- CDR, or open banking, is about giving consumers the right to direct data to people they trust.
- Being a recipient of open banking data could give CAs greater access to information about their clients.
- Becoming accredited for CDR will require meeting specific criteria and carefully reviewed responsibilities.
By Prue Moodie
A world in which we can direct the likes of Google and Facebook to do as we choose with our data may never exist. But a world in which Australian consumers and businesses can direct the big banks to stream their banking data to third parties is upon us.
This new legislation is called consumer data right (CDR), but is often simply referred to as “open banking”. It is being promoted as a way to help Australians shop around for cheaper financial products, boost financial innovation, and to loosen the big banks’ grip on customers.
From 1 July 2020, Australians will be able to access not only their own deposit and credit card data from the “big four” banks, but also instruct those banks to send that data to accredited third parties. The data feed will be dynamic, meaning those third parties will see transactions in real time. They could be technology companies specialising in finance, which will use the data to provide customised information and products to consumers, or be financial intermediaries, such as accountants, who can use the data to improve their client service.
Consumers will have control over transmission of their data, determining what the bank sends, who receives it and for how long they can access it. According to the current CDR schedule, as of 1 November, the regime will also apply to mortgage data held by Australia’s big banks. Due to the economic effect of COVID-19, implementation dates for smaller banks have been delayed.
What’s in it for accountants?
There are good reasons for accountants to be interested in CDR, says Phil O’Sullivan, managing associate at international law firm Allens. At its heart, CDR is about giving consumers the right to direct data to people they trust, he explains.
Accountants typically score high on trust, with surveys frequently placing them in the top tier of trustworthy professionals along with doctors, teachers and engineers. High levels of trust mean consumers are likely to take seriously their accountant’s explanation of the benefits of data sharing.
“Being a recipient of the data will give accountants greater access to information about their own clients,” says O’Sullivan.
“Being a recipient of the data will give accountants greater access to information about their own clients.”
Aggregation is the all-important concept here, and when it comes to data, there are two broad levels of it.
“Fintechs have a motivation to pool clients’ information to innovate products and services for consumers to use, such as categorising spending habits and other patterns, and creating new products based on this information,” says O’Sullivan.
Accountants may be motivated to aggregate data from different banks relating to one individual or one business. They can use that deeper understanding of a client’s business affairs to provide a customised advisory service.
“It will allow accountants to identify cost savings more readily, to the benefit of their business clients,” says O’Sullivan. “It will also allow them to improve the client experience.”
PwC Australia’s banking and capital markets partner, Sam Garland, adds: “The type of information that will be available will allow business customers to gain more information about the performance and patterns of their businesses. Any party that helps facilitate this should benefit from a rich information source.”
A CDR data feed could even be a worthwhile tool for accountants wanting to help businesses get back on their feet post-COVID-19.
Consulting CFO Matthew Tribe CA believes that for businesses recovering from the lockdown, the major concerns will relate to cash flow and reassuring investors the business has navigated a changed consumer/business environment, and has the cash flow to support future growth.
“CDR will make bookkeeping and transactional processing simpler and more efficient,” says Tribe. “Along-term effect might be faster and more accurate offshore financial data processing. At present, when you offshore, the overseas team you use doesn’t necessarily understand context. Assuming you get the correct permission from the customer, CDR might allow the overseas team more insight into a customer’s circumstances.”
However, Tribe does have some doubts. “I can’t see how CDR helps with subjective elements of financial reporting, such as forecasting or understanding more complex corporate structuring, which are particularly important when it comes to applying for government assistance packages and loans.”
“I can’t see how CDR helps with subjective elements of financial reporting, such as forecasting or understanding more complex corporate structuring, which are particularly important when it comes to applying for government assistance packages and loans.”
The CDR accreditation hoops
In late April, the CDR legislation’s main regulator, the Australian Competition and Consumer Commission (ACCC), had not published final accreditation guidelines.
However, based on the draft version, and on the ACCC’s CDR Rules, Bryony Evans, partner with King & Wood Mallesons law firm, cautions that if an accounting firm’s main interest is better client service rather than providing new commercial services and products – such as budgeting apps – the firm should weigh up accreditation carefully.
“Becoming accredited requires specific criteria to be satisfied, and accredited persons have responsibilities which require careful review and management,” she says.
Accreditation may not even be necessary for some accountants. Batch feeds and screen scraping techniques (see left) already provide the means for accounting firms – through their associations with fintechs – to delve into client banking data.
Accreditation may be optional
There’s another reason for financial intermediaries to hold off on full CDR accreditation. It’s possible that the ACCC, which is overseeing CDR, may allow a form of CDR data sharing between accredited persons and non-accredited third parties.
A spokesperson for the ACCC told Acuity in late April it was “currently developing amendments to the CDR rules that will address substantive policy issues such as use of intermediaries by accredited data recipients.”
If this variation is allowed – lawyers Acuity interviewed were not willing to speculate about the ACCC’s decision – it will become easier for accountants to become recipients of CDR data, either through a low level of accreditation or through an association with a fully accredited recipient.
In July, Trend Micro announced the availability of Australia’s first open banking automated compliance check: Trend Micro Cloud One™ – Conformity. Built on AWS, the solution provides companies and auditors with automatic and continuous testing of the controls that accredited data recipients must have in place, while also reducing costs involved in the initial and ongoing accreditation requirements.
