Open Banking

Frequently asked questions

• Data Holder and data sharing

  What is a Data Holder?
  Data holders are data givers under the Consumer Data Right (CDR). These are the providers who currently hold consumer data. Registered Data Holders are required to share client data with a nominated accredited data recipient when a client directs them to.

  
  What is an accredited provider?
  An accredited provider is one which has successfully undergone the Australian Competition and Consumer Commission (ACCC)’s accreditation process to become an Accredited Data Recipient (ADR).

  Data recipients are data receivers under the Consumer Data Right (CDR).  These are the providers who receive a consumer’s data after the consumer has given their consent. The data recipient will then use this data to offer a service the consumer has requested (e.g. comparison of products).

  Only accredited providers can operate within Open Banking and offer services under CDR.

  
  Is BOQ becoming an Accredited Data Recipient?
  BOQ becoming a Data Holder in late 2021 sets the foundations required for us to become an Accredited Data Recipient (ADR) in 2022. As an ADR, BOQ can realise the benefits of data sharing and analytics to obtain valuable insights, better understand our clients’ needs, and offer more tailored products and services. This supports our vision “to be a digital bank of the future with a personal touch”.

   

  How do I know who is an accredited provider?
  Consumers can confirm if a provider is accredited by looking for the logo on the right, or by viewing the list of current accredited providers on the official the Consumer Data Right (CDR) website.

  As CDR has just been launched in Australia, there are currently only a limited number of accredited providers. As CDR grows over time, more and more providers will become accredited.

  
  How safe is it to share my data?
  Many precautions have been factored into the Open Banking data sharing environment, such as:

  • The standards, format and process for data sharing under the Consumer Data Right (CDR) has been established by the Data Standards Body (DSB)
  • Only providers that have met the Australian Competition and Consumer Commission (ACCC)’s accreditation process are able to participate in Open Banking as a data recipient. Providers must demonstrate that they meet technical and system requirements to receive data and comply with data standards, and adhere to many legal requirements
  • Providers are only able to collect and use data as required to provide a product or service, in line with the client consent provided
  • The CDR is co-regulated by the ACCC and the Office of the Australian Information Commissioner (OAIC), who jointly monitor compliance to CDR regulations. They work together to respond to issues, including taking enforcement action if needed. More information can be found in the ACCC/AIOC Compliance and Enforcement Policy for the Consumer Data Right.

  
  Do I have to share my data?
  There is no obligation for you to share your personal data. Open Banking is an opt-in service, so the choice is completely yours. When choosing to share your data, you have control over:

  • Whether you want to share your information or not
  • What information you wish to share
  • The specific purpose for which your data will be used
  • Who you share your information with
  • When you want to stop sharing your information

  Also, if you do decide to share your data, you are able to revoke your consent on this data sharing at any stage.

  
  What data can I share?
  Clients with individual, non-individual, sole trader and joint accounts can opt-in to share data for most savings and transactions accounts, term deposits, credit cards, home loans and mortgage offset accounts and eligible business products.

  Please note:

  • Changes in your customer and account data (including balances and transactions) may only be made available for sharing after 24-48 hours. Changes in credit card data are generally made available as they occur.
    
  • Pending transactions are not yet available for sharing.
    
  • Interest rates, fees and product features associated with individual accounts are not yet available for sharing.
    

  
  Who can share data?
  To be eligible to participate in data sharing, you must:

  • Be at least 18 years of age, and
    
  • Hold at least one open and online account with BOQ Specialist, 
    
  • The process will start on an accredited provider’s website or app. The whole process takes less than two minutes.
    

  
  
  How do I share data on my joint accounts? 
  For joint account data sharing, all joint account holders must be:

  • Individual and sole trader customers
    
  • legal owners of the joint account 
  • eligible to participate in data sharing 

  
  Can secondary users on my account share data?
  To be eligible for secondary user data sharing: 

  • All account owners and secondary users seeking to share data must be eligible to share data as per the criteria above  (see ‘Who can share data?’)
    
  • Secondary users seeking to share data must be able to transact on the account*
  • The account owner must enable data sharing for secondary users via the Customer Dashboard
  • *Note that power of attorney relationships and delegated users are not secondary users.

