Preparing for the Consumer Data Right: Balancing opportunity and risk
With the Consumer Data Right (CDR) underway in the banking sector, attention has now shifted to getting the energy sector CDR-ready.
The CDR offers immense opportunities for innovation in the way customers interact with the energy sector, but these opportunities must be balanced with strong privacy and data security protections. Here we take a look at the steps retailers are taking to prepare for the CDR while balancing these considerations.
What the CDR means for customers
The CDR is a landmark reform that aims to transform the way customers engage in retail markets. Previously covered here, the CDR is all about competition and empowering customers. It is based on the idea of putting data collected by companies about their customers back into the hands of those customers and their trusted agents to drive competition between suppliers.
By granting customers the right to access, use, and manage their own data, it will be easier for customers to compare and select products. Customers will be able to provide their data to accredited third parties, which can then use that data to offer products or services that are personalised to the customer’s circumstances.
This type of interaction provides immense opportunities for innovation in the way services like banking and energy are delivered. A recent Treasury Inquiry into Future Directions for the CDR contemplated the potential for the CDR to assist with “life admin”: Customers could make a trusted third party responsible for organising the essential activities of a customer.[i] With consent, this third party could swap a customer to a cheaper mobile plan or a bank with lower fees.
While the full possibilities of a more mature CDR are still down the track, as of 1 July customers with one of the four major banks can experience the first iteration, known as Open Banking. These bank customers can request data about their deposits and transaction accounts, and credit and debit cards. Further datasets like home loans will be accessible from 1 November.
Overseas experience suggests that it will take some time for customers to build trust and awareness of the CDR. The UK’s big banks started sharing data with their customers at the start of 2018 with a slow early adoption rate, but it has since been gradually building. It was reported that the Lord Mayor of the City of London, William Russell, described their system as a “slow burn”, but added “I think that is exactly what we should expect here … (It) is not something that happens overnight. And it is also not something that customers acknowledge in a short space of time. Sometimes, there is a catch-up phase.”[ii]
While uptake levels in Australia’s banking sector are expected to follow this trend, this “slow burn” of early adoption is not a bad outcome. To unlock the opportunities of the CDR it will be critical that data security and privacy remain front and centre, and a “slow burn” will allow for these security protections to be thoroughly tested. Future sectors, like energy, continue to closely monitor how these protections operate in practice.
Preparing for the energy sector
The day before the CDR became active in banking, the Federal Government passed legislation formally designating the energy sector as next in line.[iii] The legislation confirmed the Priority Energy Datasets (i.e. the type of information) that customers will have initial access to as well as the scope of its application. Residential customers on an electricity or generic gas offer (or a bundled offer) will have access to, among other things, data about how much energy they have used, their billing history, what electrical appliances they have that are subject to special rates (e.g. controlled load) and the tariffs and usage charges of their retailer.
As the primary data holders, retailers are now working with stakeholders like the Australian Competition and Consumer Commission (ACCC) and Data Standards Body to develop an energy rules framework that ensures this data is managed in the safest possible manner. Some of the major discussion points are:
Currently there is only one level of accreditation, known as ‘unrestricted’. This means a third party (known as an accredited data recipient or ADR) must comply with all privacy and security obligations to receive access to customer data. Tiered accreditation would enable ADRs to be subject to fewer obligations and, in return, only have access to less sensitive data. The objective of tiered accreditation is to enable more third parties to participate by reducing compliance costs.
Except for data that is already publicly available, it is probably not quite the right time to be considering tiered accreditation. Given that the CDR is primarily a right for the consumer, the focus should be squarely on having strong privacy and security protections in place for the CDR’s commencement into energy. While banking will offer some insights into how these protections work, energy has a fundamentally different data access model known as the Australian Energy Market Operator (AEMO) gateway model that will require its own testing.[iv] In these early stages a “better to be safe than sorry” philosophy should be adopted to ensure data is managed appropriately and customers can develop trust.
