With the October deadline to publish Open Banking product APIs behind us, banks and credit unions are looking ahead to the next big CDR milestone: From 1 July 2021, non-major ADIs will have to be registered as a Data Holder and enable their customers to share CDR data with accredited third parties.
Building and testing the systems and APIs to enable this is no small feat, and getting your Data Holder testing right can save you a lot of money.
As the CIO of Australia’s most experienced Data Holder tester, Tony Thrassis has been closely involved in the extensive testing Frollo did with the Big Four banks.
We got him to share his experience by asking him 5 questions about Data Holder testing.
It’s important to look for a Data Holder testing partner that can provide a solution that suits your needs, instead of a one-size-fits-all solution.
Tony Thrassis, CIO (Frollo)
1. What scope should Data Holder testing cover?
Data Holder testing should generally cover four areas:
- Data sharing APIs – Banking APIs, common APIs and API unhappy paths
- Security profile – Validating different types of authorisation requests and tokens
- Consent flow – Flows for establishing, withdrawing and validating consents
- Register – Registration management and recovery
Each of these areas are tested for different scenarios. They include different products (like credit cards, mortgages and bank accounts), account types (like joint accounts), error codes and personas.
Both phase 1 and 2 scope needs to be tested, although the timing depends on the Data Holder’s launch schedule. After go live, there’s ongoing testing that needs to be conducted to comply with changes and updates.
2. Can I use the CTS for testing?
The Conformance Test Suite (CTS) is a tool the ACCC provides to Data Holders, to test their compliance with the Consumer Data Standards and Consumer Data Right Register design.
It’s the last step before your accreditation and it’s a requirement before you go live. It’s not, however, a Data Holder testing solution.
The CTS does not test the internal workings and validations of a Data Holder and it does not test the consent flow. It’s also not a sandbox or an assisted development tool.
It’s important to conduct thorough testing to ensure you have a production ready Data Holder brand before using the CTS, as per the ACCC’s recommendations.
3. Can my Data Holder technology provider do the testing?
First of all you should always expect your technology provider to perform thorough system testing, to ensure the solution works as intended.
It’s sound practice to have an independent testing team, which can come from the same provider – especially when it comes to system testing.
It’s different when you get to User Acceptance Testing (UAT) though. The Data Holder will have to test and accept the implementation, so your technology provider can’t really do this for you.
Most users aren’t able to perform all of the technical tests required and validate the results though. That’s where an independent, specialised testing partner can help out.
4. How much should testing cost?
That’s a great question, and the honest answer is, it depends. Three things can have a significant impact on the cost of your Data Holder testing:
- Your Data Holder solution – If you’re using mature technology that’s undergone a lot of system testing already, Data Holder testing will be more efficient and will cost less.
- Your testing scope – Currently the ACCC has outlined over 300 potential test cases for phase 1 scope. It’s up to you to decide how many you want to test and the level of risk you’re comfortable with. Do you want to conduct stress testing and performance testing too? This will have an impact on the cost of the project.
- Your testing partner – Does your Data Holder testing partner have experience with CDR Data Holder testing? How many issues have they seen and resolved before? If their engineers have deep experience with CDR Data Holder testing, it will help them quickly understand and triage issues, resulting in lower cost.Technology can also significantly improve efficiency. A comprehensive testing tool to automate testing, using codified test cases, can increase the speed and reliability of the testing process.
5. What should a Data Holder look for in a testing partner?
At Frollo we’ve tested extensively with the Big Four banks, and we’re working with a number of other partners on Data Holder testing too. From my experience, a few things are important when selecting a testing partner.
Experience
I’d look for a partner that has deep, real world experience with CDR, as well as Data Holder testing. From the work we’ve done with our clients so far, the experience our engineers bring has saved them a lot of time and money because they were able to identify and triage issues quickly based on their knowledge of Open Banking APIs and testing scenarios.
It helps that we have technology to automate a lot of the testing, which means our engineers are focused on the issues, while knowing the tests are done quickly, and the test results are consistent and reliable.
Flexibility
With hundreds of potential test cases and many different types of possible tests, there’s a lot to chose from. Not every Data Holder has the same risk appetite or quality expectations, so it’s important to look for a partner that can provide a solution that suits your needs, instead of a one-size-fits-all solution.
Frollo Data Holder Testing
Work with Australia’s most experienced Data Holder tester to save time and money on your accreditation, knowing your testing is done to the highest standards.