ConsumerDataStandardsAustralia / standards

Work space for data standards development in Australia under the Consumer Data Right regime

Decision Proposal 160 - CX Standards | Non-individuals | Partnerships | Secondary users #160

Closed CDR-CX-Stream closed 3 years ago

CDR-CX-Stream commented 3 years ago

June 25: Decision Made

This decision was approved on 25 June 2021. The decision record is attached below: Decision 160 - Non-Individuals - Partnerships - Secondary Users.pdf


May 11: Decision Proposal Published

This decision proposal relates to non-individuals, partnerships, and secondary users.

Specifically, this consultation seeks to determine:

  1. Appropriate options to inform and facilitate sharing for non-individuals, partnerships, and secondary users
  2. Appropriate messaging to display to account holders withdrawing secondary user instructions

The relevant decision proposal is attached below: Decision Proposal 160 - Non-Individuals - Partnerships - Secondary Users.pdf

Feedback is now open for this proposal and will close at 5pm on Tuesday 8th June 2021.


February 9: Original Placeholder: This is a placeholder issue for consultation on CX Standards for non-individual consumers, business partnerships, and secondary users.

This proposal is not yet ready for publication. This placeholder issue has been opened to gather initial community commentary on the scope and content of the proposal.

While the intention is for this consultation to focus on the relevant items raised in Noting Paper 157*, the DSB encourages feedback on any additional CX Standards and CX Guidelines that the community views as required for the purposes of non-individual consumers, business partnerships, and secondary users.

*Items 12-14. Item 16 on secondary user withdrawal standards will be dealt with separately.


Edit: Decision proposal published, which incorporates a proposal for secondary user instruction withdrawals.

Edit: Decision made.

CDR-CX-Stream commented 3 years ago

Decision proposal 160 on non-individuals, partnerships, and secondary users has now been published.

The relevant decision proposal is attached to the original post.

Feedback is now open until 5pm on Tuesday 8th June 2021.

commbankoss commented 3 years ago

CBA looks forward to providing a response to this consultation. In the interim we have a clarification request:

Could the DSB please define what is meant by the term ‘non-nominated persons’? Does this mean any person who has not yet been nominated as the nominated representative in the context of business accounts? Given the Rules for who can be appointed as a nominated representative are not restrictive to those persons who are able to transact on the business account, is it the case that anybody is technically a non-nominated representative?

CDR-CX-Stream commented 3 years ago

Hi @commbankoss,

That is correct, we have used the term 'non-nominated persons' to mean 'any person who has not yet been nominated as the nominated representative' to share non-individual or partnership data.

The scenario we are tending to is where a user can successfully authenticate using credentials they would normally use for a partnership or non-individual consumer, but the user has not been made a nominated person and as such cannot share partnership or non-individual data.

In relation to the second query, Note 3 in Rule 1.13 states the following for non-individuals and partnerships:

In the circumstances of paragraphs (1)(c) and (d), a person or partnership that does not have a nominated representative will not be able to give or amend authorisations, or use the dashboard to manage authorisations (see subrule 1.15(2A)), and accordingly, the data holder will be neither required nor permitted to disclose the requested CDR data under these rules.

WestpacOpenBanking commented 3 years ago

Westpac welcomes the opportunity to comment on the Decision Proposal 160: Non-Individuals, Partnerships and secondary users.

We agree with the assessment that there are scenarios where data holders cannot show specific accounts and we are supportive of Option 2 as a way to provide a better customer experience in those scenarios.

We recommend that, where possible, accounts that a user owns or has secondary user instructions for should be displayed during the account selection step of the authorisation flow. We would welcome the development of more specific guidelines with regard to the scenarios where accounts may be excluded.

We also remark that under the current proposal and existing CX standards, if a secondary user grants consent to share CDR data, then only that secondary user has the ability to elect that any collected or derived data be deleted when it becomes redundant data. In particular, if an account holder wishes to revoke a consent granted by a secondary user and have any shared or derived data deleted, then they have no means to indicate that the deletion should occur.

We are not supportive of Option 3 as a mandatory requirement – the minimal mechanism proposed may result in unneeded requests being sent to many customers. We suggest that this optional proposal could be improved by:

da-banking commented 3 years ago

Can you please clarify the distinction between a "Nominated Representative" and a "Secondary User"?

