Chapter 2Views on the bill

Introduction

2.1This chapter examines stakeholder views on the provisions of the Treasury Laws Amendment (Consumer Data Right) Bill 2022 (the bill). It is informed by the bill’s explanatory materials, submissions received by this inquiry, evidence provided at a public hearing in Canberra on Tuesday, 18 April 2023, and additional material submitted to the committee.

2.2This chapter provides an indicative account of the key issues raised during the inquiry and concludes with the committee’s views with recommendations on the bill. The discussion is separated into the key, high level reforms in relation to the bill.

Overall support for the measure

2.3The majority of submissions to the inquiry supported the bill and its intent to expand the Consumer Data Right (CDR) by introducing a framework to enable action initiation, a functionality which submitters across the board argued, would empower consumers to authorise, manage and facilitate actions securely in the digital economy.[1]

2.4Many submitters noted that the proposed bill would importantly, implement key recommendations and findings from the Inquiry into Future Directions for the Consumer Data Right (the Future Directions Inquiry), and the recent Statutory Review of the CDR undertaken in 2022.[2]

2.5Noting the approach taken in the bill is consistent with recommendations from the Future Directions Inquiry, FinTech Australia expressed its strong support for the proposed amendments:

The consumer data right is a transformational reform which is world leading in its ambition and scope. It is already a key driver for fintech innovation and will be even more so with the implementation of action initiation. We agree that action initiation will be a game changer for the CDR and support passage of this bill and the enabling framework for the action initiation it will establish. There is a strong foundation for action initiation to be a success.[3]

2.6FinTech Australia emphasised the benefits that the amendments would have in establishing a CDR framework which is flexible and adaptable to new models over time. These benefits include empowering consumers and businesses to do more with the CDR, driving fintech innovation and greater participation in the scheme, as well as building on the existing regulatory framework for information sharing.[4]

2.7Summarising the view widely shared by stakeholders, Finder argued that launching action initiation capabilities through the CDR framework is a crucial legislative step, stating:

Finder has strongly supported the introduction of “action initiation” to the CDR since we first outlined this recommendation in 2019. We strongly believe that the CDR can offer more value to both consumers and industry participants by allowing consumers to do more than just access data through the regime.[5]

2.8Zepto articulated that the bill will empower consumers to authorise, manage and facilitate actions securely in the digital economy. As well as strongly believing that action initiation will play a critical role in driving innovation and delivering better experiences and outcomes for consumers and businesses, Zepto argued that the quick expansion of the CDR is beneficial for Australia to keep moving forward in this space.[6]

2.9Adatree argued that increasing consumers’ ability to access and control their data through action initiation would be instrumental:

This bill represents a fantastic step forward for consumer empowerment… Action Initiation will cement CDR as a cornerstone for Australia’s digital economy at large… We are strong proponents of integrating Action Initiation in the CDR and are eager for these proposed changes to be put into effect.[7]

2.10Finally, the Commonwealth Bank of Australia (CBA) advised the committee of its overall support for the proposed measure and the importance it will play in ensuring Australia remains globally competitive, stating:

CBA believes the introduction of action initiation will further position Australia at the forefront of advanced digital economies, and we support the government’s commitment to the economy wide rollout of the CDR.[8]

Specific matters raised by stakeholders

2.11Despite supporting the intent of the bill to enable action initiation within the CDR, some submitters provided suggestions regarding the government’s proposed reforms. Key recommendations received by submitters are discussed below.

Privacy safeguards

2.12As outlined in Chapter 1, the new CDR framework encompasses privacy protections (privacy safeguards) comparable to the Australian Privacy Principles that intend to provide a higher level of protection for data used and shared within the CDR framework. The privacy safeguards apply to consumer data belonging to individuals and businesses, however, generally contain more restrictive requirements on the handling of CDR data than requirements applying to personal information under the Privacy Act 1988 (Privacy Act). The objective of the proposed amendments in the bill is to extend the privacy safeguards for action initiation so that they apply to CDR data that flows in the instruction layer of the framework, from an accredited action initiator to an action service provider.[9]

2.13Some stakeholders expressed concern that the privacy safeguards provided through both the Privacy Act and the CDR framework are not sufficient, have the potential to increase consumer harms and, that relevant reviews in this sphere should be completed before commencement of the proposed reforms.

