rules that mandate JA data sharing is off by default.

If the default position was that JA data could be shared (with some appropriate exceptions), many of these (and other) notable issues would not exist. A potential public position on this could be:

"By default, if you have access to banking data, you are able to share it. However, we have built CDR with consumer choice, convenience and confidence top of mind, so where Joint Accounts are concerned, any joint account holder is able to instantly disable or enable sharing on specific accounts at any time via their DH."

[NationalAustraliaBank]

NAB also requests that a final version of the relevant CX Standards and Guidelines be published with enough lead time to enable compliance, i.e. at least 6 months before. 

---

2. Amending Consents: authorisation flow - DH

Timing:
- If the Standards are made by Feb/March 2021 as indicated, this does not provide for sufficient lead time before the possible compliance date of (i) July 2021. As at least 6 months is needed for compliance, NAB suggests that the compliance date should be (ii) Nov 2021.

Scope of the Standard:
- Can a user do inflow election when amending a consent?
- As per Decision Proposal 144, there will be a requirement for pre-selection of accounts when amending consent. Will there be a requirement to display ineligible accounts in a particular way when amending a consent, or will it be left to the DH to decide how ineligible accounts will be displayed?

---

3. Separate Consents - ADR

Scope of the Standard:
- NAB believes that there should be CX Standards around the new consent types, including clear definitions, to ensure that ADRs and DHs use the same terms for a consistent CX.
- When creating a new consent, or amending or withdrawing the existing consent, there should be a requirement for specific messaging presented to the customer by the ADR that:
-- the DH is responsible only for collection consent; and
-- that the ADR is responsible for management of all other consent types. 

---

4. Separate Consents - DH

Timing:
- NAB notes that the timing for the release of Standards and for compliance is at the same time - in this case July 2021. While noting that this is a MAY obligation, the release of the Standard by Feb/March 2021 does not seem to provide sufficient lead time to achieve compliance, if the comply date is also Feb/March 2021. 

Scope of the Standard:
-As with 3 - Separate Consents above: When creating a new consent, or amending or withdrawing the existing consent, NAB believes there should be a requirement for specific messaging presented to the customer by the ADR that:
-- the DH is responsible only for collection consent; and
-- that the ADR is responsible for management of all other consent types.

---

5. AP Disclosure - ADR

NAB believes that both Technical Data and CX Data Standards are required for this issue due to potential security and privacy implications.

---

6. AP Disclosure: withdrawal - ADR

Timing:
- As with 4 - Separate Consents, NAB notes that the timing for the release of Standards and for compliance is at the same time - in this case July 2021. Again, NAB notes that there does not seem to be sufficient lead time for ADRs (in this case) to comply. 

Scope of the Standard:
- As with 5 - AP Disclosure: NAB believes that both Technical Data and CX Data Standards are required for this issue due to potential security and privacy implications.

---

7. Joint accounts: auth flow 1 - DH

Scope of the Standard:
- Is the required message to the joint account holder mentioned here intended to facilitate safe and informed authorisations for vulnerable persons?
- Has DSB considered the implications of a scenario whereby the roles are reversed and the partner of a vulnerable person could take advantage of this issue?
- NAB anticipates that the message to the account holder when they initiate an authorisation may cause confusion about what they are required to do and in what order.
- Additionally, it is unclear what a DH who is contacted by a requestor is reasonably expected to do in the circumstances, in terms of ensuring that the other account holder is not alerted about the authorisation. The authorisation is likely to appear in other places, for instance on the other account holder's consumer dashboard.
- NAB therefore suggests that, at least initially, this obligation be a MAY while these complex issues are worked through.
- Will the Standards or CX Guidelines provide advice on which terminology should be used for preferences and when, ie "data sharing preferences" or "disclosure preferences" or "pre-approval" or something else? This applies to both existing elections that were set prior to V2 of the Rules, as well as disclosure preferences set after the V2 Rules.

---

8. Joint accounts: auth flow 2 - DH

NAB suggests that the obligation for this Standard be a MAY due to different DHs having different processes in place to protect vulnerable customers.

---

9. Joint accounts: auth flow 3 - DH

Scope of the Standard:

- Will this Standard allow consents to be created on joint accounts even if election preferences have not been completed by all the joint account owners? This could be during either pre-election or in-flow election
- NAB believes that there should be messaging to help customers differentiate between approved consents and sharing of data to help them understand that, without elections in place, data will not be shared.
- NAB believes that, at a minimum, the obligation for this Standard be SHOULD. It could even be a MUST if appropriate.

---

10. Joint Account Management Service (JAMS) - DH

Scope of the Standard:
- NAB suggests that to ensure consistency of the CX across different DHs, consideration be given to producing CX Guidelines on:
-- the withdrawal of secondary user instruction;
-- use cases related to more than two joint account owners;
-- the ability to distinguish between whose customer data will be shared when a secondary user creates a consent that relates to customer scopes (ie the secondary user's customer data or either of the joint owner's data); and
-- new functionality related to in-flow elections and existing pre-election preferences.

---

14. Secondary users: authorisation flow - DH

NAB believes that the Standard should address how secondary user authorisation flows will work to include joint accounts. 

---

16. Secondary users: withdrawal - DH

NAB believes that the Standard should address how secondary user withdrawal flows will work to include joint accounts. 

NAB further believes that a MAY or SHOULD obligation is appropriate. 

---

[anzbankau]

Whilst we are broadly supportive of the scope items we would like to draw attention to the importance of finalizing the CX guidelines as soon as possible - the current timeline for making the standards may not allow sufficient time for delivery by 1 November 2020. If CX standards are not made until May 2021, there is a risk of rework and impacts to delivery for participants.

The extension of the scope of joint accounts as well as the inclusion of secondary users and nomination capability is particularly important. It introduces a number of permutations and considerations in both the authorization flow and the consumer dashboard. In our experience, significant CX changes generate lengthy discussion and feedback cycles which in turn have substantial impact on underpinning system design and build. Considering the volume of changes and tight timeframes proposed, we would like to highlight this dependency as key to successfully meeting these requirements.

[WestpacOpenBanking]

Westpac is still completing a detailed analysis of the new rules and developing a detailed implementation plan. We are therefore not yet able to categorically confirm that the identified CX standards changes will accommodate all changes required from the Rules 2.0.

The rules indicate a November 1 compliance date for Direct to customer data access and have explicit references to the data standards. Although direct to customer data access is not a new addition to the new version of the rules, we ask DSB to clarify what standards are intended in relation to this item and when they might be finalized.

Based on our preliminary analysis of the proposal, we have the following comments and questions:

• A February/March date has been identified to make standards in relation to Decision Proposal 144 on amending consents. A July obligation date for these changes would not allow a six month period to make any required changes. Hence, in alignment with our response to that issue, we recommend a November obligation date.
• Our understanding is that data holders will not be required to make any changes in relation separated consent types, for example consents to use. We would appreciate if this could be explicitly confirmed.
• The update to rule 1.13 (e) indicates that data holders must provide a service to allow persons with account privileges to make secondary user instructions or revoke instructions. We would appreciate confirmation that the ‘service’ referenced here will be left to the competitive space.
• The rule 4.6 sections (4) to (6) now include a checklist of requirements for the joint account management service. Will the CX guidelines be expanded to include these requirements?
• If the rules require data holders to display information about cases where one data recipient is collecting data on behalf of another data recipient then the standards will need modifications in order to allow this.

The data standards body may also wish to refer to our response to Decision Proposal 153 in relation to this issue as the technical standards and CX standards are linked.

[CDR-CX-Stream]

Thank you everyone for your feedback on this noting paper.

Feedback on Noting Paper 157 is now closed while the DSB reviews the contributions and develops a response to the queries raised.

[CDR-CX-Stream]

Following community requests, this issue is being re-opened to provide an update on the items outlined in NP157.

An updated version of NP157 is attached in the original post.

This issue will be kept open until Friday 4 June 2021. While feedback is welcome, a Noting Paper is not part of a formal consultation. Consultations on the specific issues contained in this document, which have not already commenced or completed, will be conducted separately.

[CDR-CX-Stream]

This issue is now being closed.