ConsumerDataStandardsAustralia / standards

Work space for data standards development in Australia under the Consumer Data Right regime

Decision Proposal 216 - Profile scope support #216

Closed CDR-API-Stream closed 2 years ago

CDR-API-Stream commented 3 years ago

December 10 2021: Decision Made

This decision was approved on 10 December 2021.

The decision record is attached below: Decision 216 - Profile Scope.pdf


October 22 2021: Decision Proposal 216 Published

This decision proposal relates to the OIDC profile scope.

This paper includes a list of options proposed by the Data Standards Body (DSB) to address the current gap and covers both technical and CX standards.

Specifically, this decision proposal seeks to:

  1. Identify the appropriate support for the profile scope and individual claims
  2. Identify what data (claims) are supported or excluded
  3. Identify the appropriate presentation of the profile scope

The decision proposal is attached below: Decision Proposal 216 - Profile Scope.pdf

The change request for this issue can be found on Standards Maintenance: "Profile scope not aligned with CX standards". Due to the broader considerations and options across Information Security and Consumer Experience, this issue is being consulted on as a Decision Proposal.

This consultation is sector agnostic and relates to data language standards. As a result this will be of interest to stakeholders currently involved in energy standards consultations, such as DP213.

Feedback is now open for this proposal and will close on Monday 22 November 2021 (previously Friday 19 November 2021).


Edit 10.12.21: Decision made
Edit: In response to community requests, the feedback window has been extended to Monday 22 November
Edit: Placeholder updated; decision proposal published

CDR-CX-Stream commented 3 years ago

The decision proposal has been published and can be found in the original post.

Feedback is now open for this proposal and will close on Friday 19 November 2021.

amanuel13 commented 3 years ago

Would it be possible to get an extension until COB Monday 22nd to submit? This will enable completion of sign-off in other time zones working with.

anzbankau commented 3 years ago

ANZ is supportive of the changes in order to provide clarity to customers on the data that they are sharing. We do not support a 1st March 2022 obligation date as this does not provide 6 months lead time, from the point when the standards are published, to allow data holders to make the required changes. We propose that changes for data holders are mandated by 1st July 2022.

CDR-CX-Stream commented 3 years ago

In response to community requests, the feedback window has been extended to Monday 22 November.

WestpacOpenBanking commented 3 years ago

Westpac supports the overarching principle that the technical standards should not be modified as a result of this decision proposal.

Additionally, we support the proposal to define CX standards for voluntary profile claims using existing data language where possible.

For Decision 2, noting that all claims in addition to the name, given_name, family_name and updated_at claims are voluntary, this decision proposal should not seek to limit voluntarily shared claims. Instead, general CX guidelines should be written for the additional voluntary claims not explicitly covered by the CX standards. E.g. “Any data requested through voluntary claims must be disclosed to the customer”. 

This decision proposal has the potential to impact a large number of participants. If this turns out to be the case, we recommend that this change is considered together with issue 435 to minimise the level of disruption to participants and consumers; and appropriate lead times for implementation are factored in.

l-sateesh commented 3 years ago

Thank you for the opportunity to provide feedback:

For Decision 1: We support Option 2 as this is enabling the DRs to request fine-grained customer data and is similar to the current solution, which means less build effort. We also support the clarification of the CX standards in relation to the profile scope in order to prevent the sharing of customer data without consent and confusion around sharing non-CDR data (such as date of birth).

For Decision 2: We support Option 2 as it allows for extra flexibility in the system and is backwards compatible. It would also require less build effort as it’s similar to the current requirements.

For Decision 3: We support Option 2. This avoids duplication of scopes if the DR is asking both profile and CDR scopes. If a DR requests both the profile name scope and the customer basic scope the customer would be seeing the Name data request duplicated in the consent and authorization flow. This would create confusion for the customer as they are not (and should not) be concerned with the technicalities behind. The extra 2 scopes suggested in option 3 are very similar to the current CX language. The only difference is not including the occupation in the Name data cluster in the new Name Profile cluster. It should be backwards compatible. If a consent was provided before the change all the DRs and DHs have to do is ensure the correct data is shared as per the scopes on the consent.

