Submissions – Payments System Inquiry into Future Directions for the Consumer Data Right

23 April 2020

Secretariat
Inquiry into Future Directions for the Consumer Data Right
The Treasury
Langton Crescent
Parkes ACT 2600

By Email – data@treasury.gov.au

Dear Sir/Madam

Inquiry into Future Directions for the Consumer Data Right – Submission

The Reserve Bank of Australia (the Bank) welcomes the opportunity to make this submission. The Bank is a strong supporter of the Consumer Data Right (CDR) in the banking sector, where it is known as Open Banking. This is the Bank's second public submission on Open Banking.^[1]

This submission primarily addresses issues relating to the Bank's role as the principal regulator of the payments system in Australia. The Bank's mandate is to contribute to promoting efficiency and competition in the payments system and the overall stability of the financial system. Consistent with this, the Bank supports the expansion of the CDR in the banking sector to include ‘write access’ or the capability for an authorised third party to act on behalf of an individual, with appropriate safeguards regarding data security, privacy and fraud protection. Enabling write access in Open Banking has the potential to facilitate innovation and promote competition in a range of financial services, including payments.

Account switching

Enabling write access under the Open Banking regime has the potential to facilitate the ability for consumers to more easily switch to financial products that better suit their needs. While measures designed to make it easier for consumers to switch transaction accounts were introduced following the 2011 Fraser Report on cost-effective switching arrangements in banking services, indications are that uptake of these services has not been widespread.^[2]

Enabling write access in Open Banking could lead to the introduction of new services that facilitate account switching across a range of financial products. The Bank's research on credit card switching, for example, indicates that behavioural factors and practical barriers influence consumers to not search or apply for financial products with lower fees, a lower interest rate or better features in general.^[3] Commencing in July 2020, read access in Open Banking will allow the development of a range of detailed comparison services for credit and debit cards, deposit accounts and transaction accounts, and from November 2020, for mortgages and personal loans. These services will not, however, address the practical barriers consumers face when switching accounts.

The capability for an individual to direct an authorised third-party service provider to apply for a financial product on their behalf and securely migrate their account information should help overcome these barriers. In this regard, write access under Open Banking could potentially lead to the development of ‘full service’ product comparison and switching services that can manage the application process on behalf of individuals. For example, these services could: (i) conduct a detailed assessment using information collected under the CDR, (ii) make a recommendation regarding products that will reduce fees and/or interest paid or provide better features, (iii) directly apply for a product, and (iv) migrate account information, including automatic payments and internet banking address books.

The Bank recommends the Inquiry consider the design of appropriate safeguards in relation to write access in an expanded CDR framework. Providing third parties with write access to consumers’ bank accounts represents a significant change in their role in the financial sector. Accordingly, third parties would need to be appropriately licensed to ensure that they meet strict data security and privacy standards, and that they do not expose consumers to an increased risk of fraud.^[4] It will be important that these safeguards are designed in such a way that does not unduly restrict the participation of the fintech sector.

Third-party payment initiation

Currently, there are two payment methods supported by financial institutions for third-party payment initiation from individuals’ transaction accounts. Direct debit allows payments to be initiated by a merchant's financial institution, with the customer authorisation held by the merchant. Credit cards and some debit cards allow payments to be initiated by a merchant with the customer's card number and associated security information. Consumers have little ongoing control over the use of these card details, and in some cases they can be used to make fraudulent payments. Other services, such as POLI, can initiate a payment from within a consumer's internet banking. However, financial institutions discourage the use of these types of services as they require consumers to disclose their internet banking credentials to a third party.

The Bank supports the inclusion of third-party payment initiation capability in Open Banking. Consumers should have the ability to authorise third parties to initiate payments on their behalf without disclosing information that, in the hands of an unauthorised third party, could be used to initiate a fraudulent payment. It is also important that consumers have good visibility over all authorisations in place and the ability to easily cancel any authorisations.

Another development in this area is the Mandated Payments Service (MPS) for the New Payments Platform (NPP).^[5] The MPS will allow third parties, such as merchants, billers or payroll providers, to send instructions to the NPP to initiate a debit-like payment from a customer's account (rather than the customer having to initiate the payment as a credit transfer, or push payment, themselves). The MPS is currently in development; the operator of the NPP, NPP Australia, anticipates that financial institutions will begin to rollout services utilising the MPS in early 2022.

Screen scraping and the CDR

Screen scraping is a process for automated data gathering, typically used in the financial sector to obtain consumers’ account information, including account balance and transaction history. It requires consumers to disclose their internet banking credentials to a screen scraping service, typically in contravention of their bank's terms and conditions. Accordingly, the disclosure of internet banking credentials may affect consumers’ rights under the ePayments Code.

