Frollo backs regulator’s warning on CDR compliance


Brandon How
Reporter

Australia’s largest accredited data recipient under the Consumer Data Right scheme has backed the regulator’s warning that it intends to take enforcement action to ensure compliance if the banks and other data holders don’t start sharing more information.

At the end of July, Australian Consumer and Competition Commission (ACCC) chair Gina Cass-Gottlieb said that the regulator would “consider enforcement action against data holders who are not meeting their obligations” under the consumer data right (CDR).

Reacting to the warning, FinTech firm Frollo’s chief information officer and interim chief executive Tony Thrassis highlighted two issues that are inhibiting the development of services by accredited data recipients, and where the regulator could step in to help.

Firstly, he is concerned with the range of data made available by data holders, particularly the availability of data classed as optional.

Secondly, the staggered and delayed rollout of the open banking system along with regularly missed deadlines added complexity to development, which in turn has limited the products data recipients can offer consumers.

Frollo chief information officer Tony Thrassis

Regarding the range of data available, which Mr Thrassis refers to as data quality, he noted that all banks in the open banking system currently provide data classed as mandatory, but some do not provide optional data.

The CDR guidance document for data holders describes data as optional if it is not expected that banks collect it. However, if optional data is held by a bank, it must be provided under the CDR. Optional data is different to voluntary data, which is not required to be available under the CDR rules. Examples of optional data include merchant names for purchase and biller information.

Mr Thrassis sees a role for ACCC compliance enforcement in this area as it can be hard for data recipients like Frollo to determine whether a bank collects optional data, but is withholding it. In a previous study undertaken by Frollo around 80 per cent of banks were providing optional data, with the average data holder sharing 87 per cent of the 26 pieces of data investigated by Frollo.

The CDR was first rolled out to the big four banks in July 2019 followed by the non-major banks in July 2021. The deadline for making data from different financial products was also staggered into three phases. Mr Thrassis said the staggered rollout has made it difficult for data recipients to develop their services.

“Imagine you’re an accredited data recipient and you’re trying to offer a service that’s holistic, well then you suddenly have to take into account what products are there and what products are not there. Then you have to think what happens with my product if it requires information from non-major banks, whose products are also phased.

“You’re dealing with a number of dimensions for your product to work. You have a choice, you either cater for all that or you just delay your product to your consumers until all that is in place.”

Many banks were not able to meet all their obligations by phase deadlines and have reported implementation gaps. With rectification plans in place, Mr Thrassis anticipates that most obligations will be met by the end of the next quarter.

However, the ACCC said it has “not endorsed these [rectification] proposals as a satisfactory resolution of non-compliance and may still take compliance or enforcement action where appropriate, in line with the ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right”.

Mr Thrassis also acknowledged that the process can be extremely complex for banks to undertake. He highlighted that data from business accounts may take longer if you consider that some organisations may have up to 500 representatives accessing a shared business account.

This has caused further delays in other open banking features. Changing joint account consent to opt-out was initially meant to come into effect in July but has been delayed by around three months. Non-major banks are also not required to share joint account information after the April 2022 deadline was extended to October.

Mr Thrassis said that some banks have been slow to comply because providers of their core banking platform and data holding solution have been unable to deliver a working system.

“It has been a problem for those banks that have used some of these common platforms, because the common platforms don’t have to comply, the banks have to comply. But they’ve got poor banking platforms and solutions being supplied to them causing them to not meet their obligations. That’s going to be difficult to enforce compliance,” Mr Thrassis said.

Do you know more? Contact James Riley via Email.

Leave a Comment