Consumer Data Right rules mandate APIs, bend to bank laggards

The banking industry has secured a raft of concessions and carve outs in the first tranche of proposed rules governing the new Consumer Data Right and imminent open banking regime, with many new online bank extension brands exempt from the initial cut.

Bank West, UBank, St George, Bank of Melbourne and have all been spared inclusion under the first Consumer Data Right Rules Framework proposed by the Australian Competition and Consumer Commission released on Wednesday.

“Related brands of the four major banks will not fall within the first version of the rules,” the ACCC said in the document that appears to try and strike a balance between a fast initial implementation, technical integrity and what is physically possible for banks already struggling to find IT staff.

As expected, the Big Four will need to make “data available on credit and debit card, deposit and transaction accounts by 1 July 2019, and mortgages by 1 February 2020, including for joint accounts where digital authorisations to transact on the accounts already exist.”

All other Authorised Deposit Taking Institutions (ADIs) get another year.

Most Australian banks will also be compelled to share consumer data via an API, with standards externally set by an independent standards body in less than a year under the proposed rules, a timeline that will have IT shops in the major institutions toiling up the overtime, or pleading for extensions and exemptions.

It is understood a number of institutions have privately indicated they fear too much pressure on an already tight labour market for scarce skills risks creating an inflationary goldrush effect, especially as access to overseas labour remains restricted after the scrapping of the 457 visa.

One of the most contentious elements of the ACCC’s proposed rules is that the door appears to have been left ajar for the introduction of fees around Consumer Data Right and open banking data access and transfers, though they will not be allowed in under the initial regime.

“The ACCC proposes that in the first version of the rules, data sharing will not be subject to fees,” the paper said, but notes that “derived data” – that is data where banks say they’ve added value through the likes of analytics – is still an open question.

At the moment banks, credit agencies and consumer data brokers run tidy sidelines on harvesting and distilling trends into qualified lists.

Where there is a sting for banks is in the proposed treatment of API performance, with the ACCC proposing that the rules “include API outage and response times, against the minimum service level benchmarks set out in the standards.”

The regulator also wants to know “the average time taken to complete the authorisation procedure across all consumers and the number of times a call is made on or to the data holder’s API (to disclose a consumer’s CDR data in accordance with a consumer’s consent and authorisation).”

Here the focus is on timely response times, or mitigating the temptation to take so long that consumers forget or give up.

Those measures are backed by a transparent complaints regime, although this would be handled by the banks themselves and disclosed rather than run directly by the ACCC.