Legal development

Action Initiation under the Consumer Data Right is coming

Insight Hero Image

    What you need to know

    • The Government has introduced a bill to include action initiation or "write access" in the Consumer Data Right (CDR) regime.
    • Action initiation brings to life some of the foreshadowed opportunities of the CDR, with use cases ranging from the automation of payments to insight-driven service provider switching.
    • The bill sets out the framework for action initiation, but not the specific actions – Treasury will consult on which actions are introduced when, and for what sectors. We discuss some of the actions we might see below.
    • The regime brings two new roles to the CDR, the Accredited Action Initiator or AAI (who will receive action requests from consumers) and the Action Service Provider or ASP (who will perform the action request from an AAI as if it came from the consumer directly).
    • While new to Australia, the UK has had open banking payments since 2018, giving Australian businesses a picture of what we can expect.
    • Various sectors have stressed in submissions the need for extensive consultation to address industry-specific challenges, and called out that the CDR needs time to mature to build customer trust.

    What you need to do

    • Service providers (especially in the banking, energy, telecommunications and finance sectors) should start considering how their internal systems and processes are placed to facilitate action initiation.  CDR action initiation is only the "instruction layer" that triggers the action – the "action layer" will be performed by existing processes.
    • Treasury will consult on which actions should be designated in each sector.  Businesses should actively engage with these consultations to ensure that their sector-specific challenges, regulation and practices are taken into account.
    • With the Government's ambition for an economy-wide rollout of the CDR, service providers in all sectors should consider how action initiation might impact their product roadmaps and strategies – including, for example, whether to become accredited to initiate actions, such as payments or account switching.

    New bill brings "write access" to the Consumer Data Right

    The Australian Government introduced the Treasury Amendment (Consumer Data Right) Bill 2022 to bring long-awaited action initiation to the CDR.

    Action initiation (also referred to as "write access") allows a consumer to permit a service provider to initiate actions on their behalf.

    Examples include initiating payments, switching service providers, opening or closing accounts, automating the processes for undertaking loan or mortgage applications or 'one stop shop' budgeting applications.

    CDR action initiation regulates the "instruction layer", allowing actions to be initiated or triggered using CDR systems.  It doesn't regulate the "action layer" – actions initiated using the CDR are performed using existing industry processes.

    Data sharing was the foundation of the CDR regime, but action initiation is the next step in helping consumers overcome barriers to participation and decision-making in a data-driven economy.  The new action initiation framework is intended to drive competitive benefits from the CDR – by allowing consumers and service providers to not only make better decisions, but to take meaningful action with reduced friction, driving new types of services.

    As the CDR spreads across sectors, the Government's vision is for a new breed of "digital concierge" services that will orchestrate actions across sectors at important life decision points, driving efficiency and competitiveness – from being able to update your address information with all your providers at the same time, to having a service provider manage the entire process of significant life decisions like buying a house (involving banks, mortgage brokers, advisors, insurers, government, etc).

    Action initiation also has the support of the Liberal-National Coalition, which has called the changes a "game changer" for the CDR, and intends to support the bill in its current form.

    A new framework to initiate action using the CDR

    The framework for action initiation is similar to existing processes under the Consumer Data Right, with three key building blocks:

    • Declaration:  Types of actions that can be initiated using the CDR, and the classes of CDR Data Holders that are to be Action Service Providers, are added by ministerial declaration.
    • Rules:  Following a declaration, the Minister would make rules for the action type.
    • Data standards and guidelines:  The rules would work alongside the data standards prepared by the Data Standards Body. The Office of the Australian Information Commissioner would also prepare and publish guidelines relating to the privacy safeguards.

    Accredited Action Initiators and Action Service Providers

    The bill introduces new roles to the CDR regime:

    • The Accredited Action Initiator or AAI can give instructions on behalf of a consumer.  The AAI must be accredited for particular actions under the rules.  The Government expects rules will be made to require an AAI to first be accredited to receive data under the CDR (as an Accredited Data Recipient), even if they don't receive data under the CDR.
    • An Action Service Provider or ASP is required to undertake actions in accordance with those instructions.  An ASP is typically a Data Holder under the CDR specified in the declaration for an action, but the rules may also allow other entities to be voluntary Action Service Providers – for example, if an action to update a consumer's address details is made mandatory for certain data holders, the rules might allow other entities to voluntarily take advantage of the capability.

