Introduction
I spent five absorbing and intense years working on the Consumer Data Right (CDR), initially on the industry side with the ABA and then as the General Manager of the Data Standards Body. I’ve stepped away for now, but I still strongly believe in the importance of providing consumers with safe, secure, and convenient access to their own data.
With somewhat fresh eyes after a couple of months away, I'd like to share my overall thoughts on how the CDR might be improved. These are just my personal opinions, but I think I'm in a fairly unique position as someone with a deep understanding of the CDR who no longer has a dog in the fight. I have no position to defend, no advantage to play for, no money at stake. I can just say what I think. Which doesn't mean I'm right of course, but I'd hope it at least makes my views worth considering.
Disclaimer: I've written this piece for people already steeped in the many nuanced vagaries of the CDR. If you find you need explanations of words or concepts, I recommend the cdr.gov.au website as a starting point.
There are of course many differing opinions about the current strengths and weaknesses of the CDR. Many of these opinions are highly contextual, with, for example, large data holders understandably prioritising different concerns to those that agitate start-up data recipients. For the purposes of this document I hope to avoid all those rabbit holes and instead take a broad perspective to identify the root causes of underperformance.
I’m conscious of the risk of seeming overly negative in writing this, which isn’t my intent. Given the ambition and scale of the CDR, it’s a small miracle that it’s been as successful as it has been. When first exposed to the goals of the CDR back in 2018 even I thought the CDR would most likely be derailed by its own complexity and/or active opposition from status quo players. Yet today the CDR lives and breathes and grows. This is a testament to the dedication and commitment of all involved, both within government and without.
That said…
What is holding the Consumer Data Right back?
1. Inadequate governance structure
The original sin of the CDR must surely be its governance structure. Despite endless requests from stakeholders the CDR has no operating entity, just a wishful hope that enforcing the Rules backed by standards will be enough.
Four distinct entities (Treasury, the ACCC, the OAIC and the Data Standards Chair) play key roles but none of them is explicitly in charge. While Treasury is ostensibly the lead agency, they don’t have the authority to tell the other agencies what to do. Everything relies on collegiality, which works well until it doesn’t. To make things worse there’s been a strong tendency to act as if conventional governance does exist - for example there’s a “Board” and a “Steering Committee” assisted by a “Project Management Office” administering a “Change Facilitation Process”. None of which can require anyone to do anything. Their only practical role appears to be to divert attention away from the fact that, in the event of any substantive disagreement between agencies, the program is effectively ungoverned for all but the biggest issues.
The only real authority over the whole of the CDR resides with the Minister. To a degree this is fair enough as the potential whole-of-economy impact of the CDR warrants strong and direct parliamentary oversight. In practice this is unworkable though as no Minister can ever be expected to stay on top of the complexities and nuances of day-to-day operations.
To be clear, I’m not suggesting that there have been any major inter-agency conflicts. In my experience everyone works together remarkably well, all things considered. The issues I’m pointing to here are (a) the lack of clear accountability for success, and (b) the constant risk of important issues falling through the cracks between the agencies.
2. Unclear focus
In principle the CDR has some clear goals. It exists to promote competition and innovation, to empower consumers to use data held about them for their own benefit, and it aims to promote a robust and trustworthy data economy. But how should these goals be prioritised in the real world where time and funds are always constrained? My perception has been that none of these goals have been pursued consistently or well.
Promoting competition implies a strong focus on enforcement, as this goal inherently requires a realignment of market power and thus strongly incentivises non-compliant behaviours at all levels by the current market “winners” (i.e., large data holders, which to date equates primarily to the major banks).
The large data holders are, by definition, the ones with the resources and incentive to lobby hard and exert influence on the CDR's design and roll-out. The government, and particularly the ACCC, have stood their ground well, all things considered. Yet, five years in, I’d struggle to point to any substantive change to the competitive landscape. I also suspect that the major data holders are feeling fairly relaxed still, which wouldn’t be a good sign if enhanced competition really was the goal.
Promoting innovation implies a focus on start-ups and fintechs, which would arguably be best served by providing targeted incentives (such as hackathons with prize money) and the active provision of technical and regulatory assistance to cash-strapped garage operations with big ideas.