2.14For example, the Australian Banking Association (ABA) and Adatree both suggested that the outcomes of the Privacy Act Review undertaken by the government, and other proposed amendments to the Privacy Act, are considered before settling revisions to the privacy safeguards within the bill.[10]

2.15The ABA argued that the bill be amended to provide certainty that the obligation to carry out a valid CDR action request does not exclude necessary and appropriate anti-scam and cyber security checks and precautions.[11] The ABA also suggested that banks should be able to refuse an instruction where they detect or determine an elevated risk to their customers or have not received confirmation from the customer of an instruction and that this should be made clear within the bill.[12] The ABA stated:

As more Australians experience scams, frauds and cyber-attacks, banks are actively working with regulators, conducting awareness campaigns and building a range of sophisticated detection tools to pick up on unusual behaviours in close to real time to stop suspicious transactions. By the engagement of a third party standing in the shoes of the customer, action initiation potentially introduces a range of new risks for which banks may need to develop specific scam, fraud and cyber mitigation tools.

…the rules and standards can assist in reducing some risks, the draft legislation appears to open the door to actions carrying high risk (e.g., payments), while limiting the ability of banks as Action Service Providers (ASPs) to address them. This is in the context of the need to rapidly increase the maturity and scale of such preventative measures and the growing number and complexity of scams, frauds and cyber-attacks.[13]

2.16The Financial Rights Legal Centre (FRLC) supported the suggested amendments by the ABA to provide banks with the ability to apply a stronger scams approach to payments, underpinned by the view that the introduction of action initiation has the potential to increase the risks to the payment system by introducing a third party between the bank and the consumer.[14] Accordingly, the FRLC suggested that the introduction of action initiation is delayed.[15]

2.17Noting that the increase in scams and fraud is an economy-wide issue and not a risk that is unique to the CDR, Treasury confirmed the need to ensure that the CDR has the right protections in place to minimise the risk of harm for consumers and small businesses.[16] Treasury officials explained that the bill positively expands on the privacy and security safeguards from what currently exists and forms part of the government’s broader approach to combatting scams:

The bill includes privacy and security protections, such as requiring consumers' explicit and informed consent, consumer authentication and authorisation. Importantly, the bill would not prevent action service providers, such as banks, from undertaking security and other checks or refusing to perform an action provided they do not discriminate against actions provided by the CDR… the existing sectoral laws, such as those in the banking sector, would continue to govern how an action is performed. It is important that those existing regulations are fit for purpose here, and that's something that we're very mindful of in the CDR.[17]

2.18While arguing that stronger consumer protections to address scams must be put in place before moving ahead with action initiation, Mr Drew MacRae, Senior Policy and Advocacy Officer from the FRLC, supported the privacy safeguards within the bill which bring the privacy principles into CDR and action initiation as a start to dealing with privacy and security in this next phase of CDR:

CHAIR: Do you support the privacy safeguards that are in the bill now, which bring the privacy principles into CDR and action initiation as a start to dealing with privacy and security in this next phase of CDR?

Mr MacRae: Generally speaking, yes. As many of the privacy safeguards should be applied to the action initiation level as possible.[18]

2.19Concerns highlighted above, were not however shared by all inquiry participants. Cuscal who strongly articulated its support for the extension of the privacy safeguards within the bill.

The protections provided by the Privacy safeguards for CDR consumers ensure sensitive and confidential information remains protected at all stages of the process and helps to build trust within the ecosystem. Cuscal supports the bill’s extension of the Privacy safeguards.[19]

2.20Similarly, the Australian Communications Consumer Action Network (ACCAN) submitted:

Wherever possible, the most comprehensive privacy protections should apply to the CDR data used by [accredited action initiators] AAIs and [action service providers] ASPs. Ensuring that consumer data is protected when consumers interact with AAI and CDR services is crucial as in order to see significant uptake of the CDR, consumers must trust that their data will be adequately safeguarded.[20]

2.21Commenting on how consumer data and privacy issues are dealt with in the existing CDR framework and the rollout of action initiation with the privacy safeguards being introduced, the Finance Brokers Association of Australia (FBAA) advised the committee that the existing CDR framework has advantages in terms of data protection when compared to what consumers are undertaking on their own. For example, in the context of applying for finance through a broker, Mr David Carson, Regulatory Advisor from the FBAA, stated:

[…] if a consumer wants to apply for finance through a broker, they will likely email a lot of their documents. There are provisions to make bank statements available online through secure portals, but the methods of document transmission are still anchored in the older technology of emailing and sending them in. So I think any push to have that data controlled by entities that are subject to more stringent requirements would mean that the integrity of that data is better, it would mean that lenders and brokers can place greater reliance on that data not being fraudulent, and it also gives a greater level of protection to the consumers because the holders of that data meet certain minimum requirements before they're entitled to deal. Overall, we've been very supportive of the move for the CDR because we think it will produce a better customer experience; it will produce a better service provider experience; and it will increase the integrity of the whole process, which I think is important.[21]