  
  Non-individuals (business entities)
  For non-individual (business) data sharing: 

  • Within Open Banking non-individuals / organisations can authorise a Nominated Representative to share the business entity’s banking data with accredited service providers. 
    
  • Nominated Representatives must be eligible to share data as per the criteria above and be a signatory on at least one of the accounts attached to the business entity. 
  • Currently, single non-individual entities (which may include a trading name or trust) are able to share data via a Nominated Representative. Data sharing for additional types of business entities and ownership structures will be made available in the future.
  • Accounts that are jointly owned by one or more individuals and/or involve multiple non individual entities (e.g. an account owned by two companies) are not eligible under the Consumer Data Right rules. 

  
  How does it work?
  Data sharing will start on an Accredited Data Recipient’s (ADR) website or app, where you may be asked if you wish to share your data while browsing for a service or product. 

  • If you consent to data sharing your identity will need to be verified by BOQ Specialist before we share any data. 
    
  • You will be directed to BOQ Specialist's Data Holder services platform and prompted to enter your client number. 
  • You will then be sent a One Time Password (OTP) to your mobile or email. 
  • When the OTP has been successfully entered and your identity verified, you will be prompted to choose the specific accounts you consent for data sharing, before being linked back to the ADR site where you may begin using your shared data.

  When sharing joint account data, a notification will be sent to all joint account holders via the Customer Dashboard. This will occur each time data sharing has started, and when data sharing has stopped for that joint account. 

  
  How do I manage data sharing for my account(s)?
  Once you have authorised sharing of your personal data, you will receive access to your Customer Dashboard. Through this dashboard, you can view each of your data sharing consents, including the accredited providers that you have consented to share your data with, the specific accounts shared with each provider, and the time period you have nominated for each data sharing consent. You can easily manage your consents through this dashboard.

   

  How do I share data on a joint account? 
  Eligible joint accounts are available for data sharing by default, so you won’t need approval from other joint account holders to share data with accredited providers. However, if you or any other account holder have disabled your joint account for data sharing it will need to be re-enabled before data can be shared.

  You may change your data sharing settings for your joint account or stop data sharing at any time via the Customer Dashboard. If you choose to disable your joint account for data sharing, all other joint account holders will need to approve and re-enable the account for data sharing.

  To enable data sharing:

  1. Go to 'Accounts management' > "Joint accounts" and enable the joint account you want to share by following the onscreen prompts.
  2. We’ll send the other joint account holder a notification to the Customer Dashboard asking them to approve or decline your request.
  3. Each Joint account holder will need to log in to their Customer Dashboard to view the notification* and approve the request to enable data sharing for the joint account. 
  4. If all joint account holders approve the request, your joint account will be enabled for data sharing and you will be able to select it from the list of accounts eligible for data sharing when creating a new consent.

  *The notification will expire after 30 days. If the other joint account holders do not approve the request during this time, you will need to repeat the process from step 1.

  
  How do I know if another joint account holder is sharing the account data?
  Whenever a new data sharing consent is given, is revoked, or expires, all joint account holders will be notified on their data sharing dashboard. You can always see what data is being shared in your Customer Dashboard.

  
  How do I share data as a secondary user? 
  Data sharing permissions for secondary users must be enabled by an account owner via the Customer Dashboard. Account owners may choose to enable data sharing for all eligible secondary users per eligible account.

  To enable data sharing for secondary users as an account owner:

  1. Go to ‘Accounts management’ > ‘Secondary users’ and enable the account for secondary user data sharing by following the onscreen prompts. Note that this action enables data sharing for all eligible secondary users on the account, including secondary users subsequently added to the account.

  
  How do I know if a secondary user is sharing the account data?
  

  Note that notifications for secondary user data sharing are not yet available. However, you can always see what data is being shared in your Customer Dashboard by clicking on Sharing started by others.

  
  How do I share data on behalf of my business or organisation? 
  Within Open Banking eligible non-individuals / organisations can authorise a Nominated Representative to share a business entity’s banking data with accredited service providers. 