Instead there has been a “build it and they will come” mentality. That is, there has been a reluctance to focus on high-value use cases and a determination to leave it to the market to figure out how to make a profit out of the CDR. This would have made sense if the CDR offered obvious commercial wins. The reality has been that the CDR is complex and expensive to build for. It’s not necessarily obvious that it makes sense to allocate capital towards it. Some pump priming by the government could have sped things up substantially.
Empowering consumers implies consumer-centric design with a strong emphasis on co-designing with consumers and consumer advocates to understand what is needed and valued, followed up by research to validate that what gets built ends up meeting consumer expectations.
The consumer-centricity, or lack thereof, of the CDR could be a topic for several essays. I’ll limit myself to a few pointed observations:
The only dedicated Consumer Experience (CX) research and design capability resides in the Data Standards Body. There’s no official CX input at a policy level.
Consumer representative bodies chose, after years of volunteer contributions at great cost to their limited budgets, to withdraw from engagement with the CDR because they simply couldn’t afford to remain. I don’t know the current status of this “strike”, but it really should never have been necessary. How do you craft a workable consumer data right with little or no meaningful consumer input?
Cheaper mortgages would really matter to a lot of people right now, and there are clear paths to achieving them via the CDR, but they’re not a priority. In contrast I doubt that tweaking the payment system is top of mind for most consumers but somehow that is a CDR priority. If I, in my previous role, couldn't figure out how or why this choice was made what chance does any other stakeholder have?
Enabling a “leading” data economy implies that data security, and consumer perceptions of data security, should take precedence. Without consumer trust the CDR will fail – but trust is hard to gain and easy to lose. Which arguably means that all the other goals must necessarily take a back seat.
Everyone pays lip service to data security, particularly given all the high-profile data breaches of recent times. Yet many of the key policy changes to the CDR in recent years have decreased data security. The original vision was of a regime where data could move from safe places (data holders such as banks) to other safe places (data recipients accredited to have bank-equivalent data security). What we now have instead is a conveyor belt for moving data partially or entirely outside the oversight of the regulators (e.g. the “representative” model, insights, trusted advisers, and business consumer disclosure consents). I would argue that the likelihood of a trust-destroying breach directly or indirectly involving CDR data verges on certainty, given time. And then what will be the value of all the money and effort that’s gone into creating the CDR?
It should be recognised that the goals discussed above were set some years ago now by a different government. The current government hasn’t overtly repudiated these goals but Ministerial statements relating to the CDR now seem to focus more on protecting consumers from scams and replacing screen scraping. Laudable goals but do they take precedence over the “old” goals? I’m not sure that anyone really knows.
I also feel I should note a personal perception that the CDR used to be all about consent but has drifted into being primarily about data portability. This is a crucially important difference, and it bothers me that this change in emphasis appears to have occurred without any considered, evidence-based and publicly announced change in policy.
3. Shaky foundations
We’re still on the topic of trust here. Everyone understands and agrees that trust is foundational to the CDR. The CDR can only be successful if people trust that their data won’t be misused or fall into the wrong hands. Everyone also understands the fragility of trust in the face of high-profile data breaches. When discussing and promoting the CDR everyone from the Minister on down emphasises that the CDR is supposed to offer safer data sharing and protection from bad actors.
And yet…as mentioned previously there has been a long succession of policy changes that have loosened the protection of CDR data, all ostensibly in support of lower “friction” to encourage higher adoption by data recipients. There has been no rigorous published analysis of the risk vs. benefit trade-offs of these changes.
A concrete example of the nature of the risk here would be mortgage brokers. They can receive CDR data under a trusted adviser consent, but they do not themselves fall under any CDR obligations in respect of that data. Of course, most mortgage brokers have their customers’ best interests at heart and can be expected to act as diligent stewards of this data. Nonetheless, mortgage broking is a boom/bust game and every time the property market heads south there are a proportion of brokers that find themselves financially challenged and in need of cash. It’s not hard to imagine undesirable outcomes. Is the benefit arising from making it easier for mortgage brokers to receive CDR data sufficient to offset the additional risk? Does anyone know? If there is clear evidence that the trade-off is justified, why haven’t we seen it?
My suspicion is that the CDR has been saved to date primarily by its underperformance. There just hasn’t been enough CDR data out there to fuel significant data breaches or to attract the focussed attention of bad actors. A widely adopted CDR, on the other hand, might end up doomed by its own success if we don’t plug the data security holes while we still can.
