Background: Self-reporting implementation gaps
The purpose of this article is to provide guidance to data holders about the ACCC’s expectations regarding information provided about compliance gaps (also known as implementation gaps) for inclusion on the active data holder rectification schedule.
The ACCC expects data holders to self-report potential non-compliance with CDR obligations. When self-reporting, data holders should provide clear, accurate information.
The ACCC’s active data holder rectification schedule lists data holders who have self-reported potential non-compliance with various CDR obligations. Data holders may self-report implementation gaps via the rectification schedule submission process outlined in the Service Management Portal User Guide.
The ACCC publishes the information provided by data holders on the CDR website to provide transparency for accredited data recipients and consumers on the types of implementation gaps and when they will be resolved.
The ACCC considers all reports of potential non-compliance in line with the ACCC/OAIC Joint Compliance and Enforcement Policy for the CDR. Listing an issue on the active data holder rectification schedule does not preclude the ACCC from pursuing compliance or enforcement action in line with this policy.
Guidance for clearly articulating compliance gaps
When describing compliance gaps, data holders should adhere to the following principles:
- Do not use generic descriptors. Be descriptive and include specific references to the obligation affected:
  - Generic: “Some details not disclosed”
  - Specific: “Get Account Details API version 3 is not currently available. Calls to the version 2 endpoint are functioning as normal.”
  - Generic: “Open Banking CDR Standards v1.23”
  - Specific: “Not supporting Authorisation Code Flow as an OAuth authorisation flow, as required by version 1.23 of the CDR Standards”
  - Generic: “GetMetrics v4”
  - Specific: “Unable to deliver the GetMetrics v4 endpoint by the compliance date of 1 November 2023, as required by the Consumer Data Standards”
- Ensure the language is appropriate for the likely audience of the compliance gap, which may include informed consumers, by using plain language and avoiding acronyms and codes. Gaps that are only likely to be encountered by data recipients can use more technical language:
  - Technical: “CX Flow terminates with 404 when a non-individual consumer doesn’t correctly complete account selection”
  - Simplified: “Business and joint account holders receive a 404 error if they do not select an account”
- Define acronyms in full, even commonly used ones, such as FDO (Future Dated Obligation), IB (Internet Banking), OTP (One-time password) and NPP (New Payments Platform).
- Use standardised language that is referable to external sources:
  - “Endpoint response times are not currently compliant with the non-functional requirements of the Consumer Data Standards”
- Include information that clearly communicates the extent and nature of the compliance gap. High impact compliance gaps should be more descriptive and make clear what the likely impact is. Low impact compliance gaps can be less descriptive but must still provide enough information for the likely audience to understand them:
  - Unclear: “Data presented via the CDR APIs is not commensurate with data presented via the primary digital channel”
  - Preferred: “Data disclosed through the Get Transactions endpoints is not commensurate with data shown via the primary digital channel. Data may be delayed by 1-7 hours.”
  - Generic: “Customers on legacy platforms do not experience commensurate latency”
  - Specific: “Customers with ‘Business Bank’ branded products may experience delays of up to 100 milliseconds”
  - Generic: “One time password when providing consent is not working”
  - Specific: “One time passwords are not currently being accepted for certain consumers, meaning some consumers cannot currently share their data via CDR”
Where an entity involved in CDR has concerns about their own compliance, or the compliance of others, we encourage them to contact the ACCC CDR Compliance Team via accc-cdr@accc.gov.au, or use the report and enquiry functions on the CDR Website. Queries may also be raised via the CDR Support Portal.