Data Standards Advisory Committee meeting minutes – 12 February 2025

Published date
Minutes

Meeting details

Committee meeting
No. 69
Meeting date
Meeting time
10:00am to 12:00pm
Location
Remotely via MS Teams

Attendees

  • Andrew Stevens, Data Standards Chair
  • Sam Bendat, SolvingZero
  • James Bligh, Product Cloud
  • Jessica Booth, Biza
  • Brenton Charnley, Mastercard
  • Ruth Hatherley, Moneycatcha
  • Dan Jovevski, WeMoney
  • Steve Kemp, SISS Data Services
  • Gavin Leon, CBA
  • Peter Leonard, Data Synergies Pty Ltd
  • Selena Liu, Energy Australia
  • Drew MacRae, Financial Rights Legal Centre
  • Steven Meek, Pepper Money
  • Jodi Ross, Tiimely
  • Lisa Schutz, Verifier
  • Danielle Smith, Xero
  • Stuart Stoyan, Fintech Advisor
  • Zipporah Szalay, ANZ
  • David Taylor, Westpac
  • Tony Thrassis, Frollo
  • Mark Wallis, Skript

  • Naomi Gilbert, DSB
  • Nils Berge, DSB
  • RT Hanson, DSB
  • Terri McLachlan, DSB
  • Michael Palmyre, DSB
  • Hemang Rathod, DSB
  • Mark Verstege, DSB
  • Claire McKay, TSY

  • Alysia Abeyratne, NAB
  • Jill Berry, Adatree
  • Zoe Fitzell, OAIC
  • Verushka Harvey, ACCC
  • Craig Phasey, EnergyFlex

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all of the Data Standards Advisory Committee (DSAC) members and observers for attending meeting No. 69.

The Chair acknowledged the traditional owners of the various lands from which DSAC members joined the meeting. He acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging. He joined the meeting from Cammeraygal land.   

The Chair mentioned that it had been an interesting and challenging time for the Data Standards Body (DSB) since the last meeting with the release of version 1.33 of the Consumer Data Standards and the release of a range of tools to align with that release.

The Chair announced that Dr. Ian Oppermann would take over as the Data Standards Chair for Digital ID and Consumer Data Right from 1 March 2025. He expressed his best wishes to Ian and congratulated him on his new role. 

The Chair noted that there had been a couple of team changes over the last month. Jarryd Judd had accepted a new role at DBG Health as the Platform Engagement and Innovation Partner, and as a result had stepped down from his role as Engagement Manager of the DSB. He noted that Jarryd was a long-standing and valued member of the team, and he praised him for his incredible work on community engagement and wished him all the best in his new role.

Matthew Bowd, who was leading the governance work at the DSB, had taken on a new role in the Australian Public Service Commission (APSC). He thanked him for his contributions noting that he brought a new level of discipline to various areas of work at the DSB.

The Chair noted that Alysia Abeyratne (NAB) and Jill Berry (Adatree) were apologies for this meeting, alongside a number of observer apologies. He also noted that Craig Phasey had left EnergyFlex and his replacement was currently under consideration.

Minutes

Minutes

The Chair thanked DSAC members for their comments on the minutes from the 11 December 2024 meeting. The minutes were formally accepted.  

Action items

The Chair noted that the DSB were continuing to progress the threat assessment work, and they would present to the DSAC at a future meeting in 2025. 

Forward Agenda

The Chair noted that a list of proposed topics for the DSB to present at DSAC in 2025 would be drawn together over the coming months, pending input from the future Data Standards Chair. He also welcomed input and suggestions from members.

Working Group Update

A summary of the Working Groups was provided in the DSAC Papers and taken as read.

Technical Working Group Update

A further update was provided on the Technical Working Group by Mark Verstege.

Mark Verstege expressed to the Chair that he would be missed and acknowledged his vision and passion over the years. He noted that it had been an absolute pleasure working with him and hoped to continue to hear his voice on the CDR for many years to come.

The DSB noted that work was continuing on Decision Proposal 338 and on Authentication Uplift, both of which would be discussed today. 

