The Consumer Data Right (CDR) is a new, regulated data sharing regime that gives consumers the ability to share their personal data with organisations that they trust.
Open Banking is the application of CDR as it relates to the banking industry.
“The consumer data right was introduced in banking first. Thus, it was given the name open banking, and that name stuck and is used as a proxy, or an alternative to Consumer Data Right.” – Jon Shaw, CEO of Moneysoft.
The CDR covers the customer, product, account, and transaction data that is typically held by organisations (called Data Holders) such as banks and other financial institutions. The CDR gives individuals the power to control their own data and share it with companies that they engage with in product or service offerings.
The purpose of these changes is to introduce the safe, consent-driven sharing of this customer data with different organisations. The intent is for this data sharing to improve product and service innovation, and competition among businesses offering outcomes for consumers.
The Australian Competition and Consumer Commission (ACCC) is the lead regulator of the CDR.
The Banking sector is the first sector to implement the Consumer Data Right. The CDR is envisaged to become an economy-wide system which will enable the safe and secure transfer of consumer data between data holders, accredited data recipients and other participants.
“Australia is lagging behind the rest of the world in terms of getting open banking and consumer data right in place across different industries. After the banking sector, CDR will open up to other sectors over time” – Jon Shaw.
Data holders are effectively any organisation that holds specific customer data. Currently, CDR access is limited to banking products; in time, data holders in the financial services industry will also extend to insurance, investment management and superannuation providers.
Presently, many of the larger financial institutions and medium-tier banking organisations are active and accredited under CDR as Data Holders; www.cdr.gov.au provides a list of all the Active Accredited Data Holders.
Once fully active in the Banking Sector, CDR will see inclusion of the energy sector, which is scheduled to be active within the Consumer Data Right by November 2022. Telecommunications providers are estimated to be in the Consumer Data Right in early 2023, followed by General Insurance.
And it won’t stop there. A report by Minter Ellison on the Consumer Data Right Strategic Assessment Consultation Paper issued by Treasury in July 2022 listed the following industries as next in line to be included in the Consumer Data Right.
A Data Holder can grant access to CDR data only to an Accredited Data Recipient. Once accredited person status has been granted, CDR data can flow from the data holder to a Data Recipient only with the consent of the consumer.
There are many different data access options as illustrated in the model above, and only some of these involve accreditation status. The level of accreditation will determine what data you can receive and access, and perhaps most critically, what you can do with the data itself.
“There are differences between an accredited person, an accredited data recipient and a CDR participant. An accredited person is someone who is allowed to receive and collect consumer data. An accredited data recipient is someone who is both allowed to and has received or collected raw consumer data. A CDR participant is someone who is sponsored or contracted by an accredited person to receive or collect data as an affiliate or agent of the accredited person” – Jon Shaw
The Appendix to this report, CDR Model and Accreditation Types, provides an overview of the CDR access levels and associated accreditation requirements.
Accredited persons may receive CDR data from a data holder or other accredited person at the request and consent of the consumer.
Other entities may access CDR data by being “sponsored” or “registered” by an Accredited Data Recipient.
A current list of Accredited Data Recipients is accessible here.
Within the CDR framework, Financial Advisers are classified as “Other Participants”, and may gain access to CDR data through an Accredited Data Recipient, with the consent of their client. We discuss this further below.
Unrestricted ADR status offers “unrestricted” access to data.
The accreditation process for ADR status is lengthy and expensive, with an organisation's security, compliance, technical controls, governance and processes, and business fitness all under assessment.
Companies applying to become an ADR must be able to meet minimum security requirements to prove they are able to protect CDR data from misuse, loss, and unauthorised access and use. Organisations will need to design, implement, and operate a CDR data environment that complies with the rules. In addition, an assurance report and audit are required to review the controls, people, processes, technology, and infrastructure that manage, secure, store, or otherwise interact with CDR data.
“Due to the Government regulation and data security requirements, it will be very costly for Data Recipients to actually operate and maintain services that comply with all of the requirements and hold the necessary insurances in place to meet the regulations” – Jon Shaw.
Whilst there are other pathways, gaining sponsorship from an Unrestricted ADR as a Trusted Adviser appears the most appropriate, affordable and efficient option for Financial Advisers and other professionals.
Unrestricted Access Data Recipients have the highest level of accreditation and may act as a sponsor of Trusted Advisers.
Trusted Adviser status allows the disclosure of CDR data to “Other Participants”, including approved professionals such as Financial Advisers, Accountants, Lawyers, Mortgage Brokers and Financial Counsellors.
It is possible that there will be a financial cost associated with sponsorship by an Accredited Data Recipient as there are associated risks and responsibilities placed upon the ADR under this model.