Business Insight

Action Initiated? Action initiation under Australia's Consumer Data Right becomes law 

By Geoff McGrath, Andrew Hilton, Sashini Walpola and Jarred Gerson

05 September 2024

Share Share
swirl background
Share

    What you need to know 

    • Australia has new laws to bring action initiation or "write access" to the Consumer Data Right (CDR). After almost three years before Parliament, the new laws were passed unamended and with bipartisan support.
    • The move follows a range of announcements to reset Australia's Consumer Data Right – reducing cost and complexity, with a focus on high value use cases to drive consumer benefits. Read more on Resetting Australia’s Consumer Data Right.
    • Action initiation brings to life some of the foreshadowed opportunities of the CDR, with use cases ranging from the automation of payments to insight-driven service provider switching.
    • The new laws set out the framework for action initiation, but not the specific actions – Treasury will consult on which actions are introduced when, and for what sectors.
    • Energy switching may be an early target – the Government's "high priority" use cases are borrowing decisions, energy switching and accounting services to small business. The Data Standards Body is already exploring experimental standards, with the Government drawing attention to energy switching and real estate application experiments.
    • The regime brings two new roles to the CDR, the Accredited Action Initiator or AAI (who will receive action requests from consumers) and the Action Service Provider or ASP (who will perform the action request from an AAI as if it came from the consumer directly).
    • Various sectors have stressed the need for extensive consultation to address industry-specific challenges and called out that the CDR needs time to mature to build customer trust.

    What you need to do  

    • Service providers (especially in the banking, finance, and energy sectors) should consider how their internal systems and processes are placed to facilitate action initiation. CDR action initiation is only the "instruction layer" that triggers the action – the "action layer" will be performed by existing processes.
    • Treasury will consult on which actions should be designated in each sector. Actively engage to ensure that sector-specific challenges, regulation, and practices are taken into account. The CDR reset includes better alignment between CDR, Digital ID and privacy reforms – keep across developments in Digital ID and privacy reforms to understand the likely future of action initiation.
    • Service providers in all sectors should consider how action initiation might impact their product roadmaps and strategies – including, for example, whether to become accredited to initiate actions, such as triggering payments or account switching.

    "Write access" coming to the Consumer Data Right

    After almost three years before Parliament, the Treasury Laws Amendment (Consumer Data Right) Act 2024 to bring long-awaited action initiation to the CDR is now law. The bill was passed unamended and with bipartisan support on 15 August 2024, receiving assent on 26 August 2024.

    Action initiation (also referred to as "write access" for some use cases) allows a consumer to permit a service provider to initiate actions on their behalf.

    Examples include initiating payments, switching service providers, opening or closing accounts, automating the processes for undertaking loan or mortgage applications or 'one stop shop' budgeting applications.

    CDR action initiation regulates the "instruction layer", allowing actions to be initiated or triggered using CDR systems. It does not regulate the "action layer" – actions initiated using the CDR are performed using existing industry processes.

    Data sharing was the foundation of the CDR regime, but action initiation is the next step in helping consumers overcome barriers to participation and decision-making in a data-driven economy. The new action initiation framework is intended to drive competitive benefits from the CDR – by allowing consumers and service providers to not only make better decisions, but to take meaningful action with reduced friction, driving new types of services.

    A new framework to initiate action using the CDR

    The framework for action initiation is similar to existing processes under the Consumer Data Right, with three key building blocks:

    Framework for action initiation

    • Declaration – Types of actions that can be initiated using the CDR, and the classes of CDR Data Holders that are to be Action Service Providers, are added by ministerial declaration.
    • Rules – Following a declaration, the Minister would make rules for the action type.
    • Data standards and guidelines – The rules would work alongside the data standards prepared by the Data Standards Body. The Office of the Australian Information Commissioner would also prepare and publish guidelines relating to the privacy safeguards.

    Accredited Action Initiators and Action Service Providers

    The bill introduces new roles to the CDR regime:

    • The Accredited Action Initiator or AAI can give instructions on behalf of a consumer. The AAI must be accredited for particular actions under the rules. The Government expects rules will be made to require an AAI to first be accredited to receive data under the CDR (as an Accredited Data Recipient), even if it doesn't receive data under the CDR.
    • An Action Service Provider or ASP is required to undertake actions in accordance with those instructions. An ASP is typically a Data Holder under the CDR specified in the declaration for an action, but the rules may also allow other entities to be voluntary Action Service Providers – for example, if an action to update a consumer's address details is made mandatory for certain data holders, the rules might allow other entities to voluntarily take advantage of the capability.

    ASPs cannot treat valid instructions from an AAI any differently to how they would treat direct instructions from consumers. However, the ASP is not required to perform an action if it would not ordinarily perform that action according to its standard business practices.

    This ensures that action initiation can be used to provide a process that is as frictionless as possible.

    Action initiation is the "instruction layer"

    Action initiation under the CDR affects what is known as the "instruction layer". It does not affect the usual ways that ASPs perform those actions in their business (the "action layer") and does not require an ASP to take any actions which it would not otherwise perform.

    The action initiation process contemplates the following detail for these layers:

    • Instruction Layer – A standardised framework under the CDR enabling a consumer to give instructions about actions to an Accredited Action Initiator. The Accredited Action Initiator sends an action request to the Action Service Provider, who authenticates the consumer requesting that the relevant action be carried out.
    • Action Layer – The process of undertaking an action itself. Once an instruction is given, the Action Service Provider is then required to carry out the request as if the request as if it had come from the consumer directly.

    Action initiation process

    Image text (for accessibility)

    Consumer
    Consumer makes request to Compare Co to switch from Provider A to Provider B, and consents to these actions.

    Accredited Action Initiator
    Compare Co
    Compare Co instructs Provider A to close the consumers account, and instructs Provider B to open a new account for the consumer.

    Action Service Provider
    Provider A Provider B
    Provider A carries out the 'close account' action, subject to authentication, then notifies Compare Co.
    Provider B carries out the 'open account' action, subject to authorisation and authentication, then notifies Compare Co.

    'Open account' and 'close account' actions occur outside the CBR, using the Providers' existing industry processes.

    What kinds of CDR actions could we see?

    Treasury will consult on which actions are introduced when, and for what sectors, but we expect a focus at least in the short term on "low hanging fruit" – use cases with lower cost, complexity and risk to implement, and clear consumer benefits – consistent with the Assistant Treasurer's recent approach to Resetting Australia's Consumer Data Right.

    In a letter to the Data Standards Chair, the Assistant Treasurer identified as high priority use cases:

    • those relating to borrowing decisions;
    • energy switching; and
    • accounting services to small businesses.

    He also supported continued use of experiments, mentioning in particular those involving energy switching and real estate applications.

    Actions could make use of either payment initiation (authorisation to make payments on behalf of consumers) or other "general" initiation processes (authorisation to undertake other actions, such as updating personal details or pre-filling application forms, on behalf of consumers).

    Potential use cases in the longer term could include:

    Submitting applications for new products and streamlining opening and closing accounts

    Allowing consumers to open new accounts or apply for new products from their existing service provider using an intermediary (such as a mortgage application or cash accounts for trading platforms).

    The previous Government indicated that, to support streamlined switching, product applications and establishing new customer relationships will be prioritised. 

    Performing 'life admin' functions

    Enable a fintech provider to update personal details or update employment or income information.

    Transferring funds between accounts

    Automatically transferring money between accounts to avoid overdraft fees or maximise interest returns.

    Making payments on consumer instruction

    Automating the making of both push and pull (ie direct debit) payments on request.

    Switching service providers

    Switching service providers manually or automatically (eg, based on data-driven insights), simplifying the changeover process and reducing friction.

    Developing new technologies

    Improving services through the use of data-driven insights and executed through the use of action initiation.

     

    CDR use cases will mature over time from more transactional, active, user triggered activity to passive and even predictive services that are trusted to take actions on a user's behalf – for example, automatically switching between products, plans or service providers to make sure the consumer is always getting the best deal.

    In its responses to Treasury's consultation on the draft bill in late 2022, the ACCC made a number of suggestions regarding liability allocation that have not appeared in this form of the bill. The ACCC also proposed that the first "actions" to be designated could be an area other than payments, such as the initiation of switching in the energy sector. We expect that the intended use cases and the liability allocation for action initiation will continue to be high priority issues for the Government and regulators to resolve as part of the action initiation design and rollout.

    International insights

    While most jurisdictions have started their open data journey with open banking and a focus on payment functionality, Australia envisaged a consistent "whole-of-economy" approach, with an initial focus on data sharing. Australia has the opportunity to look at overseas experiences – not only to understand high value action use cases, but also to consider if internationally standardised approaches might help control implementation costs by reducing the need for customised software systems.

    The United Kingdom is looking to expand on the success of open banking to other sectors of the economy through a new Digital Information and Smart Data Bill (announced in the 17 July 2024 King's Speech).

    Third party payment initiation was part of the initial scope of the UK's Open Banking initiative and has expanded rapidly since the Payment Services Directive (PSD2) began entering into force from 13 January 2018. The penetration and adoption of open banking data sharing and payments continue to grow in the UK – with payments penetration overtaking data sharing for the first time in August 2023.

    In the UK, holding a Payment Initiation Service Provider (PISP) licence to initiate payments ("write" access) carries a greater regulatory burden than an Account Information Service Provider (AISP) licence ("read only" access). Australia's action initiation framework similarly allows for additional accreditation requirements for Accredited Action Initiators, and we expect requirements to be more onerous for higher risk actions (such as payment initiation). Some actions (such as password resets) will be too high risk to be part of the Consumer Data Right.

    In the UK, most customer-facing open banking solutions focus on personal payments. As at January 2022, the use of Open Banking in the UK to facilitate direct payments has accounted for over £2.4 billion of funds transferred since its rollout in 2018. A frictionless user experience, together with robust security safeguards, has been key to this success.

    Australia will also be watching what other jurisdictions are doing:

    • New Zealand is currently looking to expand its open banking framework to introduce consumer data rights which will incorporate action initiation from the outset. Government consultations have emphasised that the new laws would make it easier for customers to switch providers for services such as banking, electricity, and telecommunications. A Senate Committee report on the proposed Consumer and Product Data Bill is due 22 January 2025.
    • In its April 2024 budget, Canada announced its plans to implement its "Consumer-Driven Banking" framework by 2025 – with plans to make sure the regime is interoperable with Personal Finance Data Rights rules recently finalised in the United States.

    Successful adoption of action initiation in Australia will depend on a well-integrated payment ecosystem, with the "instruction layer" and the "action layer" interacting seamlessly.

    Success will also require trustworthy identification and authentication and increases in consumer confidence – particularly in the face of recent high profile cyber-attacks. In Australia, the Assistant Treasurer has mentioned that integration between Digital ID mechanisms and action initiation will be critical for ensuring consumer safety. Consumers expect strong data protections at minimum, but willingness to share data is also integrally linked to the value of the service to the consumer – consumers are more likely to be comfortable sharing data where new services bring extra value or extra convenience.

    Challenges and Opportunities

    Cyber, privacy and fraud risks

    The Government argues that CDR brings a safe and secure set of protocols and frameworks for enabling consumers to do things that they might be doing today in an unsafe way (for example, through screen scraping and password sharing).

    As any CDR participant can attest, the CDR regime already takes security very seriously. But could the ability for intermediaries to initiate actions such as payments or opening accounts create a new vector for fraud threats, or get in the way of current protections against fraud?

    The action initiation regime imposes various obligations with the aim to protect against the risk of fraud, for example:

    • accredited persons are subject to a new obligation to act efficiently, honestly and fairly when initiating actions, and civil penalties apply to misleading a person into believing a person is accredited when they are not;
    • existing privacy safeguards will be updated to apply to CDR data that flows in the instruction layer. The privacy safeguards would also apply to AAIs, and some privacy safeguards would apply to ASPs; and
    • the consumer data rules may include rules that apply to AAIs or ASPs, that regulate the security, storage or deletion of certain data that is disclosed to the AAI or ASP under the action initiation regime.

    The existing consent and authentication processes that exist under the CDR will continue to apply, as will the security standards that must be met for accreditation.

    The Government has emphasised that the action initiation regime will not prevent service providers from applying security or other checks, or refusing to perform an action consistent with existing practices.

    However, the banking sector has noted that by adding an intermediary, CDR action initiation will mean the loss of some visibility of the customer, such as data about the device used, the IP address and the time and date of the customer's instruction. This behavioural data and other markers can be used to reduce fraud and cyber risks.

    If the data used to combat fraud and cyber risks is different when actions are triggered by third parties under the CDR, new security or verification solutions specific to action initiation may need to be developed.

    Implementation and existing systems

    Service providers will need to consider how they will implement action initiation in their existing systems, for example to enable switching or payment initiation via an instruction that is delivered through an API call.

    Service providers should be considering what limitations might be in place for these use cases, and what additional information might be needed from consumers to ensure that they can initiate actions on request.

    Accreditation as an opportunity

    The action initiation regime could also offer new opportunities for existing and new service providers and FinTechs to trigger actions as an Accredited Action Initiator.

    On top of the data sharing benefits available as an Accredited Data Recipient under the current CDR, service providers or FinTechs who gain accreditation as an Accredited Action Initiator could be able to initiate payments, help consumers switch products (including as an incoming channel, to a service provider's own products) or provide multi-product management services for disparate brands and service providers.

    The Government previously signalled that it expects future consumer data rules to require a prospective Accredited Action Initiator to first be accredited to receive data under the CDR (as an Accredited Data Recipient), even if it doesn't receive data under the CDR. Having a good understanding of the various pathways to accreditation and the associated administrative and regulatory burdens and costs, will help organisations make strategic choices about when and how to prepare to become a Consumer Data Right participant.

    Next Steps

    While the action initiation framework has now been legislated, it does not identify or allow any specific types of actions under the CDR. Further work is required to identify high value actions, and to undertake the consultation necessary to declare an action and prepare the rules and data standards that would give effect to the action mechanisms.

    Industry has signalled that consumer trust is key to the success of action initiation, and that allowing the CDR framework to mature is critical to earning that trust. Industry has previously called for meaningful sector consultation and assessment, robust cost-benefit analysis, and a measured approach to introducing actions (for example, adopting a staggered approach). If recent announcements on resetting Australia's CDR are a guide, those calls have been heard, although at this early stage the impacts of the “reset” remain to be seen.

    One lesson that we have learned in assisting with CDR implementation is the level of interlinking complexity arises from overlaying a new regime on existing systems.

    Action initiation brings great opportunities – but will not be a simple "bolt on" to existing systems and processes.

    Want to know more?

    Additional Author: Kate Pantelidis, Lawyer. 

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.

    Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 5 September 2024 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts