Consumer Data Right kicks off in energy

On Tuesday, energy became the second sector to enter the Consumer Data Right (CDR) ecosystem. This is the culmination of many years of hard work, effort, and resources, but has not been without significant hurdles along the way.

Here we take a closer look at how the big three retailers – Origin, AGL, and EnergyAustralia – navigated these challenges to deliver a multi-million dollar project for customers. The lessons learned are instructive for smaller retailers and other future data holders who are about to begin their own journey.

CDR in a nutshell

The CDR enables a customer to authorise a trusted third party to access their data for the services they use. The third party can then “read” that data to inform a customer about things (e.g. their energy use) or recommend them to make certain decisions (e.g. switching to a better credit card rate). Over time, the CDR will evolve to enable “write” access (third parties can initiate actions like the one above on behalf of the customer). Figure 1 shows the intended benefits.

Figure 1: Anticipated Benefits of CDR

Source: Australian Government

As of Tuesday, energy customers with either Origin or AGL can now use these CDR services, while Energy Australia customers will need to wait until May 2023.[i] Residential customers with other retailers will be able to start using the CDR from November 2023 onwards.[ii]

Where it all began

The concept of a CDR was born out of a Productivity Commission recommendation in 2017 about data availability and use. From this recommendation, the then Treasurer Scott Morrison declared that the CDR would be rolled out, sequentially, into three sectors: banking, energy, and telecommunications.

Work to prepare the banking sector for CDR began in early 2018. Having banking as the first cab off the rank gave energy and future sectors an opportunity to learn from their successes and mistakes. But it also created some dilemmas that persist today. When Treasury started to design the initial CDR rules and regulations, it seemed they were only for banking – for example, the first draft rules were titled CDR draft rules (banking). Energy stakeholders participated in the consultations regardless, but meaningful input was difficult because consultations were focused squarely around preparing banking.

As the CDR regime progressed however, it became clear the intent was for these rules to be general and apply economy wide (i.e. to all sectors). This created some impracticalities in the development of the general rules. For example, to help inform the privacy rules, energy participants were asked to comment on the assessment of risks associated with datasets – but these datasets were only relevant to banking, not energy.

The making of the energy rules

By early 2019, Treasury had split its focus and began contemplating what CDR in the energy sector might look like. To do this there would be a set of sector-specific rules that sit alongside the general rules. The sector-specific rules would address key design questions, such as:

• How will customer data be delivered in the energy sector?
• What are the priority datasets for delivery in the energy sector?
• Which energy retailers would start first?

These sector-specific rules laid the groundwork for the CDR in energy and took about a year to finalise. There was some agreement and some sticky differences between stakeholders about what the initial rules should look like. Data holders favoured an incremental approach that saw the CDR start small and grow over time proportionate to customer uptake. This would keep costs down and ensure stronger data protection, but would also limit the initial functionality of the CDR. In contrast, data recipients wanted a CDR with much higher functionality to entice customers to use it, but this would mean greater implementation costs and privacy risks.

The challenge of having sector-specific rules and general rules was illustrated when, midway through consultation on the energy sector-specific rules, Treasury announced a significant expansion of the general rules that saw the CDR’s functionality expand beyond data holder expectations into areas of tiered accreditation and giving data to non-accredited persons. This significantly increased the complexity of implementation as data holders now had to consider and prepare for new accreditation regimes while the rules for energy had yet to even be agreed upon.  

Then came the technical standards

Despite these complexities, it was only once the rules were final that the real work began. It was now time for retailers to begin building the technical standards that enable the CDR to function. Technical standards is a loose term to refer to the back-office processes that authenticate a customer’s identity, ensure customer data is delivered safely and securely, control the dashboard on a customer’s phone etc. Their development was coordinated through the aptly named Data Standards Body (DSB). For retailers with millions of customers, this was a gigantic task.

It required the recruitment of additional and dedicated IT experts, partnerships with third party solution providers, and millions of dollars in investment to build a safe and secure CDR ecosystem. These costs were only matched by the time spent, with the big retailers participating in two years of workshops, fortnightly catchups, implementation calls, and maintenance iteration processes with the DSB to ensure their ecosystems were ready for the go live date.

And not to mention, most of this work was done during a period of significant covid disruption.

So what are the lessons learned that future CDR participants should take heed of?

