How does a consumer discover the base URI for the Product Reference Data (PRD) endpoint? Should it be advertised on the DH (Data Holder) website?
Accredited Data Recipients (ADRs) can determine the location of unauthenticated APIs via the PublicBaseURI via the CDR Register APIs.
DHs are also encouraged to submit their PRD endpoints to the the public repository of PRD data maintained by the DSB: https://github.com/ConsumerDataStandardsAustralia/banking-products-comparator/blob/master/public/datasources.json
The ACCC has provided this guidance:
Under rule 1.12 of the Competition and Consumer (Consumer Data Right) Rules 2020, a data holder is required to provide an online service that can be used to make product data requests to be disclosed in machine readable format and in accordance with the data standards. In this regard, the consumer data standards require the provision of unauthenticated API end points which are publicly available.
We understand that there may have been different interpretations of what making the PRD API publicly available constituted in practice. To avoid doubt, we consider that providing this information on a data holder’s website ensures the publicly available requirement of the standards is unequivocally met.
See Competition and Consumer (Consumer Data Right) Rules, Division 1.4, Subdivision 1.4.2, section 1.12 Product data request service.
Because public endpoints are accessible to API consumers beyond ADRs, public consumers that are not ADIs (Authorised Deposit-taking Institutions) benefit from DHs advertising the location of these APIs on their website.
No, different endpoints are not acceptable. It is expected that all public endpoints are accessible via the
PublicBaseURI meaning Get Status, Get Outages and PRD endpoints are available via the same
With a single unauthenticated end point that combines Get Status and Get Outages details for both unauthenticated and authenticated API's, consideration should be given to the consumers of Product Reference Data. These consumers have no access to the authenticated banking APIs, yet are given details about their status/outage. Are these details relevant to consumers of Product Reference Data?
Unauthenticated APIs including Get Status and Get Outages are intended to be available to public clients and consumers, not just ADRs. Knowing the status of the CDR availability for a DH is considered a useful service to non-ADRs. In a similar approach to open information, banks currently notify their customers of upcoming scheduled maintenance or unexpected outages.