Design Paper: an ‘opt-out’ data sharing model for joint accounts in the banking and energy sectors

[CDR-API-Stream]

The following public consultation for an opt-out data-sharing model for joint accounts, is open for feedback.

We invite all participants in the Consumer Data Right to submit their feedback below as part of this GitHub consultation.

The date of closure of consultation is: 26th of May 2021

Link to the consultation: https://treasury.gov.au/consultation/c2021-168954

Context

This consultation is opened in support of the recent announcement from the Treasury, which proposes design options around rules and standards to implement a peer-to-peer model for the energy sector and on an opt-out data sharing model for joint accounts.

Feedback received on these papers will inform the development of draft rules and standards which will be the subject of formal consultation in the coming months.

In response to concerns that joint account rules could limit engagement with the Consumer Data Right, Treasury is considering proposals to support an opt-out approach, while maintaining the high security and privacy protections provided for in the Consumer Data Right. The implications of this change in direction are the subject of this consultation.

Design Paper

A design paper is a new consultation approach being trialled that intends to provide an opportunity for simultaneous consultation on the rules, policy, standards and guidelines for a change to the Consumer Data Right. In the past we have worked together to solve implementation questions and challenges by first defining Rules and Standards and then requesting comment. A design paper lets participants comment on the implications of proposed Rules and Standards, before they are defined. Where applicable, a design paper will also include consumer experience mock-ups to demonstrate the implementation and how that may affect existing participant's systems.

Providing Feedback

A design paper will elicit feedback to be consumed by multiple teams. Feedback on the standards can be provided here and the DSB will respond directly as per usual. Rules and policy feedback can also be provided here and the DSB will seek to clarify this feedback and then provide it to the appropriate team for consideration.

To assist the feedback process. We ask that you use the numbered reference assigned to each of the paragraphs in the design paper.

Feedback can also be provided via email to [email protected] or to [email protected]. As per usual practice email submissions will be made public unless a request is included to keep the submission private. While we appreciate that some submissions may need to be private the fact that they will not be available for community discussion necessarily means we will not be able to give them the same consideration as public feedback.

[RobHale-RAB]

This new approach is to be applauded. The Design Paper and public consultation on Rules via GitHub will undoubtedly facilitate a richer and more dynamic conversation resulting in better outcomes for consumers 👏

As both an active ADR and a DH, the team at Regional Australia Bank recognises the importance of contributing to this consultation. We will provide further feedback over the next 2 weeks, however if feedback is left late, the opportunity for important open discussion and debate will be limited.

Therefore to kick things, and take full advantage of the time available, See below for some high-level initial thoughts and feedback.

1) Overall, the opt-out approach for JAs is most definitely supported and will undoubtedly remove undesirable friction in the consent authorisation process.

• The UK Open Banking principles now also recognise this as something necessary "in order to deliver the best possible experience and outcomes".
• They term it as 'Parity of Experience' - where such a journey "...should involve no more steps, delay or friction in the customer journey than the equivalent experience they have when interacting directly with their ASPSP" (ie their bank).
• https://standards.openbanking.org.uk/customer-experience-gu_idelines/introduction/design-and-experience-principles/latest/

2) Assuming CDR rules will be amended so that data sharing is 'on' by default for JAs, we should consider different language to communicate this to consumers.

• Opt-out is a term with a negative connotation, it's also confusing - what am I opting out of?
• Rather than using this terminology, we could instead say something like "CDR follows the same principle as money. Those authorised to send money can also send data" - ie there is parity of experience.
• To further strengthen messaging around consumer choice, convenience and confidence, as part of consumer awareness communication, we could highlight that, while parity of experience is the default, CDR also provides additional optional capability. Consumers are able to 'switch on' fine-grained control and oversight on specific JA data if they so wish.
• This does create additional friction and ‘noise’, but the option is there, the consumer has a choice, the consumer is in control.
• It's a much more positive message about CDR.

3) Assuming data sharing is 'defaulted to on', the in-flow election functionality becomes redundant and should be removed.

• This will simplify the consent authorisation process, remove friction and cognitive load and improve conversion rates

4) Q22 of the Design Paper refers to the current notification requirements. An overall principle to minimise these is encouraged.

• Current rules could result in a barrage of notifications for some customers. If every authorisation on every account held by every DH is communicated to every JAH involved in an ADR use case, consumers may cognitively 'tap out'.
• Consumers may end up ignoring all messages received via that channel, including messages unrelated to CDR. For example, where SMS is used, CDR may inadvertently become responsible for the creation of an alert-ignoring culture, compromising the ability to reach consumers for valid and potentially urgent reasons.
• If alerts and notifications remain within CDR at the frequency and volume currently specified, consumers may quite reasonably demand controls to enable or disable these alerts from ADRs and DHs. This would require more rules to be made, creating further complexity for all and compromising desired functionality.
• Let's avoid getting to this point and keep the volume at an appropriate level.

5) Defaulting JA data sharing to 'on', removing in flow election functionality and simplifying messaging requirements will also reduce workload and complexity for DHs.

• This simplification should help ensure associated extensions to data publication timelines are minimal - enabling broader participation and consumer benefits to be achieved sooner.

[Mekaal]

What exactly is the expectation of DHs who already have a joint account solution in play? If the expectation is that customers (presumably only those who have never changed the default 'do not share' setting) are advised in advance that their settings will be altered, how much notice is required and is there any guidance on the permitted form/s that such a notice may take?

[CDR-CX-Stream]

Thanks @RobHale-RAB and @Mekaal for providing these responses. We have shared them with the relevant teams and have a few points below:

@Mekaal, in response to your query:

The design paper proposes that data holders should be encouraged (but not be required) to notify consumers of the default CDR data sharing settings on their joint account (para 23). We weren’t anticipating a need for a notification period to apply before the default setting is changed (that is, for consumers that have not actively engaged with joint account data sharing settings for an account). We would welcome feedback on whether you think notification guidance would be useful and what this might look like.

@RobHale-RAB, in response to your 4th point:

We would welcome your views on how existing alerts and notifications might be reconsidered, including any specific notifications you had in mind and what alternative requirements or methods might look like.

[TT-Frollo]

Fully concur with Rob Hale's comments.

Data sharing defaulted to 'on' for JA's will prevent many 'pending consents'. Many customers are frustrated with the complexity involved in making elections to share their JA's. In our experience many just give up.

For Q1 and Q2 raised, one difference between the banking and energy sectors for joint accounts is that in energy JA holders would also be concerned about the 'service' not just the financial aspects of the account. This would not change our views on the opt out, but some of the language used across sectors when making the rules. Not only financially focused.

Also agree with making the in-flow election redundant. As much as possible all friction points should be removed.

[DrummerDaveF]

I still hear the word "both" being used during discussions on JAs. This language limits the thinking sphere, and excludes accounts with 3 or more account holders.

I humbly suggest the word "all" be used and encouraged when talking about account holders for joint accounts.
Similarly the other account holders shouldn't be called "secondary". The word "other" provides scope for a large number of account holders and does not limit thinking. With the opt-in model perhaps the "authorising account holder" for the account holder that opted in and some other term to indicate the other account holders that now have their data being shared and could potentially terminate the sharing when they opt-out.

[CDR-CX-Stream]

Thanks @TT-Frollo and @DrummerDaveF for your feedback. We have passed these points on to the relevant people.

@DrummerDaveF:

Based on feedback from a previous joint account workshop, the wireframes and CX standards now use generic references such as 'the other account holder(s)' or 'other account holders' to help support analysis and implementation for joint accounts with more than two account holders. We will relay this point to the policy and rules teams too.

On terms to use for specific account holders, we have generally referred to the 'authorising account holder' - who has initiated the process of joint account data sharing - as 'Account Holder-A' (AH-A), and other account holders have been referred to as AH-B, AH-C, and so on. We will share this feedback with the policy and rules teams to support consistent referencing.

For reference, the language in the above two points is used in the v3 rules wireframes (Miro | PDFs).

[spikejump]

Intuit welcomes this opportunity to provide feedback on this design paper. The design paper approach, in general, will help more fruitful discussions within the community.

Intuit supports the ‘opt-out’ approach as outlined in the paper. This approach avoids the issues of:

• One-time consent use-cases can’t be fulfilled properly
• Misleading for consumers to think that the account(s) are shared when they are not
• Cause ADRs unnecessary implementation costs

We believe a fundamental principle behind a consent is that everything associated to a consent must be valid/true at time of consent. Allowing joint accounts that are not approved for sharing to be selected and included in a consent violates this principle. We fully applaud the recommendation of removing ‘in-flow’ consent as outlined earlier.

