The first iteration of Australia's Consumer Data Right (CDR) is live from 1 July 2019. But with submissions only closing recently for the governing rules and standards, and legislation stranded in Parliament, the mandate will only apply to the banks' own product data for now.
The Australian Competition and Consumer Commission (ACCC) was tasked with implementing the CDR, which has been touted as allowing individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.
The first sector to which the CDR will apply is finance, through an open banking regime.
The banks have been preparing for the looming mandate, with Westpac CEO Brian Hartzer for example predicting the initial financial damage due to open banking to be around AU$200 million to his organisation. National Australia Bank (NAB), meanwhile, told ZDNet in December that it was pretty well-placed to handle open banking with the internal data strategy and cloud-first strategy it is currently in the process of implementing.
The big four banks were initially asked to have consumer data available by 1 July, but that deadline has now been pushed to 1 February 2020.
As of today, the four banks will need to have access to generic product data for credit and debit cards, deposit accounts, and transaction accounts made available via an application programming interface (API).
This will allow product data from ANZ, the Commonwealth Bank, NAB, and Westpac to be easily compared.
"The pilot program will lay initial foundations to test the performance, reliability and security of the system before any personal consumer data is shared. It will also give software developers and fintechs a network of financial institution's data to build and improve financial services," Westpac chief data and strategy officer Jamie Twiss said.
See also: Big four banks passing the buck on open data regulation
In November 2017, following a handful of Senate Economics Committee probes of the big four banks in Australia, the CDR was officially announced.
Fast forward to 29 March 2019 and the ACCC published draft rules that would guide the implementation of the CDR. Only a few months prior, the ACCC was unsure how banks could provide consumers with their data, but took a red marker to the calendar to say ANZ, CBA, NAB, and Westpac needed to make consumer data available on credit and debit card, deposit, and transaction accounts, at minimum, by the start of the 2020 financial year.
The rules also said all remaining banking institutions were to be ready to implement the open banking tranches around 12 months after the major banks.
While working on what open banking would look like, the ACCC decided to announce in February that energy data would join the CDR mandate in early 2020.
The draft rules were shaped around the ones for banking, and they weren't received with enthusiasm.
The Australian Privacy Foundation (APF) in March said the CDR privacy safeguards were not sufficient, and that the government has "severely" underestimated the need for more thought across the entire legislative change.
Meanwhile, the Communications Alliance is concerned that the legislation will not be overly applicable to industries other than banking, and that the rushed through process will result in a disjointed framework that is not well thought out.
Despite hearing concerns over the adequacy of the privacy safeguards the CDR, the rushed nature of the Treasury Laws Amendment (Consumer Data Right) Bill 2019 [Provisions], the distinct banking focus the Bill will have, and whether the outcome of the CDR will serve organisations more than it will consumers, the Senate Economics Legislation Committee on 21 March recommended that it be passed.
"At the very least, it will improve on current arrangements; and it has the potential to protect and empower consumers and drive competition and innovation," the committee wrote at the time. "The committee particularly welcomes the endorsement of the Bill from innovative high technology companies."
In justifying its reasoning behind allowing the sole recommendation of the Bill be passed, the committee said provisions such as the rules-making facility under the Bill would offer the possibility to address problems as they arise.
The ACCC, eight days later, published the draft rules.
The Bill was introduced and read for the first time in Parliament on 13 February, with a second reading moved the same day. The Bill lapsed at dissolution on 11 April.
Speaking at a Criterion Conferences Open Banking event in Sydney also in March, Bruce Cooper, general manager of the ACCC's Consumer Data Right Branch said that despite a looming election, the ACCC was still going ahead with its planned deliverables of the CDR, expecting the CDR -- at least in some form -- to proceed under whatever party assumes government.
"While there remains some certainty about the timing, we are basically pressing forward with particularly the product reference data, which the timetable calls for being open by 1 July, to establish some sort of pilot that participants that will need to participate in CDR can test their systems against the rules and also to open accreditation so we basically have a vital ecosystem when we do kick off," he explained.
"We're doing that while there is that uncertainty because we feel that it won't be wasted work ... our expectation is that CDR will proceed in some form, quite similar to what it is at the moment, so continuing to work is the right way to go."
The ACCC in early June opened consultation on the technical design of the CDR Register using GitHub, an online community of developers.
The first round of consultation was for the CDR-Register API, which allows participants to retrieve details of data holders and data recipients.
The ACCC had said that by the end of June, it expected to consult on other aspects of the CDR Register design, including: Business and technical design principles; security profile and certificate management; and caching and refreshing of Register metadata.
The ACCC has not returned a request for comment, but despite security vendors jumping for a chance to comment on customer data privacy and security concerns, customer data isn't being shared while there is no legislative direction.