Originally published in  Banking Law Bulletin (2018) Volume 34, at page 28

“Open Banking” is shorthand for implementing the “consumer data right” (CDR) in the banking sector. The Open Banking Review makes specific and detailed recommendations about implementation. But customer-focus, competition, innovation, efficiency and fairness can sometimes be in the eye of the beholder: different interest groups will sometimes have different views about how best to create a CDR that achieves these aims. In responding to the recommendations of the Open Banking Review, the Federal Government will need to balance the views of regulators, banking incumbents, new entrants and consumer groups.

What is the CDR?

The CDR is the right of Australian consumers to have “open access” to their data. This right was announced by the Federal Government on 26 November 2017, in response to the Productivity Commission’s recommendation in May 2017 that a “consumer” be given a new comprehensive right to access digital “consumer data” held by a data holder.  

In the context of the banking sector, “open access” means that a consumer can initiate a data sharing arrangement by directing the holder of their banking data to share their data with a third party (data recipient). That direction may include specific instructions on what data is to be shared and with whom, and the duration of the sharing arrangement.  Broadly, the CDR is intended to enhance a consumer’s ability to have their banking data used for the provision of a service that competes with, or complements, the service that the holder of their banking data provides to the consumer. These may include comparison services that will use a consumer’s shared banking data to provide the consumer with tailored banking product recommendations.  

Who can exercise the CDR?

The Productivity Commission recommended that the “consumers” who are entitled to exercise the data right should include single persons, family groups or other groups resident at a single address in the data holder’s data set, and any entity with an Australian Business Number (ABN) and a turnover of $3 million per annum or less.  In contrast, the Open Banking Review recommends that the CDR be available to all banking customers holding a relevant account in Australia.  This is because of the potential complexity of defining businesses within and outside scope (e.g. should the test be based on turnover or number of employees), and the difficulty a holder of banking data will have in determining the status of a business at any point in time.  

Who must comply with customer data sharing directions under the CDR?

The Open Banking Review recommends that Authorised-Deposit-taking institutions (ADIs), other than foreign bank branches, should be subject to customer data sharing directions under the CDR. Further, the Review recommends that the four major Australian ADIs should comply with their customers’ data sharing directions from the first day of operation of open banking but the remaining ADIs should be obliged to share data from 12 months after that date, unless the Australian Competition and Consumer Commission determines that a later date is more appropriate.

What data is within the scope of the CDR?

The Review’s recommendations can be summarised as follows:

Type of data Recommendation
Type of data
Customer-provided data (e.g. personal address and contact details, statements of financial position provided when opening an account or applying for a loan, details of payees when instructing payments).
Recommendation
At a customer’s direction, data holders should be obliged to share all information that has been provided to them by their customer (or former customer).  But the obligation only applies where the data holder keeps that information in digital form. The obligation should not apply to information supporting an identity verification assessment.
Type of data
Transaction data (i.e. data that is generated as a result of transactions made on a customer’s account or service, such as records of deposits or withdrawals, account balances, interest earned or charged and other fees or charges incurred).
Recommendation
At a customer’s (or former customer’s) direction, data holders should be obliged to share all transaction data in a form that facilitates its transfer and use. The obligation should apply for the period that data holders are otherwise required to retain records under existing regulations. The obligation should only apply in relation to 16 specified types of deposit product and 11 specified types of lending products.
Type of data
Value-added customer data (i.e. data that results from effort by a data holder to gain insights about a customer- including income/asset checks, customer identity verification checks, credit reporting data, credit scores, data on an individual customer that has been aggregated across the customer’s accounts and standardised, cleansed or reformatted to make it more usable.)
Recommendation
Data that results from material enhancement by the application of insights, analysis or transformation by the data holder should not be included in the scope of open banking. But if directed by a customer to do so, data holders should be obliged to share the outcome of an identity verification assessment performed on the customer, provided the anti-moneylaundering laws are amended to allow data recipients to rely on that outcome.
Type of data
Aggregated data sets created when banks use multiple customers’ data to produce de-identified, collective or averaged data across customer groups or subsets (e.g. average account balances by postcode or income segment, or average size of small business overdrafts by industry segment).  
Recommendation
Aggregated data should not be included in the scope of open banking.
Type of data
Product data (features of the products that banks provide to customers).
Recommendation
Where banks are under existing obligations to disclose information on their products and services – such as on price, fees and other charges – that information should be made publicly available under open banking.

Regulatory framework to implement the CDR

The banking sector is the first sector in which the CDR is to be implemented. As a result, the Review has outlined the proposed framework for implementing the CDR generally, as well as for implementing the specific rules needed for open banking.  Broadly:

  • the Competition and Consumer Act 2010 (Cth) (Act) will be amended to set out the general (non-industry specific) objectives of the CDR;
  • a particular industry sector (like banking) will be designated by Ministerial direction as a sector in which the CDR will apply;
  • the Act will enable regulations and operational rules to be established for the application of the CDR to a particular sector;
  • the rules for open banking (and other sectors in which the CDR will apply) will be determined by the Australian Competition and Consumer Commission (ACCC) in conjunction with the Office of the Australian Information Commissioner (OAIC); and
  • there will be a set of open banking standards sitting under the open banking rules: these standards are to ensure efficient and simple implementation and compliance, interoperability between accredited parties within and across sectors and to promote competition (amongst other things, these standards will deal with methods for data transfer, data standards and security standards).      

Open questions about open banking

The Review is specific, detailed and wide-ranging. I do not know how it was produced so quickly. Almost every issue one can think of is identified and dealt with. What follows is a shallow dive into two areas that I believe would be of interest to banking, regulatory and Fintech lawyers generally.

Is Tournier adequate for customer data that is not personal information?  

As noted above, the CDR will be exercisable by companies and other artificial legal persons, not just natural persons. The Review notes that as such customers’ data may not be personal information, the Privacy Act 1988 (Cth) (Privacy Act) will not cover all of the data involved in open banking. The Review adds that:

remedies for privacy breaches for some businesses will lie under the common law. The common law imposes a contractual duty of confidentiality on banks not to disclose the affairs of their customers – whether individuals or businesses – unless the disclosure falls within four limited exceptions.    

The Review then recommends that small business customers should be given access to external and internal dispute resolution services for confidentiality disputes similar to those that exist for individuals under the Privacy Act.

There are several obligations that could (and perhaps should) be imposed on a bank when it handles a customer’s data that is not personal information. In the same way that organisations handling personal information under the Privacy Act have obligations that go beyond just keeping personal information confidential, should banks handling customer data that is not personal information be subject to obligations as to:

  • the purposes for which they use that data;
  • the quality of that data;
  • notification of data breaches in relation to that data; and
  • other matters that apply to the handling of personal information under the Privacy Act?   

Some other jurisdictions recognise that bank confidentiality should be expanded to address the proper use by banks of the confidential information that they hold. If such an expansion is to occur in Australia, it would need to be by statute.

The Review notes that:

The references to “confidentiality” and “some of the protections” may suggest that a CDR system participant’s handling of customer data that is not personal information will be regulated in relation to disclosure (confidentiality) only, in line with Tournier.  However, the Review includes example “direction to transfer” rules that stipulate that:

though the data recipient does not need to inform the data holder of all intended uses, there are prescribed uses that should be presented to the customer for permission (consent) to be considered informed. These uses would be expected to include:

  • the primary purpose for which the data is being transferred
  • on-selling of data
  • direct marketing
  • transfer of data outside the Consumer Data Right system; and
  • transfer of data overseas.

I agree with this approach. In my view, there are conceptual and practical difficulties with imposing Privacy Act-type obligations across the board on data recipients when they handle customer data that is not personal information. But it would be appropriate to impose more limited Privacy Act-type use and disclosure and notification obligations on such data recipients, at least where the data relates to small business customers. This seems to be the direction in which the Review is heading.   

Should “screen scraping” be prohibited?

The Review notes that in the absence of an Open Banking solution, “screen scraping” technology is used by many FinTech businesses to access a customer’s banking data. “This involves the customer providing their FinTech, or an associated ‘data aggregator’ with their access credentials that the FinTech uses to log into the bank’s online banking interface. The technology then extracts the customer’s data – such as their account balance and transactions –from the information that the customer would be able to see on their screen.”  The Review adds that screen scraping is “risky”, unstable” and “costly” and is presently popular out of necessity, not because it is an elegant technology design for data sharing.  

In relation to risk, the Review notes that screen scraping may adversely affect a customer’s protection from fraud. This is because the customer’s handing over of login credentials to enable screen scraping may be a violation of the bank’s terms and conditions. As a result, the customer may bear fraud risk if those credentials are compromised.

In the end, the Review concludes that open banking should not prohibit or endorse screen scraping, but should aim to make this practice redundant by facilitating a more efficient data transfer mechanism.

An issue that is related to screen scraping is the issue of “payment initiation” or “write access” as it is described in the UK.  “Write access” is the ability of a customer to give third parties the ability to transact on the customer’s behalf (e.g. by initiating a payment). “Write access” is sometimes facilitated by screen scraping technology. The Review notes that payment initiation or “write access” was not part of the terms of reference for the review and so has not been considered to be part of the initial scope of Open Banking in Australia. As a result, “write access”, like screen scraping generally, still dwells in an uncertain place.   

Customer-focus, competition, innovation, efficiency and fairness (the guiding principles for the Review) can sometimes be in the eye of the beholder: different interest groups will sometimes have different views about how best to create a CDR that achieves these aims. In responding to the recommendations of the Open Banking Review, the Federal Government will need to balance the views of regulators, banking incumbents, new entrants and consumer groups.

David Kreltszheim, Special Counsel, Cornwalls. The views expressed are the author’s and do not necessarily reflect those of Cornwalls.