There had been misconception that it is easy and simple for ADRs to deal with account(s) added into a consent at any time. While ADRs can easily use a Get Accounts API to know what accounts are available under a consent, it may not be so simple to actually use the data from a newly appeared account. ADRs may have multiple services or workflows to support the use of consumers’ data. To retroactively tie the correct workflow to the correct account(s) requires additional error handling/workflow. Some of that workflow may even require additional consumer interactions. If correct accounts are made available at time of consent, ADRs will know precisely the intent of the consumer and be able to establish the correct workflow and if additional interactions are required then consumers can immediately provide information making the whole process more efficient and pleasant for consumers.

For complex joint accounts, Intuit supports Option 1: mirror current authorities on the data holder side to transact on complex joint accounts. As an ADR, our rational is we want to reduce customer frictions to provide services to them. However, we do not believe doing that at the risk of compromising existing authorities/securities that have been put in place on complex joint accounts. The consumers and data holders must already be familiar with existing practice and process. We don’t believe in introducing a new pattern of process/rules/authorities will be beneficial to the consumers. While there may seem to be friction for ADRs to obtain access to complex joint accounts under Option 1, we feel the need for DHs and consumers to understand new process/rules to share CDR data will actually be more of a hindrance for the adoption of CDR.

The consideration on whether to adopt ‘co-approval’ or not under Option 1 really should look at what existing approval patterns are familiar to the consumers already. Let the consumers approve data sharing via this mechanism. CDR should avoid imposing another layer of approach or, worse, imposing something that contradicts current patterns.

On the CX experience for Option 1, we support a design where all consumer accounts are visible by consumers during the authorization process. However, those accounts that are not eligible to be shared at the time, should not be selectable. This avoids customers consenting to share accounts that are not eligible for sharing. The ineligible accounts for sharing should have wording/information for consumers to guide them on the reason why they’re not sharable and/or where to seek changes to allow them to share such accounts.

[anzbankau]

Regarding the recently published ‘Opt-out’ joint account data sharing model CDR rules and standards design paper (April 2020), does this include consideration for the proposed extension from read-only to “action initiation” and “payment initiation” (Future Direction of the Consumer Data Right, Farrell, 2020), particularly in regard to complex joint accounts within the banking sector?
 
Simply put, once the CDR becomes a read/write regime will data holders be expected to treat open data transactions just like any other internet banking transaction and therefore extend or synchronise existing transaction authorities from existing digital channels? Alternatively, is the intent to maintain a logical separation between open data transactions (read and write) and existing internet/mobile banking transactions? In the case of the latter, the risk is that payment permissions may be at odds with one another between open data and existing internet banking channels (for example, if a consumer changes their payment authority from one-to-sign to two-to-sign in everyday banking, this will not automatically be reflected in open data and there may be a conflict in permissions depending on their open banking election preference), whereas in the former scenario the permissions are always synchronised regardless of channel.
 
There are pros and cons to both approaches. A common set of transaction preference across all channels is arguably more intuitive and simpler to implement and maintain in the long run but it is a step change from the current joint account approach and will require time to implement. It also raises a number of questions in regard to the current CDR privacy safeguards. Conversely, a separate set of permissions may stay true to the intent of the CDR’s “explicit and informed” consent principle but it is likely to create more technical complexity and possibly consumer confusion were this to occur.
 
We would argue that an agreed end state for action and payment initiation preferences is a very important consideration in the current “opt out” design paper to avoid the risk of future rework and welcome your thoughts on the matter.

[GedTMBL]

Teachers Mutual Bank limited appreciates the new approach of public consultation prior to finalisation of rules. Addition of a Design paper provides an opportunity for participants to deep dive into the requirements and its implications before its defined in set ways. CX mock-ups assist in getting everyone on the same page. Mock-ups are also a good way to subconsciously guide consistent agreed upon customer experience via all CDR participants to its customers.

With respect to this consultation, our general sense is that the opt-out approach is preferential. One key observation from us, is that under the proposed opt-out method, either account holder can veto the provision of the data. This does not solve the inherent member experience challenge. A more seamless process would involve recognising that the data on a joint account is held both jointly and severally, and therefore either party can authorise the sharing of the data. This would mirror the general operation principles that apply to banking joint ownership structures today. Open Banking should follow the same principle.
To further expand, in a joint account either of account holder can request for detailed account statement without the approval of other. A joint account holder can also digitally download all joint account information and send to third parties without the consent of other joint holder(s) but cannot do so via Consumer Data Sharing if either of account holder turns off sharing?

We do not feel “opt out” is the right term to relay the message. This goes against “Consent to share data” motto of Open Banking. Although customers can “opt out”, their data is essentially being shared without their consent until they take action to opt out. Doing nothing = providing consent? Can send the wrong message to customers about Open Banking. This aligns to Rob Hale’s comments regarding the negative connotations of “opt out”. We will need to consider the messaging to consumers carefully.

In terms of the specific questions posed by the paper:

1. Do you prefer the definition of joint accounts in the rules, or would you prefer a sector-wide definition, for example with a focus on financial responsibility? Are there other factors should we consider?
   The existing definition was made with the banking sector front of mind, so we’re supportive of retaining the existing language. However, we do acknowledge that the current definition may be problematic for other sectors. There is room for a distinction between the joint-ownership nature of the account structure and the authority to operate rules that govern the usage of the account. For banking, these rules align; accounts most often operate severally (with few exceptions). In terms of information in a banking context, accounts operate entirely severally; each account owner can request information (including transactional and product data) on their account at any time, and we are obligated to provide it without the consent of the other owners of the account. The concepts of Open Banking are not dissimilar to this use case.

2. Do you agree with the CX standards proposals?
   Generally yes, but we acknowledge that the proposed CX standards conflict with existing account data ownership principles; that an owner can requests information on their joint account (and subsequently share that information electronically or through statements), without the joint owners’ consent.

3. Which option do you support for complex joint accounts and why?
   Option 3. This option recognises the existing principle that information and transaction are two separate concepts when it comes to account ownership. This proposal likely involves the least effort while delivering the most seamless and frictionless member experience.

4. Do you agree with the proposal that where ‘co-approval’ settings continue to be optional implementation, joint account holders should be able to independently switch to a ‘co-approval’ setting without additional input from the other account holder(s)?
   Assuming the adoption of Option 3, we would consider co-approval settings to be redundant for account owners, but relevant for account signatories (especially in SME/business use cases).

[RobHale-RAB]

@CDR-CX-Stream, in reference to your follow-up question:
#176 (comment)

I think one of the learnings so far for us all here is to be cautious in creating rules on the basis of an assumed model of adoption. Q22 in the Design Paper appears to assume that all JAHs would find notifications of other account holders' sharing activities useful. We don't actually know this yet, and consumers can't reasonably be expected to provide an opinion, given that they have not yet experienced this process at any meaningful scale.

A suggested approach is therefore to make rules based on an MVP for notifications and controls, and wait for ADR and DH feedback on how consumers are reacting. It will be easier, less expensive, and faster, to augment existing processes with future iterations of rules, than to remove functionality baked into participant systems (that may have required third party commercial contracting to achieve). It feels as though this approach would also align well with a CDR objective of building consumer trust and confidence, whereas removing things could be viewed negatively and create confusion.

In simple terms, an MVP for consent notification, might be to only provide a confirmation receipt from the ADR and the DH, and only provide this to the account holder that gave the authorisation.

A guiding principle to support determination of the right volume of confirmation messaging might be to ask, "what is the minimum interaction that a consumer would reasonably expect in order to confirm their authorised action has been carried out?".

[RobHale-RAB]

@anzbankau raises a good point in comment #176 (comment)

It would indeed be desirable to have a common set of transaction preferences across all channels. Of course this is not the status quo in banking today, and probably for good reason. When transferring funds to a new payee or via a new channel, or where a transaction value exceeds a predetermined threshold, consumers are used to being challenged for further authentication, perhaps by entering a OTP via hard/soft token, SMS, Google/Microsoft Authenticator etc. It seems appropriate for CDR behaviour to be consistent with this, and consider different control mechanisms for read v write access.

If CDR controls are 'scenario dynamic' then that feels reasonable, provided the burden of those controls (on the consumer) is proportional to the risk and significance of the action being initiated. Authorising an ADR to view an account balance should have less need for interaction, than making a large financial payment to a third party with whom no prior transaction has been made. It is suggested that, for the time being, we focus on data sharing controls, and address action initiation in future iterations once consumer feedback and participant learnings are established.

[TT-Frollo]

@anzbankau and @RobHale-RAB both raise good points in regard to implications for future access initiation rules.

Preferences that the consumer understands and are aligned as far as possible to their existing understanding is preferable. Of course CDR is new and so a step by step approach is useful starting with read access. Write access will need further consideration and we should not hold up establishing read access into the community until all conditions have been addressed. Banking is changing with CDR and it will take some time to get right for the consumer, so agree with the MVP approach @RobHale-RAB has put forward and his comments on transaction action considerations.

Frollo also suggests that, for the time being, we focus on data sharing controls, and address action initiation in future iterations once consumer feedback and participant learnings are established.

[damircuca]

Hey Everyone

Sorry to be so late to the party - and hopefully our comments are received on time.

First - this is a great initiative and we welcome / appreciate capturing feedback this way.

In regards to the initiative concerning the improvement of joint account holders, this is a HUGE step in the right direction. The adoption, and ability for a consumer to have a great "first-time" experience when setting a CDR consent is probably one of the most important factors that will lead to its success. Hence why it is so important, when designing a solution to ensure that each experience will lead to a successful outcome. In the current rules, this is definitely not the case, because an individual can get all the way to account selection only to determine that their accounts are not visible.

It's also worthwhile noting how painful this experience can be for a Fintech as well... Considering the limited capital / resources they have to prove out their business model, grow and scale - they finally convince someone to download their app (yay!), ask them to register (yay x 2), ask them to connect their accounts (deep breath - "hope they trust me"), finally they decide to connect (yay x 100) only to find out that their account is not there - the consumer cancels the flow, closes the app and never bothers again :-(

The one concern we have always held with the current approach is this disconnect, or dishonour of not respecting the rules concerning the data sharing arrangement as held with the data holder (or "bank"). The concept of introducing additional configuration options that enable a person to toggle joint-account data sharing on / off via open-banking is counter to what happens when the same joint-account individuals / parties see when they log-in to their banking portal (where they see everything).

We believe that this simply introduces too much complexity, and further has the ability to break the ADRs app e.g. one joint account holder uses a budgeting app to track spending, the other joint account holder goes into banking settings and turns off sharing - budgeting app can no longer see data and the app is broken...

Furthermore, the ability for an individual to control whether another shared account holder can access / use 3rd party services is also a form a control which could be a counter argument as to why the sharing opt-in model was first introduced. If an individuals accounts are all joint-accounts then the other ja parties can effectively refuse to enable sharing - thus preventing an individual from engaging and using other financial services. This form of control can effectively reduce an individuals right to manage their finances.

As a summary, our recommendations are as follows:

• Data arrangements that already exist with the data holder (institution) should be honoured and CDR should inherit these permissions, rather than add an additional layer of configuration.

• Permissions concerning whether a joint account holders feel comfortable with sharing their data with each other should be administered at the institution level (as they currently are) rather than introducing this as a CDR configuration.

We believe by adhering to existing permissions, it will reduce cognitive complexity and will create a more transparent experience when consumers use a range of apps that interpret and rely on their data.

Answers to Questions

7. Yes, "opt-out" approach is preferred over "opt-in" but a zero configuration approach where we simply inherit permissions as they already stand between the joint account holders and their institution would be even better.
8. Yes.
9. Yes.
10. No, I think we should introduce a principal person (who setup the consent) and they should be notified - rather than all the joint account holders. Informing all joint account holders could increase support requests and create confusion - as all JA's would have to agree (verbally) or be given a heads up that they will receive an email because of the individuals is using a app such as a budgeting app. It all feels over-done considering I can log-in to my internet banking portal and export all of the statements, or transactions via CSV and share with whomever I like - it just doesn't makes sense and creates too much confusion.
11. Option 3
12. Yes
13. As per earlier comments - we would prefer that the settings don't exist as this level - as they are already present (this is something which people configure when they opened their bank account).
14. See 13.

[Abhinavraje]

NAB welcomes the opportunity to provide feedback to improve customer experience for data sharing. We have carefully considered the problem statement and options listed in the paper which aim to reduce the perceived friction for the customer for CDR data sharing. However, after detailed analysis of each of the options, NAB does not support the ‘Opt-out’ approach and other options for complex joint accounts, as each option comes with an impact which may or may not help to achieve desired outcome.

We believe that the Opt-out approach undermines the key principles of the CDR system, which has the customer and their fully informed consent at its core. There are privacy risks associated with an ‘opt out’ approach because consumer control and privacy is diminished if data sharing is set as a default. For example, if the opt out approach is taken this will allow one party to in effect unilaterally decide that data is shared as a default position built into the Rules. In cases where there is vulnerability there is a risk that this may lead to adverse outcomes for individuals. The Consultation Paper notes that “the rules provide that a consumer can only ever share their own customer data; customer data of the other account holder(s) is never sharable data (clause 3.2(3)(b)).” However, it seems to us that if an opt-out model is adopted Data Holders will be faced with a situation where they will be required to share a non-authorising account holder’s personal and potentially sensitive information (within transaction data) without their consent in contravention of the Rules and potentially in breach of privacy laws.

After reviewing all options, the following is our feedback:

Option 1: (mirror current authorities to transact on complex joint accounts).
We believe that transaction authority and data sharing authority serve two different customer outcomes. Mirroring these two authorities may limit the flexibility for customer to choose different authorities as per their purpose. Moreover, the customer may not wish to have the same authority for the transaction and data sharing. Ultimately, it goes to a policy question on whether the ability to transact is equivalent to the ability to share data. From an implementation perspective, it create a significant addition of scope and results in lost effort for already delivered capability. Moreover, we support ANZ’s comments in relation to the need for a clear, agreed end state for action and payment initiation preferences, prior to determining the approach to an ‘opt-out’ design in order to avoid the risk of future rework.

Option 2: require ‘opt-in’ for complex joint accounts
We do not recommend this option as we do not necessarily agree with the premise that individuals would seek greater control and oversight of data sharing over complex accounts vs standard accounts. Also having two sets of rules for standard and ‘complex’ joint accounts will create added and unnecessary complexity into the rules and impact customer experience.

Option 3: apply the ‘opt-out’ setting to complex joint accounts
As per comments above, "Opt in" is preferable from a privacy perspective. Hence, we do not recommend this option.
We prefer the "Opt In" approach as it is outlined in current rules from a privacy perspective and is in line with the underlying basis of the CDR as a voluntary consent based data sharing ecosystem. We believe that introduction of in-flow disclosure option as per new CDR rules may help to reduce the friction for the customer issue as stated in the paper without compromising on their privacy controls and having any impact existing functionality.

Implementation Considerations:

65. Given any shift to an ‘opt-out’ approach is unlikely to significantly interrupt implementation efforts to date, we would propose a short delay to the timelines for implementation of joint accounts from the current 1 November 2021 to a date within the first quarter of 2022. This will ensure CDR roll-out continues as an appropriate pace to support uptake and value for prospective ADRs. We would welcome feedback on the earliest feasible implementation timeframes._
    • We don’t agree with paragraph 65. Depending on which option is chosen, we would need to do a data migration and potentially introduce linkages in our technology solution that do not currently exist. For example, when a new joint account is created today, we do not have to set the default OB opt-in setting (as customers are required to opt-in). There are also tech moratoriums in place in Dec-Jan where we limit technical change and Data Holders have other significant releases to manage. In addition, implementation timeframes need to factor educating customers of this new opt-out model in time for Q1 2022 and possibly changes to our T&C’s etc. We support the ABA’s suggestion that a CDR public education campaign needs to be mounted - similar to My Health where customers are given notice to opt-out if they did not want their medical data shared.

66. Initial analysis suggests that a change to Option 1 will be a new initial input as opposed to a build change. DHs with active joint account implementations would need to ensure that data sharing ability is ‘on’ by default and follows existing authorisations for transactions.
    • We do not agree with paragraph 67. Option 1 requires build changes. In our current production implementation, there is no link between the Transaction Authority and the JAMS service. To implement such a link would require significant technical change. Also, Option 1 requires build change implement co-approval (which is currently optional under the rules).

Enhanced CDR Participant Communication
NAB is supportive of the principle of improved communication between ADR and DHs. We agree that it is beneficial for ADRs to have greater understanding of account data sharing status.

However we are seeking clarification on the problem statement that Enhanced CDR Participant Communication is looking to address eg. what use cases would ADRs use the enhanced information for. Our understanding is that ADRs are facing several problems:
• ADR don’t currently have a fixed set of accounts that relate to a given data sharing authorisation.
• ADR don’t know the data sharing status of an account at any given time

We are unclear how ADRs would make use of the different statuses proposed in the paper: “it is awaiting approval” or “has not been approved” or “has been set to ‘off’ (when a consumer opts out of data sharing on the joint account entirely)” or “has been stopped for a specific data sharing arrangement (when a consumer removes an ‘approval’)”? All of these effect the same outcome – the ADR is not able to get a complete set of account data.

From a technical implementation perspective, we believe that some enhanced data could be provided by DHs through error handling (ie. when ADR calls Get APIs, DH returns an appropriate error response). Furthermore, we believe ADR’s should pull status information from DHs (rather than DHs pushing updates to the ADR). We believe that a pull solution by the ADR is a more robust solution (avoids the challenges with DH having to retry in the case of errors) and it aligns to same pattern of ADR’s calling other DH endpoints. NAB believes that we should not be developing bespoke CDR technical solutions but rather, we should align with the upstream technical standards, both current and emerging.

[ghost]

Thank you to the ACCC rules team for opening this up for consultation. With CDR having been live for almost a year, we are now able to provide feedback with some practical, real-world experience behind us.

These are my personal comments after being involved with both DR & DH implementations.

Default setting for an ‘opt-out’ approach
I believe a model of digital access parity ('opt-out') is undoubtedly a superior model to one where users must explicitly opt-in, for the following reasons:

• The user experience would be much improved. Users are able to share data without needing to be confused over a new set of permissions and associated steps, not to mention the process to tick the right boxes. This would be a step in the right direction for user satisfaction and engagement.
• It passes the pub test. That is to say that, in my view, everyday consumers would expect that if they have the authority to access their data online, they would also have the authority to share that data. It would be great to confirm this through market research. :-)
• It simplifies things. This simplification increases usability, engagement, satisfaction, ease of implementation as well as enables and encourages potential CDR use-cases.

Although an 'opt-out' approach is superior to an 'opt-in' approach, going a step further to simply align CDR data access with everyday digital access with no CDR-specific access options would have even more benefits. If consumers can log into Internet banking or their energy portal, download statements and share them with whoever they want with no additional restrictions, what benefits are gained by adding other layers of access controls and notifications in CDR? What problems are trying to be solved with such additional layers???

Complex joint accounts
In maintaining the principal of digital access parity, I believe option 3/c would be the pick of the bunch here. That is, "adopting the ‘opt-out’ approach regardless of the authorities to transact on the account".

Again, keeping things simple and in line with existing expectations on digital data access is the way to go. We are talking about data sharing at present, not payment initiation. Anyone with existing access to their data through digital channels should expect that they have the same access to share that data via CDR, regardless of their authority to transact.

As stated in other consultations, any form of 'co-approval' introduces sufficient friction and delays that effectively make once-off consents pointless, even with the 24 hour once-off window. Option 3 nullifies this problem.

Additionally, introducing an avenue to restrict data sharing through a 'co-approval' model has the potential for one JA holder to effect control over the other JA holder. Probably not something we want to be introducing.

'Opt-out' settings
As above, let's keep things simple and expected by honouring the existing digital access rights of the consumers. That is to recommend not implementing an opt-out setting specific to CDR. The result would be that any JA holder with digital access to their account information (e.g. through a mobile banking app or Internet banking) would similarly have access to their account information via CDR once consent is established. The only way for that access to be removed would be to have digital access in general removed at the data holder for that JA holder.

There is acknowledgement of the effort and expense already outlaid by some data holders (including RAB) in the implementation of JA rules as they currently stand and that my position on 'opt-out' setting functionality would result in that effort and expense being thrown away. Granted this doesn't seem an ideal situation. I feel that in the interest of driving towards a functioning CDR ecosystem and a digital economy more broadly, we shouldn't lose sight of the bigger picture and we should objectively recognise the sunk-cost fallacy at play. The cumulative costs of maintaining an opt-out feature will, eventually, be more than the initial outlay. Also, despite 7 months of JAs I suspect numbers of JA consents are still relatively low. So lets save the bigger of the costs by cutting the opt-out feature lose sooner rather than later.

Notification requirements
Although we have almost 12 months of CDR experience under our belt now, I feel as though we still don't have enough experience to properly understand ideal notification requirements. On the one hand, informing all JA holders when any one of them sets up a sharing arrangement could be helpful in understanding who has access to data. But on the other hand, it could also be annoying, confusing and useless at best or dangerous at worst.

As it is always easier to introduce features than it is to remove them, I suggest we refrain from introducing potentially unnecessary complexity by way of notifications until we recognise an explicit need/requirement. If we must, then limit it to a notification to the consent initiator of ongoing consents only (i.e. not once-off consents; they're over in a flash).

Implementation considerations
Under the suggestions above, implementation is minimal; each JA holder is essentially handled as an individual account holder for their accounts, which is already supported by all active DHs. The effort for existing DHs would, in fact, be in pulling out any existing 'opt-out' setting functionality. Under this understanding, the existing implementation timelines can be maintained.

[CDR-API-Stream]

The following feedback was sent via email to [email protected] in addition to be posted here on behalf of Momentum Energy:

Dear Sir/Madam

Peer to Peer Data Access Model in the Energy Sector and ‘Opt-Out’ Joint Account Data Sharing Model

Thank-you for the opportunity to provide a submission in response to the recently released papers covering the Peer to Peer Data Access Model in the Energy Sector and the ‘Opt-Out’ Joint Account Data Sharing Model.

Momentum Energy Pty Ltd (Momentum) is an Australian operated energy retailer, owned by Hydro Tasmania, Australia's largest producer of renewable energy. We pride ourselves on providing competitive pricing, innovation and outstanding customer service to electricity consumers in Victoria, New South Wales, South Australia, Queensland, the ACT and on the Bass Strait Islands. We also retail natural gas to Victorian customers. We offer competitive rates to both residential and business customers along with a range of innovative energy products and services.

It is our understanding that the costs and benefits of the Customer Data Right (CDR) for energy have never been fully quantified. We are also unsure of how many customers will utlise their data right and the frequency of such utilisation. Therefore our responses to the issues raised in these consultation papers are largely based on preserving the privacy and control of customer data for customers and minimising complexity and costs for all parties. We believe that customers will initially be very cautious in their approach to the CDR and building their confidence in the systems and processes is paramount for its future success. In this submission we have only responded to questions which we believe have specific relevance to our business model.

2. Opt-Out’ Joint Account Data Sharing Model

Question 2 Is there variation to the operation of joint accounts in different sectors that should be considered when developing sector wide rules?

Momentum does not have joint accounts per se. Accounts are set up in the name of the financially responsible person. Accounts may have secondary contacts and enquiry contacts with less authority over the account. We ask that a single account model is maintained in the CDR energy rules with the restrictions currently placed on these lesser authorities continuing to be recognised.

Questions 7 Do you agree that an ‘opt-out’ approach is preferred over the current ‘opt-in’ approach?

As has now been asserted, Momentum contends a single account model would be the most appropriate approach to CDR in energy. Given this discussion of an ‘opt-out’ vs. ‘opt-in’ approach relates purely to how consent to CDR would be obtained from joint energy account holders, Momentum’s preferred model renders this discussion needless.

In any case, Momentum would raise concern that an ‘opt-out’ approach would have a diminishing effect on customers’ absolute right to control access to their data. Whilst we understand the intent of the ‘opt-out’ approach is to avoid ‘friction’ and to increase the initial and long term use of the CDR, we are concerned this comes at too high a cost. Customers need to have complete confidence that the CDR processes do not undermine the privacy or control of their data in any manner. Therefore, in our non-preferred scenario of a joint account model, we would be supportive of an ‘opt-in’ approach.

The first half of this feedback referenced the Peer to Peer Energy model and is submitted there.

[ghost]

@Abhinavraje Risk to vulnerable consumers is often brought up as an argument to tighten controls and introduce friction in CDR. However there is a flip side to that approach where if CDR is usable, efficient and simple it can provide invaluable opportunities for vulnerable consumers to escape their situations. The UK's open banking has produced some great examples with use-cases that help build financial resilience, access credit scores, access financial assistance, debt management/advice services, affordability calculators, etc... It is these sorts of opportunities that come to mind when I think of the having the consumer at the core of CDR. It would be unfortunate if we were to forego such potential opportunities.

[JTRlaw]

@charteredaccountantsanz @cpaaustralia

Representing over 200,000 professional accountants in Australia we support a single, sector wide, definition of a joint account and a single approach to action requests to share data from a joint account that mirrors existing authorities to transact on that account.

Question 1: Do you prefer the definition of joint accounts in the rules, or would you prefer a sector-wide definition?
We support a sector-wide definition. Such a definition should include persons authorised to act on a joint account in addition to the account holders.

