Information Security Consultative Group meeting minutes – 25 June 2025


Meeting details

Committee meeting: No. 23
Meeting date: 25 June 2025
Meeting time: 10:00am to 12:00pm
Location: Remotely via MS Teams

Attendees

  • Hemang Rathod, Chair
  • Mark Verstege, DSB
  • Sameer Bedi, NAB
  • Olaf Grewe, NAB
  • John Harrison, Mastercard
  • Macklin Hartley, WeMoney
  • Ben Kolera, Biza
  • Aditya Kumar, ANZ
  • Stuart Low, Biza
  • Julian Luton, CBA
  • Dima Postnikov, Connect ID
  • Tony Thrassis, Frollo
  • Mark Wallis, Skript

  • Nils Berge, DSB
  • Chrisa Chan, TSY
  • Bikram Khadka, DSB
  • Holly McKee, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Abhishek Venkataraman, ACCC
  • Fiona Walker, TSY
  • Christine Williams, DSB

  • Darren Booth, RSM
  • Nick Dawson, Frollo
  • Matt Shaw, DSB

Chair Introduction

Hemang Rathod, the interim Chair of the Information Security (InfoSec) Consultative Group, welcomed everyone to the meeting, acknowledged the traditional custodians of the land and paid respect to Elders past, present and emerging.

The Chair noted that members Darren Booth (RSM) and Nick Dawson (Frollo) were apologies for this meeting. A number of observers also sent their apologies.

Mark Verstege from the DSB noted that the Data Standards Advisory Committee (DSAC) is currently undergoing an expression of interest process for re-forming, with new appointments expected shortly. As part of the DSAC reform, the consultative groups, including the InfoSec Consultative Group, will come to an end. He acknowledged the hard work and valuable input from all members, emphasising the positive impact on standards and decision making.

Minutes

The Chair thanked members for their comments on the Minutes from the 28 May 2025 meeting. The Minutes will be formally adopted and published on the Consumer Data Standards (CDS) website.

Action items

The Chair noted that the Action Items were taken as read.

Consultation Draft 369 – Redirect to App – Draft Standards

Mark Verstege from the DSB provided an update on Consultation Draft 369, highlighting changes such as adjusting the levels of assurance, extending obligation dates and retaining decoupled authentication.

The DSB noted that adjustments were made to move away from solely referring to TDIF requirements, adopting standardised definitions for single-factor and multi-factor authentication sourced from NIST. An optional alignment with Digital ID was retained.

The DSB noted that obligation dates were extended to 24 months, balancing the needs of different participants, including those requiring more time for implementation.

The DSB noted that the standards retained the possibility for data holders to support decoupled flows within their domain, clarifying that compliant solutions can include web-to-app experiences.

Participants highlighted the need for flexibility and clarity in the standards to accommodate different participant needs and technical challenges, including implementation feasibility, cost and complexity.

The DSB introduced the proposed changes for phase two of the authentication uplift, focusing on improving the minimum baseline security. The changes included removing OTP-related constraints for web-based authentication, enhancing OTP security, discouraging the use of SMS and email-based OTP delivery mechanisms, mandating MFA for sharing personal information, and improving data holder reporting on completion rates and digital enforcement.

The group discussed the implications of removing OTP-related constraints and mandating MFA for sharing personal information. Concerns were raised about the usability of OTPs, the impact on offline consumers, and the need for clear definitions of pseudo-randomness and MFA. The importance of aligning with the rules team and considering the impact on different sectors was emphasised.

The group discussed the importance of encouraging consumers to adopt digital channels and create online accounts. While some participants supported providing optional pathways for app installation, others raised concerns about the potential friction and the need to ensure that existing authentication methods are used. The need for alignment with the rules team was highlighted.

The proposal to allow data holders more flexibility in providing authentication flows was discussed. Participants noted the need to ensure that all eligible consumers are captured and raised concerns about the impact on specific scenarios, such as consumers using shared computers in libraries. The importance of consulting with the rules team was reiterated.

The group discussed the need to update metrics to allow targeted monitoring and enforcement and to provide meaningful real-world data for improving standards. The proposed implementation timeframe for the changes was aligned with the R2A obligation date to minimise impacts on the NBL sector. Participants emphasised the importance of considering the impact on different sectors and ensuring alignment with the rules team.

Meeting Schedule

No further meetings have been scheduled.

Any Other Business

No other business was raised.

Closing and Next Steps

The Chair concluded the meeting by acknowledging the valuable contributions of all members and noting that this was the last InfoSec Consultative Group session. He expressed hope that future groups would continue the work and thanked everyone for their efforts.

Meeting closed at 12:00pm.