    ASPs cannot treat valid instructions from an AAI any differently to how they would treat direct instructions from consumers. However, the ASP is not required to perform an action if it would not ordinarily perform that action according to its standard business practices.

    This ensures that action initiation can be used to provide a process that is as frictionless as possible.

    Action initiation is the "instruction layer"

    Action initiation under the CDR affects what is known as the "instruction layer". It does not affect the usual ways that ASPs perform those actions in their business (the "action layer"), and does not require an ASP to take any actions which it would not otherwise perform.

    The action initiation process contemplates the following detail for these layers:

    • Instruction Layer: a standardised framework under the CDR enabling a consumer to give instructions about actions to an Accredited Action Initiator. The Accredited Action Initiator sends an action request to the Action Service Provider, who authenticates the consumer requesting that the relevant action be carried out.
    • Action Layer: the process of undertaking an action itself.  Once an instruction is given, the Action Service Provider is then required to carry out the request as if the request as if it had come from the consumer directly.

    What kinds of CDR actions could we see?

    The Government intends action initiation to have widespread practical benefits, particularly in the banking, energy and telecommunications sectors.  However, the potential use cases are yet to be fully explored.

    Actions could make use of either payment initiation (authorisation to make payments on behalf of consumers) or other "general" initiation processes (authorisation to undertake other actions, such as updating personal details or pre-filling application forms, on behalf of consumers).

    The previous Government indicated general action initiation would begin with payment-adjacent actions.  Other action classes, such as managing customer information and products, product applications, and establishing relationships with new customers, would be phased, with some actions prioritised over others.

    Potential use cases include:

    Submitting applications for new products and streamlining opening and closing accounts

    Allowing consumers to open new accounts or apply for new products from their existing service provider using an intermediary (such as a mortgage application or cash accounts for trading platforms).

    The previous Government indicated that, to support streamlined switching, product applications and establishing new customer relationships will be prioritised.

    Performing 'life admin' functions
    Enable a fintech provider to update personal details or update employment or income information.
    Transferring funds between accounts
    Automatically transferring money between accounts to avoid overdraft fees, or maximise interest returns.

    The previous Government indicated that bank account-to-account payment initiation would be prioritised.
    Making payments on consumer instructionAutomating the making of both push and pull (ie, direct debit) payments on request. 
    Switching service providersSwitching service providers manually or automatically (eg, based on data-driven insights), simplifying the changeover process and reducing friction. 
    Developing new technologiesImproving services through the use of data driven insights and executed through the use of action initiation.

    CDR use cases will mature over time from more transactional, active, user triggered activity to passive and even predictive services that are trusted to take actions on a user's behalf – for example, automatically switching between products, plans or service providers to make sure the consumer is always getting the best deal.

    In its responses to Treasury's consultation on the draft bill in late 2022, the ACCC made a number of suggestions regarding liability allocation that have not appeared in this form of the bill.  The ACCC also proposed that the first "actions" to be designated could be an area other than payments, such as the initiation of switching in the energy sector.  We expect that the intended use cases and the liability allocation for action initiation will continue to be high priority issues for the Government and regulators to resolve as part of the action initiation design and rollout.

    Open Banking payments in the United Kingdom 

    The success of Open Banking in the United Kingdom can provide a useful glimpse of what to expect from a similar rollout in Australia.

    Third party payment initiation was part of the initial scope of the UK's Open Banking initiative, and has expanded rapidly since the Payment Services Directive (PSD2) began entering into force from 13 January 2018.

    In the UK, holding a Payment Initiation Service Provider (PISP) licence to initiate payments ("write" access) carries a greater regulatory burden than an Account Information Service Provider (AISP) licence ("read only" access). Australia's action initiation framework similarly allows for additional accreditation requirements for Accredited Action Initiators, and we expect requirements to be more onerous for higher risk actions (such as payment initiation).  Some actions (such as password resets) will be too high risk to be part of the Consumer Data Right.

    In the UK, most customer-facing open banking solutions focus on personal payments.  As at January 2022, the use of Open Banking in the UK to facilitate direct payments has accounted for over £2.4 billion of funds transferred since its rollout in 2018.  A frictionless user experience, together with robust security safeguards, has been key to this success.

