Action Initiated? Action initiation under Australia's Consumer Data Right becomes law
05 September 2024
05 September 2024
After almost three years before Parliament, the Treasury Laws Amendment (Consumer Data Right) Act 2024 to bring long-awaited action initiation to the CDR is now law. The bill was passed unamended and with bipartisan support on 15 August 2024, receiving assent on 26 August 2024.
Action initiation (also referred to as "write access" for some use cases) allows a consumer to permit a service provider to initiate actions on their behalf.
Examples include initiating payments, switching service providers, opening or closing accounts, automating the processes for undertaking loan or mortgage applications or 'one stop shop' budgeting applications.
CDR action initiation regulates the "instruction layer", allowing actions to be initiated or triggered using CDR systems. It does not regulate the "action layer" – actions initiated using the CDR are performed using existing industry processes.
Data sharing was the foundation of the CDR regime, but action initiation is the next step in helping consumers overcome barriers to participation and decision-making in a data-driven economy. The new action initiation framework is intended to drive competitive benefits from the CDR – by allowing consumers and service providers to not only make better decisions, but to take meaningful action with reduced friction, driving new types of services.
The framework for action initiation is similar to existing processes under the Consumer Data Right, with three key building blocks:
The bill introduces new roles to the CDR regime:
ASPs cannot treat valid instructions from an AAI any differently to how they would treat direct instructions from consumers. However, the ASP is not required to perform an action if it would not ordinarily perform that action according to its standard business practices.
This ensures that action initiation can be used to provide a process that is as frictionless as possible.
Action initiation under the CDR affects what is known as the "instruction layer". It does not affect the usual ways that ASPs perform those actions in their business (the "action layer") and does not require an ASP to take any actions which it would not otherwise perform.
The action initiation process contemplates the following detail for these layers:
Image text (for accessibility)
Consumer
Consumer makes request to Compare Co to switch from Provider A to Provider B, and consents to these actions.
Accredited Action Initiator
Compare Co
Compare Co instructs Provider A to close the consumers account, and instructs Provider B to open a new account for the consumer.
Action Service Provider
Provider A Provider B
Provider A carries out the 'close account' action, subject to authentication, then notifies Compare Co.
Provider B carries out the 'open account' action, subject to authorisation and authentication, then notifies Compare Co.
'Open account' and 'close account' actions occur outside the CBR, using the Providers' existing industry processes.
Treasury will consult on which actions are introduced when, and for what sectors, but we expect a focus at least in the short term on "low hanging fruit" – use cases with lower cost, complexity and risk to implement, and clear consumer benefits – consistent with the Assistant Treasurer's recent approach to Resetting Australia's Consumer Data Right.
In a letter to the Data Standards Chair, the Assistant Treasurer identified as high priority use cases:
He also supported continued use of experiments, mentioning in particular those involving energy switching and real estate applications.
Actions could make use of either payment initiation (authorisation to make payments on behalf of consumers) or other "general" initiation processes (authorisation to undertake other actions, such as updating personal details or pre-filling application forms, on behalf of consumers).
Potential use cases in the longer term could include:
Submitting applications for new products and streamlining opening and closing accounts | Allowing consumers to open new accounts or apply for new products from their existing service provider using an intermediary (such as a mortgage application or cash accounts for trading platforms). The previous Government indicated that, to support streamlined switching, product applications and establishing new customer relationships will be prioritised. |
Performing 'life admin' functions | Enable a fintech provider to update personal details or update employment or income information. |
Transferring funds between accounts | Automatically transferring money between accounts to avoid overdraft fees or maximise interest returns. |
Making payments on consumer instruction | Automating the making of both push and pull (ie direct debit) payments on request. |
Switching service providers | Switching service providers manually or automatically (eg, based on data-driven insights), simplifying the changeover process and reducing friction. |
Developing new technologies | Improving services through the use of data-driven insights and executed through the use of action initiation. |
CDR use cases will mature over time from more transactional, active, user triggered activity to passive and even predictive services that are trusted to take actions on a user's behalf – for example, automatically switching between products, plans or service providers to make sure the consumer is always getting the best deal.
In its responses to Treasury's consultation on the draft bill in late 2022, the ACCC made a number of suggestions regarding liability allocation that have not appeared in this form of the bill. The ACCC also proposed that the first "actions" to be designated could be an area other than payments, such as the initiation of switching in the energy sector. We expect that the intended use cases and the liability allocation for action initiation will continue to be high priority issues for the Government and regulators to resolve as part of the action initiation design and rollout.
While most jurisdictions have started their open data journey with open banking and a focus on payment functionality, Australia envisaged a consistent "whole-of-economy" approach, with an initial focus on data sharing. Australia has the opportunity to look at overseas experiences – not only to understand high value action use cases, but also to consider if internationally standardised approaches might help control implementation costs by reducing the need for customised software systems.
The United Kingdom is looking to expand on the success of open banking to other sectors of the economy through a new Digital Information and Smart Data Bill (announced in the 17 July 2024 King's Speech).
Third party payment initiation was part of the initial scope of the UK's Open Banking initiative and has expanded rapidly since the Payment Services Directive (PSD2) began entering into force from 13 January 2018. The penetration and adoption of open banking data sharing and payments continue to grow in the UK – with payments penetration overtaking data sharing for the first time in August 2023.
In the UK, holding a Payment Initiation Service Provider (PISP) licence to initiate payments ("write" access) carries a greater regulatory burden than an Account Information Service Provider (AISP) licence ("read only" access). Australia's action initiation framework similarly allows for additional accreditation requirements for Accredited Action Initiators, and we expect requirements to be more onerous for higher risk actions (such as payment initiation). Some actions (such as password resets) will be too high risk to be part of the Consumer Data Right.
In the UK, most customer-facing open banking solutions focus on personal payments. As at January 2022, the use of Open Banking in the UK to facilitate direct payments has accounted for over £2.4 billion of funds transferred since its rollout in 2018. A frictionless user experience, together with robust security safeguards, has been key to this success.
Australia will also be watching what other jurisdictions are doing:
Successful adoption of action initiation in Australia will depend on a well-integrated payment ecosystem, with the "instruction layer" and the "action layer" interacting seamlessly.
Success will also require trustworthy identification and authentication and increases in consumer confidence – particularly in the face of recent high profile cyber-attacks. In Australia, the Assistant Treasurer has mentioned that integration between Digital ID mechanisms and action initiation will be critical for ensuring consumer safety. Consumers expect strong data protections at minimum, but willingness to share data is also integrally linked to the value of the service to the consumer – consumers are more likely to be comfortable sharing data where new services bring extra value or extra convenience.
The Government argues that CDR brings a safe and secure set of protocols and frameworks for enabling consumers to do things that they might be doing today in an unsafe way (for example, through screen scraping and password sharing).
As any CDR participant can attest, the CDR regime already takes security very seriously. But could the ability for intermediaries to initiate actions such as payments or opening accounts create a new vector for fraud threats, or get in the way of current protections against fraud?
The action initiation regime imposes various obligations with the aim to protect against the risk of fraud, for example:
The existing consent and authentication processes that exist under the CDR will continue to apply, as will the security standards that must be met for accreditation.
The Government has emphasised that the action initiation regime will not prevent service providers from applying security or other checks, or refusing to perform an action consistent with existing practices.
However, the banking sector has noted that by adding an intermediary, CDR action initiation will mean the loss of some visibility of the customer, such as data about the device used, the IP address and the time and date of the customer's instruction. This behavioural data and other markers can be used to reduce fraud and cyber risks.
If the data used to combat fraud and cyber risks is different when actions are triggered by third parties under the CDR, new security or verification solutions specific to action initiation may need to be developed.
Service providers will need to consider how they will implement action initiation in their existing systems, for example to enable switching or payment initiation via an instruction that is delivered through an API call.
Service providers should be considering what limitations might be in place for these use cases, and what additional information might be needed from consumers to ensure that they can initiate actions on request.
The action initiation regime could also offer new opportunities for existing and new service providers and FinTechs to trigger actions as an Accredited Action Initiator.
On top of the data sharing benefits available as an Accredited Data Recipient under the current CDR, service providers or FinTechs who gain accreditation as an Accredited Action Initiator could be able to initiate payments, help consumers switch products (including as an incoming channel, to a service provider's own products) or provide multi-product management services for disparate brands and service providers.
The Government previously signalled that it expects future consumer data rules to require a prospective Accredited Action Initiator to first be accredited to receive data under the CDR (as an Accredited Data Recipient), even if it doesn't receive data under the CDR. Having a good understanding of the various pathways to accreditation and the associated administrative and regulatory burdens and costs, will help organisations make strategic choices about when and how to prepare to become a Consumer Data Right participant.
While the action initiation framework has now been legislated, it does not identify or allow any specific types of actions under the CDR. Further work is required to identify high value actions, and to undertake the consultation necessary to declare an action and prepare the rules and data standards that would give effect to the action mechanisms.
Industry has signalled that consumer trust is key to the success of action initiation, and that allowing the CDR framework to mature is critical to earning that trust. Industry has previously called for meaningful sector consultation and assessment, robust cost-benefit analysis, and a measured approach to introducing actions (for example, adopting a staggered approach). If recent announcements on resetting Australia's CDR are a guide, those calls have been heard, although at this early stage the impacts of the “reset” remain to be seen.
One lesson that we have learned in assisting with CDR implementation is the level of interlinking complexity arises from overlaying a new regime on existing systems.
Action initiation brings great opportunities – but will not be a simple "bolt on" to existing systems and processes.
Additional Author: Kate Pantelidis, Lawyer.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.
Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.
This material is current as at 5 September 2024 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up