2.22The Office of the Australian Information Commissioner (OIAC), the independent Commonwealth Regulator responsible for co-regulating the CDR, articulated that implementation of the bill would positively expand their role in relation to investigating privacy safeguard breaches or possible breaches in relation to action service providers. The OIAC explained that these powers include assessment and auditing powers to ensure that participants are managing CDR data in accordance with the privacy safeguards, and complaint management tools, such as conciliation and alternative dispute resolution.[22]

2.23Furthermore, in relation to the expansion of privacy protections, Ms Elizabeth Hampton, Deputy Commissioner, OIAC, informed the committee that the bill will further protect consumers data and privacy alongside other privacy protections in place which require compliance from CDR participants:

Ms Hampton: …The CDR does include very specific privacy protections that go to the CDR regime that build on some of the fundamentals that already exist in the Privacy Act but apply them with greater specificity to the particular acts and practices of the CDR regime.

CHAIR: In relation to the controls on action initiation, does that extend privacy protections further?

Ms Hampton: It does. In the way that I have mentioned earlier, it takes the strengthened CDR protections and applies them with specificity to the particular actions that are contemplated in the bill.[23]

Duty to act efficiently, honestly and fairly when initiating CDR actions

2.24The proposed action initiation framework requires accredited persons to act efficiently, honestly, and fairly when initiating CDR actions. Initiating CDR actions include proposing to give an instruction on behalf a potential CDR consumer for a type of CDR action. Under the bill, failing to act in this manner would be a contravention of the Competition and Consumer Act 2010 (CCA). Modelled on a core obligation in the Australian financial services licensing regime in the Corporations Act 2001 and adapted for the CDR context, the obligation is intended to capture actions contrary to a consumer’s interest.[24] Some stakeholders suggested that the obligation should be more broadly applied across the CDR framework and made recommendations to strengthen the bill to this effect.

2.25While concerned with the obligation to act honestly and fairly (but not efficiently), Zepto suggested that the obligations on accredited persons should be fit-for-purpose and reflect the responsibilities the persons are taking on.[25]

2.26EnergyAustralia submitted that the bill should go further to mitigate risks and capture actions contrary to a consumer’s interest, stating:

A stronger consumer protection and high standard would be an obligation to act in the consumer's best interests. This would squarely and more effectively address the risks around an AAI acting as the customer's agent which is the core concept behind AI.[26]

2.27The FRLC suggested that the duty should extend to all accredited persons activities under the CDR, including the collection, handling, and use of CDR data under the read only access regime—not limited only to initiating actions. It was argued that this would be an important step ‘in light of the over-reliance on consent and disclosure as the two key protections for consumers who engage with the CDR…’[27] Despite this concern, the organisation noted in its submission its overall support for the obligation.[28]

2.28Notwithstanding the above suggestions, the Telecommunications Industry Ombudsman outlined its support for, and importance of the extended privacy protections with the bill:

Our position on the CDR action initiation amendment bill is that we support reforms that continue to reduce complexity for consumers but are underpinned by strong privacy protections.[29]

2.29Treasury articulated the policy underpinning the introduction of the duty within the bill to capture actions contrary to a consumer’s best interest and noted that it is an obligation familiar to many CDR participants:

[…] the bill obliges accredited action initiators to act efficiently, honestly and fairly when seeking to or sending action instructions on behalf of a consumer… The policy basis for including this for action initiation is that it's consistent with a recommendation of the future directions inquiry and it's intended to be closely aligned with the obligation in the Australian financial services licensing regime. It's an obligation that is readily understood and is quite familiar to many CDR participants. It's not the sole obligation on accredited persons initiating actions, but it's expected to form an important part of the consumer protection framework. It recognises that in issuing an instruction to undertake an action there will be some more risk introduced into the CDR framework. It was considered to be an important inclusion and protection for consumers.[30]

Sectorial coverage and stakeholder consultation

2.30As outlined in Chapter 1, the CDR is in the process of being rolled out on a sector-by-sector basis to create an economy wide framework.[31] Some stakeholders raised concerns regarding sectorial coverage of the CDR framework and the introduction of action initiation, which are outlined below.

