Data Standards Advisory Committee meeting minutes – 11 December 2024

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all of the Data Standards Advisory Committee (DSAC) members and observers for attending meeting # 68.

The Chair acknowledged the traditional owners of the various lands from which DSAC members joined the meeting. They acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging. They joined the meeting from Cammeraygal land.   

The Chair welcomed new members to the DSAC and highlighted the importance of their roles in implementing the Consumer Data Right (CDR) in the national interest.

The Chair made special mention to new members Jodi Ross (Tiimely) who wrote the first foundation of the CDR rules and James Bligh who has played a significant role in the CDR working previously at the Data Standards Body (DSB) and NAB.

The Chair acknowledged the contributions of outgoing members, including Melinda Green (Energy Australia), Colin Mapp (Independent), Richard Shanahan (Tiimely), Prabash Galagedara (Telstra), Aakash Sembey (Origin Energy) and Jeremy Cabral (Finder), and expressed his gratitude for their inputs and commitment to the CDR.

The Chair emphasised the critical role of the DSAC and highlighted the legislative obligation to have an advisory board in decision making for data standards and the value of members’ feedback. They also mentioned the establishment of two consultative groups (Information Security & Non-Functional Requirements Consultative Groups) to stay connected with the community and issues. 

The Chair explained that the DSAC advises him on standards, risks and opportunities and how the Chair implements the government’s CDR policy of the CDR, designation and most importantly, the rules. They noted that the DSAC’s feedback is crucial in the decision-making process for the data standards changes.

The Chair noted the formal extension of the DSB’s responsibilities to include support for the Digital ID Data Standards Chair (currently the Finance Minister) under the Digital ID Act 2024, and as outlined in the papers. 

The Chair noted that included in the papers was an external report on the applicability of authentication frameworks, which provides inputs and perspectives for ongoing authentication uplift work, and which would be published shortly. They encouraged members to review the report.  

The Chair noted that Steven Meek (Pepper Money), David Taylor (Westpac) and Mark Wallis (Skript) were apologies for this meeting, alongside a number of observer apologies.

Minutes

The Chair thanked DSAC members for their comments on the minutes from November 2024 meeting. The minutes were formally accepted.   

The Chair noted that the DSB were continuing to progress the threat assessment work, and they would present to the DSAC at a future meeting in 2025. 

The Chair noted that a list of proposed topics that the DSB would present to the DSAC in 2025 would be drawn together over coming months, with suggestions welcome from members.

Data Standards Body Annual Overview

Naomi Gilbert the Assistant Secretary of the Data Standards Body (DSB) provided an overview of the DSB’s 2024 calendar year activities. The summary points included that:

• The year had been more introspective, focusing on maturing operations and processes as the DSB grew and took on responsibilities in Digital ID. 
• A DSB operations and processes manual had been published to allow for greater engagement and transparency. 
• The team had formalised and undertaken iterative improvements of the Standards Assessment Framework (SAF), which is used to assess and articulate changes. 
• DSB resourcing and capability uplift had taken place in risk management, cyber assurance and governance capabilities, as well as welcoming new DSAC members with additional expertise.
• Several reports from external experts were published, including those on risk management and cyber threat landscape from the University of NSW, deceptive patterns (landscape report and pressure test) from University of South Australia and authentication frameworks from PwC Indigenous Consulting (to be published).
• There were fewer standards changes throughout 2024 – four releases which captured maintenance iteration changes – with the team spending increased capacity and longer engagement periods.
• The consultative and input from the Non-functional Requirements Consultative Group (NFR CG) and the Information Security Consolidative Group (InfoSec CG) had provided insights and practical options for consideration. 
• Maintenance iterations (MI 18 to MI 21) had continued, acknowledging the positive feedback received on the greater focus on problem space exploration through those forums.
• CX standards changes had been progressed in line with the recent rules changes to implement the Consent review through DP 350 – August 2024 Rules – Standards Impacts.
• 17 CX Guidelines were progressed to support implementation of rules and standards made in the latter half of 2023.
• Various channels to provide engagement and implementation support were maintained, including YouTube, LinkedIn, and the CDR Support Portal with the ACCC.
• The DSB provided regular updates across its tooling to ensure they met the needs of the community.
• The DSB in collaboration with the ACCC had begun working on a more fine-grained understanding of user needs and on establishing a structured approach to verifying implementation needs.
• Digital ID work commenced, with the DSB working closely with the Department of Finance, Services Australia, the Office of the System Administrator, the ATO, ACCC and OAIC to adopt new roles under the legislative regime.
• With Digital ID operations have gone live on 1 December 2024, the DSB had launched a new website (dsb.gov.au) and associated rebranding.