The DSB noted that a consultation on the Last Customer Change Date (LCCD) for the energy sector closed last week, and the team were preparing a response to the feedback received. 

The DSB noted that Maintenance Iteration 22 commenced last week, with a release anticipated this quarter that would potentially include Decision Proposal 361 – Energy Last Customer Change Date and outcomes from DP338.

Consumer Experience (CX) Working Group Update

A further update was provided on the CX Working Group by Michael Palmyre. 

The DSB noted that they were wrapping up the CX Guidelines for the initial package on the consent review and operational enhancement work.

The DSB had submitted a new Change Request for clause 7.2 in Schedule 3 in the Rules, which outlined an alternative consent process to allow accredited ADIs to hold CDR data as a data holder (DH). 

The DSB noted that the DP361 consultation period had concluded, with the focus being on CX guidelines rather than CX standards changes. 

The DSB noted that they had completed an energy retailer survey to understand the current state of offline energy consumers, with plans to extend it to banking and NBL DHs as part of the authentication uplift consultation. 

The DSB noted that they were pushing ahead with draft standards for NBL, pending caretaker mode considerations. 

The DSB noted that they were planning on conducting CX research on consent drop off with recruitment for the research commencing soon.

Michael Palmyre expressed his heartfelt thanks to the Chair for his leadership and contributions to the CX team and the CDR Program over the years. 

One member asked the DSB for further details about screen scraping in the forward plan, and whether it was connected to Treasury's review and the Minister's announcement last year. 

The DSB clarified that screen scraping was not an explicit work item on their plan, but they consider it when thinking about drop-off and experiments.

One member asked how the DSB plan to select or recruit DHs to participate in the research on consent drop off and whether the energy sector would be included. 

The DSB explained that the initial focus of the consent drop-off research is banking, primarily to manage the scope and time required for the research. They noted that the DHs were chosen based on volume, including the majority of the major banks and a non-major, with a single ADR. The research would look at both individual and non-individual consumers to understand drop-off points better. The findings would be presented in aggregate form to provide a broader picture of the issues. 

One member sought clarification on whether one of the major banks was excluded from the research on the consent drop off and if so, questioned whether the data set would be valid and representative without including all of the four majors.

The DSB confirmed that the research focused on three of the four major banks and acknowledged the member's concerns. They explained that the research aimed to provide a representative data set through deep-dive sessions with consumers to understand drop-off points, and that it was not intended to be a complete snapshot but rather an ongoing process to review the performance of the standards over time.

One member asked if the scope of the research on diagnosing consent drop-off covered the energy sector and if not, would they include the energy sector in the future? 

The DSB clarified that the initial research was focused on the banking sector and any recommendations would consider the different sectors, including energy to ensure comprehensive coverage. 

One member expressed concerns about focusing only on three out of the four major banks for the consent drop-off research. They highlighted that there were unique challenges outside of the top four banks, especially for business consent and noted that smaller banks may actually perform better, which could lead to misrepresentation if not included in the research. 

The DSB acknowledged the concerns and agreed that there was a balance to be struck in representing different DHs. They emphasised that the research aimed to provide a more representative picture by conducting deep diving sessions with consumers to understand where and why drop-offs occurred. This research was not a one-time effort but part of an ongoing process to review the performance of the standards and make necessary improvements over time. 

The Chair asked the DSB to clarify the context of the current phase of the work and its focus on the three major banks. 

The DSB mentioned that the Assistant Treasurer’s letter to the Chair emphasised the importance of understanding and improving drop off points to enhance the consumer experience and the overall success of the regime. 

One member was encouraged by the attention given to the topic of consent drop-offs in the DSAC as it was critical for the future success of the regime, and directly impacts consumers and the value of the regime. They suggested that this discussion be highlighted to the incoming Chair as it’s an important issue to address going forward.

One member emphasised the importance of fixing consent drop-offs and mentioned that there were gaps or non-existent areas which contribute to these issues. They highlighted the need for more information to be supplied when drop-offs occur to help DHs address the issues effectively and that the current standards do not provide the necessary data flow and security information to fully address the drop-off problems. From next week, they would be facilitating users in raising complaints every time a consent drop-off occurs. This would enable them to provide analytics on the nature of the complaints within the process. 