2.31For example, the Insurance Council of Australia (ICA) stated that while the CDR does not currently apply in the insurance industry, the extension of the CDR to the general insurance sector (after a sectoral assessment and consultation with the industry), will arguably pose unique issues.[32] In this regard, the ICA suggested that the government should undertake comprehensive consultation prior to expansion of the CDR to the industry, and that overall, its application to the sector would not be beneficial to consumers nor the industry. The primary basis for this concern, which is also shared by others, being that accreditation costs are likely to be substantial for the industry and beyond the capacity of some businesses.[33]

2.32Expressing the view that beyond the banking sector, the CDR is relatively new to Australia, Telstra felt that the implementation of action initiation across all sectors is premature. Considering that current reviews in relation to cyber security, electronic surveillance and data breaches are underway, which may influence the way in which the CDR is optimally designed and implemented by business, it was suggested that progression of the proposed legislation to the telecommunications sector is delayed until the surrounding legislative and policy environments are more settled:

We look forward to working with Treasury on the continuing implementation of CDR in the telecommunications sector but urge caution on enabling the new legislation which could apply to all sectors when enacted until the CDR is more fully understood and embedded in the economy. In our view, given CDR in banking is much more progressed, we consider a more appropriate policy response at this time is to proceed with action initiation in banking only. Only once CDR is more fully embedded in other industries such as energy and telco should extending action initiation be considered.[34]

2.33However, the above concerns were not shared by all, with submitters commenting that the bill establishes enabling framework and that commencement of action initiation would occur following periods of consultation and through legislative instruments issued by the Minister.

2.34Several inquiry participants highlighted that it is important that the framework legislation for action initiation (which would have substantial work being undertaken through regulations), is implemented in a sustainable way, involving a high level of involvement and consultation with stakeholders enthusiastic to participate.

2.35The Financial Data and Technology Association commented on some of the practical aspects of rolling out action initiation within the bill:

We started with banking. We've moved on to energy. We have non-bank lending. We've got telco in the works. What action initiation also does is to give us an insight into what datasets are not there to enable the use cases that might matter to consumers. We can't quite narrow in on that until we have the opportunity to actually learn by doing and start practising some of these things. I think the ability for industry to have that, be it class exemptions or a particular ability to explore within certain bounds, such as in pilots, definitely creates the opportunity for businesses and the public sector to actually learn how to develop a CDR framework as critical infrastructure for Australia to move us towards this top 10 digital economy by 2030.[35]

2.36Emphasising that consultation is a crucial part of ensuring the successful rollout of action initiation, Mr Kieran McKenna, Chief Risk Officer from Cuscal stated:

In terms of the engagement, I think we've proven to date that that's been really important, and it's super important in the next stage of action initiation, because we as industries and cross-industries need to test these things. The big thing is that the engagement should be around how the technology is going to look and feel and then how it appears in the consumer's hands. You need to focus on what that consumer experience is going to be, and part of that process can be a testing strategy.[36]

2.37In relation to the expansion of the CDR framework, officials from Treasury outlined in detail the multiple and comprehensive consultation processes and stakeholder engagement involved in relation to the rollout of action initiation that would be undertaken under the proposed framework. Ms Emily Martin from Treasury advised the committee:

We've already held an action initiation workshop with industry—that had over 100 participants—and looked at a number of the issues you would have heard raised this morning around the technical flows of information, the potential use cases, the benefits for consumers and how we might go about thinking about this because it is new reform for the CDR. In addition to that, we also have a number of forums in which industry participate. We have a CDR implementation advisory committee. We have a CDR design and strategy forum. Under the DSB…we have the Data Standards Advisory Committee. They advise on the technical standards that come into play after rules are made in the CDR system. There are multiple opportunities for industry and others to interact with the CDR and be involved in consultation. The ACCC and OAIC also have other mechanisms for undertaking consultations on their specific parts of the program. I would say that we're constantly engaged in consultation.[37]

2.38Finally, from an industry stakeholder perspective on the framework legislation, FinTech Australia succinctly summarised the views broadly held by inquiry participants, stating:

We understand there is a long implementation road ahead. Action initiation won't be up and running overnight. Significant further work and consultation will be required to implement specific action types and new data standards. But this bill is an important first step which will kickstart a new era of CDR powered innovation.[38]

Fee determinations

2.39A minority of submitters raised potential concerns regarding the regulation of Ministerial powers to make decisions regarding fee charging under the proposed action initiation framework and suggested that this aspect of the measure could be to the detriment to consumers.

