ACCC & DSB | CDR Implementation Call Agenda & Meeting Notes | 6 March 2025

Rob Sorrentino edited this page Mar 6, 2025 · 10 revisions

Agenda & Meeting Notes

When: Weekly every Thursday at 3pm-4:30pm AEST
Location: Microsoft Teams
Meeting Details: Join on your computer, mobile app or room device
Meeting ID: 446 019 435 001
Passcode: BU6uFg
Video Conference ID: 133 133 341 4
Or call in (audio only): +61 2 9161 1229,,715805177# Australia, Sydney
Phone Conference ID: 715 805 177#


Agenda

  1. Introductions
  2. House Keeping
  3. Updates
  4. CDR Stream updates
  5. Presentation
  6. Q&A
  7. Any other business

Introductions

  • 5 min will be allowed for participants to join the call.
  • This call is jointly facilitated by the ACCC and the DSB, and we welcome observers from APRA, OAIC and the Treasury.

House Keeping

Recording

The Consumer Data Right Implementation Calls are recorded for note taking purposes. All recordings are kept securely, as are the transcripts which may be made from them. No identifying material shall be provided without the participant's consent. Participants may [email protected] should they have any further questions or wish to have any material redacted from the record.

Community Guidelines

By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.

Updates

⭐ indicates change from last week.

Columns: Type, Updated, Links

Standards
  Version 1.33.0
  Published: 18th of December 2024
  Change log

Maintenance
  Iteration 22 runs fortnightly through to April
  Decision Proposal 364 - Maintenance Iteration 22
  Link to consultation

DSB Newsletter
  ⭐ 28 February 2025
  View in browser here

Consultation
  Noting Paper 363 - Applicability of Authentication Frameworks
  Link to consultation

Guidance
  ⭐ Updated Collection & Use Consent, and Amending Consents CX artefacts and requirements. This includes visual, UI and experiential updates, as well as new and updated rules, standards and guidelines references.
  - Collection and Use Consents
    Guideline & change log
  - Amending Consents
    Guideline & change log

Guidance
  Updated Data Holder CX artefacts and requirements to reflect Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024. This includes visual, UI and experiential updates, as well as new and updated rules, standards and guidelines references.
  - Authorise: Authorisation to disclose joint account data
    Guideline & change log
  - Consent Management (Data holder): Authorisations
    Guideline & change log
  - Consent Management (Data holder): Withdrawal
    Guideline & change log
  - Consent Management (Data holder): Account permissions - Secondary Users
    Guideline & change log

Guidance
  Recently revised guidance to reflect the v7 rules
  - Compliance guide for data holders – energy
  - Compliance guide for data holders – banking
  - Joint account implementation guidance
  - Secondary users in the banking sector fact sheet
  - Secondary users in the energy sector fact sheet
  - Quick reference guide to finding documents in the CDR legislative framework
  - Introducing a new software product
  - Ceasing secondary user sharing
  - Managing implementation, product and plan changes – data holder obligations

Tooling
  ⭐ Updated tools to align with the latest CDS v1.33.0
  - Mock Data Holder (Java)
  - Product Comparator (Demo): Updated Banking DH information sections (Energy updates are yet to come)
  Links: Mock Data Holder (Java) Release Note; Product Comparator Demo

Tooling
  Recently updated tools to align with the latest version of CDS (1.33.0)
  - Postman Collection
  - JSON schema tools
  - Type Definition Library
  - Test Data Generator
  - JS Holder SDK

CDR Stream Updates

Provides a weekly update on the activities of each CDR stream and their work.

Organisation: DSB
Stream: Technology
Member: Mark

Presentation

None this week.

Q&A

Questions will be received by the community via Microsoft Teams chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.

With regard to topics for questions, we ask participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.

Answer provided

Ticket # Question Answer
Ticket 2501: Get Metrics data refresh

Question:
Is there a confirmed period of time within which data needs to be refreshed for Get Metrics data? A higher frequency adds a cost burden.

What would be the maximum that would be allowed (i.e. 24 hours)?

Answer:
There is no latency requirement specified for the Get Metrics data.

You could consider though that it provides a range of metrics from hourly to monthly, so being as low as 5 minutes may not be necessary.

Some existing guidance on this topic may be found here
- What is acceptable data latency for providing metrics?
- Metrics reporting current day
- Frequency of Calls to Get Metrics

Ticket 2498: Get Transaction Detail V2

Question:
Implement the Get Transaction Detail V2 in March to enable clients to share their NPP data at the earliest with the ADRs. In this regard, for a particular scenario we would like to validate our approach.

Scenario:
As a data holder, we will need to support both versions of the Get Transaction Detail API until at least 14th July 25 and possibly after that date until V1 is deprecated. The Get Transaction Detail is called based on the “Is Detail Available” data item when true. Up until now we were extracting NPP data only for the X2P1.01 service as required. Now, with extended services in V2, the data retrieved will be for all NPP services, so all services associated with the NPP will return “Is Detail Available” = TRUE. This results in a scenario where an ADR can call either the V1 or V2 version of the Get Transaction Detail API. If an ADR calls Get Transaction Detail V1 for a service other than X2P1.01 then it becomes challenging to respond to the ADR as:
- The transaction data exists but cannot be accurately represented using the Version 1 payload structure.
- The service type does not align with the Version 1 API, which exclusively supports "X2P1.01" services.

To manage the response our approach would be to throw a 406 Not Acceptable error, accompanied by the following error message

{
  "errors": [
    {
      "code": "UnsupportedVersion",
      "title": "Unsupported Version",
      "detail": "The requested transaction details are not available in API Version 1. Please use Version 2 for non-X2P1.01 services."
    }
  ]
}

Q1. Can you please confirm if the proposed approach is a viable option?

Q2. If the above approach is not viable, how should data holders manage the transition period where both API versions are supported, particularly when dealing with transactions that can only be fully represented in the newer version (V2)?

Answer:
Answered on this issue thread 664

Ticket 2497: Get Customer Detail API response schema

Question:
Seeking clarification regarding the Get Customer Detail API response schema, specifically the behaviour of the customerUType field. Based on the documentation (Customer Detail v2 Schema), the assumption is that the response will include either the person or organisation object, depending on the value of customerUType, but never both simultaneously.

Can you confirm if this assumption is correct? Or is there any scenario where both person and organisation objects could appear in the same response?

Answer:
Only one object is expected to be specified, depending on the consumer type.

More details related to this query are available in this guidance
- Get Customer response for sole trader
- Sole trader Get Customer API ResponseCommonCustomer response

Ticket 2494: Infosec endpoints that should be captured under HighPriority invocation metrics

Question:
In CDS Specification under performance requirements, it is stated that infosec endpoints should be captured in the HighPriority tier. Is there a place I can find the list of endpoints that falls under infosec endpoints? Endpoints seems outdated. Are all endpoints mentioned under Security Endpoints considered as InfoSec endpoints?

Answer:
Yes, "InfoSec endpoints" generally refers to the endpoints described in the Security Endpoints section.
If you believe there are specific endpoints in your solution that should be included or excluded, I'd be interested in hearing any feedback or suggestions that may improve service insight for the Regulator.

I'm not sure where you found the [2] link, but it refers to a deprecated version of the Standards.

Ticket 2492: ADR Using a + delimiter to separate scopes in an auth request

Question:
An ADR is using + in the auth requests to separate scopes.

The OAuth 2.0 standard (RFC 6749) and OpenID Connect require space-separated scopes, meaning scope values should be separated by spaces (%20), not +. https://datatracker.ietf.org/doc/html/rfc6749
Section 3.3 does specifically say space delimited or the authorisation request, which also refers to section 3.3.
An example would be

&scope=openid+common%3Acustomer.detail%3Aread+common%3Acustomer.basic%3Aread

Is it acceptable to use the + delimiter to separate scopes rather than %20?
Our server does not accept + and hence would like some guidance on the requirement to support + or not.

Answer:
'scope' is an optional parameter at the authorize endpoint, but the value in the PAR would be expected to override it.

A '+' is a form-encoded space as noted in https://www.rfc-editor.org/rfc/rfc6749#appendix-B, so I think that behaviour could be aligned to the spec.
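
The decoding behaviour behind the answer to ticket 2492, as an added example that is not part of the original meeting notes or of any CDR tooling: the same scope list is parsed once with form decoding and once with percent-decoding only. The function names and the sample query strings are constructed for illustration; the scope values are those from the question.

```javascript
// RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

// Constructed sample requests: the same three scopes, '+' versus '%20' delimiter.
const PLUS_QUERY =
  'response_type=code&scope=openid+common%3Acustomer.detail%3Aread+common%3Acustomer.basic%3Aread';
const PCT20_QUERY = PLUS_QUERY.replace(/\+/g, '%20');

// Form decoding (application/x-www-form-urlencoded, RFC 6749 Appendix B):
// URLSearchParams turns '+' into a space, then resolves percent-escapes.
function scopesFormDecoded(query) {
  const value = new URLSearchParams(query).get('scope');
  if (value === null) return [];
  const tokens = value.split(' ');
  for (const token of tokens) {
    // Rejects empty tokens (doubled delimiters) and characters outside the grammar.
    if (!SCOPE_TOKEN.test(token)) {
      throw new Error(`invalid scope token: ${JSON.stringify(token)}`);
    }
  }
  return tokens;
}

// Percent-decoding only: decodeURIComponent leaves '+' untouched, so a
// '+'-delimited list arrives as ONE token. '+' (%x2B) is itself a legal
// scope-token character, so a grammar check alone does not flag it; the
// request only fails later, when the token matches no registered scope.
function scopesPercentOnly(query) {
  const match = /(?:^|&)scope=([^&]*)/.exec(query);
  return match ? decodeURIComponent(match[1]).split(' ') : [];
}
```

A literal plus sign inside a scope value has to be sent as %2B, which form decoding preserves as '+' within a single token.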

Any Other Business

Attendees are invited to raise topics related to the Consumer Data Right that would benefit from the DSB's and ACCC's consideration.

Organisation: NAB
Stream: Banking
Update: Kogan Money Credit Cards data holder brand will be unavailable between 14-17 March 2025, due to a major technology migration. Specific outage timeframe and details will be published on the Get Outages endpoint. If you have a registered client with the brand, this may impact your CDR application and active data sharing arrangements.
Please reach out to [email protected] if you have any questions.

Useful Links

View a number of informative and useful links in the Consumer Data Standards Guide on Information Links.
