As foreshadowed last year, off the back of the former government's response to the Treasury's Inquiry into Future Directions for the Consumer Data Right and with the support of the newly-elected Albanese government, Treasury has put forward the Treasury Laws Amendment (Measures for Consultation) Bill 2022: Consumer Data Right – Implementing Action Initiation (the Bill). This enables them to progress with plans to implement Action Initiation as part of Australia's overall transition to an economy-wide roll out of the Consumer Data Right (CDR).
Action Initiation will allow third-parties to initiate actions beyond their current capacity of mere data sharing with a customer's consent. This third-party could receive powers equivalent to a 'digital power of attorney'. The ultimate goal is for the consumer to merely 'push a button' and be able to grant a third party the power to apply for, accept, pay for and manage new products and services on behalf of the consumer.
The Bill proposes to expand the pre-existing CDR provisions within the Competition and Consumer Act 2010 (the Act) to implement Action Initiation into the CDR regime. This would allow consumers to share their data and initiate actions securely in a manner that is both time and cost efficient.
New entities introduced
The Bill introduces two new CDR entities in relation to Action Initiation:
- Accredited Action Initiator (AAI) – an accredited entity that is able to instruct Action Service Providers on a consumer's behalf.
- Action Service Provider (ASP) – an entity that carries out instructions received from an AAI.
The proposed Action Initiation would consist of two parts: the 'instruction layer' and the 'action layer'. The instruction layer enables a consumer to give consent for an AAI to send an action initiation request to an ASP, such as a bank. The ASP will then carry out the requested action in the 'action layer'.
Importantly, the 'instruction layer' will sit within the CDR regime, but the 'action layer' will not. This means that CDR rules relating to Action Initiation will only apply to the 'instruction layer', and not the 'action layer'. This is illustrated by the proposed section 56BGA(4)), which clearly states that the CDR Rules 'cannot include rules requiring an ASP for a type of CDR action to perform (or not perform) a CDR action of that type in a particular way'. Presumably, any regulation that would typically apply to any actions within the 'action layer' will continue to apply.
Obligations and rules for CDR entities
To ensure consumer protection, the Bill specifies certain high-level obligations for the newly introduced entities.
Under the proposed Bill, AAIs must:
- act efficiently, honestly and fairly when initiating CDR actions (section 56BZA);
- only initiate actions in accordance with a consumer's valid request (section 56BZB); and
- comply with existing privacy safeguards.
Section 56BGA provides for the inclusion of additional requirements on AAIs in the CDR Rules, in particular around the types of CDR actions, and requirements around instructions so that they are valid.
Similarly under the proposed Bill, ASPs must:
- not discriminate against AAIs, meaning they must accept all valid instructions from AAIs if they ordinarily perform actions of that type (section 56BZC). Importantly, Treasury has clarified that ASPs can still refuse an action if they would not ordinarily complete the requested action. For example, a bank would be permitted to decline to action a payment if the consumer does not have sufficient funds in their account.
- not charge a consumer a premium on action requests received through an AAI (section 56BZD(2)). For example, a bank is still entitled to charge a consumer a home loan application fee regardless of whether the application was received via the CDR regime. However, no additional fees can be charged to the consumer simply because the consumer submitted the application via an Initiator.
- not charge AAIs more than a reasonable fee to for processing the requested action. Providers would be allowed to charge a fee for receiving instruction from Initiators, (section 56BZD(1)). Importantly, the ACCC will monitor the fees charged for processing actions and may intervene to determine a reasonable fee (section 56BZE).
- comply with existing privacy safeguards (to the extent of the 'instruction layer'. See 'Extension of Privacy Safeguards' section below).
What actions can be initiated first?
The proposed Bill allows for the Minister to declare the different types of actions for which an instruction may be given under CDR. In addition, for each of these action types, the Minister can declare the classes of data holders of CDR data that are to be ASPs for that type of action (section 56ACA). Treasury has stated that prior to any declaration of an action type by the Minister, there will be a compulsory period of public consultation on the proposed action type. This will take into account factors such as competition, public interest, consumer interest and regulatory impact.
Consistent with the current CDR regime, following a declaration regarding an action type, the Minister will then make accompanying CDR Rules for that action type. These rules will cover recordkeeping, reporting and audit requirements, accreditation criteria, use of CDR data, how consent and authorisations will occur and fees, among others.
Extension of Privacy Safeguards
As raised above, the Bill intends to extend the existing CDR privacy safeguards to Action Initiation. In particular:
- there will be a focus on the instruction layer of the Action Initiation regime. This means these safeguards will only apply to ASPs to the extent they are operating within the 'instruction layer'. Otherwise, ASPs are to handle any data received during the 'action layer' in accordance with the Privacy Act; and
- the safeguards will always apply to AAIs, who are required to be Accredited Persons.
Treasury has provided a table of the proposed application of the CDR privacy safeguards to AAIs and ASPs.
Next steps in implementing Action Initiation
Action Initiation's implementation and the CDR's continued expansion in Australia will undoubtedly stoke increased competition between providers. Businesses who act first in taking advantage of Action Initiation will reap the benefits of the disrupted market.
If you are a business or person that could apply to become an AAI, you should consider how your business may benefit from the regime. While implementation is a challenge, there will likely be big rewards for organisations that move first on this front.
If you are a party that is interested in or may be affected by the rollout of action initiation, we encourage you to prepare a submission to Treasury and email it to [email protected]. Submissions on the Bill close on 24 October 2022. Guidelines to preparing a submission can be found in the submission guidelines.
We will provide further updates as the consultation proceeds. In the meantime, if you feel any of these proposed changes could impact your business, feel free to contact us for assistance.
For more information on the CDR, how you may be impacted and how you can benefit from the regime, please contact us.
Links to key material
Treasury Laws Amendment (Measures for Consultation) Bill 2022: Consumer Data Right – Implementing Action Initiation