4. Perverse incentives and toxic data
Holding consumer data is expensive and risky. This is particularly true for CDR data, which comes with additional protections and regulatory oversight. This is good and necessary, and I’ve argued elsewhere that there are strong arguments for substantially beefing up these protections. Unfortunately, this inherent “toxicity” of CDR data creates some rather perverse incentives.
The greater the protections afforded to CDR data the greater the incentive for commercial players to find inventive ways to benefit from the richness of CDR data without exposing themselves to the gaze of CDR regulators. The popularity of the representative model, where entities can piggyback off an intermediary’s accreditation without having to become accredited themselves, is a case in point. Similarly, any party that can qualify as a trusted adviser would be powerfully disincentivised to pursue accreditation in their own right. And under the Business Consumer Data Consent Rules any entity planning to service only business customers will have no reason whatsoever to seek accreditation. They’re vastly better off getting their consumer data from an intermediary.
Thus, the overall impact of many of the Rules changes has been to create a kind of osmotic pressure pushing CDR data outside the CDR regulatory regime, and significantly reducing the attractiveness of CDR accreditation for anyone other than specialist data intermediaries. All of which has taken us a long way from the design intent of the original architects of the CDR without any formal pause to re-confirm publicly that the regime’s overall risk profile is still acceptable.
5. Excessive complexity and regulatory drag
The CDR is a complicated beast. Complexity makes things costly. As a CDR stakeholder you need a lot of CDR specialists to keep on top of all the changing requirements and to make sure that you can become, and remain, compliant. Complexity is also risky. Bad actors understand that complex regimes are vulnerable regimes. I can only assume the CDR makes them salivate. To make things even worse, complexity creates inertia. The more complicated something is the harder it is to modify, improve or fix it.
Ideally the CDR’s primary guiding principle should have been “do the simplest thing that could possibly work”. Instead, the shifting and/or poorly understood goals of the CDR have resulted in a regulatory patchwork that only a lawyer on the clock could love.
I don’t have a lot of sympathy for the blocking tactics of some parties who appear to want to avoid greater competition, but they do have a point about the excessive costs imposed by the CDR. If so much as a comma is changed in the CDR Rules or standards every CDR participant has to allocate highly skilled staff to assessing whether or not that comma change has a material impact on them. Many changes will be inconsequential, but some will come with multi-million-dollar costs. It’s exceptionally difficult to get a clear view of the true, CDR-wide, implementation costs of any particular change but it’s clear that (a) the costs can be large, and (b) the aggregate costs keep going up as new sectors are designated, and more data holders are obliged to comply.
Unless aggressive steps are taken to simplify the CDR the end point may be a regime that everyone knows is broken but that no one can afford to fix.
A further consideration is that the pace of technological change is increasing, and the longer-term viability of the CDR is going to depend a lot on our ability to tweak things smoothly and often to keep up. One excellent example is the concept of action initiation. I would almost guarantee that the Rules we devise today to manage action initiation by Accredited Action Initiators (AAIs) will no longer be fit for purpose by the time action initiation goes live, when most AAIs will probably turn out to be bots and avatars powered by Large Language Models (AIAAIs?).
6. Poor data quality, leading to poor reliability
The commercial viability of offering services leveraging CDR data is necessarily dependent upon there being a close and reliable relationship between data request and data receipt. Businesses basing their value proposition on CDR data can’t bear a high error or failure rate messing with their customer experience. In principle this seems straightforward but in practice it turns out there are a lot of barriers to consistently sharing consumer data. Historically these barriers have been under-appreciated and there has never been enough focus on doing the hard, grinding work required to resolve the many inevitable problems. You could draw an analogy to Elon Musk’s description of “production hell” in relation to reliably producing his electric cars. Unfortunately, the CDR response appears to have been to largely deny hell’s existence. To make things worse, finding and fixing data quality issues can be very expensive for data holders and is thus a source of at least some of the complaints that CDR compliance costs are too high.
One of the unspoken assumptions of the CDR is that data holders hold well organised and well understood data. That seems like a reasonable bet - how could the data holders successfully operate their businesses if they don’t have their customer data in order? Reality is a lot messier though. Data ontologies generally have the odd property of looking clear from a distance but becoming increasingly fuzzy the closer you look.
By way of example consider a concept that is central to the CDR. What, exactly, is a “product”? For a regime expected to facilitate product comparison and switching this is pretty core but if you take time to really think about it you can quickly give yourself a headache.
The general point here is that the devil is in the details and these details can make or break the CDR for data recipients and consumers.
7. Inadequate consultation and research
Everything about the CDR is complex and nuanced, particularly at the many points of intersection between policy and technology. The CDR is a grand experiment where literally no one can tell you for sure how things will progress and evolve over time. Fully understanding the CDR and its implications requires expertise over many realms - technical, legal, CX, security, privacy, policy and so on. No one has the whole picture. And yet, under the current structure, the CDR is defined by Rules which are drafted by Treasury.
I don’t mean to cast aspersions here. There are many talented and dedicated public servants working in Treasury. They do have some quirks though:
The Canberra bubble is real (albeit metaphorically so, as many Treasury people don’t actually work in Canberra). The world outside Treasury is seen from some distance.
My experience was that there’s a bit of a siege mentality. Which, to be fair, is understandable given the level of overtly self-serving and sometimes aggressive lobbying that has to be endured.
They’re reflexively secretive. It’s drilled into everyone that leaking sensitive or protected information is a mortal sin so it’s simpler to just assume that everything needs to be kept hidden.
They’re policy generalists that typically move roles every couple of years. Given that it takes about a year to fully come to grips with the very specific and technical challenges of the CDR this doesn’t leave much time for even the good people to become useful. Staff churn in CDR is a killer.
They tend to have – how can I put this delicately? - an underlying assumption that Treasury knows best. That’s a dreadful generalisation of course but I still think it explains some of the aversion to fully embracing stakeholder inputs.
All the above has led to what I see as an inadequate approach to consultation, which is approached more as a problem to be managed than as an opportunity for rich and insightful dialogue. Which is a great and dangerous shame as the CDR is a reform that really needs to be informed by the collective wisdom of everyone.
A subset of this point is the attitude to research. You might expect that something as new and potentially impactful as the CDR would be informed by plenty of formal (and published) research. And yet in reality we don’t have an objective, research-backed evidence base for CDR policy choices. The Data Standards Body’s CX team does do a lot of research of course but it’s important to understand that the DSB exists solely to advise the Data Standards Chair in the making of standards, which are legally required to fit within the Rules (made by the Minister with the advice of Treasury). The DSB has no official role in supporting or advising Treasury.
How can we do better?
You don’t need to be a rocket scientist to suggest practical ways to address the above points. In a forlorn attempt at brevity I’ll stick to broad brush strokes for now, recognising that little presented here is particularly new.
1. Rethink the CDR’s governance
First and foremost, the governance structure of the CDR needs to change. There needs to be an operating entity with clear responsibility and authority to make the CDR a success. This would need to be a body where the various domain experts could work side-by-side, developing and maintaining deep CDR expertise over years. Most importantly this entity will have to actively lead, as opposed to merely implementing government policy.
Such an entity can and should have a broader remit than just the CDR. The various data-centric initiatives across many realms (including, for instance, Digital Identity and the Office of the National Data Commissioner) really can’t continue to operate independently of each other. It’s self-evidently undesirable to require businesses and consumers to comply with multiple, poorly aligned sets of regulations and standards for consumer data.
2. Clearly state priorities
The government needs to state, clearly and specifically, what it wants the CDR to achieve, as an ordered list of priorities. Resources will always be limited so when faced with trade-offs how should choices be made? This list needs to include a recognition of the fact that all such priorities will be moot if public trust is lost.
Once priorities have been made clear the next step has to be identifying how to measure the extent to which each priority is being achieved - i.e., what metrics need to be collected to determine if we’re winning? These metrics must be shared publicly in a timely manner. There will always be the need for occasional course corrections, but these will be difficult to pull off if most stakeholders are travelling blindfolded.
3. Keep it simple
The CDR really has to be made much simpler, which in my opinion largely boils down to stopping being half-pregnant about data security. Here are a couple of very different ways of going about this:
Return to the original vision of ensuring that CDR data is always held with bank-equivalent security - that is, get rid of all the exceptions. This would mean requiring all recipients of CDR data to be accredited and subject to active oversight by the regulator. No representative model, no insights, no trusted advisers, no business consumer disclosure consents. While the downsides of this approach are obvious, they could be mitigated by driving down compliance costs, for example by allowing third parties to compete to provide accreditation services. Of course, requiring all data recipients to improve their data security will impose costs many won’t like but the upside will be that large parts of the economy will get better at data security (which is ostensibly a major goal of the government after all, no?). Chances are this approach would result in a smaller CDR, at least in the near term, but the trade-off may be worth it for greater resilience and sustainability.
