Australian Government Delays Implementation Of Open Banking After Facing Practical Issues With The New Consumer Data Right - Financial Services

Introduction to Open Banking

In 2019, the Australian Government passed new laws to provide new rights for consumers and small businesses to their data from July 2019. We summarised the background on the new laws in our alert on 14 December 2018: Australian Consumer Data Right law: what you need to know and we explained their impact in our alert on 8 August 2019: Australian Government passes Consumer Data Right legislation on 1 August 2019.

Our August 2019 alert provided you with an outline of the timetable for the commencement of the regime. This alert updates you on that, as there is now a delay to some parts of the regime which had originally been planned to go live on 1 February 2020.

Delay to the introduction of the Consumer Data Right

As we explained in our August 2019 alert, the Australian Competition and Consumer Commission (ACCC) is the lead regulator for the new Consumer Data Right (the CDR – being a right of consumers to data portability in certain sectors, such as banking). The ACCC is supported by the federal privacy regulator in Australia, the Office of the Australian Information Commissioner (OAIC).

On 20 December 2019, the ACCC announced¹ that the phased roll-out of the sharing of consumer data and product reference data (PRD) across the whole of the banking sector will not be tested in time for a February 2020 launch.

The consequence is that the implementation timetable is adjusted so that the obligations for the four major banks to share consumer data will now commence on 1 July 2020 rather than 1 February 2020. Other obligations for data sharing that were to commence in July 2020 will now be deferred to November 2020.

The updated timetable as follows:

Major banks will be required to share PRD for credit and debit cards, deposit accounts, transaction accounts, mortgage and personal loan accounts from 1 February 2020 and for non-major banks, the deadline is 1 July 2020.
Major banks will be required to share consumer data relating to credit and debit cards, deposit accounts and transaction accounts from 1 July 2020.
Major banks will be required to share consumer data relating to mortgage and personal loan accounts from 1 November 2020.
Major banks will be obliged to share certain more complex data sets including relating to joint accounts, closed accounts, direct debits and scheduled payments from 1 November 2020.

The ACCC also said that the timing for sharing of consumer data by the non-major banks and the on-boarding of additional accredited data recipients in the first quarter of 2020 needs further consideration.

The ACCC will make their CDR Rules² (which cover the foundational rules required to implement the Consumer Data Right in banking) to reflect these changes.

Comment

From our point of view, we are not surprised by the delayed implementation as there remain some meaty issues to be resolved – all of which have been raised in the various consultations and working groups. Two examples that spring to mind are as follows:

The Consumer Data Right regime will allow consumers to require data holders to share their data with "accredited persons". But there are issues with the ACCC's proposed rules for how the CDR is to operate which including the criteria that the Data Recipient Accreditor (currently the ACCC) will apply when considering an application for accreditation. None of the organisations who would be seeking accreditation initially would have been able to meet the relevant certification by February 2020.
Another issue to be resolved relates to how consumers can consent to the sharing of their data when there are, for example, joint accounts. The ACCC's rules do not specify if a single account holder's consent is enough or if concurrent consent is needed. So, for example, if a husband and wife share an account, would they be considered by the bank as one consumer, and so they could not each establish separate sharing arrangements for the same account under a single consent constraint or could they be treated as separate consumers and each have different consents in place as to the sharing of the banking data? Consent traceability is one of the fundamental pillars of the new regime and so the processes supporting it need to be clear.

The success of the Open Banking launch is critical given that, following implementation of the Consumer Data Right in this sector, the telecommunications and energy sectors are next in line.

We will keep you updated as to events.

Footnotes

1. At https://mailchi.mp/accc.gov.au/update-to-cdr-timeline-announced ↩

2. See https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0/cdr-rules-banking ↩

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.