The guiding rule for CDR eligibility is that a consumer must have an account with a retailer. This raises additional questions about whether certain groups should be added to, or excluded from, this rule. Some exceptions have broad acceptance, such as regulators and retailers agreeing that minors should be excluded due to the high security risks. But different views remain on whether to exclude categories like ‘inactive’ accounts (the account a customer has with its old retailer), ‘offline’ customers (customers who do not have an online account) or large commercial and industrial customers.
Given the expected initial low uptake of the CDR by customers, the implementation and compliance costs of including inactive accounts and offline customers may outweigh any customer benefit. For offline customers, there needs to be greater clarity as to how a digital service can safely and securely support offline customers before a decision is made. With respect to commercial and industrial customers, these large customers already have bespoke data sharing arrangements with their retailer and so are unlikely to benefit from the CDR.
The ACCC is currently considering two models for customer authentication: Model 1 requires data holders, such as retailers, to carry out customer authentication, while Model 2 gives the gateway (AEMO) a more significant, centralised role.
Model 1 appears to be the safer option for all participants as it poses less risk. It allows retailers to leverage their existing relationships with customers to develop a robust system of authentication. Retailers are more familiar with the privacy and security obligations associated with authenticating a customer, as similar processes are already embedded in the way retailers interact with their customers. This is consistent with a recent Privacy Impact Assessment of the CDR in energy, which found Model 1 has comparatively fewer privacy risks.[v]
The idea of expanding the CDR to cover ‘write access’ was recently considered in both the Treasury inquiry and the Australian Energy Market Commission’s (AEMC) annual Retail Energy Competition Review.[vi] Write access involves customers authorising third parties to add, change, and manage their data on their behalf. In the energy sector, it could involve switching a customer to a better deal based on an analysis of that customer’s data.
While the potential uses of write access are wide-ranging, so are the security risks, and therefore it should be considered once the CDR ecosystem is tried and tested, rather than at its commencement. Retailers must follow strict rules when switching a customer (such as gaining their Explicit Informed Consent) to ensure the customer understands what they are agreeing to. Allowing third parties to potentially switch customers without these protections risks creating poor customer outcomes.
These risks were also highlighted in the ACCC’s Retail Electricity Pricing Inquiry report, which recommended introducing a mandatory code of conduct that requires third parties to act in the best interests of the customer.[vii] This recommendation should be implemented before write access is entertained.
While there is still some time until the CDR is ready for the energy industry, retailers continue to work closely with government, regulators and other stakeholders to make sure its implementation is as smooth, safe, and cost-efficient as possible. The reform offers great opportunities for customers, who can take more control of their energy data, especially as more “smart” devices become increasingly connected, while driving increased competition between suppliers.
For more on the Consumer Data Right visit https://www.cdr.gov.au/.
[i] Treasury, ‘Inquiry into Future Directions for the Consumer Data Right: Issues Paper’, Australian Government, March 2020, p3.
[ii] James Eyers, ‘Expect open banking to be a slow burn’, Australian Financial Review, 15 June 2020, https://www.afr.com/companies/financial-services/expect-open-banking-to-be-a-slow-burn-minister-20200612-p551xv.
[iii] Consumer Data Right (Energy Sector) Designation 2020.
[iv] ACCC, ‘Consumer Data Right in Energy: Position Paper – Data Access Models for Energy Data’, August 2019, https://www.accc.gov.au/system/files/ACCC%20-%20CDR%20-%20energy%20-%20data%20access%20models%20position%20paper%20-%20August%202019.pdf.
[v] KPMG, ‘Consumer Data Right in the Energy Sector: Supplementary Privacy Impact Assessment for the Commonwealth Department of Treasury’, 30 June 2020, p9.
[vi] Treasury, ‘Inquiry into Future Directions for the Consumer Data Right: Issues Paper’, Australian Government, March 2020; AEMC, ‘2020 Retail Energy Competition Review’, 30 June 2020, https://www.aemc.gov.au/sites/default/files/documents/2020_retail_energy_competition_review_-_final_report.pdf.
[vii] ACCC, ‘Retail Electricity Pricing Inquiry – Final Report’, June 2018, recommendation 34.