Responses to the following questions reflect the CDR Rules as made on 22 December 2020.
The new rules give a data holder the ability to effectively treat the joint account as a singly-held account if the data holder considers that is necessary to prevent physical or financial harm or abuse. All of the below answers assume that is not the case.
- As per the scenarios outlined in the CDR - Rules - Joint account guidance scenarios pdf scenario 2, John has set the account election settings as 'Sharing Allowed' for Account 4 and Tom has not enabled the account election settings (None) for Account 4. In both account holders' dashboards this Account 4 will be displayed but unavailable for selection (as per the document it will indicate that the JAMS election step is not completed by one of the account holders.). Is this expectation correct?
- Should we anticipate that the banks will still allow selection and prompt a sharing request email or similar to Tom?
- Once Tom updates the account election setting to 'Sharing Allowed' (at a later point in time) for Account 4 - Is John required to follow the consent process again and re-consent in order to access data for account 4? Here we assume that consent associated with the initial access token only relates to account 1,2 and 3 and although account 4 was initially desired, it was unable to be consented to at that point in time by either party. Is there another mechanism that the Data Holders would implement in such a scenario? E.g. Acknowledging the request for account 4 data and simply preventing access to account 4 until consented to by both parties?
- Can you select an account where sharing has not been enabled by the other party of the joint account? If no, does this mean customer will have to repeat the process later?
- If yes, will that trigger a notification to second account holder?
- If yes, once second account holder authorises, will data begin to flow through for that account or is re authentication required anyway?
- The new rules do not prevent the account from being available for selection or authorisation. Instead, the application of the new rules mean that account 4 must be displayed and available for selection, and John must be able to indicate a disclosure option preference as part of the authorisation flow (clause 4.10). John may therefore provide an authorisation associated with the joint account without any input from Tom. However, data on the joint account must not be shared until a disclosure option applies (i.e. Tom has indicated a matching disclosure option preference). If the disclosure option that applies is co-approval, additional steps are required as per clause 4.11 of Schedule 3.
- Per Schedule 3 clause 4.7, the data holder would be required to notify Tom that John has indicated a disclosure option (election) on the joint account and invite Tom to select the same option. Clause 4.7 sets out how this should happen.
- Our answers above are likely to address this query where the authorisation is ongoing. However, for completeness, we note that for once-off authorisations, Tom would need to indicate a disclosure option in the short window before the ADR collects the data. The technical standards currently support a 2-10 minute window in which this must occur, but are looking to extend this window to 24 hours. If Tom does not indicate a disclosure option within this timeframe for the once-off scenario, John would have to commence a new consent process after Tom indicated a disclosure option.
Alternatively, if John wanted to add a joint account to an existing ongoing authorisation, the amended rules allow ADRs to invite consumers to amend their consents from July 2021. If an ADR supported this, John could use the amending consent mechanism to associate the joint account with the authorisation provided to that ADR.
- Yes, in flow election will allow you to select the account and a disclosure option. Data holders must implement in flow election under clause 4.10 of the rules.
- Yes, if one joint account holder indicates a disclosure option on a joint account clause 4.7 requires data holders to invite other joint account holders to indicate a disclosure option or no disclosure option on that account. Data holders are also required to notify joint account holders where a person gives, amends or withdraws an authorisation associated with a joint account, or if an authorisation expires, as per subclause 4.16(1).
- Generally, data will begin to flow through for that account once a disclosure option applies to the account, but please refer to the response above for more detail.