Question 7: Do you agree that an ‘opt-out’ approach is preferred over the current ‘opt-in’ approach?
We do not agree to moving to an ‘opt-out’ approach. An ‘opt-out’ approach would potentially conflict with the intent of the CDR regime which is to provide a consumer control over their data. That control should not be diminished when their data is held in a joint account.

Question 11: Which option do you support for complex joint accounts and why?
We do not support the segregation of joint accounts into either simple or complex. An account is considered a joint account when there is more than one account holder. It is irrelevant how many account holders exist or the layers of authority to transact on such an account. To introduce different meanings of ‘joint’ based on such factors as the number of account holders adds an unnecessary layer of complexity with no discernible benefit for the consumer or regulated entities.

With the view that a joint account is an account with more than one account holder we support Option 1 – mirror current authorities to transact on all joint accounts.

[SarahSilbertAGL]

AGL appreciates the opportunity to provide feedback on the issues raised in the ‘Opt-out’ joint account data sharing model paper (Opt-out paper). Whilst this paper is largely directed to the banking sector, we acknowledge Treasury’s preference that a model be developed which is workable from an economy wide perspective. As an overarching comment, we do not consider that the joint account rules will have extensibility from the banking sector to the energy sector due to different account management practices and the fact that joint accounts are not commonly available in the energy sector.

We provide the following comments regarding the application of joint accounts in the energy sector and a broad overview of the manner in which accounts are established:

4. Joint accounts in a cross-sectoral context

• As noted in the Opt-out paper, unlike the banking sector, the energy sector does not have joint accounts as contemplated by the rules in Schedule 3, clause 1.2, nor do we employ an alternative term or format which meets that definition. There is no meaningful equivalence in the energy sector for that term.

• At AGL we refer to our customers as ‘account holders’ but only one person or entity can establish an account and this person or entity is financially responsible for the account, these persons are often referred to as the ‘primary account holder’. As a result, we cannot offer multiple account holders on an account as there can only be a single account holder to enable financial settlement of the account.

• In addition to the account holder, there are several different relationships that can be maintained within an account with varying levels of access to information and authorised actions, these roles are often referred to as a ‘secondary account holder’. Some of these designated relationships are contact persons, account managers for business accounts, invoice recipients, financial counsellors, those holding a power of attorney, broker/third party bill validator, each of which can have varying levels of access to an account but are not financially responsible for an account nor usually able to terminate or change a contract the account holder has with the retailer. This presents a significant difference to the banking sector with its concept of joint accounts in which both account holders have equal authority and liability for the account.

• Accordingly, in the energy sector whilst the account holder being a single party (person or entity) will be able to provide consent to CDR data sharing, we query whether this ability should or can be extended to secondary account holders, and if so, what authority, consent or verification must they be granted by the account holder to enable this whilst ensuring the ongoing security and privacy of the account holder’s information and data. We recommend further consultation on the concept of ‘secondary users’ as set out in the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 and its application to energy secondary account holders.

• While we support commonality of CDR across sectors, this might be one area where we need to develop energy specific rules to enable secondary account holders to participate in the CDR eco-system on behalf of the primary account holder. We suggest that Treasury further consults with the sector on design considerations for the provision of consent for CDR data sharing and how customer accounts are designated to enable the sharing of data. We refer to our comments on customer accounts presented in our Peer-to-Peer data access model response, also posted on GitHub.

[EnergyAustraliaCDR]

Hi All,
Feedback from EnergyAustralia below:

Joint Accounts in a cross-sectoral context

Joint Account concept may not be appropriate for energy sector
We welcome the opportunity to comment on the Design Paper regarding Joint Accounts. Our main point is that we disagree with the application of the “Joint Account” concept (however it is defined) to the energy sector.
The current CDR Rules provide for special arrangements for Joint Accounts in the banking sector. Joint Account is defined in the Rules as:

Joint Account :
(a) means a Joint Account with a data holder for which there are 2 or more Joint Account Holders, each of which is an individual who, so far as the data holder is aware, is acting in their own capacity and not on behalf of another person;
(b) does not include a partnership account with a data holder.

Where there is a Joint Account arrangement, the current CDR Rules provide that both Joint Account Holders must agree to or opt-in to the same disclosure option to allow for sharing of Joint Account data. The disclosure options are:

• Pre-approval - which means each Joint Account Holder can share data independently (without approval from other Joint Account Holders) and,
• Co-approval which means each Joint Account Holder must approve each data share before data sharing can occur.

We submit that the above current definition of Joint Account, and the entire concept of Joint Account does not fit the energy sector for the following reasons.

1. Consumers view energy and banking services differently - Consumers view their electricity accounts differently than they do their banking and other accounts with financial institutions; therefore, it is to be expected that multiple Account Holder arrangements will differ. i.e. It is a matter of convenience that partners living at a premises or a business may set up multiple Account Holder arrangements with their Energy Retailer, but most often will only enter into a Joint Account arrangement for their banking or financial services with a higher degree of care and ongoing attention (often visiting their bank to sign paperwork etc).
Also, energy Joint Accounts are based on physical supply of electricity to a site and this is fundamental to the arrangement. If one of the Account Holders is no longer associated with the site, it is often not top of mind for that Account Holder or other Account Holders to update their energy account details accordingly. This is a significant source of issues relating to family violence and privacy breaches. Energy Retailers take a great deal of care to contact the correct person, confirm their latest details, listen for and act appropriately on possible signs of family violence and to be particularly cautious of forwarding new address details (of the Account Holder that has moved) to other Account Holders linked to the same original account. Regardless of how each Energy Retailer sets up its systems, these factors will play out very differently for energy accounts versus banking and financial services accounts.

2. Granting account permissions and data sharing are different decisions - Another reason why the Joint Account concept does not translate well to the energy sector and possibly other sectors is to consider the different contexts in which account authority or permissions are being granted. A customer (Primary Account Holder) may be comfortable granting permissions to allow another person to manage their energy service and pay their bills, but they may not be comfortable in allowing that other person to share CDR data including sharing data in a way that could allow that other person to see it. i.e. managing an energy service and data sharing are different decisions. There are risks around assuming that being comfortable with the first means a customer is comfortable with mirroring those arrangements for the second. These risks are exacerbated if an opt-out approach is adopted for Joint Accounts as it means the mirroring approach applies as default unless the customer opts out.

3. The concept of independent authority is key - Energy Retailers may allow for multiple people to be connected to an account as “Additional Account Holders”; however, equating these Additional Account Holders to Joint Account Holders which have independent authority is overly simplistic and disregards key differences.
EnergyAustralia has different Additional Account Holders with different levels of authority or account permissions for the account that they are linked to. The highest level of authority is an Account Holder with financial responsibility (FR) for payment and debt, who also has much of the same permissions to take action with respect to the energy account, including arranging for disconnection of electricity supply (FR Account Holder).
Importantly however, this FR Account Holder arrangement is one where the Primary Account Holder can unilaterally revoke the FR Account Holder’s permissions, i.e. revoke the FR Account Holder’s authority without the FR Account Holder’s agreement. The FR Account Holder is therefore ultimately subordinate to the Primary Account Holder.

We consider the idea of subordinate versus equivalent or independent authority is a key criterion in determining whether the Joint Account Holder concept is relevant to new sectors.

In EnergyAustralia’s example, as the FR Account Holder is ultimately subordinate and does not have independent authority (i.e. their authority depends on the Primary Account Holder), we would suggest that the Joint Account Holder concept does not apply to EnergyAustralia’s account arrangements. We contend that the Secondary User concept could be a more appropriate mechanism to allow multiple people to share data under the CDR in a way that aligns to the structure of multiple Account Holder arrangements in the energy sector.
Our comments relate to EnergyAustralia’s Account Holder arrangements. Account Holder arrangements are inconsistent and vary significantly across Retailers in the energy sector and would be highly difficult to align.
Treasury should obtain information about the various arrangements across the sector and consider whether any of these arrangements meet the independent authority criterion outlined above.

4. Financial responsibility – The Paper suggests that the idea of financial responsibility may be a criterion to help define Joint Account Holders. Specifically, financial responsibility may have greater relevance when considering how Joint Accounts may be applied for sector-wide rules.

We disagree with this view as a financial responsible person linked to an account may not reside at the premises and physically consume electricity at that premises, and therefore much of the CDR energy data (such as Metering Data or consumption data) does not link to that person. Allowing a financially responsible person who does not reside at the same premises as the Primary Account Holder to be a Joint Account Holder and potentially share CDR data for that premises would not be appropriate. This is an issue which might not exist in banking – where there is no separate physical aspect of the service.
In addition, it is not an easy solution to require “Joint Account Holders” to be financially responsible and to reside at the same premises as the Primary Account Holder, as Retailers may not capture the latter as a data point. Another practical consideration is that Retailers may not be capturing the necessary details (e.g., mobile or email) to enable authentication of Additional Account Holders, which means that it will be difficult to implement Joint Account Holder arrangements for the energy CDR.

