09 February 2018

Australian Open Banking Review Released

The Australian Government has released the Report of the Review into Open Banking. The Treasurer's speech can be found here and the media release here. The Review provides advice on the design and implementation of Australia’s Open Banking system. It is the first stage in a broader consumer data right which is to include other sectors including energy and telecommunications. I was appointed to lead the Review in July 2017.

Open Banking would give customers a right to direct that the information they already share with their bank be safely shared with others they trust. It is designed to give customers more access to, and control over, their information, leading to more choice in their banking and more convenience in managing their money, and resulting in more confidence in the use and value of an asset mostly undiscovered by customers – their data.

Open Banking is to be part of the Consumer Data Right in Australia, a more general right being created for consumers to control their data, including who can have it and who can use it. Banking is the first sector of the Australian economy to which this right is to be applied and Open Banking is the way that this is to happen. More sectors of the economy are to follow (energy and telecommunications have been announced already) and Open Banking needs to work together with them to form a single, broader framework.

The Report sets out detailed findings and recommendations on many complex and challenging issues. However, four simple principles emerge from it:

  • Open Banking should be customer-focussed. It should be for the customer, be about the customer, and be seen from the customer’s perspective. 
  • Open Banking should encourage competition. It should be done to increase competition for the banking products and services available to customers so that customers can make better choices.
  • Open Banking should create opportunities. It should provide a framework on which new ideas and business can emerge and grow, establishing a vibrant and creative data industry.
  • Open Banking should be efficient and fair. It should be effected with security and privacy in mind, so that it is sustainable and fair, without being more complex or costly than needed.

These principles of who Open Banking should be for, why it should be done, what it should do and how it should be achieved are shown in the following interactive diagram, which sets out how they relate to some key considerations for the Review and the recommendations which have been made. Summaries of the recommendations relating to each of these key questions can be found by clicking on them in the diagram. Hopefully, this will provide a useful introduction to the Review not only to those connected with banking in Australia but also, because of the breadth of the Consumer Data Right, to those involved in the energy and telecommunications sectors, and the data sector more generally.

Which customers could use Open Banking?

See recommendations 3.7 and 3.8.

Open Banking should be available for customers holding an account in Australia with an Australian Authorised Deposit-taking Institution. This includes individuals and small business.

See also "Who could be subject to Open Banking?" and "What information could Open Banking apply to?"

How could customers control the sharing of data?

See recommendation 4.5.

Data should only be transferred under Open Banking in accordance with the customer’s direction, which should be explicit, fully informed and able to be permitted or constrained according to the customer’s instructions.

How could customers’ privacy protections be preserved?

See recommendations 4.1 and 4.2.

Data recipients under Open Banking should be subject to the Privacy Act. The privacy protections applicable to Open Banking should be modified as suggested in the Report.

See also "How could customers get help if something goes wrong?"

How could customers get help if something goes wrong?

See recommendations 2.10 and 4.4.

Open Banking should have internal and external dispute resolution processes to resolve customer complaints. Small business customers should be given access to internal and external dispute resolution services for confidentiality disputes similar to those that exist for individuals under the Privacy Act.

Could customers stop the sharing of information?

See recommendation 5.6.

Customers should be able to grant persistent authorisation to receive data. However, they should also be able to limit the authorisation period at their discretion, revoke authorisation and be notified periodically that they are still sharing information. All authorisations should expire after a set period.

How could customers learn about Open Banking?

See recommendation 6.4.

The ACCC as lead regulator should coordinate the development and implementation of a timely customer education programme for Open Banking. Participants, industry groups and consumer advocacy groups should lead and participate, as appropriate, in consumer awareness and education activities.

When could Open Banking start?

See recommendations 6.1 and 6.3.

A period of approximately 12 months between the announcement of a final Government decision on Open Banking and the commencement date should be allowed for implementation in relation to transaction and product data.

See also "Could Open Banking be phased in?"

Could Open Banking be phased in?

See recommendations 6.2 and 6.3.

From the date that Open Banking commences, the four major Australian banks should be obliged to comply with a direction to share data under Open Banking. The remaining Authorised Deposit-taking Institutions should be obliged to share data from 12 months after the commencement date, unless the ACCC determines that a later date is more appropriate.

See also "When could Open Banking start?"

Where could the rules be found?

See recommendations 2.1 and 2.5.

Open Banking should be implemented primarily through amendments to the Competition and Consumer Act 2010 (Cth) that set out the overarching objectives of the Consumer Data Right. The amendments should enable the designation of a sector by Ministerial direction and create the power to set out regulations and operational rules for sectors. The Standards should include transfer, data and security standards.

Which regulators could be involved?

See recommendation 2.2.