The DSB acknowledged the points and agreed that they were valid issues. They clarified that the current focus of work is to evaluate and verify why drop-offs were occurring, which would provide more substance behind the technical issues.

One member asked whether the data provided was sufficient to investigate and resolve drop-off issues or whether the problem lies in the lack of willingness of DHs to investigate those issues. They emphasised the importance of keeping the consumer in mind, and setting guidelines for information that should be provided and ensuring accountability to investigate. 

The member believed that the issue was both a lack of sufficient data and a lack of willingness to investigate on the part of some DHs. 

One member highlighted the importance of diagnosing issues related to consent drop-offs to resolve them effectively. They suggested that the specific topic of information sharing around complaints, particularly related to drop-offs, be put on the agenda for the next Non-Functional Requirements (NFR) Consultative Group. 

The member raised a question about how to define “good”, “better” and “best” in the context of CDR and emphasised the need to compare the CDR context against current practices like screen scraping.  The CDR needed to match or exceed that level of performance to be considered successful to banks and consumers. 

The DSB acknowledged the question about defining success measures and targets for the CDR and mentioned that while there was no established target, the indicative goal was to achieve parity with screen scraping, which has varying conversion rates. 

Stakeholder Engagement

A summary of stakeholder engagement was provided in the DSAC Papers and was taken as read. 

Issues Raised by Members

There were a number of items raised by members which were addressed out of session.

Decision Proposal 338

Nils Berge from the DSB presented Decision Proposal 338, noting that it addressed issues raised by various participants, including ADRs and DHs, regarding data fields or lack of specificity in the data available. This included issues about accurately describing products, supporting compliance obligations and providing comparison services. 

The DSB stated that the proposal aimed to improve data quality and support better consumer outcomes by helping them find and switch to better rates, and make better borrowing decisions. This involved enhancing data quality and usability for ADRs and other participants.

The DSB noted that the consultation process began with DP306 and included feedback from the community, leading to the development of the candidate standards. The feedback was generally positive and focused on changes to Product and Account Details schemas. 

The DSB noted that DHs raised concerns about the complexity and cost of implementing the proposed changes with some feedback suggesting pausing the consultation to focus more on cost-benefit analysis and alignment with ecosystem objectives. This led to further workshops and the application of the Standards Assessment Framework (SAF) to assess the changes.

The DSB noted that the consultation process began in December 2022 and the review of the banking maintenance backlog commenced in March 2023 to ensure the banking standards were up to date before the introduction of NBL. In June 2023 DP306 candidate standards were published and in November 2023 consultation commenced on Candidate Standards and Binding Obligation Dates (DP388).

A workshop was held to consult on DP338 changes in response to feedback, aligning with the Minister's priorities. This helped refine the proposal, leading to a decision to proceed with ten changes (out of eighteen) which were considered less complex. The overall process included multiple stages of consultation, feedback, and alignment with priorities to ensure data quality and consumer benefits. 

One member expressed concerns around the removal of 8 proposed change requests, specifically mentioning issues 566, 567, and 569. They noted that those issues directly impact lending and the analysis of loans, which were crucial for providing better borrowing decisions and aligning with the Minister's direction. They questioned the rationale behind dropping these changes, suggesting that they are strongly aligned with the Minister's objectives.

The Chair acknowledged the importance of these issues raised, particularly in relation to lending use cases and the impact of account detail and loan rates. He emphasised that while these issues were deferred, they were not dismissed. The deferral was due to the need for further consultation and consensus on the appropriate solutions. He suggested that these issues should be prioritised and progressed with the new Chair. 

One member sought clarification on the extent of the cost-benefit analysis conducted for the proposed changes. They noted that the language in the document suggested limited cost-benefit analysis due to less input on proposed solutions and requested more detail, including how it was applied to the changes that have been approved to proceed.