The DSB noted that Duncan Anderson from the Department of Finance was attending the meeting as an observer. He was welcomed and invited to introduce himself.

Duncan Anderson introduced himself as leading the team working on Digital ID legislation and rules at the Department of Finance. He expressed excitement about the Digital ID program and looked forward to deepening engagement with the CDR regime.

A summary of the focus for 2025 included:

• Producing a Digital ID Data Standards change roadmap in collaboration with the Department of Finance, consolidating consultation feedback, and analysing alignment and complementary areas between Consumer Data Standards and Digital ID Data Standards. The team would also consider how the two regimes (CDR and Digital ID) can be brought together in practical use cases. 
• Progressing authentication uplift through multiple consultation phases, incorporating extensive community input, threat intelligence and external expert advice.
• Progressing the Non-bank Lending (NBL) rules and consulting on associated standards, preparing for potential 2026 implementation.
• Maturing processes around collating user needs, verifying them, and underpinning planning and development of implementation support, particularly for NBL, with this knowledge.
• Live user research to further the evidence base in addition to input to date from ADRs, DHs and GetMetrics, to provide insights to address drop-offs.
• The Account Origination Experimentation completed earlier this year, for which supporting guidance would be released early next year. Experimentation efforts for 2025 would look to support energy switching exploration.
• Being mindful of the election year and its implications on what can be progressed in this environment.

The Chair observed that from the outside this work looks orderly, stylish and purposeful but noted that there was significant process management that the DSB handled throughout the year. They thanked Naomi Gilbert and the DSB team for their work in making this all happen. 

They also mentioned that the year involved introspection and some disappointment due to the capping of CDR activities by the Minister's letter, noting that this was a personal view given high ambition for what the CDR regime could do for consumers. They noted, however, that the clarity provided offsets that disappointment.

They also highlighted the upcoming election and its implications, including a caretaker period, which will affect the standards process. 

One member acknowledged the extensive work done by the DSB team and the importance of having a good steer from Naomi Gilbert and the team. They emphasized the significant coverage and contributions of the DSB. They also advocated prioritising the implementation of app-to-app authentication as a voluntary standard, and ahead of the other authentication uplift changes to achieve early benefits.

One member supported the suggestion on app-to-app authentication, emphasising that experimentation could help reduce compliance costs. They highlighted that experimenting with app-to-app authentication would allow time to iron out any kinks and ensure security before broader implementation. Successful experimentation would be a significant win for consumers, making the process more secure and efficient. 

Working Group Update

A summary of the Working Groups was provided in the DSAC Papers and was taken as read.

A further update was provided on the Technical Working Group by Mark Verstege.

The DSB highlighted that more data was shared through the CDR in the past 12 months than in the previous three years combined, indicating significant growth in the CDR community. 

The DSB mentioned several final consultations and standards releases planned for the remainder of the year, including Maintenance Iteration 21 which was then with the DSAC for review and comment. They noted that Maintenance Iteration 21 would go into version 1.33 of the standards. 

The DSB noted upcoming consultations on redirect-to-app and the last customer change date (LCCD) decision for energy and that these would have extended consultation periods over the festive season to ensure thorough feedback from the community. 

The DSB expressed gratitude to the DSAC members for their advice and input, and also to the Tech team for their hard work and dedication throughout the year. 

A further update was provided on the CX Working Group by Michael Palmyre. 

The DSB noted that the year was busy with a mix of design, build, operate, and maintain activities throughout. They noted that a significant amount of CX guidelines were delivered earlier in the year to support the rules and the standards, particularly for the new business consumer provisions. 

The DSB noted that the consent review was a major focus, with good responses and some feedback provided to participants. They noted that the CX guidelines for the consent review were available for comment and input in draft form on GitHub. 

The DSB noted that earlier this year discussions around drop-off issues were held, with a mini working group and further evidence collection in response to the minister's focus on these issues. 

The DSB covered that they had conducted workshops on LCCD with ADRs and DHs to discuss risks and benefits, leading to ongoing work on a decision proposal. 

They noted that the DSB was drafting a decision proposal related to NBL, building on work done over the past two years. 

The DSB extended thanks to everyone for their engagement and collaboration throughout the year.

The Chair acknowledged that the current approach had been to avoid providing CX guidance or standards in the competitive space but mentioned that there seemed to be a sentiment amongst participants that they could potentially go somewhat further in providing guidance in this area. They suggested that it be worth considering the “may”, “should” and “must” process more thoroughly in 2025. 

One member sought clarification on the CX guidelines that were out for consultation and whether those updates were based on the recent rules changes that covered the interaction between CDR consent processes and Privacy Act requirements, especially concerning the ADI exemption rule. 

The DSB clarified that the focus of the updated CX guidelines was on the consent review changes, which included the accredited person becoming a data holder of the data. They acknowledged the need for guidance in this area and indicated that it was on their list to address, especially if there were demand for it. 

One member emphasised that the problems with consent drop-offs are primarily live issues, such as users failing to log on or not receiving their OTPs, rather than issues with the screens or compliance with guidelines. They advocated that future analysis should focus on live implementation issues, observing actual consumer interactions rather than just reviewing the flow screen. 

The DSB agreed and noted that they were planning to conduct live user research to observe actual implementation issues, and were in the process of determining the best approach, including whether to focus on a representative sample across DHs and ADRs or to base it on volume. 

One member suggested the DSB act as a mini-ADR to conduct mystery shopping, involving testing participant platforms without the risk to real consumer data.

The DSB acknowledged the suggestion but highlighted the practical challenges and current approach of using existing ADR solutions for testing and collaboration alongside the cost implications. 

A further update was provided on stakeholder engagement by Jarryd Judd. 

The DSB noted that 2024 had been an interesting and exciting year with the focus on maintaining consistency across their channels, including LinkedIn and other social media, to ensure a consistent message and engagement with implementation teams.

They noted that the DSB had introduced a DSB calendar for self-service on events and opportunities, improving accessibility for community engagement. 

The DSB noted that efforts were made to refine guidance on the CDR support portal, including adding change logs to updates for better clarity.

The DSB noted that the weekly Implementation Call continued with consistent attendance, providing a platform for discussing updates and complex issues. 

The DSB noted that they had launched a new website (dsb.gov.au) and introduced new branding to cover their expanded remit, including Digital ID support. 

Items raised by members for discussion

There were no issues raised by members this month for discussion. 

DSAC focus in 2025

The Chair invited new members to introduce themselves and share their expectations and desired outcomes for 2025.  They emphasised the importance of understanding DSAC members’ expectations, and the outcomes members wished to achieve. 

Jodi Ross introduced themself as the Chief Risk and Compliance Officer at Tiimely, a company supporting loan origination journeys for direct-to-consumer home loans, working with a number of partners in the white mortgage space. They noted that they had been involved in the CDR since 2018, including roles at the ACCC and Treasury, and then moving into fintech and recently having been appointed to the FinTech Australia board. 

They emphasised the importance of continued engagement from the DSB and related agencies with the CDR community, especially during the CDR reset. They suggested a targeted focus on key use cases identified by the Minister, working together as a community to implement these based on recent rule changes and to bring the use cases to life. They highlighted the need for more guidance from regulators, particularly when it comes to CX who do a great job, and that there is a role particularly in the lending space, to advance the CDR to the next level.

Ruth Hatherley introduced themself as the CEO and founder of MoneyCatcha, a company that helps businesses and enterprise customers get faster product and pricing offers through distribution channels like aggregators, brokers, lenders, and comparison sites. They noted MoneyCatcha’s difference of handling both Product Reference Data (PRD) for CDR for home loan products as a product repository, as well as CDR customer data under the trusted advisor model with Adatree, providing a unique perspective in the market.

She emphasised the importance of applying rigorous data standards to the NBL sector as they expand out offers in the home loan and pricing market. They noted rigour of the standards was important to ensuring faster and accurate pricing offers to consumers. They also highlighted the need to closely watch the timeline for the NBL rollout and expressed an interest in closer insight of this. 

Craig Phasey introduced themself from EnergyFlex, a company that focusses on energy transition from fossil fuels to renewable energy. He emphasised the criticality of timing and time of use to ensuring the renewable system is utilised.

They highlighted the need for data, specifically through the CDR, to provide insights and manage energy use dynamically. They noted that they saw the CDR as being a key element in addressing climate change through energy and their current focus is on residential users, although the big power is in business users, which presents challenges to date. They noted their main goal is for dynamic engagement of users through CDR on a daily basis, stressing the importance of safety, security, and trust. 

James Bligh introduced themself, mentioning long-term involvement with the CDR and their current role as CTO at Product Cloud which manage PRD, and work with Consumer Data Advocate to represent how CDR can benefit Australians. 

They expressed interest in addressing compliance costs, noting that current efforts may not be effectively reducing these costs. They also flagged the importance of expanding the CDR for innovation, including voluntary standards and adoption to generate value and demonstrate benefits.

Danielle Smith introduced themself from Xero, an accounting software company for small businesses with 1.86 million customers in Australia, within which Danielle’s role involves engaging with financial services and government on matters affecting Xero’s business. They mentioned the importance of data from banks as a foundational element of what makes an accounting platform for small business work well. They noted they have established processes for collating bank data and turning it into accounting data and to date, have been sitting on the sidelines of the CDR. As the regime changes, they noted an intention to formalise a project of work on the CDR in the following calendar year. For 2025, they aimed to understand the CDR in more detail with regard to accounting companies. 

Sam Bendat introduced themself as the founder and CEO of Solving Zero, a company that uses energy data to help homes manage consumption and find better energy rates. They mentioned their past invitations to speak at the All Energy Conference and the Percy Foundation about using AI with energy data to help consumers save money. 

They highlighted the issue of DH data quality as a significant challenge, and they aimed to address and improve data quality to reduce the time spent on resolving these issues.

Dan Jovevski introduced themself from WeMoney, a financial platform aimed at addressing the consumer debt crisis in Australia. They noted that WeMoney had been accredited in 2022 and has achieved 900,000 downloads, primarily targeting individuals aged 18 to 40 with high rates of consumer debt. They mentioned WeMoney’s partnerships with various non-bank lenders and energy providers to help consumers identify better opportunities to save. 

Their goals included bringing together participants from other sectors and players coming into the CDR, such as NBL and energy sectors, to help them understand the benefits of CDR and create a more inclusive ecosystem. 

Jessica Booth introduced themself from Biza, a company focused entirely on the CDR, providing DH solutions for around 20% of banking consumers and over 75% of energy consumers. 

They emphasised the importance of NBL coming into the CDR and ensuring it happened on time. They also highlighted the important to them of action initiation, particularly around energy account switching, and the development of voluntary standards to make CDR useful for Australian consumers.

Steve Kemp introduced themself from SISS Data Services, a data aggregator working with banks on direct feeds for over 10 years and accredited for CDR, with Steve’s role covering strategic partnerships with a focus on accounting and enterprise resource planning platforms like Microsoft and Oracle. They noted that they had previously been with Intuit QuickBooks, as the executive sponsor for CDR, where they worked on rules and regulation changes and had undergone Intuit’s accreditation approximately four years ago. 

They expressed an interest in issues of nominated representatives and seeing it progressed given their business is focussed primarily on accounting software; continuing efforts to reduce friction in consent; ensuring data quality is at the right level; and enhancing awareness and consistent communication about CDR as an ecosystem to accelerate take-up rates. 

Selena Liu introduced themself from Energy Australia, the third-largest retailer on the east coast, focusing on clean energy transition which is paramount to them in the energy sector. They noted that Energy Australia was also leaning into the challenge of large-scale generation portfolio and is focussed on customer homes. 

They noted an interest in starting the energy switching experiments to understand and implement high value use cases. They emphasised the critical role of data in managing the clean energy transition, particularly in residential settings. 

The Chair invited existing members to introduce themselves and share their expectations and desired outcomes for 2025. 

Drew MacRae introduced themself from the Financial Rights Legal Centre as one of the DSAC’s Consumer Representatives. They emphasised the need for more consumer protections within the CDR framework, addressing flaws at the legislative, rules, and standards levels. They noted an interest in addressing some of the specific things that have arisen out of the Department of Social Services’ financial counselling pilot, which demonstrated that vulnerable consumers find the current system too unsafe to use. 

Jill Berry introduced themself from Adatree. They stressed the importance of defining success metrics for the CDR, indicating that this is a recurring request. They highlighted the need for ACCC to work on enforcement to ensure data quality, suggesting that Privacy Safeguard 11 is insufficient. They called for established timelines for resolving issues raised by stakeholders, citing recent unresolved issues with a client. They mentioned the need for alignment between the CDR and Digital ID frameworks, noting discrepancies such as age requirements, accreditation rules and CX standards.

Tony Thrassis introduced themself from Frollo. They emphasised the need to understand how customers navigate the consent and authorisation process, noting issues with drop-offs and the importance of learning from consumer experiences. They mentioned plans to conduct surveys after failed consents to gather consumer feedback and potentially facilitate complaint submissions. They highlighted the importance of accurate and reliable data for income detection and verification in lending, and called for a focus on implementation, including new rules such as DHs not supplying data if someone is in hardship, and the need for standards around voluntary adoption.

Stuart Stoyan introduced themself and noted their involvement in CDR since day one, and background in fintech, previously being the chair of FinTech Australia. They emphasised the importance of focusing on specific areas where the CDR can create value, noting that this has been a constraint in the past. They expressed encouragement at the increased focus in direction from the Minister and Chair’s letters and an interest in focusing on two to four areas where the DSAC could create value, noting that one of biggest constraints to the CDR to date had been its broad scale value to end users. 

Gavin Leon introduced themself as the Open Banking and Digital ID lead at CBA. They suggested standards development priorities would benefit from focus in 2025 on FAPI 2.0 and fine-grained consents to facilitate more secure data sharing and improve consumer uptake. They recommended a targeted, voluntary authentication standards uplift to move away from one-time passwords to app-to-app authentication, benefiting both ADRs and DHs. They expressed an interest in seeing an experimentation agenda focused on customer journeys aligned to the Minister’s priorities and to consider extending CDR scope to other sectors, such as government data sets. They advocated for simplifying data standards, in line with Treasury's efforts to simplify CDR scope, with a focus on data field requirements and clarity of optional, mandatory or conditional meanings.

Zipporah Szalay introduced themself from ANZ. They highlighted the importance of anchoring community-based changes to a problem or value, noting the need to yet operationalise and elevate the Standards Assessment Framework and ensure communications, particularly on what priority community-based changes are anchored to, are at a consumable level for tracking and visibility. They also emphasised the need for a comprehensive end-to-end threat assessment of the CDR ecosystem to ensure safety and security. They mentioned specific operational challenges within the CDR ecosystem, like ACCC’s certificate renewal processes, which did not fall within the remit of the DSAC, but nevertheless noted a critical need for understanding the cyber risk, problems and priorities and a relevant forum for moving those issues forward.

The Chair acknowledged the significance of ‘operate’ and ‘maintain’ for the CDR (as opposed to ‘build’), noting that there was no dedicated forum for proper examination of operational issues within the CDR ecosystem. They stressed the importance of surfacing issues in a respectful and constructive manner, even though the DSB had limited scope to make changes in those areas. 

