CDR Demands Open Business APIs
The CDR is being rolled out sector by sector, piloting an Open Banking regime and then an Open Energy scheme, with Open Telco discussions and debates now beginning to take place. There will likely be a common thread among the CDR rules for all sectors, but every sector will have its own industry-specific rules and considerations. All companies that own data will become Data Holders, while the companies able to accept and view that data will become Data Recipients, though most will likely play both roles by building and consuming open APIs across Australia. Industry-specific API standards will help pave the way for interoperability and rapid testing/adoption.
Australian Open Energy
Ever the competition watchdog, the ACCC has determined that an Open Energy program will be implemented in the first half of 2020, to help consumers use their own energy data to find cheaper services, and promote transparency and innovation. The data will likely include connection point information, contact details, metering data, billing information, product information, average daily load and distributed energy resources register data. Since energy data on an individual consumer may be held by a number of organisations, the ACCC gathered stakeholder feedback on three different CDR models in March 2019:
The Australian Energy Market Operator (AEMO) would be the sole data holder for data recipients to connect to. All other data holders would need to build APIs to provide data to AEMO. AEMO would handle authentication/authorisation with consumers and make the complete data available to Data Recipients via API.
AEMO would source all the data it doesn’t hold and maintain a gateway to access the data. All Data Holders would still be responsible for getting consumer authorisation for their portion of a consumer’s data before it gets released to a Data Recipient.
All Data Holders would be responsible for open APIs that could be accessed by all Data Recipients (most similar to Australian Open Banking). The Data Holders would be responsible for consumer authentication/authorisation, and delivering an API for Data Recipients to use.
Australian Open Telco
Organisations within the telecommunications industry sector should be taking steps today to understand the data sets they hold that could be subject to the CDR, as well as the status of their data and API security posture in general. Given the speculation and concerns expressed by stakeholders in the telecommunications industry, telecommunications companies may also wish to involve themselves in ongoing ACCC consultations and submissions. For example, the Communications Alliance Ltd. submitted a number of concerns, one of which is that the Bill was developed with a banking focus and “bears the very real risk that those later sectors will be forced to operate within a legislative and regulatory framework that has a distinct ‘banking flavour’ but lacks sufficient consideration of the particularities of other industry verticals.”
Regardless of how Australian Open Telco shapes up, the telecommunications industry faces the same opportunities and threats as Banking and Energy. Since identity and access management capabilities are critical for API security, many telecommunications companies are assessing their existing infrastructure to modernise legacy identity and access management systems that aren’t able to handle the security implications of working with Data Recipients.