In the 2017–2018 budget, the government's Treasury announced the introduction of the Open Banking regime in Australia. The aim of Open Banking is to increase competition in the financial services industry by providing customers with more choice about financial products and services. The regime is designed to give customers more control over their personal data.
In July 2017, the Treasury commissioned a report to evaluate how Open Banking should be implemented in Australia. The resulting report by Scott Farrell (the “Farrell” report) listed several recommendations, which were accepted and scheduled for implementation.
Open Banking Governance
According to the “Farrell” report and subsequent announcements, the Open Banking regime will be governed in the following way:
The Treasury will adapt the legislation where necessary in order to pave the way for introducing the Open Banking regime. First drafts of the new legislation for the Consumer Data Right (CDR) have already been released. As soon as these amendments become effective, customers will gain more control over their data.
The Australian Competition and Consumer Commission (ACCC) is responsible for the promotion of competition and customer-focussed outcomes. To preserve consumer rights, corresponding rules and accreditation for Open Banking participants will be developed. The accreditation scheme covers accreditation criteria and respective processes. Additionally, the ACCC will be responsible for enforcement in case of serious or systemic breaches.
The Data Standards Body is responsible for the development of technical standards for data transfers and systems. Standards include data formats, transfers, authentication, security and policy application. CSIRO’s Data61 was appointed to form the Data Standards Body.
The Advisory Committee advises the Data Standards Body with regard to data standards. It comprises representatives from Fintechs, the financial services industry as well as consumer and privacy groups. Members have been announced recently.
The Office of the Australian Information Commissioner is in charge of preserving consumer privacy. This goes along with the Notifiable Data Breach Scheme (NDB) which became effective in February 2018.
Sector-specific Regulators will be consulted according to their areas of responsibility and as necessary.
Timeline for Implementation
The Open Banking regime will be introduced in stages over the next four years:
In the first phase, the four major banks Commonwealth Bank of Australia (CBA), Australian and New Zealand Banking Group (ANZ), Westpac Banking Corporation (Westpac) and National Australia Bank (NAB) are required to be compliant by July 2020.
To be able to incorporate the learnings from the first phase, the remaining banks have time to be compliant with the requirements of the Open Banking regime until July 2022. However, if required, the ACCC can adjust the timeline as necessary.
The stated objective of the Open Banking regime is to give customers more control over their personal data. This implies that customers need to gain trust in organisations to preserve their privacy before they agree to share their data on a wider scale. In order to achieve this, major challenges need to be addressed. These challenges touch various levels:
On an organisational level, the challenge will be to establish a sophisticated consent management mechanism. The purpose of the consent management mechanism is to evidence customer agreement to share personal data with other parties. Other parties include related corporate bodies of the same organisation or third parties such as Fintech companies. Implied capabilities of the consent management mechanism include:
- unambiguous identification of a client even across multiple business functions and potentially across multiple jurisdictions
- unambiguous identification of data sets or sub-sets which can be shared according to the client’s consent
- unambiguous identification of purposes the client gave consent to (the currently suggested purposes as outlined in the “Farrell” report may not be sufficient)
- management of time limits on given consent if requested by client
In order to provide these capabilities, customer data needs to be encapsulated, i.e. stored and accessed centrally according to given consent. This is usually not the case in larger organisations in which various functions may serve the same client but use duplicate data sets.
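The four capabilities listed above can be sketched as a single central consent check. This is an added illustration, not code from the “Farrell” report or the Data Standards Body; the class names, identifiers, purposes and data-set labels are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Consent:
    client_id: str                  # canonical id, one per client
    recipient: str                  # related body or third party receiving data
    data_sets: frozenset            # data sub-sets the client agreed to share
    purposes: frozenset             # purposes the client agreed to
    expires_at: Optional[datetime]  # None = client requested no time limit

class ConsentRegistry:
    def __init__(self, aliases):
        # (business function, local customer number) -> canonical client id
        self._aliases = dict(aliases)
        self._consents = []

    def grant(self, consent):
        self._consents.append(consent)

    def releasable(self, function, local_id, recipient, requested, purpose, now):
        """Return the subset of `requested` data sets covered by valid consent."""
        client = self._aliases.get((function, local_id))
        if client is None:
            return frozenset()      # unidentified client: release nothing
        allowed = set()
        for c in self._consents:
            if (c.client_id, c.recipient) != (client, recipient):
                continue            # consent is per client and per recipient
            if purpose not in c.purposes:
                continue            # purpose was never agreed to
            if c.expires_at is not None and now >= c.expires_at:
                continue            # time limit reached
            allowed |= c.data_sets
        return frozenset(requested) & allowed

# Constructed sample data: one client known to two business functions.
REGISTRY = ConsentRegistry({("retail", "R-1001"): "client-42",
                            ("mortgages", "M-77"): "client-42"})
REGISTRY.grant(Consent("client-42", "fintech-a", frozenset({"transactions"}),
                       frozenset({"budgeting"}),
                       datetime(2021, 1, 1, tzinfo=timezone.utc)))
```

The check denies by default: a request is narrowed to the intersection of what was asked for and what a matching, unexpired consent covers, regardless of which business function the request arrives through.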
On an industry and cross-industry level, one challenge is to create a level playing field for all companies benefiting from the Open Banking regime – including Fintech and Tech companies.
According to various press releases, large Tech companies such as Google or Amazon may stand to benefit most from the Open Banking regime. In addition to their own big data, they will gain access to additional (banking) data concerning the same customers.
For example, Google has access to the browsing history of a client. With the personal data from financial institutions, the browsing history can be enriched with the spending pattern of that customer. Marketing, advertisement and sales activities can be further streamlined to reach that particular client. In fact, Google already has an arrangement with Mastercard to use financial transaction data of customers. With access to that data, the success of targeted marketing and spending can be tracked closely. Open Banking would enable Google (and other Tech companies) to cover more customers and extract even more value from data sets.
Since Fintech companies and financial institutions do not have access to the same data sets (e.g. browsing history), they will be at a disadvantage from the start.
Community and Societal Level
On this level, the challenge will be to level the playing field for customers unwilling to share their personal data. Since personal data represents an asset with a real value attached to it, companies may not be willing to provide their products & services to customers who choose not to disclose personal data to other parties. While this might not pose an issue for products & services that improve convenience, the question arises whether and how more basic products & services such as bank accounts, money transfers etc. can be used by that particular customer group.
In summary, the challenge will be to ensure that customers not willing to share their personal data are not disadvantaged.
First published on Enforcd.
 The final report by Scott Farrell can be found under: https://static.treasury.gov.au/uploads/sites/1/2018/02/Review-into-Open-Banking-_For-web-1.pdf
 Refer to: https://static.treasury.gov.au/uploads/sites/1/2018/08/Consumer_Data_Right_EM_T316972.pdf or https://static.treasury.gov.au/uploads/sites/1/2018/08/Consumer_Data_Right_Ready_Reckoner_T316972.pdf
 Members of the Advisory Committee: https://www.csiro.au/en/News/News-releases/2018/Advisory-Committee-for-the-Data-Standards-Body-announced
 Source from the Office of the Australian Information Commissioner: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme