Decision Proposal 39 - Draft Standards

[JamesMBligh]

This thread is for feedback on the full 2 November working draft. Overarching feedback on the draft can be made here, and complete responses to the draft in .doc format can also be uploaded.

Updated 11 November 2018 Thanks to everyone who is already adding feedback to this thread. With organisations having three weeks to respond to the working draft in full, we're going to hold off on deeply engaging with this thread until after the 23rd November. We are watching and monitoring and absorbing feedback, so please do keep it coming. Cheers, Ellen

[commbankoss]

Commonwealth Bank is supportive of the principles that have been applied to developing the Consumer Data Standards (Standards). A summary of our recommendations are below, and have attached a document containing our detailed analysis. Data_Standards_Submission_Github.pdf

Standards

With respect to the standards, Commonwealth Bank is broadly supportive of the recommendations associated with the versioning of APIs, HTTP response code definitions, and payload extensibility. Further clarity is required around the definition of fields marked as mandatory or optional. We are partially supportive of the definition of API versions with a recommendation around standardising to HTTP header versioning only. Commonwealth Bank also has strong views around technical complications relating to pagination and recommends the use of cursor based pagination as an alternate approach. Lastly, Commonwealth Bank recommend Data61 revaluate ID permanence for its complexities.

Security

In relation to information security, Commonwealth Bank is concerned that important topics are yet to be addressed. Given the relationship between the API Standards and Security Standards, it is difficult for us to provide support around a number of topics until more clarity is provided on security.
There has been limited documentation available regarding the Information Security Standards and the lack of clarity around this is emerging as an implementation risk for the regime. Commonwealth Bank recommends that Data 61 devote additional resources towards developing standards in this area, provide additional time for review, and ensure that industry participants are able to submit separate feedback regarding the Standards for information security once they are released. A key concern around information security is the ability for a consumer to provide fine grained consent to data being shared, and this has not been adequately reflected in the standards established to-date. The regime should ensure that security standards define how to prevent known vulnerabilities associated with API implementations from being easily exploited through common attack vectors, such as phishing attacks. For this reason we continue to advocate for a decoupled authentication framework, as opposed to redirection frameworks from uncontrolled devices, to re-enforce safe practices and help protect consumers.

Banking APIs

Commonwealth Bank is broadly supportive of the majority of the API definitions relating to accounts. Our primary concerns are around the scope of included data. We believe the current coarse-grained approach may lead to unnecessary over-sharing of sensitive data. For particular aspects of the standard, such as the implementation of individualised account objects and bulk data, we have technical concerns around the complexity which will result in a protracted delivery timeline. As such we suggest that they are pushed to a further version of the standards to accommodate this. The product reference data API requires further assessment. Commonwealth Bank recommends Data61 continue to work collaboratively with the industry to understand how to best represent product in the regime and refine this API. We also re-iterate our concerns about the inclusion of a direct debit payload as this data is not held by the bank. Finally, we have concerns around the potential leakage of Personal Information which is included in the payee payload.

Common APIs

Commonwealth Bank are not supportive of the current definition of the customer payload. We believe description and use cases of this API are not fit for purpose and could again lead to inadvertent data leakage. We recommend the deprecation of this API in favour of an amendment to the accounts payload, and use of the OAuth 2.0 UserInfo service.

Additional Recommendations

• Testing
  • The Commonwealth Bank needs adequate testing standards to ensure we are building what is required for July. This must be included in version 1 of the Standards in December.
• Reporting
  • The administrative endpoint is still a pending decision proposal on GitHub (28th July 2018). Clarity on reporting requirements is necessary so we have time to build the required capability in time for 1 July 2019 compliance.
• Authorisation Flows
  • We understand that these proposals will be considered more fully in the information security working groups and welcome additional workshops to facilitate this discussion.