Lisa Schutz introduced themself as the founder CEO of Verifier. They emphasised the need in 2025 for operational maturity of the CDR, addressing structural questions on how it runs and ensuring accountability for outcomes. They acknowledged that the DSB and DSAC becomes a watering hole for the raising of issues, and that adding Digital ID increases the complexity. They highlighted the importance of considering the CDR Statutory Review in the context of the Minister's directions, suggesting quick wins like harmonising single touch payroll with CDR without heavy lifting from the DSB.

The Chair provided their perspectives following the feedback from DSAC members. They emphasised the importance of integrating CDR and Digital ID, highlighting the need for convergence between the two regimes where appropriate and possible, particularly in credential levels. They noted that they saw this integration as central to Australia's digital economy and the digital conversion of the nation. 

They secondly stressed the importance of focusing on high value use cases which are not sector bound, particularly in borrowing decisions. They mentioned the need to consider a wider scope for data to enrich these use cases and potentially mitigate concerns raised by consumer advocates.

They highlighted the need to address issues related to consent, friction, drop-offs, and data quality. They also acknowledged the role of enforcement and compliance in maintaining data quality and ensuring operational maturity. 

They discussed the importance of uplifting authentication processes, especially in the context of the changing cyber threat landscape. They emphasised this need for improved authentication methods as more sectors, including superannuation and insurance, move towards digital operations. 

They mentioned the ongoing efforts to improve the Standards Assessment Framework, to ensure it provided a clear and logical documentation of problem statements, triage, options and proposed solutions. They finally emphasised the importance of iterating and maturing this framework. 

One member acknowledged that data quality is a significant issue, with many anecdotal reports of problems. They suggested having more concrete data on the types and extent of data quality issues would be valuable. This included understanding whether issues are syntactical (related to payloads) or semantic (related to interpretation). They also proposed that having statistics on security breaches related to CDR would help in risk-based discussions about security and consent, noting this data would indicate whether the current baseline security is adequate or whether further improvements were needed.

ACCC Update

Verushka Harvey, the General Manager of the Solutions Delivery & Operations Branch of the CDR Division at the ACCC was an apology for the meeting. No ACCC update was provided.

Treasury Update

Claire McKay, Assistant Secretary of the Data and Digital Policy Branch, Digital, Competition and Payments Division at Treasury provided an update on several key areas as follows:

TSY noted the ongoing consultation on NBL rules open through to 24 December 2024. They noted that this rules package also included changes following the targeted consultation that had taken place earlier in the year, aimed at reducing the scope of some obligations, following from the Minister’s speech in August 2024. 

TSY discussed their targeted consultation on nominated representatives, focusing on alternative solutions to supporting small business access to the CDR. They noted TSY had been engaging with various stakeholders to date and would be providing advice to the Minister in the new year. 

One member expressed concern about the increase in the threshold for NBL lending from $500 million to $1 billion, highlighting that many small mutuals with loan portfolios under $100 million had been participating in the CDR for years. They questioned the rationale behind this increase, suggesting it created a double standard.

TSY explained that the decision to propose to increase the threshold to $1 billion for NBL was based on a cost-benefit analysis, and that they had considered the lessons learned from other sectors and the impact of the obligations on smaller entities being aware of what entities were operating in this space. 

The member raised a further concern about the double standard in the de minimis threshold for product inclusion. They pointed out that while there is a threshold for products with fewer than 1,000 customers, there is a proposal to exclude products like foreign currency accounts, which are important for accounting platforms. They emphasised that products with tens or hundreds of thousands of users should not be excluded. 

TSY explained that the products proposed for exclusion were based on targeted consultation feedback. They emphasised that the consultation was open for wider feedback at that point in time and that they were open to making further changes based on the feedback they receive. 

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 12 February 2025 from 10am to 12pm.  

Other Business

No other business was raised.

Closing and Next Steps

The Chair welcomed new members and thanked continuing members for their contributions throughout the year. 

The Chair wished everyone a happy and safe festive period, emphasising the importance of taking a break. 

Meeting closed at 11:51