The DSB clarified that the SAF was used to assess the changes, ensuring alignment with the rules and objectives of the CDR, including the Minister's statements. The SAF considered the impact, priorities, and complexity of those changes. A cost-benefit analysis was conducted thoroughly in accordance with the SAF and was not influenced by the level of input on the proposed solutions. 

One member highlighted that the changes proposed address clear, distinct issues with use cases around switching. He noted that the cost of implementing that minor set of changes was relatively low and suggested that the community proceed with implementation. He also emphasised the importance of addressing the fixed rate mortgage drop-off for existing accounts, especially in light of the rate rises and the fixed rate cliff scenario.

The DSB acknowledged the importance of the fixed rate mortgage issue and agreed that it should be addressed to ensure that standards are made in this area as well.

The Chair acknowledged the Minister's letter and its explicit call-out of four key issues, including data quality and ecosystem uptake. He emphasised that the current set of changes in the revised DP338 aligns with the Minister's direction and priority use cases. He noted that the changes being made had virtually no resistance and were considered overdue, indicating strong support from the community.  He also mentioned that the remaining 17 changes from the original 27 would not be dismissed but would be left for the new Chair to prioritise and progress. 

The DSB noted that the final Decision included ten changes, categorised into three groups: specifying new fields and associated data requirements; adding enum values for existing fields; and changing the format of, or redefining, existing fields. These changes aimed to improve data accuracy and usability. The proposed obligation date for these changes is set for September 2025.

The DSB noted that the changes affect three main endpoints: “Get Products”, “Get Product Detail” and “Get Account Detail”. The “Get Products” endpoint would be affected by the card detail changes and the other two endpoints would be affected by changes related to card detail, eligibility, features & constraints, rate applicability and adjustments and product and account fees. The account rate structures, which were more complex, would be deferred and only affect one endpoint.

The DSB noted that changes to the banking endpoints were expected to apply to the NBL sector as well. The obligation date for those changes would precede the go-live dates for the NBL sector, ensuring that the changes were applicable when they enter the ecosystem. 

The Chair noted that the proposed standards changes had been under review for over two years and align with the Minister's reset, focusing on borrowing decisions and increasing utility and usage. The normal 48-hour consultation period for DSAC members was extended to a week. He had received a request for an extension for a further two weeks. 

One member expressed support for the current set of changes, agreeing that they should proceed.  He reiterated that we should commence discussions around account detail and what can be done for lending cases.

One member stated that they requested additional time to assess the feasibility of a September milestone obligation date for the four changed items in DP338. This was to ensure that the seven-month delivery timeframe was achievable for their team. 

The Chair acknowledged the member's request for a two-week extension and noted that he would take that into consideration.

One member emphasised the challenge of mobilising internal teams, especially when items have changed. They noted that it can be difficult to schedule meetings with the right individuals due to different structures and delivery teams. 

One member emphasised the importance of implementing changes and moving forward, acknowledging the need for some allowances but stressing the necessity of progress. 

One member suggested organising workshops focused on specific use cases and involving participants who represent those use cases within the CDR ecosystem. They highlighted the importance of the DSB proactively engaging with different groups, like lending or accounting platforms, to ensure they are aware of relevant issues and can provide input. 

One member emphasised the importance of considering the impact of non-compliance and incorrect data interpretation on consumers and technology companies. They mentioned that non-compliance and data errors led to additional costs for technology companies, as they need to invest in engineering and write rules to manipulate the data. They volunteered to provide data on specific use cases and quantify the costs associated with data errors and challenges, highlighting the broader implications for both consumers and companies. 

Authentication Uplift Noting Paper

Mark Verstege from the DSB outlined the authentication uplift consultation process, including the current state of authentication standards, the proposed direction, and the consultation questions. The goal was to develop best practice security standards for DH authentication.

The DSB highlighted the importance of the Information Security Consultative Group (InfoSec CG), which included representatives from various banks, vendors, Treasury, ACCC, and OAIC. The group had been instrumental in ensuring all stakeholders understand and contribute to the development of best practice security standards. 

The DSB noted that the CDR rules require the Chair to establish authentication standards that meet best practice security requirements. This included setting standards for the safe and secure disclosure of CDR data where accredited persons act on behalf of consumers. The Chair may also make standards directing accredited persons to implement appropriate authentication controls for accessing consumer data.

