Decision Proposal 350 - August 2024 Rules - Standards Impacts #350

CDR-CX-Stream opened this issue Jun 6, 2024 · 25 comments

Labels:
  • Category: API - A proposal for a decision to be made for the API Standards
  • Category: CX - A proposal for a decision to be made for the User Experience Standards
  • Industry: All - This proposal impacts the CDR as a whole (all sectors)
  • Status: Feedback Period Closed - The feedback period is complete and a final decision is being formulated

Comments

CDR-CX-Stream (Member) commented Jun 6, 2024

Friday 9 August: Decision Proposal Published

Overview
The Treasury has published the exposure draft of the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No.1) Rules 2024 (the ‘August 2024 draft rules’) for consultation until Monday 9 September 2024.

The draft rules outline proposed changes to support the consent review and operational enhancements. The rules consultation documents and privacy impact assessment (PIA) can be found on the Treasury's website here.

Decision Proposal 350 outlines impacts to the consumer experience (CX) and technical data standards to support the August 2024 draft rules. The issues outlined in this paper largely relate to data recipients, though one proposal relating to a withdrawal standard being retired also relates to data holders.

The specific topics identified in this paper include:

  • Rules specific to the energy sector
  • CDR Receipts
  • 90-day notifications
  • Amending consents
  • Updates to clarify that CDR representatives must comply with the CX standards
  • Updates to existing standards relating to de-identification of redundant data
  • Secondary users
  • Nominated representatives

Consultation Documents
The decision proposal can be found below:
DP350 - August 2024 Rules - Standards Impacts (PDF)
DP350 - August 2024 Rules - Standards Impacts (DOCX)

The community should read this decision proposal paper in conjunction with the Treasury’s consultation documents (found here), which outline other details and changes relating to the consent review and operational enhancements.

The DSB has prepared visual examples to demonstrate how a range of the consent review changes may manifest in a consent flow, which can be found here. These artefacts should be considered in relation to this decision proposal consultation, but should not be taken as compliance references for the purposes of implementation.

Feedback
Feedback on this decision proposal paper will inform the binding standards to be considered by the Data Standards Chair, which will follow the making of any relevant rules.

You can submit responses to this consultation up until 9 September 2024. Feedback may be provided on this GitHub page. Stakeholders are also encouraged to raise queries on this GitHub page, which may help inform the development of feedback.

Feedback posted on GitHub is public by nature at the time of submission. Content posted on GitHub should be made according to the community engagement rules published by the DSB.

Stakeholder forum
The Treasury and DSB will also host an online stakeholder forum on Friday 23 August at 2pm via Microsoft Teams. This forum will supplement the written submissions process and to answer questions about the exposure draft rules, proposed data standards, and the consultation process. If you would like to participate in this forum, register your interest at CDRRules@treasury.gov.au.


Edit 27.9.24: Consultation closed on Monday 9 September
Edit 9.8.24: Decision proposal published for consultation

CDR-CX-Stream added the labels Category: API, Status: Open For Feedback, Category: CX and Industry: All on Aug 9, 2024
CDR-CX-Stream changed the title from "[Placeholder for upcoming consultation]" to "Decision Proposal 350 - August 2024 Rules - Standards Impacts" on Aug 9, 2024
CDR-CX-Stream (Member, Author) commented:

The Treasury has now published the exposure draft rules on the consent review and operational enhancements. The rules are open for consultation until Monday 9 September 2024.

Decision Proposal 350 has also been published to outline the expected impacts to the consumer experience (CX) and technical data standards to support the draft rules. The issues outlined in this paper largely relate to data recipients, though one proposal relating to a withdrawal standard being retired also relates to data holders.

Consultation documents and links can be found in the original post.

Feedback on this decision proposal paper will inform the binding standards to be considered by the Data Standards Chair, which will follow the making of any relevant rules.

The decision proposal consultation is open until 9 September 2024.

da-banking commented Aug 14, 2024

Hi

We would like to query the following items:

Secondary Users proposed rule change
We would like to see this reflected as a change in the standards and request that any Data Holders who have implemented this 'block' remove it. This assists in the maintenance of code and makes the user experience more manageable.
Furthermore, could there be clarity regarding any potential 'blocks' already in place. Should these be removed?

