Australia’s Consumer Data Right may create a new wave of federated identity providers

It’s been two years now since the first Australian banks started offering to share certain types of data upon customer request, though — due to a phased introduction — about six months since all major and non-major banks achieved the same level of sharing.

The Consumer Data Right (CDR) scheme will expand to utilities in November and to telecommunications operators sometime in 2023 — with more sectors in line to be added beyond that.

It is now so much more than “open banking”. As more industries join, the scheme is starting to look more like an enabler or driver for “open industry”, and that is firmly by design. As the government says, “the CDR is designed to be an economy-wide right … A new sector will be assessed and designated every year.”

But while more and more businesses are opening their data holdings and positioning themselves to receive customer data from other businesses, consumer use of these data-sharing rights and capabilities is yet to gain the kind of traction first anticipated.

Some of this comes down to awareness: research by PwC Australia this year found that only 42 per cent of people “had even heard of open banking” and understood “what it means for them”, while “a further 31 per cent knew of it, but didn’t use it … because they lacked an understanding of the benefits”.

Benefits are perhaps more easily explainable with active use cases, but many of these are yet to materialise. The CDR was meant to make comparing providers and products easier and open the door to products “specifically and accurately tailored to your circumstances”.

While this hasn’t yet occurred, there is some really good, visionary work underway that makes use of CDR data.

Case in point, the race among financial institutions and fintechs to establish a single dashboard that an individual can use to view their total net wealth. Such systems could dramatically speed up processes such as loan pre-approval, as well as give consumers something really useful — a single place from which to track all their finances, no matter how many companies have a slice of those affairs. This is a race that is still very much in progress and is a very much worthwhile endeavour for banks and fintechs alike to continue pursuing.

VIEW ALL

However, the point I really want to make is that the CDR — and the potential benefits that accrue to industry participants and customers alike — is about more than just data sharing and access.

In fact, data sharing might be the most difficult use case to demonstrate value.

We could feasibly reach a point where the value of the CDR scheme isn’t the data right itself, but what else the CDR infrastructure can do.

Social login, reimagined

A core piece of infrastructure required by businesses participating in the CDR is a digital identity system.

Central to the functional operation of a consumer data right is that the process is privacy-preserving and allows for informed consent. Businesses must adopt technology that allows them to expose and protect account data via APIs in a security framework.

An API gateway on its own is insufficient to keep customer data protected and ensure proper consent management. To turn the CDR requirements into a competitive advantage and be able to quickly adapt and earn consumer trust, businesses must take action to modernise their infrastructure, with identity and access management (IAM) at its core.

The same IAM system that facilitates data sharing for the CDR may also have other uses.

In standing up an IAM system for the CDR, businesses must validate a customer’s identity to an auditable level. Through this process, they effectively create a digital credential that could be reused by the customer to access other services, should that option be made available.

In that way, a digital identity or credential created for CDR could become a new verified digital credential — and the business that manages or verifies that identity, a kind of federated identity provider.

At a time when a number of parties and consortia in Australia are separately building digital identity systems and credentials that are designed to authenticate access to a range of government and private sector services, CDR-compliant organisations could soon join that fray.

The scheme may ultimately usher in a range of new digital identity service options, run by banks, utilities, telcos and more: single digital logins that can be used to authenticate and establish identity with a range of online services.

It’s not clear if this is on the radar, let alone the roadmap, of many CDR participants. As a non-data-oriented use case, it sits outside what most people envision the CDR to create, or be.

Nevertheless, it’s an exciting opportunity: not only does it provide a new way for CDR-compliant organisations to leverage their technology investments, but it also gives consumers the option of a digital credential that gives them access to all their data across services they consume, and more.

Ashley Diffey is the head of Asia-Pacific and Japan at Ping Identity.