Data Standards Advisory Committee meeting minutes – 13 November 2024

Chair Introduction

The Data Standards Chair (Chair) opened the meeting and thanked all committee members and observers for attending meeting # 67.

The Chair acknowledged the traditional owners of the various lands from which the committee members joined the meeting. They acknowledged their stewardship and ongoing leadership in the management of water, land and air and paid respect to their elders, past, present and those emerging. They joined the meeting from Gadigal land.   

The Chair also recognised Remembrance Day and remembered those who have not only fallen, but those who had served or currently serving, and thanked them for their service.

The Chair noted that the Data Standards Body (DSB) had published version 1.32.0 of the standards in late October, which included minor defect changes consulted on during maintenance iteration #20.  The latest maintenance iteration #21 concluded on 13 November. 

The Chair confirmed that Decision Proposal 350, which relates to standard changes around the consent review, had been distributed to the DSAC members for feedback. 

The Chair noted that the Data Standards Advisory Committee (DSAC) refresh was ongoing and would be finalised shortly. However, they noted that Colin Mapp and Melinda Green (Energy Australia) had signalled that they would not be continuing their membership, and the Chair extended they’re thanks to them both.

The Chair noted that the updated Terms of Reference has been included at Appendix A, which reflected minor changes to the way the group works and the number of meetings per year. 

The Chair also welcomed Matthew Bowd (Director – Governance) and Matthew Shaw (Solutions Architect) who had recently joined the Data Standards Body (DSB).

Minutes

The Chair thanked the DSAC Members for their comments on the Minutes from the 9 October 2024 meeting.  The Minutes were formally accepted.   

The Chair noted that the DSB were continuing to progress the threat assessment work, and they would present back to the DSAC at a future meeting in 2025. 

The Chair also thanked those members who were not seeking reappointment to the DSAC for their valuable contributions to the Committee.   

The Chair noted that a list of proposed topics that the DSB would present to DSAC members had been included in the papers. 

Working Group Update

A summary of the Working Groups was provided in the DSAC Papers and was taken as read.

A further update was provided on the Technical Working Group by Mark Verstege.

The DSB noted that:

• the NFR Consultative Group had paused until the end of year and would resume in February 2025. 
• the InfoSec Consultative Group was close to completing the authentication uplift piece of work, with the initial consultation expected before the end of the calendar year.
• Decision Proposal 350 had been circulated to DSAC for feedback, with the release being published shortly thereafter. Depending on the timing, it would be published separately or combined with the result of Maintenance Iteration 21. 

A further update was provided on the CX Working Group by Michael Palmyre. 

The DSB noted that:

• Decision Proposal 350 had been circulated to the DSAC and they welcomed feedback by cob 14 November. The decision focussed on CDR receipts, 90-day notification and amending consents. Two areas that had not progressed included the retiring of withdrawal standards and nominated representative changes. 
• they had progressed draft CX guidelines to support the consent review and operational enhancements which were being consulted on via Change Request 674.   
• they were working on several Change Requests as part of Maintenance Iteration 21 which addressed issues including drop offs and streamlining. 

Stakeholder Engagement

A summary of stakeholder engagement including upcoming workshops, weekly meetings and the maintenance iteration cycle was provided in the DSAC Papers, which were taken as read. 

Items raised by Members for Discussion

Jill Berry from Adatree raised an issue regarding success metrics which Treasury would address as part of their regular update. 

Non-Functional Requirements (NFR) Consultative Group Update

Mark Verstege from the DSB presented the findings regarding problems identified by the NFR Consultative Group, including:

• from a data holder perspective, concerns and considerations around costs; and
• from a data recipient perspective, concerns as to whether the CDR could address, or had the capacity to address, future growth.

It was noted that since inception, uptake and data sharing had accelerated exponentially with 2 billion API calls with 226,000 connected consumers. The DSB outlined that those numbers continue to grow and at present, there were 138 data holders’ brands actively sharing consumer data. The DSB noted that this data could be found at www.cdr.gov.au under the performance dashboard. 

It was noted from a growth perspective, over the last year the CDR had generated more data sharing traffic than the previous 3 years combined with 1.2 billion API calls being made in the last 12 months. Year-on-year growth had doubled compared to 599 million API calls in 2023 with 1.2 billion calls from Oct 2023 to Oct 2024, and data holders reported 99.27% service availability throughout 2024.

It was noted over the past month (October 24) there had been significant growth versus this time last year with 144.6 million API invocations (2.4 x growth from Oct 23) with the connected data holders and availability remaining consistent. 

It was noted that the NFR CG had been established in February 2024 with representation from energy, banking and data recipients to help understand ecosystem issues and opportunities that could be addressed.

Some of the CDR ecosystem issues identified are:

• Capacity constraints in data collection with the emergence of larger energy consumers such as developers.
• Current API data collection limits total customers between 200-500,000, affecting accounting platforms and data platforms using screen scraping and transitioning from screen scraping to the CDR.
• ADRs need up-to-date and accurate data, otherwise it leads to data quality issues, processing complexity and unnecessary API calls limiting total customer growth.
• Data holders are scheduling full day or multi-day and daytime outages of CDR systems. ADRs cannot connect to data holders to collect data or establish new consents, and they lose customers and experience loss of revenue.
• The challenge of responding to large data requests within the same response time as smaller requests.
• Data that doesn’t change frequently must still be returned as quickly as previous data history.  They must hold historical data for all account types in high performance data caches.

