Action Initiation under the Consumer Data Right is coming
20 February 2023
The Australian Government introduced the Treasury Amendment (Consumer Data Right) Bill 2022 to bring long-awaited action initiation to the CDR.
Action initiation (also referred to as "write access") allows a consumer to permit a service provider to initiate actions on their behalf.
Examples include initiating payments, switching service providers, opening or closing accounts, automating the processes for undertaking loan or mortgage applications or 'one stop shop' budgeting applications.
CDR action initiation regulates the "instruction layer", allowing actions to be initiated or triggered using CDR systems. It doesn't regulate the "action layer" – actions initiated using the CDR are performed using existing industry processes.
Data sharing was the foundation of the CDR regime, but action initiation is the next step in helping consumers overcome barriers to participation and decision-making in a data-driven economy. The new action initiation framework is intended to drive competitive benefits from the CDR – by allowing consumers and service providers to not only make better decisions, but to take meaningful action with reduced friction, driving new types of services.
As the CDR spreads across sectors, the Government's vision is for a new breed of "digital concierge" services that will orchestrate actions across sectors at important life decision points, driving efficiency and competitiveness – from being able to update your address information with all your providers at the same time, to having a service provider manage the entire process of significant life decisions like buying a house (involving banks, mortgage brokers, advisors, insurers, government, etc).
Action initiation also has the support of the Liberal-National Coalition, which has called the changes a "game changer" for the CDR, and intends to support the bill in its current form.
The framework for action initiation is similar to existing processes under the Consumer Data Right, with three key building blocks:
The bill introduces new roles to the CDR regime:
ASPs cannot treat valid instructions from an AAI any differently to how they would treat direct instructions from consumers. However, the ASP is not required to perform an action if it would not ordinarily perform that action according to its standard business practices.
This ensures that action initiation can be used to provide a process that is as frictionless as possible.
Action initiation under the CDR affects what is known as the "instruction layer". It does not affect the usual ways that ASPs perform those actions in their business (the "action layer"), and does not require an ASP to take any actions which it would not otherwise perform.
The action initiation process contemplates the following detail for these layers:
The Government intends action initiation to have widespread practical benefits, particularly in the banking, energy and telecommunications sectors. However, the potential use cases are yet to be fully explored.
Actions could make use of either payment initiation (authorisation to make payments on behalf of consumers) or other "general" initiation processes (authorisation to undertake other actions, such as updating personal details or pre-filling application forms, on behalf of consumers).
The previous Government indicated general action initiation would begin with payment-adjacent actions. Other action classes, such as managing customer information and products, product applications, and establishing relationships with new customers, would be phased, with some actions prioritised over others.
Potential use cases include:
Submitting applications for new products and streamlining opening and closing accounts | Allowing consumers to open new accounts or apply for new products from their existing service provider using an intermediary (such as a mortgage application or cash accounts for trading platforms). The previous Government indicated that, to support streamlined switching, product applications and establishing new customer relationships will be prioritised. |
Performing 'life admin' functions | Enable a fintech provider to update personal details or update employment or income information. |
Transferring funds between accounts | Automatically transferring money between accounts to avoid overdraft fees, or maximise interest returns. The previous Government indicated that bank account-to-account payment initiation would be prioritised. |
Making payments on consumer instruction | Automating the making of both push and pull (ie, direct debit) payments on request. |
Switching service providers | Switching service providers manually or automatically (eg, based on data-driven insights), simplifying the changeover process and reducing friction. |
Developing new technologies | Improving services through the use of data driven insights and executed through the use of action initiation. |
CDR use cases will mature over time from more transactional, active, user triggered activity to passive and even predictive services that are trusted to take actions on a user's behalf – for example, automatically switching between products, plans or service providers to make sure the consumer is always getting the best deal.
In its responses to Treasury's consultation on the draft bill in late 2022, the ACCC made a number of suggestions regarding liability allocation that have not appeared in this form of the bill. The ACCC also proposed that the first "actions" to be designated could be an area other than payments, such as the initiation of switching in the energy sector. We expect that the intended use cases and the liability allocation for action initiation will continue to be high priority issues for the Government and regulators to resolve as part of the action initiation design and rollout.
The success of Open Banking in the United Kingdom can provide a useful glimpse of what to expect from a similar rollout in Australia.
Third party payment initiation was part of the initial scope of the UK's Open Banking initiative, and has expanded rapidly since the Payment Services Directive (PSD2) began entering into force from 13 January 2018.
In the UK, holding a Payment Initiation Service Provider (PISP) licence to initiate payments ("write" access) carries a greater regulatory burden than an Account Information Service Provider (AISP) licence ("read only" access). Australia's action initiation framework similarly allows for additional accreditation requirements for Accredited Action Initiators, and we expect requirements to be more onerous for higher risk actions (such as payment initiation). Some actions (such as password resets) will be too high risk to be part of the Consumer Data Right.
In the UK, most customer-facing open banking solutions focus on personal payments. As at January 2022, the use of Open Banking in the UK to facilitate direct payments has accounted for over £2.4 billion of funds transferred since its rollout in 2018. A frictionless user experience, together with robust security safeguards, has been key to this success.
Successful adoption of action initiation in Australia will depend on a well-integrated payment ecosystem, with the "instruction layer" and the "action layer" interacting seamlessly.
Success will also require trustworthy identification and authentication and increases in consumer confidence – particularly in the face of recent high profile cyber-attacks. Consumers expect strong data protections at minimum, but willingness to share data is also integrally linked to the value of the service to the consumer – consumers are more likely to be comfortable sharing data where new services bring extra value or extra convenience.
In introducing action initiation, the Government argues that the CDR brings a safe and secure set of protocols and frameworks for enabling consumers to do things that they might be doing today in an unsafe way (for example, by permitting screen scraping and the sharing of passwords with service providers).
As any CDR participant can attest, the CDR regime already takes security very seriously. But could the ability for intermediaries to initiate actions such as payments or opening accounts create a new vector for fraud threats, or get in the way of current protections against fraud?
The bill imposes various obligations with the aim to protect against the risk of fraud, for example:
The existing consent and authentication processes that exist under the CDR will continue to apply, as will the security standards that must be met for accreditation.
The Government has emphasised that the bill will not prevent service providers from applying security or other checks, or refusing to perform an action consistent with existing practices.
However, the banking sector has noted that by adding an intermediary, CDR action initiation will mean the loss of some visibility of the customer, such as data about the device used, the IP address and the time and date of the customer's instruction. This behavioural data and other markers can be used to reduce fraud and cyber risks.
If the data used to combat fraud and cyber risks is different when actions are triggered by third parties under the CDR, new security or verification solutions specific to action initiation may need to be developed.
Service providers will need to consider how they will implement action initiation in their existing systems, for example to enable switching or payment initiation via an instruction that is delivered through an API call.
Service providers should be considering what limitations might be in place for these use cases, and what additional information might be needed from consumers to ensure that they can initiate actions on request.
The action initiation regime could also offer new opportunities for existing and new service providers and fintechs to trigger actions as an Accredited Action Initiator.
On top of the data sharing benefits available as an Accredited Data Recipient under the current CDR, service providers or fintechs who gain accreditation as an Accredited Action Initiator could be able to initiate payments, help consumers switch products (including as an incoming channel, to a service provider's own products) or provide multi-product management services for disparate brands and service providers.
The Government has signalled that it expects future consumer data rules to require prospective Accredited Action Initiators to first be accredited to receive data under the CDR (as an Accredited Data Recipient), even if they don't receive data under the CDR. Having a good understanding of the various pathways to accreditation and the associated administrative and regulatory burdens and costs, will help organisations make strategic choices about when and how to prepare to become a Consumer Data Right participant.
There is further discussion to be had before action initiation goes live, but the Government has already indicated that they will be pushing for more momentum behind the proposal this year.
Industry has signalled that consumer trust is key to the success of action initiation, and that allowing the CDR framework to mature is critical to earning that trust. Submissions called for meaningful sector consultation and assessment, robust cost-benefit analysis and a measured approach to introducing actions (for example, adopting a staggered approach).
One lesson that we have learned in assisting with CDR implementation is the level of interlinking complexity arises from overlaying a new regime on existing systems.
Action initiation brings great opportunities – but will not be a simple "bolt on" to existing systems and processes.
Authors: Tim Brookes, Partner; Andrew Hilton, Expertise Counsel; Geoff McGrath, Senior Associate; Sashini Walpola, Senior Associate; Jarred Gerson, Associate; Kate Pantelidis, Associate; and Shaniel Fernandes; Clerk.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.