Australia's Consumer Data Right ("CDR") regime in the banking sector ("Open Banking") is live as of 1 July 2020. The Australian Government has also formally extended the CDR to the energy sector, with implementation expected in late 2021. The primary goal of CDR is to allow customers to more easily compare and switch providers if they find a better deal elsewhere, resulting in increased competition and innovation.
| what you need to know - key takeaways |
- Australia is one of a number of jurisdictions around the world developing Open Banking.
- Australia's Open Banking regime has been launched. From 1 July 2020, customers of Australia's four major banks (ANZ, CBA, NAB and Westpac) can direct their bank to disclose their banking data from a range of personal accounts to accredited data recipients.
- In November 2020, the four major banks will be required to make consumer information from other accounts available (such as joint accounts, home loans and personal loans). From mid-2021 onwards, non-major authorised deposit-taking institutions ("ADIs") will be required to begin sharing consumer data.
- The Australian Competition and Consumer Commission ("ACCC") and the Office of the Australian Information Commissioner ("OAIC") will be monitoring compliance with, and enforcing the, CDR regulatory obligations. Their recently released joint Compliance and Enforcement Policy for the CDR explains the approach they will take to encourage compliance and prevent breaches.
- On 26 June 2020, the CDR was formally extended to the energy sector. Once implemented, energy retailers and certain other data holders will be required to provide access to consumers' electricity data, billing data and additional data sets such as distributed energy resources and plan information for electricity and natural gas.
- The ACCC and Australia's Data Standards Body are working to finalise rules and technical standards for operation of the new CDR regime for the energy sector, and industry stakeholders are encouraged to participate in this process.
|
What is the CDR, and what does it mean for me?
The CDR is a data portability reform that the Australian Government intends to roll out economy-wide, sector-by-sector, starting with banking, followed by energy and telecommunications. The objective of the CDR is to:
- provide consumers with the ability to efficiently and conveniently access their personal data held by businesses ("data holders"); and
- authorise the secure sharing of that data to trusted and accredited third parties ("accredited data recipients").
The CDR also requires businesses to provide public access to information on specified products that they offer.
The CDR aims to give consumers the ability to access and use more information about themselves, and about their use of products in order to improve their ability to make informed comparisons and switch to other providers if they find a better deal elsewhere. This is expected to encourage competition between providers, leading to better prices and more innovative products and services, enhancing consumer welfare.
Implementation, compliance and enforcement
The CDR regime is implemented by a framework consisting of legislative provisions in Part IVD of the Competition and Consumer Act 2010 (Cth) ("CCA"), rules made by the ACCC under the legislation1 ("CDR Rules") and technical consumer data standards made under the rules by the designated Data Standards Body, CSIRO's Data61 ("Data Standards"). The ACCC is responsible for accrediting data recipients.
The ACCC and the OAIC are jointly responsible for monitoring compliance with, and enforcing the, CDR regulatory obligations, with the ACCC focusing on general compliance, and the OAIC on privacy issues relating to the handling of consumer data by data holders and accredited data recipients. Breaches of the regulatory obligations attract significant civil penalties, among other consequences.2
The ACCC's and OAIC's joint Compliance and Enforcement Policy for the Consumer Data Right ("Policy") published in May 2020 explains the approach they will take to encourage compliance and prevent breaches. The ACCC and OAIC will be actively monitoring compliance relying on stakeholder intelligence / complaints, mandatory periodic reports from data holders and accredited data recipients, audits and assessments of data holders and accredited data recipients, and information requests and compulsory notices.
In determining the appropriate enforcement approach, the ACCC / OAIC will consider factors including:
- the impact of the conduct on consumers;
- whether the conduct was "deliberate, repeated, reckless or inadvertent";
- the extent of potential gain from the conduct;
- whether the conduct indicates systemic issues;
- whether the business has displayed a corporate culture of compliance, including effective compliance programs; and
- whether the conduct was self-reported and the level of cooperation with the ACCC.
Relevantly, the following conduct has been identified as "priority conduct" likely to result in significant detriment to consumers and the integrity of the CDR, "always" giving grounds for the consideration of enforcement action:
- data holder refusal: repeated refusal to disclose consumer data (or frustrate the process of disclosure) by intentionally circumventing the Rules or Data Standards;
- misleading or deceptive conduct: conduct that misleads a person into believing that another person is a CDR consumer or that a valid request or consent has been made, "holding out" that a person is accredited when they are not, or misleading representations by data recipients regarding the nature or benefits of the CDR service provided;
- invalid consent: accredited data recipients collecting data without valid consent;
- misuse or improper disclosure of consumer data: intentional misuse or improper disclosure of CDR consumer data by an accredited data recipient, inconsistent with the consent provided by a CDR consumer, particularly where consent has been withdrawn. This would also include circumventing the "data minimisation principle", which requires authorised data recipients to only collect the minimum data they need to provide the products the consumer has consented to; and
- insufficient security controls.3
Data holders and accredited data recipients, in their dealings with each other, competing providers and consumers, also remain subject to other parts of the CCA, including the Australian Consumer Law.
The ACCC is a very active, well-resourced regulator, and we expect it to closely monitor and vigorously enforce compliance with the CDR. Having regard to the Policy, current and prospective data holders and accredited data recipients should make sure they understand their regulatory obligations and have robust compliance systems in place.
Rollout in the banking sector
The banking sector was first in line for the implementation of the CDR regime, and will be the test case for the effectiveness of the regime.
Following the commencement of the Rules on 6 February 2020, Australia's big four banks were required to start sharing product reference data in a standardised format, facilitating better product comparisons. From July 2020, the major banks are required to share certain consumer data, such as data relating to credit and debit cards, deposit accounts and transaction accounts, with accredited data recipients where directed by a consumer to do so. A wider range of consumer banking data must be made available from November 2020 (including data relating to mortgage and personal loans, investment loans, joint accounts, closed accounts, direct debits, scheduled payments and payees).
Other ADIs are required to share product data from October 2020, and will be required to begin sharing consumer data from 2021.4
As at July 2020, two accredited data recipients have completed the necessary steps to securely receive data – Frollo Australia and Regional Australia Bank. A further 39 providers have reportedly begun the process to become accredited data recipients.5
Extension to the energy sector
On 26 June 2020, the CDR was formally extended to the energy sector.6 The designation instrument captures consumer data sets relating to the sale or supply of electricity, including where electricity is bundled with gas. Coverage of data sets about products is broader and includes electricity, gas and dual fuel plans.
Information that has been made part of the scope of the CDR in energy includes individual consumer information as well as information about the sale or supply of electricity to a customer (including other products or services offered, such as free energy efficiency assessments or discounts on non-energy products), as well as metering data, NMI (national metering identifier) standing data, DER (distributed energy resource) register data and billing data for that consumer.
Several steps need to occur before the CDR regime becomes effective in the energy sector, including the development of operational and technical rules by the ACCC and the Data Standards Body, and the technical build. The timeframes for implementation are still to be confirmed, but it is expected that implementation may commence in late 2021.7
The ACCC is currently consulting on the energy rules framework, including the extent to which additional rules, or amendments to the existing Rules, will be required to accommodate the energy sector.8 Unlike for Open Banking, where data is provided by data holders directly to accredited data recipients, for the banking sector, the Australian Energy Market Operator ("AEMO") has been selected as the gateway between data holders and accredited data recipients (except in respect of data which AEMO itself holds). This gateway model, and the unique characteristics of energy data and markets, mean that changes to the current Rules are necessary.
During the remainder of this year, we will likely see a number of specific rules proposed for the implementation of the CDR in the energy sector. These will require significant engagement from energy sector participants – particularly retailers. Once the CDR rules and technical standards are settled, it may be necessary to uplift retailer systems to ensure that the capability to provide consumer data is available.
It will also be useful to keep an eye on the operation of the new CDR rights in the banking sector, including the extent of consumer engagement with the CDR. As this is a very new regime in Australia, lessons may be gained from seeing how it operates in other sectors.
For more details on CDR in the energy sector, see:
- Competition and Consumer (Consumer Data Right) Rules 2020, made in February 2020, and amended on 19 June 2020 to clarify their intended operation. The Rules will be regularly updated to expand the scope of the CDR, including to other sectors.
- For corporations, the greater of AUD10 million per breach, three times the value of the benefit obtained from the breach, or 10% of annual turnover where the value of the benefit cannot be determined. These penalties can only be imposed if the ACCC brings court proceedings and liability is established. Other enforcement options include administrative resolutions, infringement notices, court enforceable undertakings, suspension or revocation of accreditation by the ACCC, certain determinations and declarations by the OAIC relating to privacy issues.
- ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right, May 2020.
- See the rollout timetable on the new CDR website, available here.
- ACCC, "Consumer Data Right goes live for data sharing", 1 July 2020.
- See Consumer Data Right (Energy Sector) Designation 2020 (Cth), and Josh Frydenberg and Angus Taylor and More Power to Compare and Switch Energy Providers, 29 June 2020.
- Based on indications from the Australian Energy Regulator (AER), Australian Energy Market Operator (AEMO) and Australian Energy Market Commission (AEMC).
- The ACCC is seeking submissions by 28 August 2020, and looking to publish draft energy rules for consultation in Q4 of 2020.