5. The size of the problem - Lastly, we highlight that Treasury should consider the scale of the Joint Account Holder issue in sectors other than banking. Unlike the banking sector where we understand a very high proportion of bank accounts are Joint Accounts, the proportion of multiple Account Holders in the energy sector is significantly lower. Only around 13% of EnergyAustralia’s electricity accounts have both a Primary Account Holder and a FR Account Holder. Therefore, setting up Joint Accounts for the energy sector (and granting access to multiple people linked to an account) will be much less frequently used compared to the banking sector. Further, and as alluded to above, Additional Account Holders can be made eligible to share data via the Secondary User mechanism (where that mechanism applies). The secondary user mechanism is in the CDR Rules today and has the benefit of setting up the secondary user instruction to share data as a different decision (resolving issue 2 above).

For completeness, a summary of our levels of Additional Account Holders is provided in the Attachment.

Default setting: Opt-Out approach

As detailed above, we do not consider that the Joint Account Holder arrangements under the CDR Rules should apply to the energy sector. However, should Treasury take a different view and extend Joint Account arrangements to the energy sector, our view is that the Opt-Out approach carries significant risks for customers and is not consistent with good customer experience. We note previous CX research and ACCC views to support this view below.

The Consumer Data Standards: Consent Flow Phase 2 CX Stream 1 Report June 2019 states:

“Almost all participants preferred Joint Accounts to require multi-party authorisation. Many participants expressed concerns about ability for one party to share access to a Joint Account without the other party’s approval. In particular, some participants had concerns that this could be used for surveillance, or that malicious Joint Account Holders could deliberately grant access to untrustworthy third parties.
Requiring multi-party authorisation was seen as the preferred method of accessing Joint Accounts by most participants, since this prevented abuse by malicious third parties by preventing access without all parties’ approval” (p 56)

When first considering Joint Accounts, the ACCC considered an approach aligned with Opt-Out, where each Joint Account Holder would be notified of any data transfer arrangements and given the ability to terminate any data sharing arrangements initiated by any other Joint Account Holders. The ACCC moved away from this approach in the first version of the CDR rules. The ACCC said in their CDR Rules outline:

“While the approach for Joint Accounts differs from the proposal in the Rules Framework, the ACCC considers that putting the election in the hands of consumers presents an appropriate balance between the divergent views received from stakeholders on appropriate permissions for Joint Accounts”.

Taking into account these strong previous views, we urge Treasury to conduct more customer research to ensure that customers are satisfied that an Opt-Out approach will provide sufficient control and oversight over data sharing by other Account Holders. The Paper refers to concerns about customer friction, but these concerns seem to have been raised by Accredited Data Recipients (ADRs) and not customers. We also note that an alternative explanation as to why Joint Account Holders do not complete the disclosure option journey might be that they do not want to share Joint Account data and therefore they disengage, and that it is not due to reasons of customers experiencing friction in using the process.

Another reason to retain an Opt-In approach is that it is another safeguard which may protect vulnerable customers, particularly customers at risk of family violence (physical or financial harm or abuse perpetrated by other Joint Account Holders).
The Rules already empower Data Holders to protect customers by choosing not to provide CDR data or to not show authorisations, data approvals or other notifications, where appropriate to prevent family violence. However, the Opt-In is another protection which applies where Data Holder efforts may fail (i.e., where the customer has not notified the Data Holder of their family violence issue). This is because the Opt-In provides a clear decision point where a Joint Account Holder who is vulnerable can refuse to allow the other Joint Account Holder/s (perpetrator) to share data on the Joint Account. This is particularly important for Metering Data which could show the likely patterns of when a vulnerable person is at their premises. We see moving from Opt-In to Opt-Out as removing a critical safeguard which would help prevent risks to vulnerable customers.

The Paper seeks feedback on additional protections for vulnerable customers. One key additional protection for vulnerable customers is to limit the data that can be shared through the CDR for Joint Accounts so that it excludes personal data i.e. data about an Account Holder’s contact details (including address) and potentially data that could expose patterns of a customer’s whereabouts (Metering Data). This approach was followed in the banking sector and would also be effective for the energy sector.

Complex Joint Accounts

We do not think that the concept of complex Joint Accounts (Account Holder requiring multiple approvals before a transaction can occur) is applicable to the energy sector.

The Paper seems to characterise “simple” accounts in the energy sector as arrangements which allow Joint Account Holders to independently add permissions for an additional person without approval from the other Account Holder (p 8). We consider this is a mischaracterisation – the relevant function should not be adding permissions of Additional Account Holders but being able to do actions in relation to the energy service. Focussing on the energy service would be more analogous to the approach for banking, where simple account means being able to transfer funds from the bank account without additional approval. Based on this re-definition of simple vs complex accounts to be where Additional Account Holders can or cannot do actions in relation to the energy service without further approval, we are not aware of any complex accounts in the energy sector. We submit that there is no initial need to accommodate complex accounts in the CDR Rules for the energy sector and should a need arise in the future Treasury can address it then.

It is also not clear how prevalent complex accounts are in the banking sector either. Canstar acknowledges that there are generally two types of joint bank accounts:

• “Both to sign”: can only transact when both Account Holders sign or approve. This is essentially the idea of complex accounts.

• “Either to sign”: can transact when either Account Holder signs or approves, analogous to simple accounts.

Canstar observes that as a rule of thumb, Westpac says most accounts are typically “Either to sign” – i.e. simple and not complex accounts.

Enhanced CDR Participant Communication

The Paper states that community feedback has suggested that issues relating to disclosure delays and denials can be mitigated with enhanced communication between Data Holders and ADRs. Basically, status updates are expected to assist ADRs in deciding when to proceed with collecting data based on the status update.

We need more detail about these communications. It is unclear how the status updates will benefit the ADR and how they may benefit the customer. For example, how may the updates be used by the ADR in their interactions with the customer? If there are no clear benefits to the customer then we question whether implementing the status alerts would be worthwhile. We also question whether the status alerts would be voluntary or mandatory.

Attachment

For completeness, we have set out the different roles that people can have in relation to an account.

1. Account Holder
   Retailers typically have a Primary Account Holder who has full control of the account to manage their electricity supply, and accountability for any debt that may incur on the account. Their name will appear on all bills and correspondence.

2. Additional Account Holders
   Retailers may also have arrangements to allow Additional Account Holders to be assigned to an account, upon request and as approved by both the existing Primary Account Holder and new Additional Account Holder. However, the Primary Account Holder can revoke the Additional Account Holder’s account permissions unilaterally.

Additional Account Holders can be assigned varying levels of authority and responsibility. The below categories are an example only of EnergyAustralia’s main arrangements.

• Additional Account Holder with financial responsibility (FR Account Holder): Person has the same level of authority as the Account Holder to manage the account e.g. arrange de-energisation and re-energisation. They may appear as a second person entry in the billing system. They are held accountable, alongside the Account Holder, for any debt that may incur on the account. Their name appears on any bills and correspondence. They are also eligible to claim concessions/rebates.
• Fully authorised (not financially responsible) – Person can do everything on an account that the Account Holder or Financially Responsible person can, including arranging de-energisation and re-energisation service orders etc. However, this person is not Financially Responsible for the account and therefore not held accountable for any debt. Power of Attorney has this level of authority.
• Enquiry only (not financially responsible) – Person can discuss with their Retailer and action the following: adding life support registration to an account, extend the bill due date, make balance enquiry, request general tariff/product information; request when the next scheduled read date is; discuss a bill/bill adjustment; apply a concession (if the Retailer has the concession details); provide a credit card payment; raise a fault service order; make and record a payment and set up direct debit (but not responsible for the debt on an account).

[PratibhaOrigin]

Origin appreciates the opportunity to provide input into the ‘opt out’ joint account data sharing model Design Paper. Origin has provided a detailed response to the Design Paper to Treasury.
A summary of our comments and specific technical comments are provided below.

• Joint account as defined in the CDR rules suggests that each account holder has the same level of authority on the account and have provided consent to act on each other’s behalf in relation to the account. We do not believe that this definition will transfer to the energy sector.

• There is no industry standard for setting up accounts in the energy sector.

• Our account set process is to generally to establish a primary account holder who has financial responsibility for the account and has full authorisation over the details of the account. Additional account holders or authorised representatives are included on accounts; however, they do not have the same level of authorisation on the account.

