Posted: 02 Jun. 2020

Actions ahead as Open Banking gets closer

Businesses planning to engage with the upcoming open-banking regime need to act on a number of fronts to effectively comply with the ACCC’s recently released enforcement framework.

The competition watchdog and the Office of the Australian Information Commissioner (OAIC) have recently released a policy framework for how the Consumer Data Right (CDR) will be enforced ahead of open banking going live on 1 July.

Organisations need to fully understand the breadth of the obligations that they need to comply with under open banking.

A particular focus is on the audit requirements for information security for Accredited Data Recipients. However, there are 15 different dimensions of compliance, of which information security is only one. The risk is that organisations focus too much on just that one obligation around information security.

To this end it is important that organisations undertake an internal readiness assessment or audit before they are asked for a formal audit or assessment.

The ACCC does have a right to come in and seek information. Therefore, an organisation needs to get its house in order to be ready and able to respond to an audit request.

A readiness assessment can be done by the organisation internally. However, working through the 140+ obligations can be problematic, so sometimes it makes sense to have someone independent undertake this. 

Deloitte has created an Open Data Obligations Tool that we use as an accelerator to efficiently assess an organisation’s compliance against the key requirements under the open data legislative framework. 

This should be helpful especially given there could be significant costs for businesses under the compliance and enforcement regime. 

It is really quite a complex regime with new elements such as setting up reporting on disputes, requests and refusals and completely new consent management systems required by the regulation.

A consultation paper was released in January, which floated the idea of a new class of CDR participant, intermediaries, that can sit between the data holders and the data recipients. 

Data aggregators and credit reference organisations could take on such roles. The potential is for such intermediaries to play an important role in mitigating compliance costs and helping remove some of the cost burdens, particularly for the smaller players.

In tabling the new framework, the ACCC said it would adopt a ‘strategic, risk-based approach’ to enforcing its compliance and enforcement policy, that will ‘focus on building consumer confidence in the security and integrity’ of the Consumer Data Right system.

This will require a fine balance between ensuring the rules are enforced to make sure data is secure and making it easier for people and organisations to participate in the new regime.

It is the first time the ACCC has had a regime where it is essentially the steward. The regulator absolutely recognises that the industry is learning, with data holders, data recipients and the ACCC all needing to work together to get the right outcomes.

When it comes to enforcement, the ACCC wants to make sure its enforcement is sufficiently robust to create consumer confidence, but not so onerous that it discourages participation, particularly from new entrants.

Written by David Giddy, an ex-Principal of Deloitte. Any questions, please contact Tim Ellis.

More about the authors

David Giddy

Principal, Payments Advisory, Audit & Assurance

David is a Principal in our Melbourne office within Deloitte’s Australian Payments Advisory practice. His 30 years of industry experience have focused on technology, product development and management, with a particular focus on Payments and Transaction Solutions. Key areas of expertise include Open Banking assurance and propositions, strategy development and execution across areas such as cards, mobile, new products and digital payments.