Screen scraping has emerged as a solution to the difficulties faced by consumers in sharing their banking data with third parties. A range of providers offer white-labelled screen scraping services to the financial sector; however, the nature of these services means it is often unclear which screen scraping provider is facilitating the service. A consequence of the absence of an accreditation framework for screen scraping providers is that consumers could be unable to make informed decisions before disclosing their internet banking credentials. This is an area of concern for certain products – for example, payday loans – and may give rise to situations where vulnerable consumers experience pressure to disclose their internet banking credentials to secure short-term finance.^[6] Additionally, screen scraping presents a range of data security, privacy and fraud risks to consumers.

Open Banking presents an opportunity to enhance the security, speed and stability of data exchange in the financial sector. The Bank supports the CDR reducing the reliance of the financial sector on screen scraping and suggests that the Inquiry examine if a ban on screen scraping for data available under the CDR – as has been introduced in the United Kingdom – would support the financial sector's transition away from the practice.

Linkages and interoperability with existing frameworks and infrastructure

Digital identity

Digital identity services allow people to securely prove who they are in the digital environment. Such services are increasingly important to support the development of Australia's digital economy. They can help build trust in a range of online interactions and facilitate new areas of digital commerce.

The Bank has supported work by the payments industry, led by the Australian Payments Council (APC), to facilitate the development of digital identity services in Australia. The APC completed the first version of a ‘TrustID’ digital identity framework in June 2019. The framework sets out various requirements to facilitate the emergence of an interoperable network of competing private or public digital identity solutions in Australia. The framework is designed to allow individuals to establish their digital identity online with a preferred service provider and then to use those credentials to prove who they are when interacting online with other businesses.

The Bank recommends the Inquiry consider the role of digital identity services and the TrustID framework in Open Banking, noting that digital identity services would facilitate consumers receiving the full benefit of services delivered under the CDR. For example, digital identity services could reduce frictions faced by consumers when switching accounts and applying for other financial products that require financial institutions verify the identity of their customers.

New Payments Platform

The NPP, launched in February 2018, is a fast retail payments system developed by a consortium of 13 financial institutions, including the Reserve Bank. The NPP provides the clearing and settlement infrastructure through which financial institutions can provide their household, business and government customers with the ability to make fast, versatile and data-rich payments on a 24/7 basis. The Bank, with input and assistance from the Australian Competition and Consumer Commission, undertook a public consultation on NPP functionality and access in 2018/19.^[7]

As discussed earlier in this submission, from early 2022 the Mandated Payments Service (MPS) will enable the NPP to provide payment initiation services. The Bank welcomes the development of the MPS, but is of the view that it should not be the only solution for payment initiation within the CDR framework. The CDR framework must be fit for purpose for a range of different account types, institutions and payment streams. Currently, more than 65 million accounts are reachable by the NPP – around 90 per cent of accounts that will eventually be reachable. However, the NPP does not currently provide access to some account types, including credit card and loan accounts.

For example, a potential use case that relates to a range of different accounts is a money management application that provides an aggregated view of a consumer's accounts across multiple financial institutions. With the expansion of the CDR to include write access, the application could, in addition to helping the consumer manage their budget, remind the consumer of upcoming credit card or personal loan repayments, and initiate the repayments on behalf of the consumer.

The Bank recommends that the CDR framework remain agnostic with regard to the different payment systems operating in Australia to ensure the ongoing success of Open Banking.

The Bank would be happy to discuss any of these matters further with the Inquiry.

Yours sincerely

Tony Richards
Head of Payments Policy
Payments Policy Department

Endnotes

The Bank provided a submission to the 2017 Review into Open Banking in Australia. See: <https://www.rba.gov.au/publications/submissions/financial-sector/review-into-open-banking-in-australia/pdf/submission-to-the-review-into-open-banking-in-australia-september-2017.pdf>. [1]

The Report recommended that the banking sector implement processes to allow customers to sign a single form to authorise their new financial institution to arrange the transfer of all automatic transactions linked to the customer’s account and to inform associated creditors and debtors about the new account details. See: <https://treasury.gov.au/publication/banking-services-cost-effective-switching-arrangements>. [2]

The Bank’s 2016 Consumer Payments Survey found that most credit card holders do not receive a net monetary benefit from their credit card. Around 50 per cent of loss-marking cardholders did not consider switching cards, 16 per cent considered switching and only 9 per cent switched cards. See: <https://www.rba.gov.au/publications/rdp/2018/2018-11/barriers-to-switching.html>. [3]

Some of the risks arising from Open Banking could potentially be mitigated by requiring entities to have appropriate liability insurance. [4]

See page 11 of the NPP roadmap: <https://www.nppa.com.au/wp-content/uploads/2019/10/NPP-Roadmap-2019_28-Oct-2019-final.pdf>. [5]

In a joint submission to the Senate Select Committee on Technology and Regulatory Technology, the Financial Rights Legal Centre and the Consumer Action Law Centre noted “we are aware of financially vulnerable clients providing log-in details to payday lenders, only to have the payday lender use the log-in details later to identify when a consumer is getting low on cash and subsequently directly advertise to that consumer.”. See: <https://consumeraction.org.au/20191223-fintech-review/> [6]

See: <https://www.rba.gov.au/payments-and-infrastructure/new-payments-platform/functionality-and-access-report.html> [7]