2.40In a joint submission to the inquiry, Chartered Accountants Australia and New Zealand, CPA Australia and the Institute of Public Accountants (CA ANZ, CPA Australia, IPA) stated:

We are concerned by the proposal in the bill to allow the Minister to make a decision that an accredited action initiator may charge fees to transmit an instruction. This is not something that is for the benefit of consumers but appears to incentivise persons to become accredited action initiators in the CDR eco-system.... Where fees are charged, it may not be transparent to the consumer why those fees are being charged. Moreover, where a consumer considers the fees unreasonable, the avenue for review is lengthy and complex.[39]

2.41FinTech Australia expressed potential concerns regarding the lack of clarity or a framework for the regulation of fee charging, arguing there is currently no regulation of the fees that can be charged by action service providers for receiving instructions. As a result, FinTech indicated that this may result in price discrimination, explaining that:

[…] if an [Action Service Provider] ASP charges a fee to an [Accredited Action Initiator] AAI, CDR action initiation may not be a price competitive option for consumers and they may not choose to engage with action initiation through the CDR as a result. The anti-discrimination principles for the action layer in the Draft Legislation will be of limited value if ASPs are able to charge unlimited fees for receiving instructions.

2.42Similarly, ACCAN considered that should a cost be associated with accessing accredited action initiation enabled CDR services it would have the potential to dissuade consumers from using the service. Accordingly, the organisation suggested action initiation in the CDR should not impose additional fees to ensure maximum utilisation and benefit for consumers. ACCAN stated:

Ensuring that an AAI enabled CDR does not impose additional fees on consumers is crucial to its effectiveness and widespread adoption. Should a cost be associated with accessing AAI enabled CDR services it would likely dissuade consumers from using the service.[40]

2.43Addressing the concerns raised by submitters in relation to fee determinations, Treasury informed the committee the mechanisms that the Australian Competition and Consumer Commission (ACCC) would have in place under the framework, to monitor and intervene if any issues arose in this area:

The bill would enable the CDR rules—so that's the next stage after the legislation, and the minister makes the rules—to determine if a fee could be charged by an action service provider for processing an instruction received from an accredited action initiator. The ACCC would be able to intervene if it considered charges were unreasonable. Action service providers would be able to charge fees in the action provided they do not charge a higher fee because the instruction was received through the CDR. So if they already charge fees, they couldn't charge something higher just because the instruction is coming through the CDR framework. For example, if opening new home loan accounts was an action type, a bank would be able to charge a consumer a home loan application fee for a request that came through the CDR—banks charge these fees now—but it could not charge a higher fee than what would be applied outside the CDR.[41]

Effectiveness of the measure

2.44While inquiry participants welcomed action initiation, some stakeholders were concerned about the potential effectiveness of action initiation within the CDR. Namely, that it would increase the complexity of the existing CDR framework and may not be beneficial for consumers and industry alike.

2.45CA ANZ, CPA Australia, IPA felt:

The bill significantly increases the complexity around “who can do what” within the CDR ecosystem. This makes it challenging for a consumer to make an informed choice when they first need to determine if the person, they wish to initiate an action is accredited for that specific action.[42]

2.46Mr Damir Ćuća, CEO and founder of Basiq Pty Ltd, outlined concerns in relation to the standardisation of practices across sectors and the potential impacts that this may have on industry. In particular, he noted a possibility for industry consolidation under larger banks, and under large platforms providing action initiation.[43]

2.47While specifically commenting on dispute resolution pathways available to consumers if a complaint arises as part of the action initiation process, the Telecommunications Industry Ombudsman were concerned that the introduction of a third party (accredited action initiator) could create complexity for consumers trying to understand how to resolve a dispute. For example, a situation may arise where consumers are not aware of whether it was the initiator of the action request or the entity taking the action that they should raise a complaint against, or both.Notwithstanding these concerns the Ombudsman noted broad consultation would help address these issues. The Ombudsman acknowledged that ‘the solution to this problem doesn't necessarily need to be addressed in the bill, and it could be resolved through subordinate instruments or government coordinated action’.[44]

2.48Despite the concerns outlined above, many inquiry participants articulated that the measure would, among other things, have a positive impact on industry and consumers by streamlining processes and improving competition.

