This article was written by Daryl Cox, Roslyn Hinchliffe, Max Allan and Cheng Lim.
Recent amendments to the Consumer Data Right (CDR) rules which facilitate greater participation in the CDR regime by participants and consumers mark a significant leap forward for the CDR regime. These are important changes that will open up the CDR regime, provide greater control and choice to consumers in sharing their data, promote innovation, and provide businesses across the economy with new opportunities to participate in the CDR regime and create compelling use cases for their customers.
Highly anticipated amendments to the CDR rules were made on 30 September 2021 and registered on 5 October 2021 that:
- introduce two new pathways to participate in the CDR regime – the sponsorship model and CDR representative model;
- provide new ways for consumers share their data outside of the CDR ecosystem – by sharing CDR data with trusted advisers and CDR insights with third parties; and
- streamline elements of the CDR regime.
These amendments coincide with the Treasury’s consideration of expansion plans for the CDR and its sectoral assessments already well underway, stemming from the report of the Inquiry into Future Directions for the CDR (Future Directions Report).
What does it mean for you?
With increased accessibility for the CDR regime and imminent visibility of its future expansion, we are at a critical juncture for the CDR ecosystem, and for consumer-focused businesses who have been taking a ‘wait and see’ approach to participation.
Forward-thinking businesses will use these developments as a platform to plan their entry into the CDR ecosystem, to pick up CDR projects that have stalled, or to turbo-charge existing efforts.
Those who wait risk being left behind.
New pathways to participate in the CDR regime
Until now, the only pathway for a data recipient to join the CDR ecosystem has been to apply for unrestricted accreditation, which involves ensuring there are arrangements in place to meet the requisite upfront and ongoing compliance requirements. We explored these compliance requirements in our previous Alert on CDR accreditation.
Consistent with Direction 3 of the Future Directions Report (“Beyond a standalone system, towards an integrated data ecosystem”)[i], the sponsorship model and CDR representative model have been introduced to lower the barrier to entering the CDR regime.
A new level of sponsored accreditation will be available from 1 February 2022. A person that is an ‘affiliate’ within the CDR regime will hold the sponsored level of accreditation and have in place an agreement with a ‘sponsor’ that holds unrestricted accreditation. Under this sponsorship arrangement, the affiliate can ask the sponsor to collect CDR data from data holders on behalf of the affiliate where it has the relevant consumer’s consent to do so.
The affiliate keeps the consumer relationship and manages consents given by consumers. Further, once the affiliate receives CDR data from its sponsor, the affiliate is responsible for any downstream use and disclosure of that CDR data.
In return for being beholden to its sponsor for data collection, the affiliate may self-assess and attest to its compliance with the CDR’s rigorous information security requirements. This is likely to lead to a significant cost reduction when compared to the unrestricted accreditation pathway, which requires accredited data recipients (ADRs) to obtain independent assurance reports and to make attestation statements in compliance with ASAE 3150.
The sponsor has some oversight responsibility. As a condition of its unrestricted accreditation, a sponsor must provide training to its affiliates and implement management frameworks aimed at ensuring its affiliates maintain appropriate information security capabilities.
CDR Representative Model
The CDR representative model is similar to the ‘authorised representatives’ model under the Australian financial services licensing regime.
From 19 October 2021, a ‘CDR representative’ with an agreement with a ‘principal’ holding unrestricted accreditation may ask the principal to collect CDR data for the representative to use to provide goods and services to its customers. The CDR representative does not require accreditation. It just needs to be registered on the Register of Accredited Persons managed by the ACCC before accessing or using CDR data. Though a CDR representative can only have one sponsor; a limitation that doesn’t apply in reverse to sponsors.
The principal is ultimately liable for the conduct of its CDR representatives and for providing the infrastructure and capability necessary to comply with the CDR laws. Principals will therefore need to carefully select and manage CDR representatives, and put in place appropriate contractual protections.
New opportunities to leverage unrestricted accreditation
In addition to lowering the barrier to entering the CDR regime, these new participation models will provide opportunities for ADRs with unrestricted accreditation to leverage their infrastructure and accreditation by becoming trusted data gateways – providing a link between affiliates and CDR representatives, on the one hand, and data holders, on the other.
These gateway opportunities are likely to be seized initially by outsourced service providers (OSPs) who already support ADRs to connect with data holders with ready-made application programming interfaces (APIs) and data ingestion functionality. New players may emerge in this space to satisfy the needs of affiliates and CDR representatives, particularly ADRs who recognise that having unrestricted accreditation and the associated capability and infrastructure is a point of significant value.
These types of opportunities in the supply chain will allow the CDR to expand and meet its potential.
New ways for consumers to share data
The recent amendment to the CDR rules will allow consumers to consent to their data being shared outside of the CDR ecosystem in certain circumstances. Consumers can elect to share their CDR data with trusted advisers or CDR insights with other third parties.
