Meeting details
Attendees
- Mark Verstege, Chair
- Sameer Bedi, NAB
- Darren Booth, RSM
- Olaf Grewe, NAB
- John Harrison, Mastercard
- Ben Kolera, Biza
- Aditya Kumar, ANZ
- Stuart Low, Biza
- Julian Luton, CBA
- Dima Postnikov, Connect ID
- Tony Thrassis, Frollo
- Nils Berge, DSB
- Bikram Khadka, DSB
- Holly McKee, DSB
- Terri McLachlan, DSB
- Michael Palmyre, DSB
- Hemang Rathod, DSB
- Matt Shaw, DSB
- Abhishek Venkataraman, ACCC
- Fiona Walker, TSY
- Chrisa Chan, TSY
- Nick Dawson, Frollo
- Macklin Hartley, WeMoney
- Mark Wallis, Skript
- Christine Williams, DSB
Chair Introduction
Mark Verstege, the Chair of the Information Security (InfoSec) Consultative Group, welcomed everyone to the meeting, acknowledged the traditional custodians of the land and paid respect to Elders past, present and emerging.
The Chair noted that members Nick Dawson (Frollo), Macklin Hartley (WeMoney) and Mark Wallis (Skript) were apologies for this meeting. A number of observers also sent their apologies.
Minutes
Minutes
The Chair thanked members for their comments on the Minutes from the 2 April 2025 meeting. The Minutes would be formally adopted and published on the Consumer Data Standards (CDS) website.
Action items
The Chair noted that the Action Items were taken as read.
Consultation Draft 369 – Redirect to App – Draft Standards
The Chair noted that there were significant changes occurring at the Data Standards Body (DSB), which will result in a number of team members leaving over the next couple of months. This will create a gap in continuity for the consultative group and future consultations. The group will continue meeting until the end of June 2025 to finalise the Redirect to App Consultation and focus on the FAPI 2 uplift.
The Chair noted that other items, such as the general uplift of authentication and targeting of authorisation drop-offs, will be addressed by a future group. He indicated that there will be a hiatus in consultations and delivery due to these changes. The DSB will look at reforming the consultative group in the future.
One member highlighted that the group is composed of volunteers who do not receive monetary benefits for their participation. He expressed frustration over the lack of clear direction from the government and questioned the point of continuing without a concrete plan.
The DSB acknowledged their concerns and suggested raising them at the in-person CDR & Digital ID Standards: Industry Forum in Sydney on the 11 June or separately via the DSB Chair.
One member expressed surprise that the meeting was going ahead, as they understood that the DSB Chair wanted to refresh the Data Standards Advisory Committee (DSAC) membership and review the working groups and committees.
The DSB explained that the Consultative Groups had not been disbanded, and that once the DSAC was reformed, the Consultative Groups would be reviewed, including membership. The focus and intent of this meeting was providing a summary of feedback around Consultation Draft 369.
The DSB provided a link to the Miro board for an activity to discuss the feedback received in the consultation submissions, and encouraged participants to share their thoughts and comments.
One member questioned the complexity and implementation costs mentioned by banks regarding the proposed standards changes. He acknowledged that there was more work required due to the duplication of the authorisation flow, and he did not understand why it would impact other channels. He sought clarification on whether there was something very prescriptive in the proposal that justified the concerns raised by banks.
The DSB noted that some stakeholders misunderstood the Redirect to App proposal, thinking it implied the need to create an app specifically for supporting Redirect to App. They clarified that the intent was to define a simple way of enabling app launch while deferring to the authentication practices of the app providers.
The DSB highlighted the history of authentication choices, noting that OTP was presented by banks as the workable solution during the initial standards development. They emphasised the need for the Data Standards Chair to form an opinion on best practice security for authentication standards, considering the evolving threat environment and recent data breaches in Australia. They noted that the goal was to support an alternative channel allowing data holders to employ stronger existing authentication practices.
One member highlighted that the cost and complexity arguments suggested by banks might be exaggerated, as successful implementation had been achieved by other banks with much lower costs. He emphasised that the complexity is not from Redirect to App but from the forced application lifecycle management of these institutions.
One member clarified that App to App itself does not impact authentication channels and can be implemented without changing authentication levels. He suggested separating app to app implementation from changes to authentication levels to avoid impacting existing banking channels. He emphasised that proper implementation of app to app would enhance authentication without needing to prescribe specific levels initially.