Open Banking should be supported by a multiple regulator model, led by the ACCC, which should be primarily responsible for competition and consumer issues and standards-setting. The OAIC should remain primarily responsible for privacy protection. ASIC, APRA, the RBA, and other sector-focussed regulators as applicable, should be consulted where necessary.

What customer interface could be used?

See recommendations 5.1 and 5.9.

Data holders should be required to allow customers to share information with eligible parties via a dedicated application programming interface (API). However, Open Banking should also allow users who do not use online banking to authorise the sharing of information through service channels which are ordinarily provided by the data holder.

See also "How could data transfer take place?"

What information could Open Banking apply to?

See recommendations 3.1 to 3.6.

Open Banking should apply to transaction information on the types of accounts listed in the Report, if those accounts are in Australia. It also should apply to product information on certain widely available products. It could apply to customer-provided information in the future. It should not apply to value-added data or aggregated data sets.

See also "Could Open Banking be used for KYC?"

How could data transfer take place?

See recommendations 5.2 to 5.4.

The data transfer standards should be determined by the Data Standards Body. The starting point for the data transfer mechanism should be the UK Open Banking specification (including the authorisation and authentication flow) but the specification should not be adopted without appropriate consideration.

See also "What customer interface could be used?" and "How could the rules be set?"

How could information security be maintained?

See recommendation 4.8.

In order to be accredited to participate in Open Banking, all parties should be required to comply with designated security standards set by the Data Standards Body.

See also "With whom could information be shared?"

Could there be a charge for customers?

See recommendation 3.11.

Transfers of customer-provided and transaction data under Open Banking should be provided free of charge.

How could liability for data breaches be allocated?

See recommendation 4.9.

A clear and comprehensive framework for the allocation of liability between participants in Open Banking should be implemented. This framework should make it clear that participants in Open Banking are liable for their own conduct, but not the conduct of other participants.

How could the rules be set?

See recommendations 2.4 to 2.6.

The ACCC, in consultation with the OAIC, and other relevant regulators, should be responsible for determining rules for Open Banking and the Consumer Data Right. The rules should be written with regard to consistency between sectors. A Data Standards Body should be established to work with the Open Banking regulators to develop standards. This body should incorporate expertise in the standards-setting process and data-sharing, as well as participant and customer experience.

Could Open Banking be used for KYC?

See recommendation 3.4.

If directed by a customer to do so, data holders could be obliged to share the outcome of an identity verification assessment performed on the customer, provided the anti-money laundering laws are amended to allow data recipients to rely on that outcome.

How could participants be accredited?

See recommendations 2.7 to 2.9.

Participants should be accredited using a tiered, risk-based accreditation model which has regard to existing licensing regimes. The ACCC should determine the criteria for, and method of, accreditation. Accreditation criteria should not create an unnecessary barrier to entry by imposing prohibitive costs or otherwise discouraging parties from participating in Open Banking.

See also "With whom could information be shared?"

Who could be subject to Open Banking?

See recommendation 3.8.

The obligation to share information at a customer's direction should apply to all Authorised Deposit-taking Institutions (ADIs), other than foreign bank branches. The obligation should be phased in, beginning with the largest ADIs.

See also "Could data recipients also have to provide data?" and "Which customers could use Open Banking?"

With whom could information be shared?

See recommendations 2.7 and 3.10.

Only accredited parties should receive Open Banking data. Authorised Deposit-taking Institutions should be automatically accredited to receive data under Open Banking. A graduated, risk-based accreditation standard should be used for non-ADIs.

See also "How could participants be accredited?"

Could data recipients also have to provide data?

See recommendation 3.9.

Entities participating in Open Banking as data recipients should be obliged to comply with a customer’s direction to share any data provided to them under Open Banking, plus any data held by them that is transaction data or that is the equivalent of transaction data.

Could the framework be used in other sectors?

See recommendations 2.1 and 2.3.

Banking should be designated as a sector to which a much broader Consumer Data Right should apply. The legislative framework for Open Banking should embed a customer and competition focus in Open Banking, and allow the Consumer Data Right to be scalable across sectors.

Could Open Banking prevent other methods of sharing data?

See recommendation 1.1.

Open Banking should not be mandated as the only way that banking data may be shared. Allowing competing approaches should provide an important test on the design quality of Open Banking and the Consumer Data Right.


I encourage all of those interested to read the Report and engage with the next phases in the development of Open Banking and the Consumer Data Right. Also, I thank all of those from the banking, fintech, technology, regulatory and consumer communities who assisted me with the Review by their contributions and engagement. As I have been asked to continue my work with the Australian Government in developing the Open Banking and consumer data framework, I look forward to further engaging with these, and the energy and telecommunications, communities to build together an adaptable and efficient system that is not only safe, but also supports innovation.

Please contact me, or other members of the King & Wood Mallesons Digital Economy team, if you would like to know more.