Nearly one in every three Australian mid-tier credit unions, building societies and other institutions do not comply with open banking, while others that are compliant on paper have systems that do not work in practice.
A two-month investigation by iTnews uncovered resource capacity and technical challenges with implementing Australia’s complex open banking regime.
Many mid-tier banks and credit unions lack the internal capacity and capability to meet aggressive timelines set by the government and enforced by the Australian Competition and Consumer Commission (ACCC).
With large numbers of authorised deposit-taking institutions (ADIs) required to hit the same compliance deadlines at the same time, they are all pulling from the same finite pool of skills at once.
In addition, core banking system providers, including Ultradata and Data Action, are relatively small and have their own capacity constraints that mean they are unable to help all their customers make the requisite changes to meet the open banking deadlines.
November 1 was the “phase two” deadline for open banking, which required ADIs to be able to share data they held on a customer’s home loans, mortgage offsets and personal loans.
According to the ACCC, of the 92 ADIs in Australia, 66 are active data holders under the consumer data right - the mechanism for open banking - as of November 1.
Of the remaining 30, half were granted an exemption by the ACCC that extends compliance deadlines beyond November 1 or had “no relevant products”.
The other 15 ADIs are simply “non-compliant with their obligation to share consumer data,” an ACCC spokesperson told iTnews, though the commission expects “more of those ADIs to become active data holders in coming days and weeks.”
The ACCC argued compliance had improved over time.
The November result, for example, is a significant improvement from July 1 when more than 50 ADIs missed the phase 1 deadline - requiring the release of savings and other transactional data on request. This number included those that were granted formal exemptions.
By late September, the ACCC recorded a total of 40 ADIs that were still non-compliant with phase 1 data sharing obligations.
At the same time, the level of outstanding non-compliance is clearly an ongoing cause for concern, with the ACCC warning ADIs without exemptions in mid-September that they risked enforcement action if they did not change their tune.
The situation may also be considerably worse, since even those that comply with the rules on paper don't necessarily have working systems.
Recent tests of institutions that are compliant on paper show that many cannot produce data on request, and instead return error messages, incomplete or incorrectly formatted data - highlighting the ongoing challenges with the implementation of open banking in Australia.
Core banking
As with phase 1, the issue for non-compliant credit unions, mutual and customer owned banks is the difficulty they face getting their core banking systems to comply.
iTnews understands that two of the main core banking system providers, Ultradata and Data Action, which count the likes of G&C Mutual Bank and 86 400 among clients, have had the most difficulty helping customers comply with the open banking deadlines.
Data Action confirmed to iTnews that it had worked to rectify most issues experienced by its client base.
The provider told iTnews it worked “diligently” with its clients “to roll out DA’s Open Banking solution” and to ensure compliance obligations are met.
“Currently, 14 Data Action clients are listed on the Consumer Data Right website as CDR data holders, which represents a significant percentage of all compliant providers,” it said.
“We have one client outstanding, with an approved exemption provided by the ACCC, as they are due to migrate onto our core banking platform next year.
“Going live with Data Action’s Open Banking solution was a complex process, and required significant coordination between Data Action, the ACCC and clients, with testing performed in multiple environments.
“We all worked together closely to understand requirements, update timelines, and manage potential risk.
“Data Action’s process included being careful to architect our open banking solution with regards to how it would interact with our core banking platform, and meet CDR requirements.”
Detailed questions were also put to Ultradata by iTnews on the number of its ADI customers that met and missed compliance deadlines, and that sought clarification of the reasons for non-compliance.
Company representatives did not respond to multiple calls and emails over several weeks.
However, Ultradata made a general media statement on Friday last week to say that it had achieved the Novermber 1 go-live for 27 "mutual financial institutions" as at November 12.
The vendor has previously said it has 37 clients that have open banking and consumer data right obligations.
An Ultradata spokesperson could not be reached to clarify the difference between the two figures.
Outsourcing solutions
Some smaller institutions were able to meet obligations by using third party integration services.
Australian fintech Biza.io, for instance, helped Regional Australia Bank (RAB) meet its obligations well before the July 1 deadline and has since gone on to assist over 20 others.
Biza.io was able to provide RAB with tools to reach data holder status in the space of only three months.
RAB’s chief digital officer at the time Rob Hale told iTnews the bank reached out to Biza.io as there was “no proven data holder platform in the market at the time”.
“Meeting technical standards and stringent information security is a complex undertaking and we were fortunate to find a company that specialises in this work at that time,” Hale said.
He said RAB’s choice to use Biza.io gave it the confidence that it would remain compliant into the future when more challenging technical and security obligations are set to kick in.
Building external solutions
While RAB was able to find a solution outside of its standard core banking platform, Biza.io’s chief customer officer Mark Perry told iTnews in August that some core platforms could not cater to this model.
At the time, Perry told iTnews that Australia’s smaller banks relied on core banking platforms to help meet the July deadlines.
While the likes of RAB were able to meet phase 1 requirements “there are a large number that haven’t come on board yet,” he said.
“This is why a lot of people are having problems still getting to compliance, because their core banking vendors are finding it difficult to expose that data to essentially a public interface.”
So far, Biza.io says it has delivered seven banks into production with its data holder-as-a-service solution on time.
Editors note: Since this story was filed, the ACCC said 66 ADIs are compliant, up from the 61 on November 1. This means 26 ADIs are non-compliant. The breakdown of the 26 with or without an exemption is being clarified.