2.49For example, Adatree argued that the consumer benefits of action initiation are obvious and that the reforms will empower consumers to interact with their service providers and simplify the process of switching accounts.[45]

One way that we can think about action initiation is it's opening it up to be a two-way method of communication. I can receive all the information from my bank and then, through the same process that I actually receive that information, I can act on that information immediately or directly with my bank so that they can then use it to make more informed choices and smooth all the processes around things like… switching or account management or any of those kinds of areas… It really does reduce the mental load and it has the opportunity to reduce the mental load in more of that everyday management of financial services, and additional services as we move to have energy and telcos included as all of these systems…[46]

2.50Adatree further stated that the changes provided by action initiation ‘will be instrumental improving competition and reducing the concentration of power among a few large players’.[47]

2.51ACCAN and ARCA also indicated that the bill has the potential to improve competition and save consumers time and money by easily allowing them to compare plans (for example in sectors such as telecommunications).[48] Summarising the views of both organisations on this point, ARCA submitted:

[…] beyond simply receiving and using data, the ability for a consumer to have an action initiated on their behalf will also have a significant impact on the provision of credit, which could bring increased competition and other consumer benefits…[49]

2.52Similarly, Finder explained the difference that action initiation will make for consumers in comparison to the current read-only CDR framework. For example, the organisation submitted that without action, a customer will still need to go through the same onerous process, for example, to change providers or make or cancel a payment.[50] Finder drew the committee’s attention to recent analysis it has undertaken and its findings in relation to the possible savings that action initiation will have for consumers. Extrapolated data presented in Finder’s submission outlined that action initiation enabled switching in the sectors where CDR is designated could save consumers more than $1000 a year.[51] Finder argued:

Payment initiation through the CDR will help to reduce transaction costs for consumers and businesses. It will also ensure that the existing CDR/payment infrastructure already present in the banking sector is better utilised…as a result, we believe that action-initiation CDR will be the catalyst to make CDR highly valuable for Australian consumers.[52]

2.53Cuscal succinctly expressed its views on the benefits of action initiation as follows:

By enabling third-party providers to take actions on behalf of consenting consumers, the Bill will make consumer interactions with the CDR more efficient, removing friction and so realising the benefits of CDR for both companies and individuals.[53]

2.54Likewise, FinTech Australia commented:

We spend a lot of time as consumers managing our money, for instance moving things around, checking our balances, going through finding better deals to save money that might be in banking and financial services but also in energy, insurance and other areas. This particular bill enables industry to actually do what it does well, which is exploring product service and business model innovation. That leverages this digital infrastructure of critical national importance to give people their time back. Time is the most precious resource that we have, and I think at this point in time, with all the macroeconomic forces that are at play, the importance of payments and enabling people to save money, get better deals, is extremely important to our society and our economy. I think this supports that trajectory with existing infrastructure that has been laid down already in this world-leading reform.[54]

2.55As outlined above, inquiry participants also argued that the proposed amendments would enable industry to grow across a range of sectors, in more ways than one, which would have a positive impact on competition.

2.56Speaking in relation to the financial services industry and the CDR, Zepto argued:

[…] there are two things that CDR offers. The first is promoting innovation…The second is access to infrastructure… by allowing companies, and smaller companies and fintech companies—after they've been accredited of course—to access that infrastructure is creating a level playing field, and that's critical in order to allow and promote competition in the industry and, ultimately, for the benefit of consumers through better, cheaper products. That's an important point. It's something that we see in the payments industry as well, with the new payments platform. The major banks have been the traditional custodians of that area but now, increasingly, smaller players have a role to play there in trying to compete. The great thing about the consumer data right is that we're starting from a base level, from a level playing field, and that's the second way I think this piece of legislation would be promoting competition.[55]

2.57During the public hearing, the FBAA discussed the interaction of finance and mortgage brokers with the CDR and argued that action initiation is an appropriate next step in the rollout of the framework and would be ‘extremely beneficial to this industry and to consumers’.[56] In particular, that action initiation would round out the regime by empowering consumers to better utilise and access information, further strengthening the current framework that is in place.[57]

2.58In relation to stakeholder perspectives on the anticipated positive aspects of the bill, Treasury informed the committee that it is expected that action initiation will assist consumers to better manage their circumstances and, ‘will reduce complexity, time and cost for consumers looking to safely get better deals and services and will unlock new business models, drive innovation and boost competition’.[58] Treasury also said the proposed amendments are expected to increase in participation of businesses providing and offering services to consumers through the introduction of action initiation.[59] Ms Emily Martin from Treasury stated:

[…] the bill has largely been designed to mirror the existing data sharing legislation in order to build off the strong foundation that is already in place for the CDR. This approach minimises the complexity and regulatory burden of action initiation for CDR participants by leveraging a framework that is familiar to the industry. Enabling action initiation in the CDR is part of the government's commitment to expand the CDR across the economy and grow the opportunities for consumers to make use of their own data for their benefit.[60]

Committee view

2.59The committee welcomes the strong support for the bill to amend the Competition and Consumer Act 2010 to expand the CDR to enable action initiation.

