‘No backlog’ in Open Banking accreditation process, says CDR operations chief

Dr Luke Deer (L), discussion moderator, Daniel Ramos (R), ACCC

One of the chief technologists overseeing the Consumer Data Right’s (CDR) implementation has quashed suggestions of a supposed “backlog” in accredited data recipient (ADR) applications, stressing that processes remain on track and urging eligible businesses to move their applications forward “as soon as possible”.

“From time to time, we see the press refer to a ‘backlog’ of applications. I want to share with you that that is not the case,” said Daniel Ramos (pictured right), the Australian Competition and Consumer Commission’s (ACCC) general manager of the CDR’s operational delivery.

Speaking at FST’s Banking Summit, Ramos revealed that so far just six ADR applications have been formally submitted to the ACCC – the regulator charged with overseeing the implementation of the consumer data-sharing scheme.

However, he said, nearly 100 businesses have so far created accounts through the CDR’s participant portal, considered the first crucial step in the opt-in accreditation process.

“The ACCC is now considering these applications and working actively to commence the [accreditation] process,” Ramos said.

He added that at least 39 applications remain “in development” – effectively meaning that a business has commenced the ADR application process but has yet to formally complete its submission to the regulator for assessment.

Whilst acknowledging that the full accreditation process “can take some time”, particularly in addressing outstanding security issues unearthed during ACCC audits, Ramos stressed that that does “not represent a backlog in processing time” at the regulator’s end.

“As long as all the information has been provided, and the application’s completely correct, we tend to find that it doesn’t take very long to be assessed.”

Accreditation as a data recipient is one of the key conditions of full participation in the Consumer Data Right, including the first phase of the CDR’s multi-industry rollout, Open Banking.

ADR businesses are entrusted to receive and use consumer data in order “to provide a product or service”. Consumers must give their consent to transfer personal data between the data holder and an ADR.

Accreditation recognises that a business is able to receive consumer data securely and manage it in line with the rules and safeguards of the CDR.

“All businesses that ACCC accredit go through a rigorous process to ensure they meet security, privacy, and transparency standards, and must also demonstrate that their technology solution complies with the rules and standards,” said Ramos.

By July 2021, all authorised deposit-taking institutions (ADIs) will be required to share their savings and transaction account data with ADRs.

Beyond the mandated big four, so far just two businesses have been accredited as data recipients – Frollo, a financial software and API developer, and Regional Australia Bank (RAB).

(Since 12 October, the ADR list has grown to three, with financial software developer Intuit receiving the stamp of approval to begin receiving CDR data.)

Both Frollo and RAB were among 10 businesses selected to participate in Phase One testing for the data-sharing regime, which was based on their intention and ability to meet the accreditation criteria by the original February 2020 CDR deadline (subsequently postponed to 1 July this year).

Eight businesses, including neobank 86400, Identitii, a regtech developer, and Moneytree, a fintech, dropped out of the full accreditation process following the initial testing period, with most stating they had reallocated resources to meet Covid-19 challenges.

According to Ramos, businesses that have made more recent applications for an ADR “are quite diverse”, including an assortment of accounting services, digital identity and digital wallet providers, lenders, bill payment management, budgeting and payroll management services, comparison services, and technology companies.

While the application and assessment process remains “rigorous”, “ensuring data recipients can be trusted in the CDR ecosystem”, Ramos said he is conscious of the costs and tech resource challenges of joining the scheme, stating that he wants “as many ADRs” involved as possible.

“We’re currently working on some measures that work to reduce the cost of getting the audit certificate that’s needed as part of the accreditation process.”

Slow start, but exponential growth

Conceding the scheme has got off to “quite a slow start” since its July launch, Ramos said that, nevertheless, cumulative API numbers around consent flows – in effect, a measure of the number of times a consumer will initiate consent for data to flow to an ADR – have “risen significantly week on week”.

Consent flow rates tallied from just these last few weeks already make up around half of all consents made since the July launch, he said.

“We are noticing that it is definitely ramping up over time and more recently.”

“Part of the slow burn, if you can call it that, is the conservative approach around go-live, the decision by the data recipients to throttle on their own side, which we thought was really responsible, as well as the relatively small public campaigning around the CDR, which is also somewhat intentional to try to get the fundamentals right before they are broadly publicised.”

Timeframe to CDR ready

Owing to the multi-staged accreditation process – with auditing by the regulator frequently uncovering as yet unresolved IT security issues – the time from “first requesting access to the portal” to operating fully within the scheme can be difficult to predict, he said.

“Once you’ve requested access to the portal, that will give you a feel for the types of things we need. Without having done that, it might be difficult for you to know what might be expected of you.”

Reviews of applications tend to unearth “one or two things” that need to be addressed – “typically, that tends to be around IT security”, Ramos noted – where more information is needed from applicants.

“Once it’s been submitted, there’s no backlog, so as long as all the information has been provided, the application’s completely correct, we tend to find that it doesn’t take very long to be assessed.”

Once these outstanding issues have been cleared by the ACCC, upon which accreditation is granted, applicants must then “prepare their technology” to ensure it supports CDR strictures and conformance testing.

This essentially means that an organisation may be accredited without necessarily having all the tech infrastructure in place to fully participate in the scheme.

“What we find sometimes is that the accreditation process might be completed, but then there might be some months between the organisation being ready to have their technology solution [able to] plug into the CTS (Conformance Test Suite) [and] run through conformance testing – that might take a few iterations, if issues come out of that – before being ready to start.”

According to Ramos, the end-to-end process, from application to participation, therefore remains “quite variable” and largely dependent on the maturity of the entire organisation.

Accreditation tiers

While ADR applicants are currently obligated to apply for unrestricted access to CDR data, it remains “a high bar for accreditation” – one that should not necessarily be mandated for all participants in the scheme, Ramos said.

He believes the accreditation process for unrestricted access may be an unnecessary cost and resource imposition for a number of businesses that may only require lower levels of access to data.

He said the ACCC’s goal, based on the Federal Government’s 2018 Open Banking report, has always been “to introduce different tiers of accreditation supporting a wider range of businesses and use cases”.

These risk-based tiers would, he said, be based “on the potential harm of data to the consumer”.

“The unrestricted level intentionally sets a very high bar for accreditation – it’s the gold standard.”

“[It recognises] that a person that’s accredited at the unrestricted level is able to receive any Consumer Data Right data in scope under the regime, subject to consumer consent.”

However, he said, “we want to support applicants that can safely operate in the system at a lower level of accreditation”.

The regulator has opened an industry consultation into the proposed multi-tier accreditation system, alongside proposals for new third party data recipient consent rules, and functionality changes to enhance the “consumer experience”.

Submissions for the proposed changes close on 29 October 2020.