1. CDR implementation is bigger and more costly than you think

A constant challenge for both policymakers and industry has been estimating the breadth and depth of CDR implementation. This was no better illustrated than when the energy sector was required to do a major pivot on its data delivery model halfway through implementation. The original delivery model involved the Australian Energy Market Operator (AEMO) serving as a gateway between data holders and data recipients. But AEMO soon realised that building this gateway was going to be prohibitively expensive, so it was agreed to shift to the peer-to-peer model used now where retailers provide the data directly to third parties on behalf of the customer.  

Energy found that its challenges with ascertaining the size and cost of implementation were echoed in its conversations with banking. There were so many unknowns like the one described above that stretched already tight timeframes. Future data holders would do well to keep this message in mind when starting their own implementation journey.

2. Banking is the front runner and sets the pace of reform

The government desire to see the CDR’s functionality continually grow means there are regular consultations to expand the rules. These consultations are framed around the progress of the CDR in banking and draw on banking-centric use cases to showcase the opportunities and risks of future expansion. The challenge is, though, that these reforms are part of the general rules so capture all CDR participants.

As has already been alluded to, this has created an ongoing dilemma for energy (and future data holders) which must grapple with building its own systems, while also keeping one eye on how the general rules are expanding. An example of this was only last month when Treasury began consultation on introducing action initiation into the CDR – a significant expansion. While energy data holders participate in these consultations in good faith, it is ultimately a tough ask to assess the benefits and risks of expanding the rules, when the initial rules are still being implemented.

3. An economy wide CDR is easier said than done

From the outset, industry has supported, and continues to support, the intent of Treasury to make the CDR economy-wide. This means that the rules and functionality should, to the extent possible, apply consistently across all sectors to give customers a seamless experience. 

But as the rubber hit the road, it was apparent there are some differences between sectors that cannot be resolved. An example of this came in the form of joint accounts where it was discovered that the joint account holder arrangements used in banking and energy were irreconcilably different and any agnostic standard would be highly confusing for customers. Positively, industry worked together with Treasury and the DSB to come up with a workable alternative.

Similar challenges lay ahead for consent arrangements. The energy sector has unique consent obligations through its requirement to obtain Explicit Informed Consent (EIC) from a customer. This EIC requirement is strict and poses a higher standard for obtaining customer consent than what data recipients are used to. Foreshadowed reforms to consent are seen by many in the energy industry as lowering protections for customers and incongruous with existing obligations to capture and store consents.[iii]

These types of highly esoteric but important granularities have shaped implementation and will continue to occupy significant time as the CDR expands.

4. The CDR can’t exist on hype alone

There is no shortage of speculation about the types of services and offerings that the CDR can provide to customers. It has been envisaged that the CDR can be used to switch a customer to a new energy provider, put them on a better mortgage rate, or even serve as a type of “life admin” that does all these things automatically. But building the regulatory and technical groundwork to enable these possibilities is expensive, and right now, not nearly proportionate to the (low) customer uptake.

At some stage, the current philosophy of “build it and they will come” will need to be reconsidered. There have been government reports in the past raising concern about the low customer awareness and recommended educational campaigns to remedy this.[iv] Likewise, the recent Statutory Review saw a need to let existing systems mature before new expansions are rolled out.

What’s next for the CDR in energy?

Despite the enormity of effort to date, Tuesday only marks the beginning of CDR in energy. For those big retailers that have started, another suite of reforms awaits implementation within six months’ time. Meanwhile, for the remaining retailers, they will need to start preparing for their initial implementation this time next year.  

If the experience to date has taught us anything, it is that every day counts.

[i] Energy Australia was initially scheduled to commence from November 15 but received a six-month extension to its implementation date.

[ii] A full definition of retailer categories for CDR can be found at https://www.cdr.gov.au/rollout/cdr-energy-sector. Retailers below the threshold of 10,000 small customers do not have data holder obligations, unless they wish to participate voluntarily as data holders.

[iii] Australian Government, Future Directions for the Consumer Data Right’, October 2020, https://treasury.gov.au/sites/default/files/2021-02/cdrinquiry-final.pdf, p40.

[iv] The Senate, ‘Select Committee on Financial Technology and Regulatory Technology’, Commonwealth of Australia, Interim Report, September 2020, p219.