Nominated Representatives
Changes to the Nom Rep process have been mentioned. Now required to provide an online service.
The change describes this being readily accessible for 'online account administrators' to be appointed as Nom Reps.
In attempting to interpret this change is the following example accurate:

  • Business has 2 signatories who have online access to the business' accounts
    These 2 signatories should be able to appoint themselves as Nom Reps for the business via an online service

  • A 3rd signatory has no online access to the business' accounts
    This signatory cannot appoint themselves as Nom Rep directly, but could contact the Data Holder and have themselves set up as Nom Rep - does not need to be an online service

Please advise

Thanks
DA Banking

CDR-CX-Stream (Member, Author) commented:

Thanks for this input @da-banking - we've passed your queries on to the Treasury given this consultation issue only relates to the data standards.

If you'd like to engage further on the rules, the Treasury has invited stakeholders to the CDR Consent Review and Operational Enhancement Amendments Stakeholder Forum, which will be held virtually on Friday, 23 August 2024, 2pm-4pm AEST.

At the forum, Treasury will provide an overview of the key design features of the draft rules and the DSB will provide an overview of the associated standards changes. Attendees will have the opportunity to ask questions about the rules and standards proposals and consultation processes before making written submissions.

Written submissions on the draft rules should be provided to Treasury by the 9 September 2024 deadline. Treasury is also open to any bilateral meetings as part of this consultation.

If you would like to register for the forum, provide a rules submission, or arrange a meeting or have a question related to the rules, please contact the CDR Framework Unit by emailing CDRRules@treasury.gov.au.

DW-UDA commented Aug 14, 2024

The decision proposal states that "The issues outlined in this paper largely relate to data recipients, though one proposal relating to a withdrawal standard being retired also relates to data holders".

However, the "Nominated representatives" section includes a proposal for data holders to provide a new online service for appointing nominated representatives.

And the "Current recommendation" section doesn't mention this new requirement at all in relation to a future-dated obligation period. Can we please clarify if there is a recommended future-dated obligation period for this proposed change, and if so what it would be?

CDR-CX-Stream (Member, Author) commented:

Hi @DW-UDA - the rules and standards are being consulted on separately. The Treasury administers the rules consultation, while the Data Standards Body (DSB) develops the standards.

This decision proposal consultation only relates to the standards proposals that are being considered to support the draft rules. The rules out for consultation contain a range of other changes - they can be found here.

The statement on proposals being largely limited to data recipients is only referring to the standards proposals in this consultation document.

Apologies if that was not clear.

Part 50 - Transitional Provisions on page 20 of this rules document outlines compliance timing. Line 501 suggests that the nominated representative changes would apply 12 months after the rules are made, as follows:

Subparagraphs 1.13(1)(c)(iii) and (iv) and (1)(d)(iii) and (iv) and subrule 1.13(1A) of the principal rules, as inserted by the amending rules, apply on and after the day that is 12 months after the commencement of the amending rules.

However, as noted above, please refer to the draft rules for that detail and contact the CDR Framework Unit by emailing CDRRules@treasury.gov.au if you'd like to arrange a meeting or raise questions related to the rules.

perlboy (Contributor) commented Aug 14, 2024

This DP suggests a 6-month FDO after Standards are bound, but since the Rules are still in draft and their finalisation is unclear, setting Standards now could lead to revisions. Can the DSB clarify their assumption for an FDO, possibly 2025-05-12 or 2025-07-14?

On Nominated Representatives, Biza.io has already implemented this functionality across all sectors. We offer an opt-in/opt-out feature (Default value is Client choice), inside the CDR Dashboard, based on user roles, providing binary enablement for all CDR functionality. Clarity though is needed on the definition of an "administrator". In corporate settings, banking roles can be complex. Has the DSB considered if access levels will need to be factored into the opt-in/opt-out process? This is critical as we move beyond read-only access, and early consideration could prevent costly rework.

CDR-CX-Stream (Member, Author) commented:

Hi @perlboy - thanks for these points.

As noted in the paper, binding standards will not be considered until the rules are finalised, and the appropriate timing for the FDOs will be informed by community feedback and the timing of the final rules. Assuming the rules are made in Q4 2024, as an example, we'd then expect FDOs to be followed by 6 months or a supported date in the obligation schedule (e.g. 2025-05-12).

We'll pass your query on the definition of administrator to the Treasury and encourage you to email them on CDRRules@treasury.gov.au. The @CDR-CX-Stream and @CDR-InfoSec-Stream will consider your point on access levels for nominated representatives with the Treasury.

perlboy (Contributor) commented Aug 14, 2024

> As noted in the paper, binding standards will not be considered until the rules are finalised, and the appropriate timing for the FDOs will be informed by community feedback and the timing of the final rules. Assuming the rules are made in Q4 2024, as an example, we'd then expect FDOs to be followed by 6 months or a supported date in the obligation schedule (e.g. 2025-05-12).

I don't know if that response was intentionally ambiguous but it is.... Q4 is 3 months so it's 6 months +/- 3 months OR a date aligned with the obligation schedule. It'd be helpful if the paper simply said "the next obligation schedule date after 6 months has passed".

> We'll pass your query on the definition of administrator to the Treasury and encourage you to email them on CDRRules@treasury.gov.au. The @CDR-CX-Stream and @CDR-InfoSec-Stream will consider your point on access levels for nominated representatives with the Treasury.

We will respond in due course but this kind of goes to my initial question around defining a Standard with Rules in draft and further revisions possible (probable?). I know it's only been freshly published but there's a lot of learnings regarding cost of implementation that this first gambit of a DP and the DSB doesn't seem to have learnt (ambiguity, multiple releases of change, missing cost assessment etc).

CDR-CX-Stream (Member, Author) commented:

Apologies @perlboy, ambiguity was not the intention.

The intention in the DP was to provide options for the community to consider as follows:

  • 6 months after the standards are made; or
  • a date in the obligation dates schedule, which could be more or less than 6 months after the standards are made

Your comment suggests that, once any standards are made, the next obligation schedule date after 6 months has passed may be preferred, which is useful feedback.

perlboy (Contributor) commented Aug 15, 2024

> Apologies @perlboy, ambiguity was not the intention.

👍 All good, was trying to decipher!

> Your comment suggests that, once any standards are made, the next obligation schedule date after 6 months has passed may be preferred, which is useful feedback.

Hmm... Focus here in particular is "next obligation schedule date". Introducing an FDO that isn't aligned to the agreed 2025 dates would be a diversion from where I think the DSB was headed but also would not align with a Richards recommendation: "Changes to CDR data standards would be more manageable for the industry if limited to a small, fixed number of scheduled standards releases per year, with implementation dates providing longer lead times. Changes to CDR rules may need to be aligned to these release dates."

CDR-Engagement-Stream commented:

For those interested we have put together a short video summary of Decision Proposal 350.

jill-adatree commented Aug 20, 2024

I agree with the proposal except one aspect: Nominated Representatives. There must be CX Standards for Nominated Representatives. CDR is all about a consistent CX, and right now, the processes to nominate a Rep are anything but consistent. A "simple and straightforward" process leaves too much interpretation and ultimately hiding this step.

We need CX standards to ensure what the process looks like, what active or implied selections or statements, any confirmation, etc. Also a clear action for any support/help required too.

Having more instruction on what "good" is will set us up for success, since business data use cases being enabled is in the top 3 priorities of the Minister.

markskript commented:

Skript wholeheartedly agrees with Jill's feedback on the improvements required to the Nominated Representative process. The variations in implementations are actively blocking businesses trying to adopt the CDR.

CDR-CX-Stream (Member, Author) commented:

Thanks @perlboy - we were attempting to provide flexibility given the only proposed FDOs at this stage would be for ADRs, in case ADRs wanted to move sooner on these changes.

We can align to an obligation date schedule that is 6 or more months after the standards are made (e.g. 12 May 2025), or an obligation date in the schedule that is less than 6 months after the standards are made (e.g. 17 March 2025), if feedback supports it.

CDR-CX-Stream (Member, Author) commented:

Thanks @jill-adatree and @markskript for these comments.

The rules are proposing an obligation date for the nominated rep changes of 12 months after the rules are made. We also understand that some DHs may have online nomination processes already, which may differ to other DH processes, that would need to be considered in relation to your proposal.

It would be helpful to understand what any proposed standards might state in practice, and if the intention is to have, for example, a standard regarding the length of the process, and/or what selections and statements the standards would need to consider.

CDR-CX-Stream (Member, Author) commented:

The DSB has developed additional wireframes to demonstrate how the rules changes may look in practice, including:

  • Simple collection and use consent
  • Bundled collection, use and disclosure consent
  • Collection and use consent where supporting parties and outsourced service providers are used
  • Collection and use consent where a de-identification consent is sought
  • Collection and use consent where a direct marketing consent is sought

These consent flows incorporate key rules changes proposed by Treasury (see the rules consultation on Treasury’s website), including proposals 1.1, 1.2, 1.3, 1.6, 1.7 and 1.8.

These have been produced in addition to the artefacts provided in DP350 and the original post.

N.B. these wireframes are only illustrative examples for consultative purposes. They should not be taken as definitive guidance of compliance with the rules and should not be considered as legal or compliance references for the purposes of implementation.

You can view these wireframes in Figma in this online link.

perlboy (Contributor) commented Aug 21, 2024

> Thanks @perlboy - we were attempting to provide flexibility given the only proposed FDOs at this stage would be for ADRs, in case ADRs wanted to move sooner on these changes.
> We can align to an obligation date schedule that is 6 or more months after the standards are made (e.g. 12 May 2025), or an obligation date in the schedule that is less than 6 months after the standards are made (e.g. 17 March 2025), if feedback supports it.

This is a very confusing explanation and I'm a bit baffled why the back and forth is necessary, why is this being made more complicated than it needs to be? The FDO dates aren't participant specific and don't stop a participant doing it early. For organisations like Biza, who are both Holder and Recipient, they are understood as the dates the DSB has agreed they will align to. Not doing this is literally ignoring various feedback and the Minister's explicit direction to the Chair.

Feedback: Align to the Obligation Date Schedule

Is that clear enough?

da-banking commented Aug 23, 2024

Today's call with Treasury and Michael (DSB) was really useful.

We have the following additional comments following that call:

Nominated Reps
We feel there needs to be some screen designs of the nominated reps UI, to help give guidance to data holders.
The DSB indicated on the call that this may be possible

Can you explain the difference between a business consumer and a nominated rep?

Should the online service allow a business consumer to remove a nominated rep (I believe this was a yes)?

If so, what does that mean. i.e. should that remove them as a signatory from the account also?
If it's a multi-to-sign account, could that increase the risk of fraud by letting a nominated rep change it to a 1-to-sign account?

jill-adatree commented:

> Today's call with Treasury and Michael (DSB) was really useful.
>
> We have the following additional comments following that call:
>
> Nominated Reps We feel there needs to be some screen designs of the nominated reps UI, to help give guidance to data holders. The DSB indicated on the call that this may be possible
>
> Can you explain the difference between a business consumer and a nominated rep?
>
> Should the online service allow a business consumer to remove a nominated rep (I believe this was a yes)?
>
> If so, what does that mean. i.e. should that remove them as a signatory from the account also? If it's a multi-to-sign account, could that increase the risk of fraud by letting a nominated rep change it to a 1-to-sign account?

AFAIK, a business consumer is the entity. A nominated representative is an employee, director or individual who makes the consent on behalf of the business. Think of it as giving someone access to online banking - they're just an individual.

The nom rep should only be in scope of CDR permissions to consent to data sharing - changing the signing authority of the account in general is well out of scope for this.

DW-UDA commented Sep 2, 2024

> Nominated Representatives Changes to the Nom Rep process have been mentioned. Now required to provide an online service. The change describes this being readily accessible for 'online account administrators' to be appointed as Nom Reps. In attempting to interpret this change is the following example accurate:
>
>   • Business has 2 signatories who have online access to the business' accounts
>     These 2 signatories should be able to appoint themselves as Nom Reps for the business via an online service
>   • A 3rd signatory has no online access to the business' accounts
>     This signatory cannot appoint themselves as Nom Rep directly, but could contact the Data Holder and have themselves set up as Nom Rep - does not need to be an online service
>
> Please advise
>
> Thanks DA Banking

Has any guidance from Treasury been received on this query?

And as a follow-up question, in the scenario above would the 2 signatories with online access be permitted to appoint the other signatories as nominated representatives? Or are the rules intended to prevent a nominated representative from appointing another nominated representative?

I can't see anything in the current rules or proposed rule changes that defines any requirements for who can be a nominated representative (other than being an individual over 18), so does anything stop a nominated representative who is a signatory for a business's accounts from appointing a nominated representative who has no operational relationship to the business's accounts?

Apologies if I am missing something obvious here.

CDR-CX-Stream (Member, Author) commented:

Thanks all for your points relating to nominated representatives.

We are discussing these points with CDR agencies and, as they are rules and potentially policy queries, our discussions will consider how best to provide any associated guidance.

perlboy (Contributor) commented Sep 2, 2024

> Nominated Reps We feel there needs to be some screen designs of the nominated reps UI, to help give guidance to data holders. The DSB indicated on the call that this may be possible

Happy to participate in any discovery the DSB would want on this with a fully functional interface.