Alternatively, we could fully accept the argument that it’s the consumer’s data and they should be able to do with it what they wish. Under this model it would still be necessary to enforce a consistent approach to consent, to ensure that consumers act with full information, but all restrictions on who a consumer can share their data with would be removed. Past the point of consent there’d be no concept of “CDR data”, nothing to regulate, nothing to enforce. There are plenty of obvious risks with this approach but there are ways to mitigate these risks (particularly if the Privacy Act is appropriately updated). And in any case the current leaky structure isn’t obviously much better so what exactly would we be losing?
Whichever path is chosen the next key step will then be to fully commit to enforcing the simpler regime. Many of the so-called data quality problems that bedevil the CDR at present are basically a result of, to put it politely, under-investment in CDR compliance by data holders. Admittedly amplified by the fact that CDR compliance is made extra difficult by regime complexity.
4. Aim to be understood
It needs to be made much, much easier to understand the CDR (both its current state and proposed changes) at every level from legislation down through the Rules and standards to the operating procedures. To date, achieving this level of understanding has been an intractable knowledge management problem, particularly as the key information is created and maintained across four very distinct entities.
The recent emergence of viable AI chatbots offers a relatively easy solution. It’s now technically straightforward to use AI to draw together everything publicly known about the CDR by all parties and to offer this information via a conversational interface. There’s not even any need for the government to build and maintain any bots - all that is required is to make the information easily discoverable and digestible by 3rd-party bots and the market will do the rest. Complete and timely clarity about obligations will directly correlate to lower compliance costs and a more functional and useful CDR. Additionally, a fully informed stakeholder community will be vastly better at calling out Rules and standards missteps before they’re implemented.
5. Embrace the CDR community
The government needs to adopt a genuine, enthusiastic, and proactive co-design approach to the CDR in partnership with all stakeholders. The people who stand the best chance of understanding what really will and won’t work are the people directly experiencing the real-world costs, risks, and benefits. This will necessarily extend to the government spending non-trivial sums on making the co-design process accessible to everyone - e.g., by finding creative ways to financially support smaller parties and individuals that make significant contributions. Note that this doesn’t have to mean giving “the community” decision rights. Eventually the designated umpires (currently the Minister and the Data Standards Chair) have to make the final calls. But literally everyone can and should be able to add their views and insights to open discussions that will inform those calls.
In addition to a genuine co-design approach Treasury needs to commit to an open, research-driven, evidence-based development process for setting and maintaining the CDR Rules. There is too much that the CDR is attempting that is new and poorly understood to leave to behind-closed-doors guesswork by government generalists.
Conclusion
The challenges for the CDR are many but we have already made enough progress to demonstrate that the CDR is entirely possible, and that there are no insuperable technical barriers. Underperformance to date can, in my opinion, all be traced back to program management failures of one kind or another. Speaking from the perspective of my former role as a CDR bureaucrat, we have often been our own worst enemy.
The ultimate solution, as I see it, starts with leadership. Admittedly this begs the obvious question, “by whom?” In the current structure it’s not easy to see who has the responsibility or authority to lead. I imagine the official answer would be that responsibility for the CDR is shared but that’s just a recipe for confusion and plausible deniability (“we didn’t do the thing because we thought you were doing the thing” and/or “we didn’t do the thing because we weren’t funded to do the thing”.)
Correcting the governance shortcomings of the CDR will take time and, to be honest, there will always be problems. That will still be ok though if we are able to build from a clear understanding of what the government expects the CDR to be, and if the government in turn is responsive to what the wider community values. Clarity of purpose combined with transparency of process will ultimately be enough to solve most problems.
Which of course begs the question of how the CDR program might be changed to bring about such clarity and transparency. Take it from me, the government isn’t set up to do smart things quickly. So what can we do to provide a constructive push? If you read this far, I’m genuinely interested to hear your ideas.
An interesting read, thank you. Agree simplicity is needed, particularly for the consumer. As CDR data disclosed to a Trusted Adviser is no longer CDR data, I'm for letting the consumer be in actual control and to release their data, filtered through an ADR, to whoever they wish. Move the liability with the data.