The CDR insights concept has attracted significant interest since it was published in a consultation paper on 30 September 2020. One year later, the CDR rules have been amended to allow consumers to authorise ADRs with unrestricted accreditation to share a limited range of low-risk CDR data with third parties, for the purposes of verifying:
- the consumer’s identity;
- the consumer’s account balance; and
- the details of credits to or debits from the consumer’s accounts.
To avoid full transaction lists or ledgers being disclosed, ADRs cannot disclose amounts or dates of multiple transactions.
It is expected that CDR insights will provide a secure channel for authenticating individuals or transactions, with a high degree of veracity as the data is coming directly from the source and through a trusted framework. Already, interesting use cases are emerging that leverage CDR insights to confirm if consumers have sufficient funds for a transaction or meet the lending criteria for a loan.
We expect this to be fertile ground for innovation.
Consumers will also be able to authorise ADRs with unrestricted accreditation to share their CDR data with a range of trusted advisers, including:
- qualified accountants;
- admitted lawyers with a current practising certificate;
- registered tax agents, Business Activity Statement agents and tax (financial) advisers;
- financial counselling agencies;
- financial advisers; and
- mortgage brokers.
Trusted advisers do not require accreditation and will not be subject to the CDR laws. The rationale is that this grouping of professionals are already subject to obligations that require them to handle CDR data appropriately and to act in the interest of consumers.
It is hoped that this option provides consumers with greater convenience to share data with these trusted advisers who will, in many cases, already have a need to access CDR data to provide advisory services.
These new types of disclosures will be permitted from 1 February 2022. This date may be brought forward if the consumer experience (CX) data standards required to enable them are made before then.
Once the CDR data or CDR insights are transmitted to the recipient, they leave the CDR ecosystem. The data will then no longer be subject to the protections and safeguards of the CDR laws. This is a significant development for the CDR regime, which has so far restricted access to CDR data to accredited persons within the CDR ecosystem. The CX data standards are therefore an important feature to ensure that these disclosures are secure.
Streamlining the CDR regime
The amendments to the CDR rules will further streamline how the CDR works.
Outsourced service providers
Until now, OSPs have required unrestricted accreditation to collect CDR data on behalf of an ADR, or to provide products or services to an ADR using CDR data. From 19 October 2021, fully accredited ADRs can enter an CDR outsourcing arrangements with unaccredited OSPs to perform those activities. OSPs can also sub-contract the provision of products or services to ADRs, excluding data collection activities.
These amendments are expected to ease the burden for OSPs including those providing APIs and data ingestion functionality.
An important change has been made to the framework for joint accounts, for sectors such as banking where products can have joint account holders. The initial framework for joint accounts and interim amendments made in December 2020 required all joint account holders to ‘opt-in’ to data sharing before any could occur on the account. The final report on the Review into Open Banking in Australia published in December 2017 recommended that, as a principle, the authorisations that currently apply to joint accounts in respect of the transfer of money should also apply to the transfer of data which ultimately relates to that money. In accordance with this principle, if a joint account requires only one account holder to authorise a transfer of money from the account, then a direction to share data relating to that account should also require the consent of one account holder only.
The effect of the recent amendments to the CDR rules is to provide a default ‘pre-approval’ setting for joint accounts, allowing any account holder to request that their CDR data is shared without requiring approval from other account holders. These changes will take effect on 1 July 2022, unless a data holder wishes to comply earlier. Protections will be available to notify other joint account holders, who may at any time require a ‘co-approval’ setting to be implemented for data sharing (if offered by the data holder) or may prohibit data sharing with a ‘non-disclosure’ setting.
A force multiplier: accessibility and expansion
The amendments to the CDR rules are introduced at a time when the Treasury is considering the expansion of the CDR from the banking[ii] and energy[iii] sectors to cover the whole Australian economy.
In particular, the Treasury’s consultation on its Strategic Assessment for the implementation of the CDR across other sectors and data sets has completed, as has the consultation on the Sectoral Assessment of the telecommunications sector. Final reports for both of these assessments are eagerly awaited, and are expected to form the foundations of the Government’s CDR Implementation Roadmap and inform the report that the Minister will consider when deciding whether to designate telecommunications as a CDR sector, respectively.
This expansion will be a force multiplier to the accessibility provided by the changes to the CDR rules.
However, the opportunities for forward-thinking businesses are not limited to those in the banking sector or other sectors designated by the Treasury. Based on early use cases that are emerging, opportunities are there for consumer-facing businesses across the economy.
Contact us if you would like to know more about the amended CDR rules, or to discuss the opportunities for your business.
[i] See our previous Alert on the Future Directions Report.
[ii] See our previous Alert on Open Banking.
[iii] See our previous Alert on the status of the energy sector rollout.