Response to Review into Open Banking in Australia – Final Report


23 Mar 2018
  • Compliance and Regulation

Mr Scott Farrell
Open Banking Review Secretariat
The Treasury
Langton Crescent
Parkes ACT 2600         

By email:

Dear Mr Farrell,

Re: Response to Review into Open Banking in Australia – Final Report

Amstelveen welcomes the opportunity to respond to the Commonwealth’s Review into Open Banking. We support the implementation of an Australian Consumer Data Right and have identified a number of pertinent considerations for its application within a banking context.

We understand that the overall purpose of Open Banking is to give consumers greater control over sharing of their data. This is intended to enable more accurate product offerings for consumers and enhance competitiveness in the financial services industry.

In this submission we have identified four considerations worthy of further attention.

1. Include other payment providers and credit reporting agencies within the scope of Open Banking

In its current form, Open Banking does not require non-ADIs to be subject to the data sharing requirements. This includes credit reporting agencies and payment providers, and most critically the New Payments Platform (NPP). The submission highlights that the proposal only covers banking data and hence that these data recipients should not be within scope. However, there are a number of payments services and credit reporting agencies that hold customer data that is intrinsically linked to providing banking services. Our view is that they should also be considered under the Open Banking framework.

The NPP, launched in February 2018, is an industry-wide initiative made up of a consortium of participating financial institutions, which aims to roll out real-time clearing and settlement of payments. Along with supporting payments innovation, one of the primary benefits of the NPP is reduced switching costs for consumers. The cornerstone of this is PayID, the payment addressing service. Customers can link their phone number, e-mail address or ABN to their bank account and use this to address payments rather than their BSB/account details. It is envisioned that in the future this will simplify the process of redirecting direct debits to a new bank account, as a customer only needs to port their PayID rather than update all direct debits. However, these PayID linkages are currently stored by SWIFT in a proprietary database on behalf of NPP termed the ‘addressing service’. Access to these linkages as part of a data sharing regime could prove useful for merchants and payments innovators in offering payment and direct debit services.

Likewise, access to data held by other payments providers, such as BPay and PayPal, could also help in achieving the objectives of Open Banking. PayPal, for example, holds transaction records of customers just as ADIs do and BPay holds records of bill payments for small, medium and large businesses. Access to this data would also promote competition and innovation in payments – the most critical of banking services.

Lastly, credit reporting data is crucial to providing lending services. Innovative lending services such as those based on a model of peer-to-peer lending, for example SocietyOne, MoneyPlace, etc., rely on credit reporting data. Access to this data was already acknowledged in the Open Banking report as an advantage for incumbent banking providers. The Australian Retail Credit Association (ARCA), which is made up of the major banks and credit reporting bodies, already has a set of standards and data schemas in place for the sharing of credit reporting data. Overlaps with these standards and schemas should be considered in the context of those developed as part of the Open Banking Framework.


  • Consider the feasibility of expanding the scope of Open Banking regulation to include access to PayID data as part of the NPP, as well as key payment data such as transactional records that are held by payment providers such as PayPal and BPay.
  • Examine opportunities to collaborate with the ARCA on data exchange standards and schemas.

2. Address points of friction for consumer consent and privacy

It has been proposed that customers should be able to provide persistent authorisation for access to their data; however, it is also stated that ‘all authorisations should expire after a set period’. These two recommendations appear contradictory.

The notion of using a set expiry is clearly aimed at mitigating the risk that a customer forgets that a persistent authorisation has been granted. With expiry applied to authorisations, the impact is reduced, as the period during which a customer’s data is accessed without their intent is decreased. However, despite the application of a time limitation, consumers will inevitably fail to keep track of authorisations which have been granted. This is particularly the case in an environment where consumers often use multiple banking and financial services providers.

The review attempts to address this risk by proposing that customers should be able to manage authorisations transparently. It appears to imply that this would be an obligation on the part of banking providers themselves. Given that a single person may have multiple banking providers and a series of authorisations provided to each, it may be worth considering the creation of a central location for accessing banking data authorisations. This would not be unprecedented; the Australian Taxation Office operates a ‘Find My Super’ service which provides a central location for users to locate their Superannuation accounts.


  • Consider the creation of a central location for customers to access details of banking data authorisations which they have provided.

3. Given the failure rate of technology changes, consider allowing a longer timeline for implementation

The technical process of implementing Open Banking will be a large undertaking for affected data providers. Their provision of banking data externally will necessitate careful consideration of system design and development. Banks tend to operate complex legacy systems, so the addition of externally-facing APIs will be time-consuming.

The complexity of performing technology changes on customised systems means that they have a relatively high rate of defects. Rigorous testing will be required and controls around fraud prevention, monitoring, sanction screening, redundancy and reconciliation will need to be considered. The proposed 12-month timeline for implementation may increase the risk that quality is compromised, or that control requirements, which are often considered a lower priority than delivery of functionality, are descoped.


  • The review has proposed a phased approach which focuses on implementation by larger ADIs first; it should go further by providing a longer timeframe for technical implementation of the framework. In addition, the review should identify the specific priority of requirements to be developed and a phased timeline for delivery of those requirements. Phasing and prioritisation could also be performed by data type.

4. Undertake a more rigorous identification of the benefits of implementation

One of the stated aims of Open Banking is to enable easy transfer of banking services between providers. As described earlier, this benefit will be enabled through the NPP, which has already commenced implementation. It is worth specifically identifying the remaining benefits to enable an effective assessment of the viability of implementation, given the significant costs and risks. These benefits will also be a key indicator of potential consumer uptake.

If Open Banking is implemented, early and specific identification of benefits will also enable the relative success of the framework to be measured, which will be a useful input to the application of the Consumer Data Right to other industries and contexts.


  • Identify the intended benefits of the Open Banking framework and confirm that they are sufficient, given the implementation costs and risks.
  • Consider early measurement of benefits after the initial phase of implementation, as an indicator of whether to continue rolling out the implementation to smaller entities and other data types.


We hope that the identified considerations are useful in the design of the Open Banking framework. We would welcome the opportunity to discuss these in further detail at any time in the future.


David van Gogh
Managing Director

Phone:     +61 422 229 683
Address:  Level 11, 570 George Street, Sydney NSW 2000