[ghost]

BPAY is Australia’s leading payments scheme and operates for the benefit of more than 150 member financial institutions. In February 2018, the BPAY Group launched its new payment product, Osko by BPAY®, offered by more than 60 financial institutions including the four major banks. Osko® is the first product available on the NPP.

Feedback from BPAY Group, is as follows:

ExtendedTransactionData: Each overlay service for the NPP can define its own transaction data elements (eg: X2P1 may contain different data elements to X2P2). The ExtendedTransactionData element does not appear to provide the capability to identify which fields belong to which service type. Suggest that extension$type should be an object that is specific to the overlay service used, containing the data elements for that service.

For X2P1.01, the extension data should include the following fields to support the Osko product:

• extendedDescription: the 280 character description associated with a payment
• endToEndId: unique identification, as assigned by the initiating party (Payer), to unambiguously identify the transaction
• purposeCode: code used to describe the underlying reason for the transaction

Note that endToEndId and purposeCode are not currently included as part of the extension data.

For X2P2.01 and X2P3.01, we would anticipate that the extension data for each will include a different set of fields to those used for X2P1.01. The data structures used for ExtendedTransactionData should support these different field sets for the different transaction types.

ExtendedTransactionData:payee has description: “Label of target PayID. Mandatory for an outbound payment”. Note that a transaction can be addressed to a BSB-Account (which is not a PayID). Would anticipate that the user entered account name would be used in this case, suggest description should be updated for clarity , eg: “the name assigned to the BSB/Account Number or PayID (by the owner of the PayID)”.

ExtendedTransactionData: should also have data element for PayeePayId (in addition to the payee field used for the name), that is populated in case where a PayID is used to address the transaction. This should also have a supporting field that identifies the type of the PayID used (PayeeAccount$Type).

PayeeAccount$Type enumeration: the enumeration values should be aligned with the NPP descriptions for aliases: email, telephone, ABN, organisation identifier. Currently listed in spec as: email, mobile, org_number, org_name.

ExtendedTransactionData:Service enumeration: the valid value is currently listed as “X2P1.01”. This should be lowercase “x2p1.01” to correspond with the NPP definition.

TransactionDetail: does not provide any fields that allow identification of the transaction type, other than if it is an NPP transaction. Should have capability to identify type of transaction for all types, eg: Direct Entry, BPAY Payment, Osko Payment, Osko Request, etc. Also, TransactionDetail also does not contain any elements that allow identification of the payee for these transaction types (eg: BSB-Account, BPAY Biller Code & CRN). Consideration should be given to adding support for additional transaction types and their corresponding data elements to TransactionDetail (or potentially ExtendedTransactionData as extensionTypes).

TransactionBasic:Description & TransactionDetail:Description: suggest further clarifying the expectations around what will be in the Description field, and its potential relationship with other description fields that exist (eg: ExtendedTransactionData:ExtendedDescription). For example, for an NPP transaction is the expectation that these fields will both contain the same value?

[AmexAUopenbanking]

American Express Australia has the following feedback in relation to the draft standards in addition to the questions and comments raised during the working group sessions.

General Questions: Many of the fields specified in the Standards are marked as optional or not mandatory to provide. American Express feels that to enable more robust usage of the Open Banking capability that unless no data is held for a particular data element that the standard should align to the wider regulations and ensure that more data elements should be made mandatory to supply to a data recipient.

To assist with resource and capacity planning will there be a draft character limits placed on each field or are all fields assumed to have no fixed character limit?

Transactions

Foreign Exchange rate used for a transaction is an important data element that is not currently included in the Standard. American Express's position is that this should be included as a transaction level data element.

For transactions that are not Institution to Institution but follow a merchant to consumer model the Standard should clearly define which data element should carry the merchant name and details for consistency across users

Some edge cases for certain transactions types occur, in situations where charges are presented late (up to 6 months) or disputed transactions are suspended on a customers account certain mis-match in date and time of transaction type (Pending/Posted) may occur. These should be added to the test cases when testing the robustness of the Standard after the next draft release.