Concerns were raised around the difference between attended and unattended scenarios in handling transactions. It was suggested that NFRs might need to be different for attended (real-time) and unattended (batch) scenarios and vary for different sectors. 

A query was raised regarding the need for clarity on everyday risks vs outlier concerns, and what the focus should be. The member queried whether large energy account holders or accounting platforms would regularly request data for thousands of accounts and whether this was an edge case. They advised there was a need to focus on core consumer use cases that were realistic and common use cases, such as daily transaction updates for banking customers. 

The DSB noted that this was a genuine concern of participants with real life cases raised in the CG where a daily collection of all customers to get an update of transactions was a very common use case.

The DSB explained that in the energy sector, it was common for consumers, especially commercial and industrial ones, to have multiple accounts due to property holdings. This led to scenarios where a single consumer had hundreds of accounts. These large consumers, such as developers or entities managing shopping centres, often need to share data for multiple properties, which can involve significant data volumes. 

A member reiterated that the most common use case in energy involved individual consumers wanting to view their energy usage profile to determine appropriate plans, which requires 12-24 months of historical data only. The Chair noted that this work was focused currently on looking at issues but not yet solutioning nor focusing on specific use cases at this point in time.

It was suggested that it would be helpful to categorise the needs and issues identified as whether needing to be addressed now, next and later to better understand their urgency and impact as it was important to distinguish between problems that are currently affecting the ecosystem, potential issues in the near future, and those that are projected to be concerns later on. It was also recommended assessing whether the issues impact specific use cases or the entire ecosystem. 

It was highlighted that this was the consumer data right not the corporate data right and that these were use cases more suited for corporates.

The Chair noted that commercial and industrial organisations (C&I) had been designated as customers under the CDR and therefore can’t be excluded. 

It was highlighted that some of the issues and solutions discussed might be too significant to be addressed within a maintenance iteration and may require a decision proposal. It was also suggested the importance of considering non-technical solutions, such as reviewing the Privacy Safeguard 11 (PS11) requirements in relation to CDR to address some of the compliance and operational challenges faced by data holders.

The Chair noted that he was watching this space closely to ensure that they address the high value use cases that the Minister had asked them to unlock, i.e. borrowing decisions, energy switching and facilitating the involvement and use of CDR by accounting platforms.

The DSB noted that whilst there may be some small opportunities to take things through a maintenance iteration, most of the issues raised would require a decision proposal and significant consultation.

The DSB noted that the key opportunities for sustainable growth and performance in the ecosystem include “ecosystem performance”, “ecosystem growth” and “reducing system impacts”. 

From an ecosystem and performance perspective there was a need to reduce data collection inefficiencies which included providing better guidance for ADRs and to make fewer API calls while still obtaining the necessary data, as opposed to standards changes. 

From a growth perspective, the idea of asynchronous data sharing was highlighted to improve performance without increasing infrastructure costs for data holders. The DSB noted that AEMO was currently trialling this approach. 

The DSB noted intended next steps could include:

Now:

• Progressing additional CX guidelines to accommodate larger consumers in the energy sector, which also applies across sectors. 
• AEMO is currently developing a trial for asynchronous data sharing to understand performance efficiencies. 
• Consulting on discovery to improve interoperability within the ecosystem. 

Next:

• Looking at more substantive pieces to drive better efficiency within the current NFR by potentially sharing data in bulk using asynchronous approaches. 
• Exploring additional operational enhancements to address constraints in the standards, such as removing the need for data holders to calculate and return the number of pages of data in advance. 

Later:

• Continuing to identify and implement additional operational enhancements to improve data sharing processes and reduce inefficiencies. 
• Developing and consulting on larger decision proposals to address significant issues and opportunities identified in the consultative group, ensuring comprehensive solutions for the ecosystem. 

The importance of success metrics was emphasised to inform the prioritisation of the next steps, and that clear, measurable success metrics were necessary to guide the work on NFRs and other initiatives. 

ACCC Update

Verushka Harvey, the General Manager of the Solutions Delivery & Operations Branch of the CDR Division at the ACCC provided an update on various aspects of the CDR, including guidance revisions, compliance matters, new representative arrangements, and technology updates.  Further details followed:

