The content of this post was updated on February 28, 2020 to reflect the current regulatory position.
Open Banking can seem a daunting task for any bank who is working towards a compliance deadline. It requires you to understand the regulation, map your internal systems to meet the needs of the regulation, keep your customers happy, and stay competitive all at the same time.
Our experiences with PSD2 compliance in EU and Open Banking in the UK taught us that while compliance is a large task, it can easily be addressed by assigning priorities. Once your priorities are set, you can then build a team and strategy towards each priority and get to your compliance goals much faster.
Here’s how you need to go about it.
1) Understanding the Regulation
What is the regulation?
The Consumer Data Right (CDR) is a regulation that gives customers the right to direct that their data be shared with others they trust. This improves their ability to compare and switch between products and services and encourages competition between service providers. This leads to better prices for customers as well as more innovative products and services.
It will initially be implemented in the banking (open banking), energy, and telecommunications sectors and then rolled-out economy-wide on a sector-by-sector basis.
Who’s in charge?
The regulation is implemented under the dual-regulation model where the Australian Competition and Consumer Commission (ACCC) will act as the lead regulator, with strong support from the Office of the Australian Information Commissioner (OAIC).
The Treasury will manage amending the necessary laws to enable the implementation of the CDR in Australia. Data61 will act as the data standards body that will develop open standards on how to securely open up access to customer data.
How does the phased implementation work?
The implementation deadlines set by the ACCC remain subject to change at this point. However, taking the phasing timetable published with the rules and a proposed revised timetable currently under consideration, the following can be determined:
- The Big 4 banks - National Australia Bank, Commonwealth Bank of Australia, ANZ, and Westpac - are to comply fully with their data sharing obligations by July 1, 2021 onwards, starting with:
- Product reference data for credit and debit cards, deposit accounts, transaction accounts, mortgage, and personal loan accounts from February 1, 2020
- Consumer data for credit and debit cards, deposit accounts, and transaction accounts from July 1, 2020, and other products covered by the CDR rules from November 1, 2020 onwards
- All other banks are to comply fully with their data sharing obligations by February 1, 2022 onwards, starting with:
- Product reference data for credit and debit cards, deposit accounts, and transaction accounts from July 1, 2020
- Consumer data for all products covered by the CDR rules from July 1, 2021, onwards with an earlier February 1, 2021, deadline becoming applicable either to banks voluntarily opting in to an early disclosure scheme or to banks that have been accredited under the rules as data recipients
As the CDR regime evolves, we expect these deadlines to be subject to further change, meaning it's important that banks and their implementation partners keep a close eye on the regulatory process.
How does the bank, customer and data recipient relationship work?
Banks need to enable the opening of the above datasets via secure APIs. Third Party Providers (Data Recipients) will be given an accreditation by the ACCC based on their competence to receive and manage customer data in a secure manner. Banks will need to onboard accredited Data Recipients to access their data APIs. Once the APIs are connected to the data recipient applications, consumers will provide the bank with their consent on which data should be shared with whom for what purpose and which period. Once the bank receives explicit consent to share the customer’s data, the bank will issue a unique access token to the data recipient on behalf of the customer so that the relevant customer data can be consumed through the API.
2) The Technology Building Blocks You Need
Open banking involves securely opening up data via APIs. This makes it evident that the two most important technology components you’ll need are API management and governance technology and a robust identity and access management platform.
A few key features that your API management platform will have to facilitate include data recipient onboarding and accreditation validation, sandbox environments and production access, tooling for Data Recipients and API lifecycle management, creation, versioning and security (OAuth2).
In order to ensure that data and its access is secure, your identity and access management technology will have to facilitate strong customer authentication, by way of multi-factor authentication, and consent management, which allows users to provide data sharing consent based on data sets, for a specific period, to a specific set of recipients. Users should also be able to revoke or update consents as and when they need to.
The above is the bare minimum required to securely open up data via APIs. The next step is to ensure that you create great customer experiences. You can do this by providing strong authentication exemptions by way of adaptive authentication for low risk data accesses. You can also fix customer pain points through detection and analysis of delays within the customer journey. Additionally you should identify fraudulent attempts at accessing data without permission and DDOS attacks that can bring down the system. In order to meet these requirements, you need a strong data analytics platform, which can easily collect, correlate and analyze the data, and provide notifications and outputs in real time.
To accomplish open banking compliance you first need to understand which of your existing technology components can be reused to achieve regulatory requirements. Then fill the missing gaps with new technology, preferably with purpose built components that are pre-configured for Australian Open Banking compliance. A good integration layer will also allow you to easily introduce new technology components while leveraging the capabilities of your existing technology.
3) Agility for the Future
Staying agile is a critical part of open banking success. Implementing an open banking solution that caters to the current compliance needs is not the end of the road. New iterations of specifications and features will be introduced down the line and a bank should be able to adapt quickly with minimum invasion to status quo. Furthermore, the number of Data Recipients will keep increasing and your systems need to ensure that the control of the third party providers are monitored for any anomalies or misuse.
So, how does being agile help you? By becoming agile you can respond to market, regulatory, competitive or customer-driven changes faster. This means that you get these initiatives to your customers quickly, with the added bonus of gaining new customers through first mover advantages. The bottom line is, agility helps you become a market leader and not a follower.
All in all, open banking does not have to drive you up the wall. All you need is to do is get a good understanding of what your priorities are, get the right people for the job and ramp up your technology to do the work. This will make compliance that much faster and simpler.
Find out more about WSO2 Open Banking for Australia.