Account

The data holder will attempt to mask any PII known to be held when being passed however for customer input fields such as NickName the Standard should specify that once consent is obtained the data will be passed as is without further investigation or masking if customers choose to enter PII in fields where they should not.

MaskedAccountNumber field should be increased to the last 5 digits. Last 3 digits for American Express accounts are very common so last 4 digits would be the minimum to differentiate between cards held by a single consumer with American Expresses preference to display last 5 digits.

ProviderType element Standard should include Charge Card as distinct from CreditCard.

balance$type element Standard should include Charge Card as distinct from CreditCard.

Product

The Fee field should have an additional field to determine the frequency with which the fee type is charged (Monthly, Annually etc.)

ProductDiscount - Open question on if this element should be used to pass data on non dollar discounts and acquisition offers such as points bonuses etc.

ProductFeature The valid list of types documented only cover a small subset of features available, an additional field should be defined to enhance the information passed in this field.

American Express hopes to continue to provide feedback and participation in the sessions and looks forward to the next revision of these standards.

[UltradataOpenBanking]

Ultradata would like to thank Data61 for the open process associated with the creation of the Data Standards and has the following feedback in relation to the draft CDR standards.

Consent / Authentication / Authorisation

• Should an authorisation become null and void if the operational arrangement of the customer changes? For example, if the customer becomes a joint account holder or signatories change on a business entity? This is not currently accommodated.
• Are there plans for APIs to access authorisation data from a Data Holder or for APIs to access consent data from a Data Recipient? Discussion in the CX workshop highlighted the benefit of supporting aggregated consent/authorisation management to simplify consumer access.
• Are there plans for APIs to update (for example, switching from basic to detailed access to customer data) authorisation data from a Data Holder? Alternatively, is this expected to be achieved by first rescinding consent and then cycling through the consent / authentication / authorisation process again? If so, this would appear to impose unfortunate constraints on the CX.
• What plans are there for Data Holders to notify Data Recipients that a consumer has rescinded access to their information? Will this be managed by an API that the Data Recipient must support?
• What plans are the for the accreditation authority to notify Data Holders that a Data Recipient’s accreditation has been rescinded? Will this be managed by an API that the Data Holder must support?
• The rules framework requires a Data Holder to report on API performance. What plans are there to publish APIs for Data Holders to report on performance against SLAs. Alternatively, is there an expectation that reports will be submitted in a prescribed format? If so, when will the requirements around this be available?

Scheduled payments / Standing orders

• Ultradata concurs with the position from @BrianParkerAU and others. Being able to switch banking relationships from one financial institution to another would appear to be a core requirement and so being able to move scheduled payments in this process (notwithstanding the omission from the ACCC Rules Framework) would be highly desirable and arguably a higher priority than direct debits. Recognising the exigencies of the current timeline, Ultradata would support the introduction of APIs to for this purpose in a future edition of the standards.

Direct Debits

• Conforming with the requirements of the APIs for direct debits is not an issue for Ultradata.

Transactional Data

• Ultradata supports the proposal to include an “enable detail” flag when calling GET /accounts/{accountId}/transactions to reduce the need to make additional calls to get transaction detail from GET /banking/accounts/{accountId}/transactions/{transactionId}
• Ultradata will be able to support the inclusion of transaction type, merchant name, merchant category code and BPAY biller details such as biller code, name and CRN. These data elements will allow for a much more precise categorisation of transactions and reduce the need for consumers to parse information from narratives.
• Ultradata is able to support the requirements of the API with regards to the provision of pending and posted transactions.
• Extended transaction data for NPP will likely include messages that contain private information from the consumer perspective. An additional authorisation scoping level might be needed to determine whether this information is shared with a Data Recipient. A separate API for extended remittance advice (RI) might be considered in a future draft. These types of data are likely to become richer (with larger payloads) over time as NPP expands, adding further weight to managing the retrieval of this information in a separate API.