Our understanding is as follows:

Should a Nominated Representative (Individual A) acting on behalf of a business be permitted to specify that a Secondary User (Individual B) is able to authorise sharing of an account's data held by that business?

CDR-CX-Stream commented 3 years ago

Thanks @WestpacOpenBanking and @da-banking for your comments.

@da-banking in response to your queries:

A nominated representative is an individual who has been given the ability by a non-individual or partnership to provide, amend, and manage authorisations on behalf of the non-individual or partnership (see rule 1.13(1)(c) and (d), in Subdivision 1.4.2).

A secondary user is distinct to a nominated representative. A secondary user is a person with account privileges, but they can only share CDR data relating to that account if the account holder makes a secondary user instruction (see rule 1.13(1)(e) in Subdivision 1.4.2).

The rules specify that data holders must provide a service that can be used by the account holder to make (and revoke) a secondary user instruction. Can you clarify if your query relates specifically to the ability for a nominated representative who is not an account holder to provide a secondary user instruction?

da-banking commented 3 years ago

Thanks for the response @CDR-CX-Stream

Yes, that's what we would like to clarify.

Normally, a nominated representative (an individual) would be the one to log in to Internet Banking to perform actions on behalf of a business (as opposed to the business entity itself logging in). We think it would make more sense for a nominated representative to be the one who can provide a secondary user instruction to another individual.

CDR-CX-Stream commented 3 years ago

@da-banking in response to your last query:

The rules do not intend for DHs to be required to provide secondary user functionality for non-individuals and partnerships. This is because non-individuals and partnerships can make a secondary user a nominated representative, rather than providing the somewhat duplicated secondary user instruction functionality. Treasury intends to clarify this position in a future version of the rules.

The rules require a nominated representative management service to be provided, but are silent on who can make an individual a nominated representative, and who can be made into a nominated representative. This is up to DHs to determine with non-individuals and partnerships.

commbankoss commented 3 years ago

Given non-secondary users and non-nominated representatives are distinct concepts, Commonwealth Bank has reviewed and addressed each separately:

For non-nominated users, we recommend combining options 2 & 3 – use of generic message and ability for the user to Request sharing rights from the authorisation flow.

For non-secondary users, we also recommend combining options 2 & 3 – use of generic message and ability for the user to Request sharing rights from the authorisation flow.

Commonwealth Bank also supports the proposed recommendation for withdrawing secondary user instructions.

Lastly, we request at least 6 months lead time for implementation of changes arising from this decision proposal.

anzbankau commented 3 years ago

ANZ is supportive of both options 1 and 2 and we agree that an appropriate level of descriptive language in the flow is necessary to guide the user. ANZ does not support option 3 and feels that the decision to invoke secondary sharing authorities should remain the prerogative of the account holder.

SelenaLiuEA commented 3 years ago

Good afternoon All,

Please see EnergyAustralia’s feedback below:

Secondary User Instruction Withdrawal

Instruction 1 requires data holders to advise the customer that “removing a secondary user instruction will stop all current and future data sharing for secondary users”. We question whether the reference to secondary users should actually be singular – the secondary user - to reflect that sharing can be disabled for a single secondary user and not all secondary users (if this is the case).

We question the need for Instruction 2 which requires data holders to advise the consumer that the consumer should review the consequences with the other account user(s) before removing the secondary user instruction. The decision of the account user is ultimately at their discretion so adding this information is not strictly necessary. The more content on a page, the less likely a customer is to absorb it all. If the customer has invested the effort in going through the process to deactivate a secondary user, they have most likely made an active and clear decision. In terms of wording, an alternative would be to engage the customer with a question: Are you sure you want to disable the secondary user? Yes / No. This will give them a chance to correct if they accidentally clicked on the previous button.

CDR-CX-Stream commented 3 years ago

Thanks to all who provided feedback. Feedback on this decision proposal is now closed. Submissions will be reviewed before finalising DP160 for the Data Standards Chair to consider.

CDR-CX-Stream commented 3 years ago

This decision was approved on 25 June 2021. The decision record can be found in the original post.

Standards changes arising from this decision will be incorporated into the v1.11.0 release.

CDR-API-Stream commented 3 years ago

The changes to be included in v1.11.0 have been staged for review here: https://github.com/ConsumerDataStandardsAustralia/standards-staging/compare/release/1.11.0...dp/160

CDR-CX-Stream commented 3 years ago

This decision has been reflected in the v1.11.0 release of the CX Standards. The issue will now be closed.