ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Clarification of Energy PRD Obligations #611

Closed CDR-API-Stream closed 1 year ago

CDR-API-Stream commented 1 year ago

Description

The Treasury have recently published the exposure draft rules for non-bank lending. This includes some proposed rule changes to address the issues uncovered last year around the discovery of energy PRD endpoints served by AER. These rules are intended to resolve the obligations for energy retailers with regard to PRD endpoints and are proposed to indicate that this obligation will be realised via the standards.

To avoid the need for an implementation date to be included in the rules the DSB are suggesting that the standards be amended to indicate that there is no obligation on retailers. This would effectively be a formalisation of the current state situation but it would also mean that the rules can be made without creating an immediate obligation.

The DSB would then consult with the community on removing this statement from the standards along with a reasonable future dated obligation.

Area Affected

There are two options for the area of the standards to be changed:

  1. The statement could be added to the 'Security Endpoints' section of the standards where the base URIs are described.
  2. The statement could be added to the 'Shared Responsibility' section. While energy PRD is not a shared responsibility data cluster it is analogous and this could be a logical place for the statement to appear.

Change Proposed

A statement would be added to the standards to the effect that energy retailers do not have to expose energy PRD via their public base URI.

perlboy commented 1 year ago

While I'm in support of the objective of the thematic of this proposal it is likely legally insufficient to state "energy retailers do not have to expose" because Rules override the Standards and NP248 specifically includes a statement of:

In light of the obligations and context outlined above, this section describes a series of suggested implementation patterns that can be used by energy retailers to meet their obligations under the CDR rules and standards.

The proposed Rules wording suggests that the Standards set one or more processes for forwarding which the noting paper and the official DSB account suggested it had. Further the rules also talk about a transfer mechanism for the request that should also be unambiguously clarified.

What is absent from the Rules (and possibly DSB) consideration is why the Register can't be a mechanism for lookup of base URIs suitable for retrieving this data. It is, in essence, exactly that for Banking now.

Pasting the Rules for reference:

A retailer that has not chosen to provide a product data request service must nevertheless, if: (a) it becomes aware that a CDR consumer is attempting, or has attempted, to make a product data request for required product data to it or through it; and (b) the standards set one or more processes for forwarding such a request to the AER or the Victorian agency as appropriate; forward the request using one of those processes in a way that conforms with the relevant data standards.

On this basis it is critical the Standards are more explicit than "do not have to" and in fact state explicitly that they do not specify such a process so that observers are not confused, misled by or rely upon previous statements made by the DSB. It's also important to explicitly outline that the Standards neither provide a mechanism to forward nor to transfer such a request so Energy retailers voluntarily providing Energy PRD (if they exist or are about to exist) will become immediately non-compliant.

Suggested wording would be something like:

nils-work commented 1 year ago

A fix for this issue has been staged for review: https://github.com/ConsumerDataStandardsAustralia/standards-staging/commit/d320d243af59eb314c487113495fa69a36ec2ce6

nils-work commented 1 year ago

This change has been incorporated into version 1.27.0