  Once authorised, Nominated Representatives may choose to create data sharing consents including all eligible accounts for the business entity. 

  Note that if the Nominated Representative also holds eligible personal BOQ Specialist accounts or is a Nominated Representative for more than one business entity, they will be required to select the profile of the relevant business entity during the initial consent process. For example, the Nominated Representative may be asked to choose between profiles such as ‘Myself’ (for their personal accounts) or ‘Company A’ (as a Nominated Representative). The profile they select will filter the relevant accounts available for data sharing.

  For information on which organisations and Nominated Representatives are currently eligible to share data, refer to Who can share data?

  
  How do I add and remove a Nominated Representative for data sharing on behalf of my organisation?
  To add or remove a Nominated Representative, the authorised representative[s] of the business entity must complete the Open Banking – Data Sharing Form for Business Entities.

  Once authorised, the Nominated Representative will be able to share all accounts associated with the business entity, even those they do not have signing authority on.
  

  Once removed, the Nominated Representative will not be able to share data on any accounts associated with the business entity, and any active data sharing consents they have created for the business entity will be immediately revoked.

  
  What data can a Nominated Representative share?
  Once authorised a Nominated Representative will be able to share all accounts associated with the business entity, even those they do not have signing authority on and including accounts that have been closed in the last two years.

  
  Can my business or organisation have more than one Nominated Representative?
  Yes. Authorised representative[s] of the business entity may add multiple Nominated Representatives.  

  
  How do I know if a Nominated Representatives is sharing the account data?
  Nominated Representatives may view and manage all data sharing consents that they or another Nominated Representative have created on behalf of the business entity via the Customer Dashboard at any time. 

  Note that only authorised Nominated Representatives have access to the Customer Dashboard to view and revoke data sharing consents on behalf of the business entity.

• Giving consent and the data sharing experience

  Giving consent

  I hold accounts with more than one BOQ brand. Do I need to complete a consent to share data for each brand?
  Yes. You will need to provide a consent for each brand.

  
  I want to give three banks access to my BOQ Specialist data. Does this require three separate consents?
  Yes. You will need to provide a consent for each Accredited Data Recipient (ADR).

  
  How do I share information on a new account?
  You must provide consent to share data per account, including for any newly created accounts.
   

  Where can I find more details on any ‘terms and conditions’ for data sharing?
  This responsibility largely sits with the Accredited Data Recipient (ADR), who is required to provide a clear declaration of data usage. Please contact the relevant ADR for further information on this.

  Note that the BOQ Specialist Customer Dashboard has been designed to meet Data Holder obligations of Open Banking.

  
  What is my Customer ID? Is it the same for each brand?
  The customer ID is the generic name given to the unique customer identifier you use to log into internet banking. For a BOQ Specialist client, your Customer ID is your Client Number.

   

  One Time Password (OTP)

  I have been blocked due to too many failed login attempts. Can I be unblocked so that I can access the dashboard?
  There is no ability to unblock a client before the 24-hour period. If you have failed the maximum login attempts to access your dashboard and are been blocked, you will need to wait 24 hours until the block is removed before you can try again.

  
  Is there an autofill feature for the One Time Password (OTP) for mobile phones?
  This feature is not available in our Data Holder solution.

  
  Can the One Time Password (OTP) be emailed?
  The OTP will be sent via SMS to customers who have a valid mobile number registered with BOQ. The OTP will only be sent via email in the instance that BOQ does not have a valid mobile number registered for a customer.

   

  Refusing consent

  In what circumstances can BOQ Specialist (the Data Holder) refuse to share customer data in response to a request from an Accredited Data Recipient (ADR)?
  Your bank (the Data Holder) may refuse to disclose required customer data in response to a request in the following instances:

  • if BOQ Specialist (the Data Holder) considers this to be necessary to prevent physical, psychological or financial harm or abuseto any person; or
  • in relation to an account that is blocked or suspended; or
  • in circumstances set out in the data standard

  BOQ Specialist (the Data Holder) is required to inform any customer of such a refusal in accordance with the data standards.