Change cadence, obsolescence, versioning etc

• The advice at recent workshops is that a more agile approach will follow with updates to the standards and these will be “small and often”. What will be the expectation on Data Holders and Data Recipients to implement these updates?

Error Handling

• Ultradata’s view is that that a poor developer experience will result if only the http status code is returned without partial responses. This will likely lead to additional help desk cases from Data Recipients and unnecessary effort to diagnose root cause of issues when an informed error would suffice.

Organisation v customer v agent

• Ultradata intends to support this by following the conventions of existing internet banking applications.

[JamesMBligh]

Thanks for the extensive feedback. The feedback period was extended due to specific requests. If there is outstanding feedback please send it via email to cdr-data61@csiro.au. Any email feedback will be posted on this thread for transparency.

The planned steps from here are as follows:

1. Feedback will be collated and reviewed over the next few days
2. Changes to the standards based on the feedback will be recommended internally and reviewed
3. Changes will be applied over the weekend
4. A summary of changes and issues that more feedback is requested for will be posted
5. A new feedback period of two weeks will be opened next Monday

-JB-

[ellenbroad]

Customer Owned Banking Association (COBA) submission received via email to the CDR mail box 22 November 2018 003_20181122 - COBA submission - Consumer Data Standards.pdf

[ellenbroad]

Australian Retail Credit Association (ARCA) submission received via email to the CDR mailbox 22 November 2018. 024_ARCA Submission to Data61 draft Consumer Data Standards.docx

[ellenbroad]

SunTec Business Solutions submission received via email to the CDR mailbox 22 November 2018.

032_CDR-Consumer Data Standards- Working Draft- Submission by SunTec Business Solutions- Nov 2018.docx

[ellenbroad]

illion submission received via email to the CDR mailbox 22 November 2018. 035_23 11 18 illion - Data61 (Data Standards) Submission Final.pdf

[ellenbroad]

Finder submission received via email to the CDR mailbox 22 November 2018. 037_Finder - Feedback on working draft of Open Banking standards.docx

[ellenbroad]

Visa submission received via email to the CDR mailbox 22 November 2018. 038_2973_001.pdf

[ellenbroad]

AGL submission received via email to CDR mailbox 26 November 2018. 039_AGL submission - Data61 API standard submission final.pdf

[ellenbroad]

Law Council of Australia submission received via email to CDR mailbox 22 November 034_2018 11 23 - Consumer Data Standards.pdf

As of 9am 27 November, this is all submissions received via the CDR mailbox.

[ellenbroad]

Apologies everyone - two submissions were missed in the CDR mail box. Uploading now.

Submission 031 from Xero Ltd received via email to CDR mailbox 23 November 2018. 031_ConsumerDataStandardsAustralia feedback to decision proposal 39 - Draft Standards.pdf

[ellenbroad]

Submission 033 from CommsAlliance received via email to CDR mailbox 23 November 2018.

033_181123_CA Submission Draft API Standards_SUBMITTED (1).pdf

[JamesMBligh]

Hi everyone. I was hoping to get this out over the weekend but the quantity and, more importantly, quality of the feedback that was provided meant that it took a bit longer to process and get reviewed than I anticipated.

Please find attached here a PDF containing a summary of the feedback received that has also be categorised. Draft Standards Feedback Summary - Feedback Cycle 1.pdf

The feedback that was policy or security related has been passed on to the relevant teams. The feedback that was related to the API standards has either been accepted or responded to.

I will now open two new issues. One specifically for product reference data - as this is clearly an area that needs specific focus - and one for comments against the standards as a whole. Comments or requests for clarification can be posted there.

-JB-

[ellenbroad]

FinTech Australia was given an extension to the 23 November deadline. Submission 034 attached, received via email to the CDR mailbox Friday 7 December 2018. Final 2 Fintech Australia Open Data WG Consumer Data Standards Submission_AU_Active01_904003094_2.DOCX.pdf