Question

This is a question to the ACCC regarding rule 4.25. See CDR Rules.

What is the intent behind offering the customer an alternative channel to withdrawing their consent via the dashboard?

Outages of eBanking are rare, short, and, where planned, arranged at times less likely to impact. If, for whatever reason, eBanking (and the dashboard) were temporarily unavailable, it would still be significantly quicker to wait for it to be returned to service and withdrawal performed via the dashboard than to write to us and request the bank to action.

Customers also have the ability to revoke consent via the ADR. Our intention was not to offer an alternative, as we understood the rules to offer this as a valid approach and we do not believe it is in the spirit of the regime (ie the consumer is empowered to manage their own sharing arrangements). We do not want staff managing customer consent and do not believe this is appropriate. We intend that our staff supports the customer if they require help, but that the customer always manages the sharing of their data. We welcome comment from both the ACCC and other ADIs.

Answer

This rule was amended earlier this year to enable more flexibility for data holders, and this query relates to a settled ACCC policy position that has already been subject to several public consultations.

Consent in the CDR must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn (see rule 4.9). Allowing consumers to be able to withdraw authorisation through an alternative channel supports the principle that consent should be ‘easily withdrawn’.

An alternative channel also ensures consumers are able to continue to interact with data holders regarding their CDR authorisations through channels they currently leverage and are familiar with in their normal banking experiences. We understand a number of the initial data holders have used telephone communication as their alternative channel. We consider this may also assist CDR consumers with lower levels of digital literacy.

We do not agree with the view that a data holder would be compliant if it only offered withdrawal of authorisation through the consumer dashboard. Rule 4.25 requires that the consumer must be able to withdraw authorisation at any time via the data holder’s consumer dashboard or a simple alternative method of communication. In order for a consumer to be able to withdraw via either method, data holders must make both methods available to consumers.

We also do not agree that an alternative channel means consumers are not managing their own sharing arrangements. The intention of the CDR is that consumers are in control of their data sharing, and we consider an alternative channel to increase consumer control.