• On 22 October, Intuit Inc. surrendered their accreditation, which was accepted on 24 October by ACCC. 
• On 22 October, the ACCC published the ACCC CDR Compliance Review of Energy Sector Authorisation Processes following a targeted compliance review of selected energy sector data holder authorisation processes. They would continue to closely monitor data holder compliance with their authorisation related obligations and engage with the relevant data holders to ensure any outstanding compliance concerns were identified as part of the review.
• On 4 October, the ACCC published version 6 of the Performance Dashboard, including additional data holder metrics related to performance errors and authorisation completion.
• On 31 October, the ACCC Chair delivered a speech at the opening of the Gilbert + Tobin Financial Services Forum focused on strengthening competition and consumer engagement in financial services and highlighted the CDR which supports that.
• On 10 October, the ACCC decommissioned the consumer API endpoint, and replaced it with the Public Register API to capture data as per Rule 5.2.4, 5.25 and 5.2.7. This simplified the maintenance work going forward and increased their security posture by removing redundant endpoints. 
• The division recently conducted program increment planning for the next quarter, focusing on new features for the RAP conformance test suite and automation of internal processes. 
• Five new representative arrangements were notified to the ACCC, and two representative arrangements ended. 
• The Trustee for the Government Employees Superannuation Board (Western Australian Government) was activated as a software product for Yodlee, with CDR data being shared under the CDR insights model. Account verification will be used to confirm account details for payment of large superannuation funds at the employee’s retirement, and CDR data will be utilised for the bank account verification purposes.

Treasury Update

Claire McKay, Assistant Secretary of the Data and Digital Policy Branch, Digital, Competition and Payments Division at Treasury provided an update on several key areas as follows:

TSY acknowledged the importance of success metrics and noted that they are working on them. They emphasised that the metrics needed to be measurable and relevant to the goals of the CDR, that the development of these metrics were a priority, and they were considering various factors to ensure they effectively measure the success of the CDR initiatives. 

Further discussion emphasised the necessity of having measurable metrics to inform the next steps and prioritisation of work and crucial for guiding the efforts of various teams. One member expressed disappointment on the progress to date.

Another member questioned how screen scraping events could be measured, noting that it might be technically challenging to measure screen scraping events per day. TSY acknowledged the challenges in measuring the number of screen scraping events and emphasised the importance of focusing on the update of CDR as a more practical measure. They also considered various ways to measure and track transition from screen scraping to CDR usage.

One member inquired about the nature of the Minister’s letter, questioning whether it was a prescriptive mandate or more of a directional sentiment. They sought clarification on whether the letter explicitly mandated specific use cases for the CDR Chair or was it more general guidance.

The Chair clarified that they interpreted the Minister’s letter as explicit and responded with a letter of intent, outlining how they planned to progress based on the Minister’s expectations. They mentioned that they had not received any follow-up from the Minister, and therefore assumes deemed acceptance of their response.

TSY noted that the Minister published a media release on 12 November around the CDR rule changes to drive consumer up take. They noted that this was based on feedback received during consultation which included significant feedback on the nominated representative change, leading to a decision to undertake more targeted consultation to find a better solution that supported business consumers access to CDR. 

One member expressed disappointment with the new rules, stating that they do not move the needle or address key issues. They highlighted that the rules do not include changes that would significantly increase CDR uptake such as business data consents or nominated representatives. They also believe that feedback provided over the past year had not been adequately addressed and the current rules drop feels like a missed opportunity. 

TSY noted that the feedback on nominated representatives indicated that the proposed changes would impose significant costs without achieving the desired outcome, and that more time would be needed to be spent consulting to find a better solution. 

TSY noted that the updated non-bank lending rules were expected to be out for consultation within the next week or so.

One member acknowledged the frustration with the delays and the limited scope of the new rules. However, they wanted to acknowledge that TSY were making the efforts to get it right by considering all stakeholder feedback and maintaining good visibility of the process.

One member noted that from their point of view, the bundling of consents was an important step and emphasised it as a significant and necessary change. They also suggested that most screen scraping organisations would be likely using CDR and proposed that an informal volume read from these organisations could provide powerful insights into the uptake of CDR compared to screen scraping. They noted that this could help demonstrate the value of CDR and support further political and stakeholder engagement.

One member inquired about the Strategic Review by the Minister asking if it was still taking place prior to the end of the year. TSY confirmed that the Ministers Speech at CEDA was the outcome of the Strategic Assessment.

One member highlighted the Minister's priorities, particularly focusing on the borrowing use case. They suggested that it would be beneficial to have the Australian Financial Complaints Authority (AFCA), and the Australian Securities and Investment Commission (ASIC) invited to a future meeting to discuss how they want to handle complaints if a person instructed to have their data deleted, especially in the context of responsible lending applications. They noted that this would help address potential demand constraints and improve the use of CDR in priority cases. 

One member commented that in the context of responsible lending applications, the consumer credit rules would override a request to delete data if the person had been granted a loan. They noted that this meant that the lender could hold on to the data and ignore a deletion request. However, they outlined that if the person did not become a customer, the credit rules would not apply, and the data would need to be deleted, which creates complications for lenders.

Meeting Schedule

The Chair advised that the next meeting would be held remotely on Wednesday 11 December 2024 from 10am to 12pm.  

Other Business

No other business was raised.

Closing and Next Steps

The Chair thanked the DSAC Members and Observers for attending the meeting and their contributions, especially those who will be departing the DSAC as part of the refresh. They acknowledged their efforts on this nationally significant initiative and wished them well.

Meeting closed at 11:20