The DSB explained that the proposed standard incorporated credential level 3 from TDIF to correct a previous gap or mistake. They clarified that this was not about creating new authentication levels but ensuring completeness against the TDIF specification.
One member highlighted that the proposed changes would require banks to start treating their existing authentication channels as needing to comply with new requirements, which is a significant change. He mentioned that while some banks might choose to comply with these requirements due to other initiatives like AGDIS, it is still a change that not all banks are currently prepared for. He emphasised that this change is not necessarily required by all banks at the moment, and it would be a new compliance burden for many.
One member expressed support for the app-to-app implementation but opposed having the choice of authentication methods taken away from them. His organisation had made a strategic decision to get accredited under AGDIS and was looking forward to interoperability with government services, but this should remain a business decision. He argued that TDIF was not ready for the private sector and that its standards are designed for government departments, not private sector implementations.
The member pointed out that banks already ensure secure authentication for their customers and that the proposed standard would regulate how banks authenticate all customers, which feels like overreach. He suggested that different credential levels were unnecessary at the moment, as action initiation is not yet implemented, and that a simpler definition of single-factor or multi-factor authentication would suffice. He emphasised that the proposed standard conflates the need for different credential levels with the app-to-app flow, which are two separate issues. He also noted that TDIF is an accreditation framework, and without accreditation it is unclear how banks would know whether they have met the requirements. He highlighted potential conflicts between the proposed standard and existing upstream standards, which could create implementation challenges.
One member expressed surprise that the conversation had returned to initial points and emphasised the need to acknowledge the ground covered so far. He reiterated that the OTP piece was overly prescriptive and hoped the limitations of TDIF were clear to everyone. He suggested focusing on a risk framework to rationalise the conversation without being overly prescriptive.
The member called for the group to continue on the path set out initially, aiming for a tactical fix to improve security and customer experience without unnecessary prescription. He emphasised the importance of aligning the objectives of ADRs and data holders while acknowledging the strengths and limitations of different players in the ecosystem. He highlighted the need for a prescriptive approach to facilitate risk assessment for smaller organisations, making it easier to comply with standards.
One member criticised the farcical cost estimates provided by representative bodies in submissions to CD369, which he believed were not representative of reality, except potentially for the big four banks. He emphasised that risk assessment is not a fairytale for smaller organisations and that a prescriptive approach is preferred because it simplifies compliance and risk assessment for these organisations.
The member pointed out that smaller organisations rely on standardised checklists to comply with regulations, which is easier than creating their own risk assessment documents. He mentioned that the cost of compliance would be incurred regardless of whether the DSB provides a prescriptive standard or not, and that the same outcome would be achieved through different means. He highlighted the importance of having a standardised approach to facilitate compliance and risk assessment for smaller organisations.
The member also mentioned that the big three energy companies are generally supportive of the direction towards TDIF because they see potential cost savings and benefits from standardising on government identity verification systems. The smaller energy companies would likely follow the lead of their vendors and make decisions based on price as long as they comply with basic regulatory requirements.
The member noted that for non-bank lenders (NBLs), they see the feedback from banks as a competitive opportunity and are eager to move forward without the same regulatory constraints, potentially gaining a market advantage. He emphasised that NBLs are ready to proceed and are only constrained by whether the government will allow them to do so.
The DSB introduced the second activity, which aimed to gather feedback on the approach to implementing Redirect to App. The focus was on understanding the support for mandatory versus optional implementation and the preferred lead time for these changes.
Feedback was provided via the Miro board by group members.
The DSB introduced a third activity, seeking thoughts on (i) what participants wanted to focus on until the end of June and (ii) what was on their wish list for changes in the CDR within the scope of this working group, in addition to Redirect to App.
Feedback was provided via the Miro board by group members.
Meeting Schedule
The Chair advised that the next meeting was scheduled for 11 June 2025, but the time would need to be adjusted to accommodate the Industry Forum which is scheduled for the same day.
ACTION: DSB to reschedule 11 June meeting
Any Other Business
No other business was raised.
Closing and Next Steps
The Chair thanked members for their participation and feedback. He mentioned that the group will continue to meet over the next month, which will include two more meetings to bring the current topics to a decision.
Meeting closed at 12:00