Closed JamesMBligh closed 5 years ago
Commonwealth Bank is supportive of the principles that have been applied to developing the Consumer Data Standards (Standards). A summary of our recommendations are below, and have attached a document containing our detailed analysis. Data_Standards_Submission_Github.pdf
With respect to the standards, Commonwealth Bank is broadly supportive of the recommendations associated with the versioning of APIs, HTTP response code definitions, and payload extensibility. Further clarity is required around the definition of fields marked as mandatory or optional. We are partially supportive of the definition of API versions with a recommendation around standardising to HTTP header versioning only. Commonwealth Bank also has strong views around technical complications relating to pagination and recommends the use of cursor based pagination as an alternate approach. Lastly, Commonwealth Bank recommend Data61 revaluate ID permanence for its complexities.
In relation to information security, Commonwealth Bank is concerned that important topics are yet to be addressed. Given the relationship between the API Standards and Security Standards, it is difficult for us to provide support around a number of topics until more clarity is provided on security.
There has been limited documentation available regarding the Information Security Standards and the lack of clarity around this is emerging as an implementation risk for the regime. Commonwealth Bank recommends that Data 61 devote additional resources towards developing standards in this area, provide additional time for review, and ensure that industry participants are able to submit separate feedback regarding the Standards for information security once they are released.
A key concern around information security is the ability for a consumer to provide fine grained consent to data being shared, and this has not been adequately reflected in the standards established to-date.
The regime should ensure that security standards define how to prevent known vulnerabilities associated with API implementations from being easily exploited through common attack vectors, such as phishing attacks. For this reason we continue to advocate for a decoupled authentication framework, as opposed to redirection frameworks from uncontrolled devices, to re-enforce safe practices and help protect consumers.
Commonwealth Bank is broadly supportive of the majority of the API definitions relating to accounts. Our primary concerns are around the scope of included data. We believe the current coarse-grained approach may lead to unnecessary over-sharing of sensitive data. For particular aspects of the standard, such as the implementation of individualised account objects and bulk data, we have technical concerns around the complexity which will result in a protracted delivery timeline. As such we suggest that they are pushed to a further version of the standards to accommodate this. The product reference data API requires further assessment. Commonwealth Bank recommends Data61 continue to work collaboratively with the industry to understand how to best represent product in the regime and refine this API. We also re-iterate our concerns about the inclusion of a direct debit payload as this data is not held by the bank. Finally, we have concerns around the potential leakage of Personal Information which is included in the payee payload.
Commonwealth Bank are not supportive of the current definition of the customer payload. We believe description and use cases of this API are not fit for purpose and could again lead to inadvertent data leakage. We recommend the deprecation of this API in favour of an amendment to the accounts payload, and use of the OAuth 2.0 UserInfo service.
BPAY is Australia’s leading payments scheme and operates for the benefit of more than 150 member financial institutions. In February 2018, the BPAY Group launched its new payment product, Osko by BPAY®, offered by more than 60 financial institutions including the four major banks. Osko® is the first product available on the NPP.
Feedback from BPAY Group, is as follows:
ExtendedTransactionData: Each overlay service for the NPP can define its own transaction data elements (eg: X2P1 may contain different data elements to X2P2). The ExtendedTransactionData element does not appear to provide the capability to identify which fields belong to which service type. Suggest that extension$type should be an object that is specific to the overlay service used, containing the data elements for that service.
For X2P1.01, the extension data should include the following fields to support the Osko product:
Note that endToEndId and purposeCode are not currently included as part of the extension data.
For X2P2.01 and X2P3.01, we would anticipate that the extension data for each will include a different set of fields to those used for X2P1.01. The data structures used for ExtendedTransactionData should support these different field sets for the different transaction types.
ExtendedTransactionData:payee has description: “Label of target PayID. Mandatory for an outbound payment”. Note that a transaction can be addressed to a BSB-Account (which is not a PayID). Would anticipate that the user entered account name would be used in this case, suggest description should be updated for clarity , eg: “the name assigned to the BSB/Account Number or PayID (by the owner of the PayID)”.
ExtendedTransactionData: should also have data element for PayeePayId (in addition to the payee field used for the name), that is populated in case where a PayID is used to address the transaction. This should also have a supporting field that identifies the type of the PayID used (PayeeAccount$Type).
PayeeAccount$Type enumeration: the enumeration values should be aligned with the NPP descriptions for aliases: email, telephone, ABN, organisation identifier. Currently listed in spec as: email, mobile, org_number, org_name.
ExtendedTransactionData:Service enumeration: the valid value is currently listed as “X2P1.01”. This should be lowercase “x2p1.01” to correspond with the NPP definition.
TransactionDetail: does not provide any fields that allow identification of the transaction type, other than if it is an NPP transaction. Should have capability to identify type of transaction for all types, eg: Direct Entry, BPAY Payment, Osko Payment, Osko Request, etc. Also, TransactionDetail also does not contain any elements that allow identification of the payee for these transaction types (eg: BSB-Account, BPAY Biller Code & CRN). Consideration should be given to adding support for additional transaction types and their corresponding data elements to TransactionDetail (or potentially ExtendedTransactionData as extensionTypes).
TransactionBasic:Description & TransactionDetail:Description: suggest further clarifying the expectations around what will be in the Description field, and its potential relationship with other description fields that exist (eg: ExtendedTransactionData:ExtendedDescription). For example, for an NPP transaction is the expectation that these fields will both contain the same value?
American Express Australia has the following feedback in relation to the draft standards in addition to the questions and comments raised during the working group sessions.
General Questions: Many of the fields specified in the Standards are marked as optional or not mandatory to provide. American Express feels that to enable more robust usage of the Open Banking capability that unless no data is held for a particular data element that the standard should align to the wider regulations and ensure that more data elements should be made mandatory to supply to a data recipient.
To assist with resource and capacity planning will there be a draft character limits placed on each field or are all fields assumed to have no fixed character limit?
Transactions
Foreign Exchange rate used for a transaction is an important data element that is not currently included in the Standard. American Express's position is that this should be included as a transaction level data element.
For transactions that are not Institution to Institution but follow a merchant to consumer model the Standard should clearly define which data element should carry the merchant name and details for consistency across users
Some edge cases for certain transactions types occur, in situations where charges are presented late (up to 6 months) or disputed transactions are suspended on a customers account certain mis-match in date and time of transaction type (Pending/Posted) may occur. These should be added to the test cases when testing the robustness of the Standard after the next draft release.
Account
The data holder will attempt to mask any PII known to be held when being passed however for customer input fields such as NickName the Standard should specify that once consent is obtained the data will be passed as is without further investigation or masking if customers choose to enter PII in fields where they should not.
MaskedAccountNumber field should be increased to the last 5 digits. Last 3 digits for American Express accounts are very common so last 4 digits would be the minimum to differentiate between cards held by a single consumer with American Expresses preference to display last 5 digits.
ProviderType element Standard should include Charge Card as distinct from CreditCard.
balance$type element Standard should include Charge Card as distinct from CreditCard.
Product
The Fee field should have an additional field to determine the frequency with which the fee type is charged (Monthly, Annually etc.)
ProductDiscount - Open question on if this element should be used to pass data on non dollar discounts and acquisition offers such as points bonuses etc.
ProductFeature The valid list of types documented only cover a small subset of features available, an additional field should be defined to enhance the information passed in this field.
American Express hopes to continue to provide feedback and participation in the sessions and looks forward to the next revision of these standards.
Ultradata would like to thank Data61 for the open process associated with the creation of the Data Standards and has the following feedback in relation to the draft CDR standards.
Consent / Authentication / Authorisation
Scheduled payments / Standing orders
Direct Debits
Transactional Data
Change cadence, obsolescence, versioning etc
Error Handling
Organisation v customer v agent
Thanks for the extensive feedback. The feedback period was extended due to specific requests. If there is outstanding feedback please send it via email to cdr-data61@csiro.au. Any email feedback will be posted on this thread for transparency.
The planned steps from here are as follows:
-JB-
Customer Owned Banking Association (COBA) submission received via email to the CDR mail box 22 November 2018 003_20181122 - COBA submission - Consumer Data Standards.pdf
Australian Retail Credit Association (ARCA) submission received via email to the CDR mailbox 22 November 2018. 024_ARCA Submission to Data61 draft Consumer Data Standards.docx
SunTec Business Solutions submission received via email to the CDR mailbox 22 November 2018.
illion submission received via email to the CDR mailbox 22 November 2018. 035_23 11 18 illion - Data61 (Data Standards) Submission Final.pdf
Finder submission received via email to the CDR mailbox 22 November 2018. 037_Finder - Feedback on working draft of Open Banking standards.docx
Visa submission received via email to the CDR mailbox 22 November 2018. 038_2973_001.pdf
AGL submission received via email to CDR mailbox 26 November 2018. 039_AGL submission - Data61 API standard submission final.pdf
Law Council of Australia submission received via email to CDR mailbox 22 November 034_2018 11 23 - Consumer Data Standards.pdf
As of 9am 27 November, this is all submissions received via the CDR mailbox.
Apologies everyone - two submissions were missed in the CDR mail box. Uploading now.
Submission 031 from Xero Ltd received via email to CDR mailbox 23 November 2018. 031_ConsumerDataStandardsAustralia feedback to decision proposal 39 - Draft Standards.pdf
Submission 033 from CommsAlliance received via email to CDR mailbox 23 November 2018.
033_181123_CA Submission Draft API Standards_SUBMITTED (1).pdf
Hi everyone. I was hoping to get this out over the weekend but the quantity and, more importantly, quality of the feedback that was provided meant that it took a bit longer to process and get reviewed than I anticipated.
Please find attached here a PDF containing a summary of the feedback received that has also be categorised. Draft Standards Feedback Summary - Feedback Cycle 1.pdf
The feedback that was policy or security related has been passed on to the relevant teams. The feedback that was related to the API standards has either been accepted or responded to.
I will now open two new issues. One specifically for product reference data - as this is clearly an area that needs specific focus - and one for comments against the standards as a whole. Comments or requests for clarification can be posted there.
-JB-
FinTech Australia was given an extension to the 23 November deadline. Submission 034 attached, received via email to the CDR mailbox Friday 7 December 2018. Final 2 Fintech Australia Open Data WG Consumer Data Standards Submission_AU_Active01_904003094_2.DOCX.pdf
This thread is for feedback on the full 2 November working draft. Overarching feedback on the draft can be made here, and complete responses to the draft in .doc format can also be uploaded.
Updated 11 November 2018 Thanks to everyone who is already adding feedback to this thread. With organisations having three weeks to respond to the working draft in full, we're going to hold off on deeply engaging with this thread until after the 23rd November. We are watching and monitoring and absorbing feedback, so please do keep it coming. Cheers, Ellen