The government’s commitment to the development of an effective and robust data-sharing ecosystem will be tested over the second half of the year as reluctant industry participants consider a self-governance framework.
Barring a miracle, Australia’s financial institutions will fall well short of meeting the Productivity Commission’s recommended cut-off of 30 June for a “critical mass” or 40 per cent of the nation’s retail credit accounts to be captured under Comprehensive Credit Reporting (CCR).
While the Turnbull Government has committed to introducing an open banking regime, it has not yet formally responded to the May release of the Productivity Commission’s report into data availability and use of public and private sector data.
According to Australian Retail Credit Association (ARCA) consultant, David Grafton, Treasury is likely to proceed with more forceful measures if the industry continues to drag its feet and he expects some form of mandatory compliance regime by early 2018 if an industry-wide governance framework cannot be agreed on in the next few months.
Likening consumer credit providers to “kids holding hands around the pool but nobody jumping in”, Grafton said the benefits from data sharing would not be realised unless there is a clear governance framework in place that “engenders trust and balances commercial interests against those of consumer protections and privacy; a framework that currently does not exist”.
As the author of an ARCA White Paper - Emerging Trends in Data Sharing and Open Data: A Perspective for Consumer Credit Providers – Grafton argued that the key concern is to strike the right balance between consumer interests - such as data ownership rights, consent, privacy protections, data quality and security - and commercial interests including the monetisation of shared data, reciprocity, fair value exchange, liability of third parties and permissible purpose.
While there is considerable literature on the general benefits that derive from wider data sharing, in an Australian context it will realistically take two major banks or one major bank, an international bank and a credit card provider to provide the tipping point for an open-data environment.
Three years after the soft launch of CCR in March 2014 and little progress appears to have been made, which Grafton attributes to a “growing recognition that the regulatory environment in Australia is not adequate to manage the new initiatives and business models emerging in the data economy”.
“The Productivity Commission for example has explicitly recognised the need for ‘fundamental and systematic changes’ in this regard, including a new Data Sharing and Release Act and a set of ‘comprehensive rights’ for consumers that will maximise the benefits from data sharing whilst retaining key consumer protections,” he said.
Accordingly, Grafton argued, any new governance framework should seek to balance privacy concerns with economic and consumer benefit, adopting principles–based regulation and rely for operational purposes on a self-regulating code of conduct.
“The credit reporting arena provides a possible blueprint for this, comprising the overarching regulatory framework (Part IIIA of the Privacy Act), supported by a set of regulations (the Credit Reporting Code) and underpinned by a self-regulated industry ‘code of conduct’ (the Principles of Reciprocity and Data Exchange or PRDE) and a common data standard (Australian Credit Reporting Data Standards or ACRDS),” he said.
“Importantly, this framework limits the role of a regulator to ensuring regulatory compliance and leaves industry to work out and govern the myriad operational details and complexities and day-to-day intra-organisational commercial and conduct issues.”
Another issue when contemplating regulatory oversight is the question of ‘which regulator’, with Grafton’s analysis of best practice in overseas markets suggesting an economic function such as the Australian Securities and Investments Commission is preferable to a privacy function such as the Office of the Australian Information Commissioner.
“Either way, it is debateable whether an optimal balanced outcome would result should only one of these two alternative regulatory viewpoints have sole oversight over the data ecosystem,” he said. “A regulator tasked with the protection of privacy is inherently at odds with the notion of optimising data utilisation in pursuit of economic gains.”
Similarly, an economically mandated regulator aiming to optimise economic productivity or minimise prudential risks, while not blind to these matters, will not be primarily concerned about privacy issues.
However, compliance with potentially conflicting regulatory rules of conduct is far from ideal and suggests other options should be considered.
“The option of a new ‘Data Regulator’ as proposed by the Productivity Commission Inquiry into Data Availability and Use could better address this need, provided its mandate was appropriately framed to ensure that a transparent and sustainable balance between consumer privacy and commercial productivity would be achieved,” said Grafton.