> Business has 2 signatories who have online access to the business' accounts These 2 signatories should be able to appoint themselves as Nom Reps for the business via an online service

That's generally how it works in existing implementations although they can appoint themselves or others with pre-existing relationships (i.e. signatory), otherwise it is a paper based overlay to the same outcome.

> A 3rd signatory has no online access to the business' accounts This signatory cannot appoint themselves as Nom Rep directly, but could contact the Data Holder and have themselves set up as Nom Rep - does not need to be an online service

They would still need to be able to authenticate. The most likely pathway to this is onboarding into online banking.

> Can you explain the difference between a business consumer and a nominated rep?

⚠️ Consult Legal Advice:

[two images of rules excerpts, not reproduced]

> Should the online service allow a business consumer to remove a nominated rep (I believe this was a yes)?

⚠️ Consult Legal Advice:

[image of rules excerpt, not reproduced]

With a special callout to the the nominated rep acting in the business consumer capacity to remove a nominated rep (including themselves).

> If so, what does that mean. i.e. should that remove them as a signatory from the account also? If it's a multi-to-sign account, could that increase the risk of fraud by letting a nominated rep change it to a 1-to-sign account?

In circumstances they are still able to read the contents of the account? If so, the authorisation would be for the data sharing component (ideally as an individual action). Other account functions aren't in scope right now.

> AFAIK, a business consumer is the entity. A nominated representative is an employee, director or individual who makes the consent on behalf of the business. Think of it as giving someone access to online banking - they're just an individual.

👍

> The nom rep should only be in scope of CDR permissions to consent to data sharing - changing the signing authority of the account in general is well out of scope for this.

Agreed with data sharing being the first of many CDR specific permissions.

> Has any guidance from Treasury been received on this query?

Can the signatories ask for information about previous transactions?

> And as a follow-up question, in the scenario above would the 2 signatories with online access be permitted to appoint the other signatories as nominated representatives? Or are the rules intended to prevent a nominated representative from appointing another nominated representative?

Can they both read it? Current implementations have all nominated representatives with equal privilege or via paper enablement. For the purposes of sharing if anything this now makes those reading the data accountable.

> I can't see anything in the current rules or proposed rule changes that defines any requirements for who can be a nominated representative (other than being an individual over 18), so does anything stop a nominated representative who is a signatory for a business's accounts from appointing a nominated representative who has no operational relationship to the business's accounts?

They are a signatory, by definition they have an operational relationship as part of the Corporations Act. Either they (or the other nominated reps) would be ineligible because they have either actively disabled sharing permissions (or actively enabled them). I presume what the default is would be left to data holder discretion (both still meet the definition of "providing a service").

> Apologies if I am missing something obvious here.

Every persona being talked about is assumed to already be able to read the data; the CDR sharing is explicit and informed rather than being implied by proxy of internet banking access. If memory serves, in existing implementations all Nominated Representatives are notified of sharing when establishment occurs. Realistically, if another nominated representative was made aware of it they could contact the Recipient in the business consumer's ("CDR consumer") capacity and request data deletion etc.

Edit: Apologies for lots of edits, collating into one response.

CDR-CX-Stream (Member, Author) commented:

Thanks to those that contributed to DP350. This consultation is now closed.

The DSB will work with the Treasury regarding the nominated representative proposals for standards and guidelines, which will be considered following a review of the submissions.

The DSB is also working with CDR agencies to develop responses to the outstanding queries in this thread.

CDR-CX-Stream added the label Status: Feedback Period Closed and removed Status: Open For Feedback on Sep 10, 2024
joshuanicholson commented:

Regarding nominated representatives, we would like to suggest a missing element is performance or SLA requirements for data holders. There is no benefit to the ecosystem to have any process without KPI/SLA expectations. Consumers have become accustomed to online banking and related digital services. They are attempting to share data with an ADR via an online and real-time service. Therefore, an online process must provide the same expectations and experiences.

We suggest

  1. an administrator authorising themself or another administrator should have an SLA of sub 15 minutes.
  2. an administrator nominating people other than administrators be less than two business days

The current experience of forms taking several weeks (or even months) to approve is not sustainable. It's causing significant friction and is hindering the adoption of CDR. We need to make these changes to ensure a smoother and more efficient process.

CDR-CX-Stream (Member, Author) commented:

Thanks to those who raised queries regarding the nominated representative process, which have now been discussed with CDR agencies. To avoid confusion, responses and guidance will be held off until any final rules relating to the nominated representative changes are made.

9 participants