We would recommend guidance around backwards compatibility with existing consents that include the profile scope. For any solution selected we would like to see clear expectations from Data Holders. For example for Decision 3, Option 2, it should be clearly stated if the DHs are to perform checks that the correct basic/detailed scope is present before sharing profile scope information or they should just rely on the DR doing the right thing.

commbankoss commented 3 years ago

CBA is supportive of the proposed changes, but does not support a compliance date earlier than September 2022. This will provide data holders with appropriate lead time (a minimum of 6 months) and not impact delivery of changes relating to the CDR Rules version 3.0, which are due in July 2022.

biza-io commented 3 years ago

Please find attached our response to Decision Proposal 216: Profile scope support: DP216 - Profile Scope Support.pdf

Biza.io supports the recommendations but believes the DSB should consider the claims implied by the profile scope in the context of individual claims with individual data cluster language as doing so alleviates complexity regarding existing arrangement behaviour should additional claims be supported post consent. Additionally we believe the proposed implementation timeline of March 2022 is unrealistic especially given the reversal of previous DSB guidance on this matter and instead recommend that the DSB carefully construct a sustainable pathway forward and provide suitable notice (min. 6 months) for Holders to comply.

amanuel13 commented 3 years ago

Decision Proposal 216 - Profile scope support

Thank you for the opportunity to provide feedback:

The core tenet of our response is that all customer data available should, as per their CDR right, be made accessible to the customer via the direct access interfaces (i.e. web and mobile) and permissioned via the regulated interfaces. This includes the sharing, with their explicit consent, of this data to their agents and third parties.

Decision 1

We support Option 2 enabling Data Recipients to request the additional customer data and it be provided if held by DH. We also support the clarification of the CX standards in relation to if a request only contains the profile scope or if a request contains both the profile and customer scopes. This will make clear for customers having to be made aware and consenting to the additional consumer data being requested and whom it will be shared.

Decision 2

We support the flexibility provided under Option 2 as it will help facilitate the ability of DHs and DRs to leverage existing requirements development and meet the proposed 1 March 2022 mandate timeline.

Decision 3

We also support Option 2 as this makes it clear whether the DR is asking only the profile or both profile and also consumer data CDR scopes. If a DR requests both the profile name scope and the additional customer data, the customer’s awareness of and explicit consent would be required, is specified in the request and supporting standards. We support the provision of CX and standards guidance to DHs and DRs in making customers aware of and obtaining explicit consent to what additional data is being requested and how it will be made available and used by DRs and, if applicable, their third-party agents. To ensure proper governance we support that in requiring DHs to provide the additional customer data if available, they perform checks whether only the profile or profile and additional customer data has been specified in the authorisation consent and request.

Implementation Mandate

Although believing that while the outlined provisioning of the decisions and options will facilitate the ability to leverage existing builds by DHs and DRs. We support providing six months' lead time for development and implementation following approval and publication of the standard.

NationalAustraliaBank commented 3 years ago

Decision 1: NAB supports option 2 to retain profile scope and have an agreed set of individual claims.

Decision 2: NAB supports option 1.

Decision 3: NAB supports option 1a which will introduce independent Profile data clusters and language.

As these changes will have impacts to our current implementation, we request 6 months of lead time for these obligations to take effect.

CDR-CX-Stream commented 3 years ago

Thanks to those who provided feedback. This consultation is now closed. Feedback will be reviewed and considered as part of the standards finalisation process.

CDR-CX-Stream commented 2 years ago

This decision was approved on 10 December 2021. The decision record can be found in the original post.

da-banking commented 2 years ago

Hello @CDR-CX-Stream Is it possible to get an extension on this obligation until November 2022? Because of the joint account obligations date being at the same time, it makes it challenging to deliver both in the same timeline.

CDR-CX-Stream commented 2 years ago

Hi @da-banking The majority of responses to the timing proposal supported a minimum 6 month lead time, which was incorporated into the standard that was made on 10 December (providing more than 6 months). As the standards have now been made with a compliance date of July 2022, extensions would only be permitted if the DH received an exemption from ACCC.

CDR-CX-Stream commented 2 years ago

This conversation will be locked as the consultation window closed on 22 November. This issue will be closed when the decision for DP216 is reflected in a standards website release.

CDR-API-Stream commented 2 years ago

This decision was incorporated into release v1.15.0.

CDR-CX-Stream commented 2 years ago

These standards were incorporated into v1.15.0 and this issue will now be closed.