This article was written by Hannah Glass, Prudence Buckland and Smriti Arora.
While some financial institutions view data as an asset and others might see it as a liability, all appreciate that management of data is essential to their future. Financial institutions are already exposed to the disruptive effect brought by the proliferation of data. An institution’s ability to manage the data itself, as well as consumers’ expectations around their data, will be key to success.
It is in this context that the Government released the Productivity Commission’s (Commission) Inquiry Report on Data Availability and Use (Final Report) on 8 May. This report recommends a new system of open access to data to facilitate competition and innovation.
The Final Report recommends the Government introduce a “Comprehensive Right” to data which will provide data holders such as financial institutions and consumers, being individuals and small to medium enterprises (entities with less than $3 million in turnover (SMEs)), a joint right to view, transfer and correct data held by data holders.
Implementing open data within the financial industry (otherwise known as open banking) appears to be high on the Government’s agenda. While the Final Report recommends that industry determine the scope of the Comprehensive Right, Treasurer Scott Morrison announced that the Government will commission an independent review to recommend the best approach to implement this regime by the end of 2017, declaring that
“open banking … will empower consumers to seek out banking products better suited to their needs and create further opportunities for innovative business models in banking that enhance competition.”
Elements of the “Comprehensive Right”
The “Comprehensive Right” is designed to improve access to, and provide joint control over, consumer data. The “Comprehensive Right” comprises 5 elements:
- a perpetual joint right to access data, which entitles consumers to access any digital data “about” them held by the financial institution at the time of the request.
- a right for the consumer to receive a copy of their consumer data - this is linked to the right to access the data.
- a right to request edits and corrections to the data that is held - this entitles consumers to request that errors in their consumer data be amended. The “Comprehensive Right” extends the right in the Privacy Act 1988 (Cth), which allows individuals to request edits or corrections to their personal information, to other ‘consumer data’ and provides a similar power to SMEs. Consumers are only able to query the accuracy of the data; this does not give consumers the right to appeal automated decisions (as these decisions are arrived at by the data holder’s own analysis of the information provided).
- a right to direct a data holder to transfer consumer data - this entitles a consumer to direct a data holder to provide a copy of its consumer data to any third party in machine-readable form.
- a right for the consumer to be informed of the trade or other disclosure of its data to third parties.
The ability for the consumer to request that copies of their data be ‘provided’ to third parties, and to be informed of its trade or disclosure by a data holder to a third party, is key to the “Comprehensive Right”.
The final 2 elements described above – the right for a consumer to direct data holders to provide a copy of data to third parties, and the consumer’s right to be informed when a data holder provides its data to third parties – are arguably the centrepiece of this new framework. Unlike traditional property, it is control, rather than ownership of data which matters. When data is provided to a third party, in the absence of any obligation to delete that data, the original holder does not lose any rights to that original copy of data.
Allowing consumers to provide or direct a data holder to provide consumer data to a third party is said to improve consumers’ mobility between service providers, increase consumer access to complementary services, and create new business opportunities – all of which strengthen the competitiveness of the industry. For instance, compulsory ‘know your client’ (KYC) and credit checks require consumers to provide the same information multiple times to different organisations. If a consumer has a right to direct a data holder to provide its data to a third party, consumers can more easily share this data, making it easier to access services provided by that third party.
Implementing this Comprehensive Right will require broad legislative change. A notable example is the Privacy Act 1988. This Act is designed to protect personal information from, amongst other things, modification or disclosure. It also provides that a data holder should either destroy or de-identify any personally identifiable information it holds. To the extent that the “Comprehensive Right” permits the disclosure of personally identifiable information, some of the protections in the Privacy Act 1988 may be abrogated. The interaction between existing laws and the instrument implementing the “Comprehensive Right” will need to be carefully considered.
The “Comprehensive Right” has changed since the earlier draft report to account for feedback received from financial institutions.
The “Comprehensive Right” in the Final Report takes account of industry feedback on the draft report released in November last year (Draft Report) to better balance commercial incentives and capabilities with consumer rights to data. The previous iteration of the right centred on the consumers' rights to data and did not fully account for data holders’ rights to that data - for example, retaining their commercial incentives to collect, maintain and add value to data.
Unlike the previous iteration, the “Comprehensive Right” recommended in the Final Report does not include a right for a consumer to request a data holder stop collecting information about the consumer, or direct a data holder to delete the consumer’s data (once that data is provided to another entity). These two components were removed following feedback which suggested that these obligations would be at odds with the “joint” control of the data between the data holder and consumer.
Other pragmatic changes to the “Comprehensive Right” were made to account for practical realities. For instance, there is no requirement in the Final Report that a consumer be alerted each time their data is provided by a data holder to a third party. Instead, the Final Report recommends that data holders publish (and regularly update) an accessible list of parties to whom consumer data has been traded, or otherwise disclosed, in the past 12 months. This requirement is easier for data holders to comply with and still achieves the intention of keeping the customer informed, which may help to foster trust and confidence around data disclosure.
Another significant change is that data holders may charge consumers for accessing data or directing a data holder to provide their data to a third party. Whilst any charge must be commensurate with the difficulty of accessing and providing the information (which will be determined by each industry with oversight by the ACCC), this acts as a deterrent to unnecessary, repeated requests for access to data.