The DSB noted that the purpose of the consultation paper was to provide context on the current state of the Data Standards and inform subsequent consultations on uplifting authentication standards across the CDR. 

The DSB noted that the current authentication standards had been assessed through independent reviews and were no longer considered best practice. The existing standards involved a single factor and a single authentication method, and were primarily web-based, which limits the use of app-based authentication. They do not allow DHs to use their existing authentication methods and channels, which had led to a higher consumer drop-off rate. The current standards focus on authentication for authorising data sharing agreements, but not beyond that.

The DSB noted that the CDR data flows involved the initial authentication of the DH's customer, which is the mechanism to authorise the disclosure of data to an accredited person. Whilst authentication is a critical control, it must be complemented by other controls to mitigate the risks of unintended data disclosure. This consultation focused on forming an opinion of best practice with respect to DH authentication. The paper also considered the potential need for ADR authentication standards, which would be addressed in an additional consultation.

The DSB noted that new data access models, including DRs such as affiliates with a lower tier of accreditation and CDR representatives, had been introduced by the CDR rules, altering the threat landscape and necessitating a review of authentication standards. The CDR had also introduced disclosure consents which allowed CDR data to be disclosed from an ADR to an unaccredited person outside of the CDR ecosystem. It was noted that unaccredited persons receiving CDR data could be exempt from complying with the Privacy Act if they were a small business with an annual turnover of $3,000,000 or less. 

The DSB highlighted the importance of a comprehensive approach to data flows, considering both authentication and complementary controls, and the impact of expanded access models and sector inclusion on the threat landscape.

The DSB noted that the design principles for developing a common agreement on authentication standards focussed on a risk-based approach with the data standards aiming to achieve outcomes for consumers, including data safety, rather than focusing on specific implementation methods. This approach considered the sensitivity of the data being disclosed and the actions beyond data sharing that are commensurate with the risks involved. The responsibility for choosing authentication methods or factors was transferred to CDR participants who hold the data, as they were best equipped to manage the risk in a regulatory environment that deals with data breaches. The standards enable participants to leverage their existing investments in security and gain synergy from future investments that protect both CDR data and other data collected for different purposes.

The DSB noted that the risk-based approach focused on setting a minimum baseline of security that enabled innovation and ongoing adaptation. It aimed to reduce the risk of excessive implementation costs caused by the development and use of detailed specifications that may quickly become outdated in a rapidly evolving cybersecurity landscape. The framework was designed to result in a higher net benefit to Australia from the CDR program than a prescriptive approach might achieve. 

The DSB noted that the working hypothesis for best practice in authentication standards was informed by the threat landscape, independent reports, and feedback from the InfoSec CG. Key points of the working hypothesis include:

  • Authentication controls were commensurate to the risk of the data being disclosed or the action being performed. 
  • Authentication controls lower the likelihood and severity of harms to consumers and participants commensurate to the risks. 
  • Authentication leads to comparable or better conversion rates and usability when compared to current practices.
  • Authentication should not result in unwarranted friction.
  • Authentication is accessible and inclusive and allows a diverse range of people to authenticate regardless of their background, situation, experience, or personal characteristics. 
  • Authentication is applied consistently across designated sectors and comparable participants. 

The DSB noted that the goal was to focus on outcomes rather than specific requirements. To achieve the outcomes, implementations need to be measurable, and standards enforceable. The Chair’s opinion of best practice authentication should be reviewed on a regular basis and remain responsive to the dynamic threat landscape, program, consumer and DH risks, technology innovation, and consumer behaviours. With greater flexibility and choice, implementors will need to review their risk assessments on an ongoing basis to ensure their controls remain appropriate.

The DSB noted that the consultation paper would be published this quarter and will focus on redirect to app, which had strong support from both DHs and DRs. This method had shown significant improvements in conversion rates in other regions, such as the UK. 

The DSB noted that in the second quarter, there would be a consultation to review ADR authentication issues and determine if standards were necessary and appropriate. Analysis of the FAPI 2.0 specification would also be conducted to introduce a risk-based framework and stronger authentication controls, including multi-factor authentication based on data sensitivity. 

The DSB noted that in the third quarter and beyond, consultations would focus on measuring success, decoupled authentication, and exploring interoperability with existing digital ID ecosystems.

The DSB noted that as part of the consultation they would be seeking feedback from the community on a number of questions including: 

  • Does the paper provide a fair overview of current and relevant security practices? What other practices, if any, should be considered?
  • Have the risks, threats, and data flows been appropriately assessed? What alternative considerations exist?
  • Do you agree with the Chair's working hypothesis of best practice security for the purposes of DH authentication? What other principles or considerations should be taken into account?

The Chair noted that the work on the consultation paper and the issues it addressed was just the start of a more extensive process. He stressed the importance of community feedback on the consultation paper and encouraged DSAC members to provide their input on the key questions outlined in the paper. 

One member inquired when feedback was expected on the consultation paper. The Chair responded that feedback was expected by early next week, so that changes could be incorporated and the consultation published by the end of the week.

One member highlighted the importance of considering the ADR perspective in the context of authentication requirements, especially in relation to the Australian Prudential Regulation Authority’s (APRA) requirements like Prudential Standard CPS 234 and CPS 230. They emphasised the need for CDR standards to align with existing frameworks to avoid creating bespoke requirements, which could be a barrier to entry and participation in CDR. 

One member agreed and noted the importance of aligning CDR standards with existing frameworks and emphasised that many of those considerations should be addressed in the CDR rules rather than just the standards. They suggested that principle-based or risk-based items should be incorporated into the rules governing the regime to ensure comprehensive coverage.

One member highlighted the need to rethink the InfoSec rules in Schedule 2 of the CDR Rules and suggested that those rules be restructured to focus more on principles. They emphasised the importance of aligning those rules with broader standards frameworks to ensure consistency and reduce barriers to entry for participants. They stressed that addressing this alignment is becoming a critical issue that needs to be tackled to improve the overall effectiveness and participation in the CDR ecosystem.

One member highlighted the complexity and fragmentation within the current system particularly in the context of InfoSec, which affects both consumers and the overall user experience. 

The Chair expressed strong support for the model of having a single Standards Chair for both Digital identity and the CDR. He believed that the model would provide enough influence to help reduce fragmentation and align standards more effectively. He emphasised that the rules need to reflect this alignment, not just the standards, and highlighted the importance of this work continuing with broad involvement.

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 12 March 2025 from 10am to 12pm. 

Other Business

One member thanked the Chair for his service, highlighting the effort and energy the Chair had put into the CDR community, which had been inspiring and a significant reason for his continued involvement in the CDR ecosystem.

Closing and Next Steps

The Chair noted that it had been a great honour to serve the Australian people for the last 7 years. He expressed his gratitude for the support and contributions of various stakeholders, including Treasury (Scott Morrison, Jane Hume and Stephen Jones); the Data Standards Body Executive Directors (Ellen Broad, Warren Bradey, Barry Thomas and Naomi Gilbert); leaders from the ACCC (Commissioner Sarah Court and Peter Crone); OAIC Commissioners (Angelene Falk & Elizabeth Tydd); and the support of the DSAC, which had a material impact on the progress and commitment for all involved in the CDR and its success. He acknowledged the collective effort that had driven the success of the CDR initiative.

He mentioned that he intended to remain engaged with the CDR ecosystem, focusing on helping participants progress their use of the CDR to maximise consumer benefits. 

He encouraged the DSAC members to continue their vigorous efforts to ensure the CDR's benefits reach all consumers in Australia, emphasising the importance of mainstream adoption and the ongoing commitment to the initiative. 

The Chair praised the DSB for their incredible support and capability, highlighting the positive environment they had created. He acknowledged the continuity and capability within the DSB, noting the overlapping baton passing amongst the executive directors and the significant impact this had on the progress and commitment to the CDR. He emphasised that the DSB's approach to policy development and consultation was an exemplar for the country, showcasing effective collaboration and impactful results.

Meeting closed at 11:58