16/03/2023: This guidance article was prepared by the ACCC, Data Standards Body and Treasury.
This knowledge article has been produced in response to CR557, which seeks to understand how authorisations relating to joint accounts and secondary users should be displayed on data holder dashboards.
In principle, an authorisation will always be visible on the data holder (DH) dashboard of account holders when the authorisation was initiated by another account holder (i.e. a joint account holder) or a secondary user. The status of the authorisation may change for the non-initiating account holder to an 'inactive' state if the authorisation has expired, or there are no longer any relevant accounts being shared as part of the authorisation. For example:
Relevant accounts no longer being shared in an authorisation
If a relevant account is no longer being shared as part of an authorisation, then the account should still be displayed in the non-initiating account holder's view of the authorisation. The authorisation may still display as ‘active’ to the non-initiating account holder if other relevant accounts remain in the authorisation, but the specific relevant account for which data is no longer being shared may be tagged as 'inactive' or ‘disabled’. The CX Guidelines for ‘Withdrawing approvals’ present a possible visual design solution for this state in relation to joint accounts.
If no relevant accounts are being shared as part of the authorisation, then the authorisation should still be displayed on the non-initiating account holder’s dashboard, but the authorisation itself should no longer display as ‘active’ to the non-initiating account holder. This is because the contents of the authorisation no longer relate to the non-initiating account holder. There are currently no CX guidelines demonstrating this state.
In both scenarios, the non-initiating account holder’s view of the authorisation may not always correspond with the actual status of the authorisation for the initiating account holder or secondary user. That is, the authorisation may display as ‘inactive’ for the non-initiating account holder despite the actual authorisation remaining active. Neither scenario would alter the status of the actual authorisation for the initiating account holder or secondary user, as accounts are dissociated from authorisations as per the technical standards.
The ceasing of sharing for a particular account can occur for several reasons, which may include:
- For all accounts: because the account being shared has become ineligible and is no longer supported by the data holder
- For joint accounts:
  - because an approval to disclose joint account data in relation to a particular authorisation has been removed under rule 4A.13(1)(d)(ii) of the CDR Rules; or
  - the disclosure option for that account has been changed to a 'non-disclosure option' under rule 4A.7 of the CDR Rules
- For secondary users:
  - because the secondary user instruction has been withdrawn by the account holder under rule 1.15(5)(b)(ii) of the CDR Rules; or
  - the disclosure of secondary user data to a particular accredited data recipient (ADR) has been blocked under rule 4.6A of the CDR Rules - this is currently required as of March 2023, but the Treasury is considering possible changes to the rules for this requirement
  - because an account holder has chosen to stop a secondary user disclosing data in relation to a particular authorisation - this is currently optional as of March 2023
Technical implementation
The technical implementation of these dashboard display options is at the DH's discretion, provided it remains compliant and produces the intended outcome. For example, a DH may implement functionality such that the relevant account is physically removed from the authorisation, and only visually displayed in the arrangement for record and historical purposes. Alternatively, a DH may implement this functionality in a way that the disclosure of data from the relevant account is technically 'paused'. However, regardless of the DH's choice of technical implementation, certain conditions may exist for who can re-commence data sharing and how data sharing for an account may re-commence, such as:
Joint accounts
- If the disclosure option is changed to a non-disclosure option, a joint account holder or secondary user of the joint account cannot re-share the joint account through a new or amended consent. In this instance, it would display as an unavailable account in the authorisation flow. Sharing from that account can only occur again if all joint account holders agree to a less restrictive disclosure option. If an approval for the relevant account has remained in place for an active arrangement, and a less restrictive disclosure option is re-introduced, then the sharing of data from that account must automatically re-commence.
- If an approval to disclose joint account data in relation to a particular authorisation has been removed, a joint account holder or secondary user of the joint account can add the joint account to a new or amended consent where the pre-approval or co-approval disclosure options apply to the joint account.
Secondary users
- If a secondary user instruction has been withdrawn, the secondary user cannot re-share the account data through a new or amended consent. In this instance, it would display as an unavailable account in the authorisation flow to the secondary user. If an account holder makes a new secondary user instruction for the same secondary user, the sharing of data must automatically re-commence for any of the secondary user's authorisations that remain active.
- If an account holder enacts the ADR block under rule 4.6A of the CDR Rules, the secondary user cannot re-share the account data with the specified ADR through a new or amended consent. In this instance, it would display as an unavailable account in the authorisation flow to the secondary user.
- If an approval for a secondary user to share data as part of a particular authorisation has been removed, the secondary user of the account can add the account to a new or amended consent.
- If an account holder gives a secondary user instruction, and the account holder then becomes ineligible under rule 1.10B, the secondary user instruction remains current unless withdrawn by the account holder.
See CDR Rules:
- Main section, div 1.3, 1.10B - Meaning of eligible
- Main section, div 1.4, subdiv 1.4.2, 1.13(1)(e) - Consumer request service
- Main section, div 1.4, subdiv 1.4.3, 1.15(5) - Consumer dashboard, Data Holder
If an account holder has withdrawn an instruction, removed an approval, applied the 'ADR Block', or set the joint account disclosure option to a 'non-disclosure option', then the DH must not disclose data relating to that account. However, the DH does not need to report these as 'refusals' to disclose data. This is because the account holder, not the DH, has made the choice to cease the sharing of data in relation to an account. As such, disclosure is prohibited by the rules, rather than being at the DH’s discretion.
When an account holder withdraws a secondary user instruction, the rules do not require a notification to be sent to the ex-secondary user.
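The display, disclosure and re-commencement behaviour described under 'Technical implementation', modelled with the 'paused' approach. This is an added example, not code from the ACCC, the Data Standards Body or the technical standards. The class, function and account names are hypothetical, and the sample authorisation is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class Stop(Enum):  # reasons the article gives for joint accounts and secondary users
    JA_APPROVAL_REMOVED = "rule 4A.13(1)(d)(ii)"
    JA_NON_DISCLOSURE = "rule 4A.7"
    SU_INSTRUCTION_WITHDRAWN = "rule 1.15(5)(b)(ii)"
    SU_ADR_BLOCK = "rule 4.6A"
    SU_APPROVAL_REMOVED = "account holder stopped sharing for one authorisation"

# The account may be added to a new or amended consent after these.
RESHARE_VIA_CONSENT = {Stop.JA_APPROVAL_REMOVED, Stop.SU_APPROVAL_REMOVED}
# Sharing must re-commence automatically once these are reversed.
AUTO_RESUME = {Stop.JA_NON_DISCLOSURE, Stop.SU_INSTRUCTION_WITHDRAWN}

@dataclass
class Authorisation:
    """Hypothetical 'paused' model: stopped accounts stay attached with their reasons."""
    expired: bool = False
    stops: dict = field(default_factory=dict)  # account id -> set of outstanding Stop

    def may_disclose(self, account):
        # Gate for every data request: any outstanding stop prohibits disclosure.
        return not self.expired and not self.stops[account]

    def actual_status(self):
        # What the initiating account holder or secondary user sees.
        return "inactive" if self.expired else "active"

    def view_for(self, holder_accounts):
        # Dashboard view for a non-initiating holder: only their relevant accounts count.
        tags = {a: "active" if self.may_disclose(a) else "inactive"
                for a in self.stops if a in holder_accounts}
        status = "active" if "active" in tags.values() else "inactive"
        return {"authorisation": status, "accounts": tags}

    def reverse(self, account, stop):
        # E.g. a new secondary user instruction, or a less restrictive disclosure option.
        if stop not in AUTO_RESUME:
            raise ValueError("the article describes no automatic re-commencement here")
        self.stops[account].discard(stop)
        return self.may_disclose(account)  # True: sharing has re-commenced

def selectable_in_consent_flow(stops):
    # Shown as available only if every outstanding stop allows re-sharing by consent.
    return all(s in RESHARE_VIA_CONSENT for s in stops)

def sample():  # constructed: joint accounts JA-1 (non-disclosure option set) and JA-2
    return Authorisation(stops={"JA-1": {Stop.JA_NON_DISCLOSURE}, "JA-2": set()})
```

Because the outstanding reasons are kept as a set per account, reversing a non-disclosure option re-commences sharing only when no other stop, such as a removed approval, is still in place.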