Moneytree Financial Technology is a specialist financial data consolidator whose app already allows consumers and small businesses to transport all of their financial data to and from a range of services through an application programming interface (API) connection. Moneytree intends to become an accredited intermediary under CDR legislation.
In its submission to the ACCC’s CDR consultation paper, Moneytree commented on the large financial and human resource investments that would likely be required to achieve full accreditation.
“This could lead to a smaller pool of CDR participants, which can lead to limited value creation for data owners and participants, which could ultimately work against the CDR regime’s goals of bringing more and better competition to Australia’s data economy.
“It is appropriate for downstream providers to have lower, and possibly no, accreditation for various reasons … Smaller downstream recipients – for example, accountants – would only handle a small number of consumers’ data and thus have a lower exposure risk.”
Many submissions, including those from Visa and Xero, agreed. Others were more cautious. PayPal, for example, said it did not support the receipt and use of CDR data by non-accredited parties. The Australian Banking Association was also dubious.
The key to privacy under CDR
Whatever conclusions the ACCC reaches about a lower level of accreditation for smaller intermediaries, it is likely that any intermediary in the CDR regime will need to demonstrate they can comply with the new set of CDR-specific privacy safeguards that were published by the Office of the Australian Information Commissioner (OAIC) in late February.
“Professional services firms which are used to handling personal information in line with the Australian Privacy Act 1988 will be familiar with many concepts in the CDR Privacy Safeguards,” says Evans. “However, the CDR safeguards introduce new requirements.”
Consent is the major difference. In its Privacy Safeguard Guidelines publication, the OAIC writes that an entity governed by the Australian Privacy Principles can collect personal information – other than sensitive information – if it is reasonably necessary for one or more of the entity’s functions or activities. Where consent is involved, it can be either express or implied.
By contrast, the OAIC writes, consent is the primary basis on which an accredited person can collect and use data under the CDR Privacy Safeguards.
The OAIC makes these points about consent:
An accredited person can only collect data in response to a valid request from the consumer, and can only use or disclose a consumer’s CDR data in accordance with the consumer’s consent.
The consumer must make a valid consent to an accredited person for that person to be able to collect and use their CDR basis, and consent is a fundamental component of a valid request.
Consent is valid for 12 months.
What will happen to the banks?
When commissioning the 2017 review into open banking that resulted in CDR, Treasury was clear its intent was to loosen the ties that bind customers to the big banks.
The terms of reference stated: “[Open banking] will deliver increased consumer choice and empower bank customers to seek out banking products that better suit their circumstances.”
However, successive governments, even when railing against the big four banks, have generally considered their presence a desirable feature of the Australian financial system, providing it with stability and strength.
While in theory CDR could weaken the big four banks as they reel from COVID-19’s effect on earnings, in reality they are well qualified to become accredited data recipients. CDR may simply result in greater customer churn from one bank to another.
Regardless of the long-term effects on banks, CDR regimes clearly establish they are the holders of data, not the owners.
Post-CDR, banks will lose exclusive control of consumer data while consumers will gain more. A burning question is whether consumers will use that to their best advantage.
New Zealand is also in the process of introducing open banking. After initially hoping the change could be industry-led, in December 2019 Minister for Commerce Kris Faafoi, impatient at the slow pace of development, directed government officials to issue a discussion paper on CDR legislation in the first half of 2020.
The idea of data sharing with third parties is not new, but as uno Home Loans founder and chief innovation officer, Vincent Turner, says: “CDR will make the data more consistent and it will introduce a more secure environment for consumers.”
What does that mean for accountants? Rather than being stewards of a customer’s financial situation once a year, “It’s not too great a leap [for accountants] to go from that to a kind of continuous assessment,” says Turner.
Batch feeds and screen scraping: the fintech view
Ian Boyd, Xero’s financial industry director, Australia and New Zealand, says his company is already operating in a CDR-like environment, taking in a customer’s bank data and providing it to their accountant or directly to small businesses – with the account holder’s permission.
Picture: Ian Boyd, Xero’s financial industry director, Australia and New Zealand.
At Xero, the transfer is done through bank-feed integrations. Called batch feeds, they have been built with the help of technology resources at each of the banks – but there are differences between this and CDR. “The timing will speed up under CDR,” says Boyd, adding the breadth and depth of what can be provided to accountants and bookkeepers will also improve.
“Breadth relates to the number of products. Eventually, all banking products will be covered by CDR. We don’t have relationships with all the authorised deposit institutions [ADI] at present, and CDR will cover all ADIs.
“Depth relates to data. We’ll get more product information. At the moment we get the transaction details of a mortgage account, but we may not know the interest being charged or repayment terms.”
Other fintechs use techniques collectively known as screen scraping that do not require explicit approval from banks but do require approval and passwords from customers.
uno Home Loans’ chief innovation officer Vincent Turner says uno’s mortgage interest savings tool is based on screen scraping. The tool provides real-time monitoring of the interest a customer is paying on a mortgage and suggests ways of saving interest or switching to another product.
“It’s done without the blessing of the financial institutions,” says Turner. “It’s fair to say many customers have some trepidation about it, although 70% of our customers opt for screen scraping in order to access the mortgage interest tool.”
We’re digital serfs in data’s dark ages
The printing revolution brought intellectual property rights. Should the digital revolution bring the right to personal data ownership?Read more