   

  Managing consent

  Under what circumstances would BOQ Specialist (the Data Holder) manage consents on behalf of a customer?
  Under the Consumer Data Right (CDR) rules:

  • Customers can request that a Data Holder revoke a consent e.g. via a call centre. This may be as the customer is unable to do it themselves. A Data Holder has an obligation to revoke consents for customers who have requested the Data Holder to do so
  • A Data Holder has an obligation to revoke consents for customers who are not eligible anymore e.g. no longer a customer
  • An authorised staff member can suspend (i.e. temporarily block) a specific account from consent. e.g. for the prevention of physical, psychological or financial harm or abuse to any person
  • In the event that a customer is deceased
  • In the event that fraudulent activity has been detected

  
  How immediately will changes to my data sharing consent(s) be reflected in the Customer Dashboard?
  Updates to data sharing consents that are made via the Customer Dashboard will be reflected immediately.

  
  How immediately will any data corrections / updates be reflected in the Customer Dashboard?

  Please allow up to 24 – 48 hours for data corrections / updates to be reflected in your dashboard.

   

  Revoking consent

  
  How do I revoke a consent I created?  

  You may revoke a data sharing consent at any time:

  1. Access your Customer Dashboard 
  2. Click Sharing started by you and follow the prompts to stop sharing.
      

  How do I stop joint account data sharing on a consent created by another joint account holder?  

  You may stop data sharing for a specific joint account within a consent created by another joint account holder or secondary user at any time.  Note that you are only able to view accounts within a consent where you are a legal owner of the account. This action will not prevent joint account holders from creating new consents that may include the joint account.

  1. Access your Customer Dashboard.
  2. Click 'Sharing started by you' and follow the onscreen prompts to stop sharing.
  3. A notification will be sent to all joint account holders via the Customer Dashboard that data sharing has stopped.

  *If you would like to disable data sharing on an account for all current and future data sharing consents, please refer to the relevant section on disabling joint account data sharing within ‘How do I share data on my joint accounts?’.

  How do I disable a joint account for data sharing?

  You may disable a joint account for data sharing at any time. This action will disable data sharing on the account for all joint account holders and secondary users:

  1. Go to Accounts management > Joint accounts and disable the joint account by following the onscreen prompts.
  2. We’ll send the other joint account holder a notification to the Customer Dashboard that data sharing for the joint account has been disabled.
      

  How do I enable a joint account for data sharing?

  Eligible joint accounts are available for data sharing by default, so you won’t need approval from other joint account holders to share data with accredited providers. However, if you or any other account holder have disabled your joint account for data sharing it will need to be re-enabled before data can be shared.

  To enable data sharing:

  1. Go to Accounts management > Joint account and enable the joint account you want to share by following the onscreen prompts.
  2. We’ll send the other joint account holder a notification to the Customer Dashboard asking them to approve or decline your request.
  3. Each joint account holder will need to log in to their Customer Dashboard to view the notification* and approve the request to enable data sharing for the joint account. 
  4.  If all joint account holders approve the request, your joint account will be enabled for data sharing and you will be able to select it from the list of accounts eligible for data sharing when creating a new consent.

  *The notification will expire after 30 days. If the other joint account holders do not approve the request during this time, you will need to repeat the process from step 1.
   

  How do I enable secondary user data sharing on my account? 

  Data sharing permissions for secondary users must be enabled by an account owner via the Customer Dashboard. Account owners may choose to enable data sharing for all eligible secondary users per eligible account.

  To enable data sharing for secondary users as an account owner:

  1. Go to Accounts management > Secondary users and enable the account for secondary user data sharing by following the onscreen prompts. Note that this action enables data sharing for all eligible secondary users on the account, including secondary users subsequently added to the account.

  Note that notifications for secondary user data sharing are not yet available.
   

  How do I disable secondary user data sharing on my account?

  Eligible accounts are disabled for secondary user data sharing by default. However, if an account owner has previously enabled secondary user data sharing, any account owner may disable the account for secondary user data sharing at any time via the Customer Dashboard. This action will disable data sharing for all eligible secondary users on the account:

  1. Go to Accounts management > Secondary users and disable the account by following the onscreen prompts.

  Note that notifications for secondary user data sharing are not yet available.
   

  How long after revoking a consent will my data sharing stop?  
  Changes due to revoking consent are managed ‘real time’ and will be reflected immediately.

  
  How do I stop non-individual data sharing on a consent created by another Nominated Representative?
  Nominated Representatives may view and manage all data sharing consents that they or another Nominated Representative have created on behalf of the business entity by logging into the Customer Dashboard at any time. 

  1. Log in to the Customer Dashboard. If you have data sharing consents for your personal BOQ accounts, you will be required to select the profile* of the business entity after logging in. You may then revoke any active data sharing consents on behalf of the business entity by following the onscreen prompts. Note that this action will not prevent a Nominated Representative from creating new consents with the accredited provider.
  

  *Profile selection will only be displayed at log in when a customer has access to more than one profile for Open Banking. For example, you may be asked to choose between profiles such as ‘Myself’ (for your personal accounts) or ‘Company A’ (as a Nominated Representative). The profile you choose will filter which accounts and consents you will see. You may switch between profiles by clicking the Home button in the Customer Dashboard.
  

  
  How do I enable or disable data sharing for my business entity / organisation?
  Non-individual data sharing is disabled by default. Within Open Banking non-individuals / organisations can authorise a new Nominated Representative to share business entities banking data with accredited service providers, or remove an existing Nominated Representative by completing the Open Banking – Data Sharing Form for Business Entities. For more information, see ‘How do I add and remove a Nominated Representative for data sharing on behalf of my organisation?’ 

  
  If I had revoked a consent but have now changed my mind, can this consent be reinstated?
  No, you are unable to reinstate a revoked consent, as revoking a consent stops the sharing of data. You will need to grant a new consent via the Accredited Data Recipient (ADR).

  
  Can I revoke a ‘pending’ consent?
  Yes. You can revoke a pending consent.

  
  Inactive and expired consents

  How long can I view inactive consents under ‘Consent History’?
  The Customer Dashboard will show 2 years of history, however BOQ Specialist will retain consent information for an additional 5 years.

  
  What happens to data that I have shared with an Accredited Data Recipient (ADR) once the consented time period is over?
  The data is either de-identified or deleted according to your preferences as captured at the time of granting consent.

• My Customer Dashboard

  How do I access my customer dashboard?
  The Customer Dashboard can be accessed from the BOQ Specialist (Public Website): Internet Banking login page > Manage data sharing.

  
  How will my account name(s) appear in the customer dashboard?
  Your ‘account names’ will not be visible in the customer dashboard. Instead, the ‘product category’ will be displayed (e.g. ‘savings account’).

  
  Where can I see the data that I have consented for BOQ Specialist (the Data Holder) to provide?
  Your bank’s Customer Dashboard will provide you with visibility of the account(s) that you have shared, the provider’s you have shared your data with (Accredited Data Recipients), and the last 4 digits of these accounts. Transaction data is not displayed.

  
  Why can’t I see all accounts that I have with my bank (the Data Holder) in the dashboard?
  Customer dashboards are consent focussed. If there is no consent associated with an account, it will not be displayed in the dashboard. Additionally, not all products and account types are currently in scope (e.g. Joint Accounts). These will become in scope at a later date.

  For joint accounts, data sharing is only available if all joint account holders are legal owners of the account and eligible for data sharing.

  For secondary user data sharing, data sharing is only available if an account owner has enabled secondary user data sharing for the account via the Customer Dashboard.

  
  For Nominated Representative data sharing on behalf of a business entity / organisation, data sharing is only available if the authorised representative[s] of the business entity have completed and submitted the Open Banking – Data Sharing Form for Non-individual entities. For more information, please see ‘How do I add and remove a Nominated Representative for data sharing on behalf of my organisation?'

  
  Is there a mobile phone app available for the customer dashboard?
  Currently the customer dashboard is browser based and optimised for mobile and desktop devices. At this stage, a dedicated mobile app is not planned.

  
  Is the customer dashboard designed with accessibility in mind?
  Yes. Screens within the dashboard have been designed to meet accessibility requirements in the Consumer Data Right (CDR) standards, including colours, fonts and resizeability, to make sure we are meeting the needs of as many of our customers as possible.