Some changes have also been made to fit within broader policy objectives, such as abandoning the recommendation that data be provided via APIs in favour of a technology-neutral approach.
Broadly speaking, these revisions show that the Final Report endeavours to strike a balance between the rights of data holders and consumers.
The report recommended that industry have the right to determine the scope of the Comprehensive Right, provided it comes to an agreement in time…
Data is created for a particular purpose, in a particular context, meaning that the nature of the information, how it is held and how it may be provided to others will differ according to the use of that data. To ensure that data is treated in an industry appropriate manner, the Final Report outlines the scope of the “Comprehensive Right”, but leaves industry participants (which, for the first time, includes both incumbents and fintechs) to come to an agreement on the precise detail of this right.
The proposed interaction between the Final Report and the industry agreement is best illustrated by the definition of ‘consumer data’. The Final Report provides that ‘consumer data’ generally refers to digital data, held by a product or service provider, identified with a consumer and associated with a service provided to that consumer. At its broadest, this may include data that is merely associated with transactions relevant to the provision of data to a nominated third party. On the other hand, the Final Report recommends that “imputed data” remain the property of the data holder and not be included in the definition of consumer data. Imputed data is information that is recorded as a characteristic of a consumer by that entity, but which is not collected directly from the consumer and is not considered to be identifiable data (such as the likelihood of someone being able to pay a debt). It might also include data which has been derived from multiple data sets and transformed to such an extent that it is probably associated with an individual consumer.
However, these are merely recommendations as the scope of the definition is ultimately to be determined by the industry itself (following recommendations of an independent reviewer) to ensure that it is workable.
If these recommendations are accepted, industry should establish a process to review and reach agreement on the exact definition of consumer data, the mechanism to transfer data and the security/liability protocols around that transfer. In the event that fintechs and incumbent financial institutions are unable to come to an agreement, the ACCC will be tasked with overseeing the implementation of the broad default “Comprehensive Right” set out in the Final Report.
…but “open banking” is a priority for the Government.
Financial institutions are singled out in the Final Report as an industry which must quickly take steps to implement the “Comprehensive Right”. In his budget speech, Treasurer Scott Morrison stated that
“The introduction of an open banking regime in 2018 will give customers greater access to their own data, empowering them to seek out better and cheaper services.”
Despite the Commission’s recommendation to Government that industry determine a workable model, as far as the banking sector is concerned, the Government has signalled other intentions. In its response to the House Economics Committee’s Review (Coleman Report) of the four major banks, the Government has said that it will introduce an open banking regime in Australia and has announced that an “independent review” will be conducted to determine the most appropriate model to enable open banking in Australia. This independent review should provide Government with a report by the end of 2017 detailing how it should implement this regime. It will be important to be engaged with this process to ensure that the scope of the Comprehensive Right in the “open banking” regime is sensible and practicable.
Given the Government’s mandate, and the difficulty of complying with the broad default provisions, if (and as soon as) these recommendations are accepted by Government, it will be essential for all parts of the industry to swiftly collaborate to define its position and arrive at a workable data regime.
Financial institutions will need to ensure that their internal systems will allow compliance with the Comprehensive Right.
Each financial institution should also consider whether its internal compliance mechanisms and IT systems will allow the institution to implement the requirements of the Comprehensive Right. Compliance policies and practices, as well as IT systems, should be reviewed to ensure that there is sufficient functionality and adequate security measures in place to store, manage and transfer consumer data as required under the Comprehensive Right. From a technology perspective, it may even be worth considering whether external service providers or new technologies, such as blockchain, could be used to more easily manage consumer data and comply with the requirements of the Comprehensive Right.
A quick note on comprehensive credit reporting – it’s coming.
The Final Report also recommends that licensed credit providers report comprehensive credit information for at least 40% of all active credit accounts by 30 June 2017. If not, the ACCC and the Office of Australian Information Commission (OAIC) will be tasked with creating legislation to implement this regime. In a recent media release the Treasurer stated that financial institutions have until the end of the year to reach this 40% threshold; however, the expectation is that licensed credit providers should act quickly to provide this information, or face legislation mandating its release.
And this is only the beginning…
These changes are only the first step on the road to ‘open banking’. The Government has also tasked the Commission to conduct a review into the state of competition in the financial system to commence on 1 July 2017. It will also provide the ACCC $13.2 million over four years to establish a dedicated unit to undertake regular in‑depth inquiries into specific financial system competition issues.
Remember too that the Comprehensive Right is not the only part of the Final Report that may affect financial institutions. The Commission has also recommended that ‘high value’, high quality data be released as part of a National Interest Dataset - if it is in the national interest to do so. While the Final Report notes that public sector data will typically be designated as a ‘National Interest Dataset’ or ‘NID’, private sector data may also be designated. These NIDs will be made available to ‘trusted users’ – which may include both public and private sector entities. As such this part of the Final Report is likely to be relevant to financial institutions. Further detail regarding the NIDs, including the collection and distribution of the datasets is set out in The sum of opportunities: the Productivity Commission report calls for a new ‘data age’ for the public sector.
In short, for financial institutions, this is only the beginning.