2.60The committee notes that for the intended benefits of action initiation to be realised, extensive consultation and consideration, road mapping and a measured rollout of action initiation will be required.

2.61The committee is reassured by the extensive, ongoing and continual consultation processes industry has openly been engaged with which will continue to inform and resolve any roll out issues in relation to action initiation as and when they arise.

2.62The committee is encouraged by evidence that data sharing within the CDR has far greater protections than standard non-CDR data sharing practices, and that the privacy principles of the CDR are good.

2.63The committee is reassured that the CDR and proposed reforms in the bill to expand safeguards to action initiation are an enhanced privacy regime and acknowledges businesses also play an important role in appropriately protecting CDR data and privacy.

2.64The committee is of the view that the mechanisms for facilitating fees in the CDR rules, and the capacity to monitor and intervene fee determinations, are appropriate. The committee is of the view that the mechanisms for facilitating fees in the CDR rules, and the capacity of the ACCC to monitor and intervene fee determinations are appropriate.

2.65The committee is persuaded by evidence from a broad range of stakeholders that the implementation of action initiation will have many advantages, allowing consumers to better manage their circumstances, reduce the complexity of data sharing as well as significantly save time and costs in relation to important, every day activities involving their finances.

2.66The committee is satisfied that the bill will support a range of innovative business models and agrees with evidence from industry stakeholders that the reforms would drive the development of new CDR powered products and services. The committee believes that in turn, this will boost competition and reduce the time pressures, cost and complexity experiences by consumers and small businesses.

2.67On balance, the committee believes that the proposed amendments reflect recommendations by recent reforms and reviews on the CDR to enable action initiation and, that this framework legislation will place consumers at the centre of an innovative data-sharing system that protects their privacy, giving them the ability to opt-in and determine when and how they share their data with accredited businesses and professionals of their choosing.

Recommendation 1

2.68The committee recommends that the bill be passed.

Senator Jess Walsh

Chair

Senator for Victoria

Footnotes

[1]See, for example: Finder, Submission 7, [pp. 1–2]; Adatree, Submission 15, p. 1; FinTech Australia, Submission 6, p. 1; EnergyAustralia, Submission 5, [p. 1]; Zepto, Submission 3, p. 1; Commonwealth Bank of Australia (CBA), Submission 14, [p. 1]; Cuscal, Submission 13, [p. 2]; Australian Communications Consumer Action Network (ACCAN), Submission 8, p. 1; Mr Peter White, Managing Director, Finance Brokers Association of Australia (FBAA), Proof Committee Hansard, 18April 2023, p. 16.

[2]Department of the Treasury (Treasury), Statutory Review of the Consumer Data Right Report, 29September 2022; Treasury, Inquiry into Future Directions for the Consumer Data Right Final Report, 23 December 2020. Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 18.

[3]Mr Nick Kavass, Policy Lead, FinTech Australia, Proof Committee Hansard, 18 April 2022, p. 1.

[4]FinTech Australia, Submissions 6, p. 2; Mr Nick Kavass, Policy Lead, FinTech Australia, Proof Committee Hansard, 18 April 2022, p. 1.

[5]Finder, Submission 7, [p. 2].

[6]Zepto, Submission 14, p. 1; Mr Gabriel Perrottet, Senior Legal Counsel, Public Policy and Regulation, Zepto Payment, Proof Committee Hansard, 18 April 2023, p. 7.

[7]Adatree, Submission 15, p. 1.

[8]CBA, Submission 14, [p. 1].

[9]Explanatory Memorandum (EM), p. 30.

[10]Australian Banking Association (ABA), Submission 12, pp. 2–3; Attorney-Generals Department, Privacy Act Review Report, 16 February 2023, https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report (accessed 19 April 2023). The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. The Privacy Act Report contained 116 proposals to strengthen and modernise Australian privacy law. Stakeholder feedback through a consultation process is currently underway to inform the government’s response to the report.

[11]ABA, Submission 12, pp. 2–3.

[12]ABA, Submission 12, p. 2.

[13]ABA, Submission 12, pp. 3–4.

[14]Financial Rights Legal Centre, Submission 11, p. 3.

[15]Financial Rights Legal Centre, Submission 11, p. 2.

[16]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 21.

[17]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 21.

[18]Exchange between Senator Jess Walsh, Chair, and Mr Drew MacRae, Senior Policy and Advocacy Officer, Financial Rights Legal Centre, Proof Committee Hansard, 18 April 2023, p. 14.

[19]Cuscal, Submission 13, p. 2; Mr Kieran McKenna, Chief Risk Officer, Cuscal Ltd and Mr Damir Ćuća, CEO and Founder, Basiq Pty Ltd, a subsidiary of Cuscal Ltd, Proof Committee Hansard, 18 April 2023, p. 11.

[20]ACCAN, Submission 8, p. 2.

[21]Mr David Carson, Regulatory Compliance Consultant, FBAA, Proof Committee Hansard, 18 April 2023, p. 17.

[22]Ms Elizabeth Hampton, Deputy Chair, Office of the Australian Information Commissioner, Proof Committee Hansard, 18 April 2023, p. 22.

[23]Exchange between Senator Jess Walsh, Chair and Ms Elizabeth Hampton, Deputy Chair, Office of the Australian Information Commissioner, Proof Committee Hansard, 18 April 2023, p. 22.

[24]EM, pp. 19–20.

[25]Zepto, Submission 3, p. 4.

[26]EnergyAustralia, Submission 4, p. 2.

[27]Financial Rights Legal Centre (FRLC), Submission 11, p. 1.

[28]Mr Drew MacRae, Senior Policy and Advocacy Officer, Financial Rights Legal Centre, Proof Committee Hansard, 18 April 2023, pp. 14–15.

[29]Ms Cynthia Gerbert, Ombudsman, Telecommunications Industry Ombudsman, Proof Committee Hansard, 18 April 2023, p. 12.

[30]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 22.

[31]EM, p. 57.

[32]Insurance Council of Australia (ICA), Submission 9, p. 3.

[33]ICA, Submission 9, pp. 1–2. Regarding accreditation costs, see also, Chartered Accountants Australia and New Zealand, CPA Australia, IPA (CA ANZ, CPA Australia, IPA), Submission 17, pp.1–2.

[34]Telstra, Submission 1, [p. 2].

[35]Mr Mathew Mytka, Regional Director, Regional Director for Australia and New Zealand, Financial Data and Technology Association, Proof Committee Hansard, p. 6.

[36]Mr Kieran McKenna, Chief Risk Officer, Cuscal Ltd, Proof Committee Hansard, 18 April 2023, p.10.

[37]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 20.

[38]Mr Nick Kavass, Policy Lead, FinTech Australia, Proof Committee Hansard, 18 April 2022, p. 2.

[39]Charted Accountants Australia and New Zealand, CPA Australia and the Institute of Public Accountants (CA ANZ, CPA Australia, IPA), Submission 17, p. 2.

[40]Australian Communications Consumer Action Network (ACCAN), Submission 8, p. 2.

[41]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 23.

[42]CPA ANZ, CPA Australia, IPA, Submission 17, p. 1.

[43]Mr Damir Ćuća, CEO and Founder of Basiq Pty Ltd, a subsidiary of Cuscal Pty Ltd, Proof Committee Hansard, 18 April 2023, p. 10.

[44]Ms Cynthia Gerbert, Ombudsman, Telecommunications Industry Ombudsman, Proof Committee Hansard, 18 April 2023, p. 13.

[45]Adatree, Submission, p. 3.

[46]Mr D'Arcy Mullamphy, Policy and Compliance Lead, Adatree Pty Ltd, Proof Committee Hansard, 18 April 2023, p. 5.

[47]Adatree, Submission 15, p. 4.

[48]ACCAN, Submission 8, p. 1.

[49]ARCA, Submission 4, p. 1.

[50]Finder, Submission 7, p. 3.

[51]Finder, Submission 7, p. 3. This analysis is based on the following products/ services: home loans, savings accounts, electricity, phone and internet plans, credit cards, personal and car loans.

[52]Finder, Submission 7, p. 2.

[53]Cuscal, Submission 13, [p. 2].

[54]Mr Mathew Mytak, Regional Director, Financial Data and Technology Association ANZ (FinTech Australia), Proof Committee Hansard, 18 April 2023, p. 4.

[55]Mr Gabriel Perrottet, Senior Legal Counsel, Public Policy and Regulation, Zepto Payment, Proof Committee Hansard, 18 April 2023, p. 5.

[56]Mr David Carson, Regulatory Compliance Consultant, FBAA, Proof Committee Hansard, 18April2023, pp. 17-18.

[57]Mr David Carson, Regulatory Compliance Consultant, FBAA, Proof Committee Hansard, 18April2023, p. 18.

[58]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 18.

[59]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 19.

[60]Ms Emily Martin, Assistant Secretary, Policy and Engagement Branch, Consumer Data and Digital Division, Treasury, Proof Committee Hansard, 18 April 2023, p. 18.