• It would seem that our additional account holders more align with ‘secondary users’ in the CDR rules and not ‘joint account holders’. However, we need to work through what information an additional account holder could obtain access to. The additional account holder would not provide any of the primary account details, direct debit details or concession information. If the additional account holder did not provide this information, should they be entitled to receive primary account holder details?

• Another key difference with the ‘secondary user’ requirements in the CDR rules is that additional account holders do not have online access to accounts. The primary account has the online access, and the secondary user will only have online access if the primary account holder has shared log in details for the account.

• Given the set-up of accounts, the CDR scheme should be limited to primary account holders in energy.

• We do not support an “Opt out” approach. A fundamental consumer protection in energy is the concept of explicit informed consent. This means that a customer must actively provide consent before a retailer can make changes to their plan or whether information on their account is shared. We believe this principle must be preserved under CDR regime.

• “Opt in’ approach is our preferred approach. It recognises the set-up of the account and that there are joint authorisations required on the account. It provides for data security and ensures that only data that has been consented to, is released.

• We have specific concerns on how domestic or family violence accounts will be dealt with within the scheme framework. These are a category of accounts which should be withheld from the CDR regime given the potential risks of data being received by a party not authorised to receive it. Under Victorian legislation (managed by ESC), retailers are not to share details of a family domestic violence accounts with anyone without the consent of the customer. Hence, we have explicit checklist including extra password to follow when a customer identifies themselves as family domestic violence victims. DSB and Treasury should consult with the ESC with regards to this issue if it is intended to include domestic violence accounts within scope.

• With complex accounts, the simplest and consumer focussed approach would be to allow the primary account holder to determine who is entitled to consent to the release of information.

Specific technical comments on the wireframes for the Joint Accounts are set out below -

• Design Paper Point 21 (p7) –

“The ‘opt-out’ approach suggests that the approach would automatically allow an individual joint account holder to independently share data on the joint account by consenting to an accredited person collecting and using the data from a joint account and authorising the disclosure of that data with a data holder. “

Question: If there is a joint account and account holder 1 initiates the CDR process and authorises DH, will the data be shared immediately (assuming the default opt-in on behalf of account holder 2? Is there a proposal to delay the sharing of data to allow account holder 2 to object if they do not want the data shared? How will the notification occur to account holder 2? There is a potential for data to be shared and account holder can only object after the fact.

•

CX Standards notes that there are exemptions for ‘harm and abuse’. It is understood that if an individual account to potential open to physical or financial harm, the data holder should provide notification in the authorisation flow that the additional account holder should not be notified.

We believe DV accounts should be excluded from CDR to protect the consumer – this is particularly important to energy. Please see above – there is an explicit provision in Victoria that we are not to share any details on the account without explicit consent and additional password provisions.

• In flow 1.3, any joint account arrangement should not include individual family domestic violence accounts or other sensitive customers. As stated above, these accounts should be excluded. Also in flow 1.3 , is it suggesting that the other account will not be notified?

[CDR-CX-Stream]

Thanks all for providing submissions and ongoing commentary.

The below follow up queries will help us correctly interpret these comments:

@spikejump
Thank you for providing this valuable feedback. We note your support for option 1 for complex joint accounts, which would make data holder implementation of co-approval mandatory. We are also interested in any views you (and others) have on how the principle that ‘consent to be valid/true at the time of consent’ can be applied to co-approval.

@anzbankau
Thank you for contributing these considered points on action-initiation. The Government has not yet provided a response to the Inquiry, and as such a potential future state for action-initiation has not been defined. The Design Paper does make the following assessments, but we are interested in strategic considerations (in addition to those already provided) for complex accounts and potential future states like action-initiation:

1. Page 10, in relation to how extensible Options 1-3 are for future directions of the CDR, including action-initiation
2. Page 11, line 41, in relation to co-approval settings
3. Page 17, line 70, in relation to co-approval and potential action-initiation examples

@damircuca
Thank you for submitting this response. We are seeking clarity on your response to question 10, which asks if the proposed CX Standards in section 5.3 are supported. These standards are concerned with providing in-flow notifications to AH-A only (which you referred to as the 'principal person'). Our interpretation of your response is that it relates to the overall position on notifications being provided to the other account holder(s) in section 8.1, rather than the way the CX Standards propose to notify AH-A. We would like to understand if your views on the CX proposals in section 5.3 differ to your views on the overall notification position in section 8.1.

[WestpacOpenBanking]

Westpac welcomes the opportunity to provide feedback on design paper #176 (an ‘opt-out’ data sharing model for joint accounts in the banking and energy sectors). We support the intent of reducing friction for consumers, however, any trade-offs should be carefully considered including completion of a detailed privacy impact assessment.

Our concerns with the current proposal are as follows:

• It does not align with the CDR principle that consent is voluntary, express, informed and specific as to purpose;
• It results in inconsistency with existing ways customers manage their banking joint accounts for things such as setting communication preferences and opting in for eStatements (i.e. these are not tied to transaction authority); and,
• It leads to potential reputational risks for data holders and the broader CDR ecosystem if consumers believe their joint account data is shared without their explicit authorisation.

With regard to the complex joint account options, our feedback is as follows:

• Option 1: We agree with NAB that transaction authority and data sharing authority serve two different purposes and that these should not be linked. Our view is that consideration to link transaction and data sharing authority should also consider other elements of how joint accounts are managed more generally (as noted above they are not currently relied upon for communication preferences and eStatements, and as noted by ANZ, extension for future write-access should also be considered).
• Option 2: We do not agree with having separate approaches for “simple” and “complex” joint accounts. We note that customers can change signatory authorities at any point in time and this will likely to result in confusion to the customer from the different proposed approaches. This also creates build complexity from supporting two different approaches.
• Option 3: We are not supportive of an opt-out model. In addition, we note that the other joint account holder(s) have no recourse with the ADR to get their data deleted (unlike the consenting joint account holder, who holds the relationship with the ADR). An opt-out model further removes consumer control over the data for this account holder.

In terms of implementation considerations, we note that all options require additional build work. We agree with NAB that there is significant technical work to align transaction authority and data sharing authority. An opt out model may also require update to product terms and conditions which will further add to implementation timeframes. Coupled with the already significant build work underway for the current compliance milestones, we would recommend that any change be considered for 2022 H2.

[commbankoss]

The Commonwealth Bank (‘CBA’) appreciates the opportunity to make this submission in response to the Treasury’s An ‘opt-out’ data sharing model for joint accounts in the banking and energy sectors design paper, published 30 April 2021. We welcome the introduction of a design paper approach, which allows for discussion of concepts and policy issues during the design stage, prior to draft Rules and Standards being issued for formal consultation.

The Consumer Data Right (‘CDR’) is a reform that has the potential to drive significant economic benefits for consumers for decades to come. As one of the first organisations to be delivering the CDR for our customers, and as the first major bank to become an Accredited Data Recipient (‘ADR’), CBA is committed to building trust in the regime and maximising its benefit for all Australians.

CBA re-affirms its view that for Open Banking to deliver positive outcomes and increase benefits to consumers, the Rules, Standards, and implementation approach must prioritise data security and customer privacy rights.

The primary consideration of the CDR regime must be ensuring that consumer trust and confidence in the regime is not reduced through a weakening of the consumer protection mechanisms in the CDR framework. This means ensuring:

1. consumer data is protected by appropriately robust security practices;

2. privacy protections are retained at every step in the process;

3. consumer consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn; and

4. appropriate oversight, monitoring and governance of entities collecting, holding, and transmitting CDR data is conducted.

Responses to specific questions raised in the design paper:

7. Do you agree that an ‘opt-out’ approach is preferred over the current ‘opt-in’ approach?

CBA is not supportive of an ‘opt-out’ approach for joint accounts.

An ‘opt-out’ approach does not align with the objective of the CDR regime, which is to give consumers more control over their data (which includes personal information). The CDR is a right for consumers to determine what data is shared, on what terms, and with whom. This is achieved by requiring the consumer’s consent for the collection and use of their CDR data, and ensuring that their consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn. An ’opt-out’ model for joint account holders would effectively take away that control, as it will result in data being shared without the prior consent of certain consumers.

Further, transacting on an account is inherently different than data sharing – currency is fungible and recoverable; data is not. Transaction data reveals rich information about a person’s location, their preferences, associations, who they are with, their income and liabilities. This data is inherently personal, and may include sensitive information under the Privacy Act 1988. In our experience, it would be out of line with customer expectations for this data to be shared without their explicit consent. As such, it is our view that the current opt-in approach must prevail as it ensures that data sharing can only occur on a joint account once all account holders are informed, have consented and enabled the account for data sharing.

It is our view that the proposed ‘opt-out’ approach is contrary to global privacy and data security trends which would compromise the interoperability of the CDR, and is not aligned with recent recommendations by the Australian Competition and Consumer Commission (‘ACCC’) and Office of the Australian Information Commissioner (‘OAIC’) on consent, including:

a) The ACCC’s recommendation on strengthening consent requirements and pro-consumer defaults in the recently published Digital Platforms Inquiry Final Report, which statedⁱ:

Valid consent should require a clear affirmative act that is freely given, specific, unambiguous and informed (including about the consequences of providing or withholding consent). This means that any settings for data practices relying on consent must be pre-selected to ‘off’ and that different purposes of data collection, use or disclosure must not be bundled.

In December 2020, the ACCC reiterated this recommendation in their submissionⁱⁱ to the Review of the Privacy Act 1988 (‘Privacy Act Review’). The ACCC also noted that allowing consumers to have meaningful control over their data is ‘integral to maintaining the consumer trust necessary to continue the economic and social benefits of personal data flows’.ⁱⁱⁱ

b) The OAIC’s recommendations in their submission to the Privacy Act Review that consent should be defined to ‘require a clear affirmative act that is freely given, specific, current, unambiguous and informed’.^iv

We hold concerns about the implications for customer financial security and wellbeing if an opt-out approach is taken in the CDR. Further, we hold concerns about the implications of an ‘opt-out’ approach for consumers experiencing vulnerability, and encourage further consultation with consumer advocacy groups on the design of any proposed changes to the current ‘opt-in’ approach and consent model.

11. Which option do you support for complex joint accounts and why?

CBA is firmly of the view that the current opt-in approach should be retained for all joint accounts, whether ‘simple’ or ‘complex’, for the reasons outlined above. The current opt-in approach ensures that data sharing can only occur on a joint account once all account holders are informed, have consented and enabled the account for data sharing.

12. Do you agree with the proposal to remove ‘in flow election’ requirements?

CBA supports retaining the current ‘opt-in’ approach and ‘in flow election’ requirements. CX research conducted by CBA has shown that in-flow election provides an improved user experience that will significantly aid consumer uptake of joint account data sharing.

Additional comments, clarifications:

• The complexity and material risks of introducing a change to core tenets of Open Banking (i.e. opt-in approach and consent-driven sharing) cannot be understated. As such, any consideration and design of future CDR policy should be informed by data-driven findings of a post-implementation review conducted after the full implementation of the current CDR (Open Banking) regime as recommended in the 2017 Final Report for the Review into Open Banking in Australia^v and previously committed to by Government.
• Regarding the proposed changes to CDR policy and Rules, CBA would appreciate greater clarity on what consideration has been given to the strategic roadmap for the CDR, including the proposed Future Directions for the CDR, such as expansion to action initiation and payment initiation?

---

ⁱ ACCC, Digital Platforms Inquiry – Final Report, Recommendation 16(c), p35 (available at https://www.accc.gov.au/system/files/Digital%20Platforms%20Inquiry%20-%20Final%20report%20-%20part%201.pdf)

ⁱⁱ ACCC Submission in response to the Issues Paper, December 2020, Review of the Privacy Act 1988, Annexure A, p16 (available at https://www.ag.gov.au/sites/default/files/2021-01/accc.PDF)

ⁱⁱⁱ 4.1 of the ACCC submission in response to the Issues Paper, December 2020, Review of the Privacy Act 1988, p7 (available at https://www.ag.gov.au/sites/default/files/2021-01/accc.PDF)

^iv OAIC Submission in response to the Issues Paper, 11 December 2020, Review of the Privacy Act 1988, Recommendation 34, page 77 (available at https://www.oaic.gov.au/assets/engage-with-us/submissions/Privacy-Act-Review-Issues-Paper-submission.pdf)

^v Australian Government, Final Report, Review into Open Banking in Australia, December 2017, Recommendation 6.6 (available at https://treasury.gov.au/consultation/c2018-t247313)

[jmmaughan]

People’s Choice welcomes the opportunity to provide feedback on the proposed changes to managing data sharing through the CDR regime for joint accounts.

People’s Choice agrees that a default ‘opt-out’ approach in relation to joint accounts is preferred over the current ‘opt-in’ approach in the CDR rules.

We believe that this approach will reduce friction for sharing data and improve consumer experience and participation within the CDR eco-system. The ‘opt-out’ approach will also simplify the rules and processes for providing authorisations in relation to joint accounts and the use of appropriate notifications will ensure joint account holders are adequately notified and kept advised of data sharing arrangements. Further, the CDR rules relating to the data minimisation principle and the deletion and de-identification of CDR data by accredited data recipients also provide additional protections for joint account holders, including during any period before an ‘opt-out’ right is exercised.

In relation to ‘complex joint accounts’, People’s Choice supports Option 3 which would mean the same ‘opt-out’ approach is taken across standard and complex joint accounts. By aligning the approach between standard and complex joint accounts so that both follow the same ‘opt-out’ approach, we believe there will be less confusion within our member base as all joint account types are treated consistently. This simplicity in rules will lead to a better understanding and acceptance of the CDR regime by consumers.

In People’s Choice’s opinion, the approvals or authorisations required to perform transactions on a joint account do not need to be the same as the approvals or authorisations required to share data relating to the joint account through the CDR regime. Performing transactions and sharing data are separate matters and should be treated as such.

Currently (outside of the CDR regime), each account holder on a joint account has the right to be provided with information relating to the joint account independent of other joint account holders, irrespective of the operating instructions on the account (i.e. even if the account is set to ‘all to sign’). This will continue to be the case outside of the CDR regime and any joint account holder will continue to be able to access information about the joint account without the consent or authorisation of the other joint account holders outside of the CDR regime irrespective of the rules and requirements that apply within the CDR regime.

If the ‘opt-out’ approach is introduced, we think that the CDR rules need to be clear about what the effect of a joint account holder opting out is. From the consultation paper and the current CDR rules, we understand that the effect of a consumer opting out would be that the ‘pre-approval option’ would cease to apply to the joint account and no data sharing from the account would be possible because no disclosure option would apply to the account. If this is correct, we do not see why an opt-out model necessarily means that the current ‘co-approval’ option in the CDR rules needs to be removed as suggested in the consultation paper as the ‘co-approval’ option could still be made available so that joint account holders who want to opt-out of the ‘pre-approval’ option still have the option of data sharing through the CDR regime with the approval of all joint account holders. If the ‘co-approval option’ is retained, we think it should remain optional for data holders to implement so that data holders can choose whether or not to provide it as an option to joint account holders.

The final approach to data sharing on joint accounts is an important decision which warrants careful consideration to reduce any costly rework and we appreciate the opportunity to be involved in this process.

[CDR-CX-Stream]

Thank you to those who provided feedback on our CDR rules and standards design papers. Consultation on these papers closed yesterday. Feedback received on these papers will inform the development of draft rules and standards, which will be the subject of formal consultation in the coming months.

As part of the consultation discussions, there has been a number of queries about the deferral of the joint account requirements and ‘direct to consumer’ obligations that would have applied from November 2021 (Treasury announcement). Treasury has responded to these queries with additional information, which is available on the CDR Support Portal.

This consultation is now labelled as feedback closed but we will leave this thread open in case there are any clarifications or responses to the feedback given by the DSB above.

[CDR-API-Stream]

The following feedback was received prior to cut off on the 26th of May 2021 and via email to [email protected].

The ABA has requested the feedback to be posted here.

210526 - ABA Treasury CDR opt-out proposal for joint accounts.pdf

[spikejump]

@CDR-CX-Stream with respect to your question in comment

@spikejump
Thank you for providing this valuable feedback. We note your support for option 1 for complex joint accounts, which would make data holder implementation of co-approval mandatory. We are also interested in any views you (and others) have on how the principle that ‘consent to be valid/true at the time of consent’ can be applied to co-approval.

The "principle", here being the consumers, while providing consent via the full end-to-end flow, will be presented with the authorisation screens from DHs. The DHs must know at that point in time whether an account can be shared or not. Knowing that fact, DHs can show non-sharable accounts but do not allow them to be selected. This essentially ensures when a consent is provided then whatever that's authorised for sharing can be shared and thereby ensure the consent is truly valid at the time of consent.

For those accounts that are not sharable, DHs can provide messaging to customers to inform them of the co-approval process or where to seek help to enable sharing of those accounts. The consumers may then need to rally all JA holders to approve the sharing and come back to initiate the consent flow again at a later time.

The non-sharable accounts don't have to be limited to JAs, eg., accounts that are locked due to potential fraud can be one as well. The point is only sharable accounts should be allowed to be included in a consent flow at time of consent to keep the integrity of the consent.