From the Trenches: One-Year Retrospective on CDR Open Banking in Australia

In September 2022, we launched Consumer Data Right (CDR) open banking feeds, heralding a new age of sanctioned bank feeds for Australian users. Now that a year has passed, let's discuss some of the pitfalls we've discovered while onboarding users onto open banking feeds.

The future is bright for CDR open banking, but having an honest conversation about the state of CDR open banking as it applies in a personal finance context is essential — particularly during this time when the regulators are setting their sights on a world in which traditional bank feeds via screen-scraping can be deprecated.

Introduction

Last month, we attended Intersekt 2023, a fintech conference in Melbourne. Hon Stephen Jones, the Minister for Financial Services, delivered the welcome address. The clear focus was on the CDR, which was exciting to hear for both ourselves and Basiq, our data partners in Australia. It was clear that delivering quality data to consumers is a top priority for Treasury.

Likewise, the passion shown for CDR open banking data sharing was high amongst those at the coalface — ourselves, our contemporaries in personal finance software, and our data partners. We use this data to provide value to Australian consumers.

In this piece, we’ll discuss the barriers that stand in the way of CDR open banking being able to fully replace traditional screen-scraping feeds in PocketSmith. We hope this will allow you, the reader, to decide what sort of feeds you use in PocketSmith.

Barrier 1: Enduring consent doesn’t exist yet

We recently discovered that consent isn’t enduring under CDR open banking. This means that your consent to share your data between your bank and PocketSmith expires every year. Our understanding was that consent could be extended when required, and that many of the tools to enable extension had been documented by Basiq. In addition, extending consent is a straightforward process in other geographies that have introduced open banking (such as the PSD2 in the UK and Europe), so we assumed that the same would hold for the newer CDR open banking.

Sadly, though, extending consent does not work. For this reason, we’ve chosen to fall back to a defensive position — allowing consent for data access to expire after a year and guiding the user through re-authorizing these expired feeds.

We’re trying to understand why enduring consent is non-operational at this stage. It could be a deficiency in the current CDR legislation, which means that it’s impossible to extend Basiq’s consent to access your bank data. It is possible that enduring consent is simply under-tested and under-served because the majority of CDR use cases (e.g. credit and loans) don’t require it.

We understand the inconvenience of re-authorizing your feeds, especially when the process of establishing connections is unreliable with some banks. We’re sorry that the experience isn’t as good here as with traditional screen-scraping bank feeds, where enduring consent is the default.

We’re smoothing out the process by notifying you when your connections will expire and then giving you a straightforward method for reauthorizing. Our confidence is high that this will improve when September 2024 rolls around!

Barrier 2: Too many banks aren’t training their staff

If an error occurs during the CDR authorization process, customers are given a phone number to call to resolve issues.

When they do call, however, they might be told by bank staff that no third party data sharing exists, and further to this, that staff have no knowledge of the CDR.

So far this year, customer service staff from seven banks — from medium to some of the Big 4 banks — have spread this incorrect information to their customers.

This is despite these very same banks having sections of their website discussing CDR open banking data sharing available to the public.

In one case, one of our users reported that when they weren’t letting the bank off the hook, they and the customer service representative started laughing at the ridiculous stand-off they found themselves in.

In another, a bank has sent multiple letters to a customer in response to a complaint, on their official letterhead, stating that third-party data sharing under the CDR doesn’t exist.

This misinformation and demonstrable lack of knowledge erodes consumer trust in the CDR. All public information campaigns on the CDR go to waste if a customer calls their bank only to be told that third-party data sharing is unsafe and not allowed. Uptake of the CDR is based on mutual trust, and the banks are currently breaching that trust.

We’re raising these issues as they come up via Basiq, which are pushed through to the upper echelons of the bank. Unfortunately, the message is still not getting through, and we’ve heard more of the same from our customers in the past week alone.

Barrier 3: Data inconsistency between online banking and CDR data

It’s become apparent in the past year that the information users see in online and mobile banking differs from what is delivered via the same bank’s CDR APIs.

These range from differing transaction dates to more significant issues such as duplicate and missing transactions, and generic transaction descriptions that make money management nearly impossible for people who transact often. For example, you might be given an “APPLE PAY” transaction, without any other context.

We believe this difference is because the data exists in silos: the data displayed in online and mobile banking versus the data delivered over the CDR APIs. Without regulation covering the need for consistency between their platforms, screen-scraping will often win out in terms of data quality, because the data is retrieved directly from the online banking platform that the consumer uses.

This further erodes consumer trust in the CDR, as users see online banking as the verified source of truth, and yet that same data is delivered with different fidelity and details when accessed over CDR open banking.

Fortunately, we’ve been told that the ACCC is focusing on data quality for the remainder of this year, and we’re raising these issues with banks via Basiq when they get brought to our attention. However, it takes some time for fixes to be put in place for these issues, if indeed fixes will ever come without regulation around data consistency. There is massive variation in banks’ responsiveness to these data quality issues.

Security concerns notwithstanding, these are some of the reasons fintechs are still backing screen-scraping. Because gathering financial information directly from a website is inherently volatile, screen-scrapers have, over the years, developed extensive systems and internal consistency checks to ensure that data anomalies are dealt with.

When CDR was launched, the expectation was that these systems and checks would no longer be required. Transactions now had internally consistent IDs, and data wouldn’t spontaneously change — so the assumption was that the tight-rope walk of consistency checking would be a thing of the past.

Unfortunately, this wasn’t what the banks delivered with their CDR data. IDs would be missing or would change, or the data would change between one sync and the next. This means that data providers like Basiq are faced with back-tracking on the assumption of a clean pipe of transactions via CDR and re-implementing the consistency checks to prevent duplicate and missing transactions. This is still a moving target, and improvements continue to be made as new missing and duplicate transaction issues crop up.

The lack of data consistency between CDR data and online banking means traditional screen-scraping feeds win out here. These technologies retrieve consistent data directly from the online banking interface and are built defensively to address duplicate and missing transactions.
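To make the “consistency checks” concrete, here is an added example (not PocketSmith’s or Basiq’s code) of how a feed consumer can reconcile two syncs of the same account when the provider’s transaction IDs are missing or change between syncs, as described above. It trusts the ID where both sides carry the same one, falls back to a content fingerprint (date, amount, normalised description) with a small tolerance for date drift otherwise, and collapses exact repeated rows within one sync. The transaction shape and the two sample syncs are constructed for illustration; the one-day slack and the description normalisation are assumptions a real pipeline would tune per bank.

```python
"""Reconcile two syncs of CDR-style transaction data when provider IDs are unreliable.

Added illustration, not PocketSmith's or Basiq's code. The Txn shape and the
SAMPLE_* syncs below are constructed data.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: Optional[str]  # provider ID; may be missing or change between syncs
    posted: date
    amount_cents: int
    description: str


def fingerprint(t: Txn) -> Tuple[date, int, str]:
    """Content-based key used when the provider ID cannot be trusted.

    The description is normalised (whitespace, case, trailing reference digits)
    because those fields are the ones most often seen to change between syncs.
    """
    desc = re.sub(r"\s+", " ", t.description.strip().upper())
    desc = re.sub(r"\s*\d{4,}$", "", desc)  # drop a trailing reference number
    return (t.posted, t.amount_cents, desc)


def reconcile(previous: List[Txn], current: List[Txn], date_slack_days: int = 1):
    """Match every transaction of the previous sync against the current one.

    Returns (matched, missing, new):
      matched - (old, new) pairs judged to be the same transaction
      missing - previous transactions absent from the current sync
      new     - current transactions not seen before, exact repeats collapsed
    """
    unmatched_current = list(current)
    matched, missing = [], []

    for old in previous:
        hit = None
        # 1. A stable ID present on both sides is the strongest signal.
        if old.txn_id:
            hit = next((c for c in unmatched_current if c.txn_id == old.txn_id), None)
        # 2. Otherwise fall back to the content fingerprint, tolerating date drift.
        if hit is None:
            fp_old = fingerprint(old)
            for c in unmatched_current:
                fp_c = fingerprint(c)
                same_content = fp_c[1:] == fp_old[1:]
                close_date = abs((fp_c[0] - fp_old[0]).days) <= date_slack_days
                if same_content and close_date:
                    hit = c
                    break
        if hit is None:
            missing.append(old)
        else:
            matched.append((old, hit))
            unmatched_current.remove(hit)

    # Collapse rows the provider delivered twice in the same sync. Keying on
    # (ID, fingerprint) keeps two genuinely separate but identical purchases
    # apart when they carry different IDs; with no IDs at all they would merge,
    # which is the residual risk of ID-less data.
    seen, new = set(), []
    for c in unmatched_current:
        key = (c.txn_id, fingerprint(c))
        if key in seen:
            continue
        seen.add(key)
        new.append(c)
    return matched, missing, new


# Constructed sample syncs exhibiting the failure modes discussed above.
SAMPLE_PREVIOUS = [
    Txn("A1", date(2023, 9, 1), -450, "COFFEE CO 12345"),
    Txn("A2", date(2023, 9, 2), -12000, "Woolworths Metro"),
    Txn(None, date(2023, 9, 3), -3500, "APPLE PAY"),
    Txn("A4", date(2023, 9, 4), 250000, "SALARY ACME PTY LTD"),
]
SAMPLE_CURRENT = [
    Txn("B9", date(2023, 9, 1), -450, "COFFEE CO 12345"),      # ID changed
    Txn("A2", date(2023, 9, 3), -12000, "WOOLWORTHS METRO"),   # date and case changed
    Txn(None, date(2023, 9, 4), -3500, "APPLE PAY"),           # no ID, date drifted
    Txn("C1", date(2023, 9, 5), -1999, "NETFLIX"),             # genuinely new
    Txn("C1", date(2023, 9, 5), -1999, "NETFLIX"),             # delivered twice
]


def run_sample():
    """Reconcile the constructed syncs; returns (matched, missing, new)."""
    return reconcile(SAMPLE_PREVIOUS, SAMPLE_CURRENT)


if __name__ == "__main__":
    matched, missing, new = run_sample()
    print(f"matched={len(matched)} missing={len(missing)} new={len(new)}")
```

Run as a script it reports three matches (the changed ID, the ID-stable row with a shifted date, and the ID-less row with one day of drift), one missing transaction (the salary) and one new transaction after the duplicate row is collapsed. The point is that every fallback in `reconcile` is a check a clean, ID-stable feed would never need.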

Barrier 4: CDR is incomplete for the financial sector

Australians still cannot see all of their financial information in PocketSmith through the CDR because only the banking sector is covered, leaving out vast swathes of the financial industry.

Non-bank lenders were skipped in the first iteration of the CDR. This means data from these lenders — from credit card providers like American Express to dedicated non-bank home loan providers like homeloans.com.au — needs to be brought in via screen-scraping. Superannuation accounts — a core part of most Australians’ finances — can’t be connected via CDR open banking.

While some banks make business and trust accounts available under their CDR program, most avoid doing so even though the data is mostly the same as banking data: Accounts, balances, and transactions.

This means that people have an incomplete picture of their finances unless they fall back to traditional screen-scraping bank feeds, dramatically impacting a key use case for CDR data.

This is a poor introduction to the CDR for newcomers, who will find an incomplete regime that still requires a variety of methods — including screen-scraping — to access their data.

Despite it all, the future is bright

We remain optimistic about the CDR in Australia. The intent is great, most stakeholders are passionate, and the promised outcomes are coming to fruition. The CDR will continue to give consumers secure access to their banking data.

We’ve spent a year in the trenches, and these are the insights we’ve gained. We believe it’s important to bring you on the journey because we want you to feel secure in the knowledge that the issues you’re experiencing are not unique, that we recognize the flaws in the system, and that we’re doing everything we can to improve it.

The CDR is the coming together of different sectors: The government, the financial industry and fintechs, to produce something positive for all Australian consumers. These teething issues are the price of progress.

We’re hopeful that at our two-year retrospective, we’ll look back upon these times as a mere bump in the road. In the meantime, we will push for better-informed bank staff, simple methods of extending consent, and high-quality, consistent data available for all sectors of the financial industry.

When this happens, we’ll fully support the broader deprecation of screen-scraping technologies. But we’re not there yet.

In the meantime, we’ll always go to bat for you: Our users, the first movers, and the all-important C in the Consumer Data Right. We will keep working to ensure that all stakeholders are holding up their end of the deal so that you can get better visibility into, and control of, your financial lives.

This article is provided by PocketSmith: pocketsmith.com