    Successful adoption of action initiation in Australia will depend on a well-integrated payment ecosystem, with the "instruction layer" and the "action layer" interacting seamlessly.

    Success will also require trustworthy identification and authentication and increases in consumer confidence – particularly in the face of recent high profile cyber-attacks.  Consumers expect strong data protections at minimum, but willingness to share data is also integrally linked to the value of the service to the consumer – consumers are more likely to be comfortable sharing data where new services bring extra value or extra convenience.

    Challenges and Opportunities 

    Cyber, privacy and fraud risks

    In introducing action initiation, the Government argues that the CDR brings a safe and secure set of protocols and frameworks for enabling consumers to do things that they might be doing today in an unsafe way (for example, by permitting screen scraping and the sharing of passwords with service providers).

    As any CDR participant can attest, the CDR regime already takes security very seriously.  But could the ability for intermediaries to initiate actions such as payments or opening accounts create a new vector for fraud threats, or get in the way of current protections against fraud?

    The bill imposes various obligations with the aim to protect against the risk of fraud, for example:

    • accredited persons are subject to a new obligation to act efficiently, honestly and fairly when initiating actions, and civil penalties apply to misleading a person into believing a person is accredited when they are not;
    • existing privacy safeguards will be updated to apply to CDR data that flows in the instruction layer. The privacy safeguards would also apply to AAIs, and some privacy safeguards would apply to ASPs; and
    • the consumer data rules may include rules that apply to AAIs or ASPs, that regulate the security, storage or deletion of certain data that is disclosed to the AAI or ASP under the action initiation regime.

    The existing consent and authentication processes that exist under the CDR will continue to apply, as will the security standards that must be met for accreditation.

    The Government has emphasised that the bill will not prevent service providers from applying security or other checks, or refusing to perform an action consistent with existing practices.

    However, the banking sector has noted that by adding an intermediary, CDR action initiation will mean the loss of some visibility of the customer, such as data about the device used, the IP address and the time and date of the customer's instruction.  This behavioural data and other markers can be used to reduce fraud and cyber risks.

    If the data used to combat fraud and cyber risks is different when actions are triggered by third parties under the CDR, new security or verification solutions specific to action initiation may need to be developed.

    Implementation and existing systems

    Service providers will need to consider how they will implement action initiation in their existing systems, for example to enable switching or payment initiation via an instruction that is delivered through an API call.

    Service providers should be considering what limitations might be in place for these use cases, and what additional information might be needed from consumers to ensure that they can initiate actions on request. 

    Accreditation as an opportunity

    The action initiation regime could also offer new opportunities for existing and new service providers and fintechs to trigger actions as an Accredited Action Initiator.

    On top of the data sharing benefits available as an Accredited Data Recipient under the current CDR, service providers or fintechs who gain accreditation as an Accredited Action Initiator could be able to initiate payments, help consumers switch products (including as an incoming channel, to a service provider's own products) or provide multi-product management services for disparate brands and service providers.

    The Government has signalled that it expects future consumer data rules to require prospective Accredited Action Initiators to first be accredited to receive data under the CDR (as an Accredited Data Recipient), even if they don't receive data under the CDR. Having a good understanding of the various pathways to accreditation and the associated administrative and regulatory burdens and costs, will help organisations make strategic choices about when and how to prepare to become a Consumer Data Right participant.

    Next Steps

    There is further discussion to be had before action initiation goes live, but the Government has already indicated that they will be pushing for more momentum behind the proposal this year.

    Industry has signalled that consumer trust is key to the success of action initiation, and that allowing the CDR framework to mature is critical to earning that trust.  Submissions called for meaningful sector consultation and assessment, robust cost-benefit analysis and a measured approach to introducing actions (for example, adopting a staggered approach).

    One lesson that we have learned in assisting with CDR implementation is the level of interlinking complexity arises from overlaying a new regime on existing systems.

    Action initiation brings great opportunities – but will not be a simple "bolt on" to existing systems and processes.

    Authors: Tim Brookes, Partner; Andrew Hilton, Expertise Counsel; Geoff McGrath, Senior Associate; Sashini Walpola, Senior Associate; Jarred Gerson, Associate; Kate Pantelidis, Associate; and Shaniel Fernandes; Clerk.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest