Consumer Data Right – becoming an Accredited Data Recipient

9 July 2020
Dudley Kneller, Partner, Melbourne
David Smith, Consultant, Melbourne

The Consumer Data Right (CDR) reached a further milestone on 1 July 2020, as the Big 4 banks are now required to share consumer data in response to a consumer request.

At present, this includes data from debit and credit cards, and savings and transaction accounts, and from November 2020 will include data from home loans and personal loans, joint accounts, closed accounts, direct debits, scheduled payments and details of payees.

A proposed timetable for the rollout of the CDR in the banking sector has been published, and if no further delays are experienced, it will be fully implemented by February 2022.

The CDR presents significant opportunity (and challenge) to those organisations wishing to become an Accredited Data Recipient (ADR).

Accredited Data Recipients

Under the CDR, consumers can request that Data Holders (currently the Big 4) share their data directly with the consumer themselves or with an ADR.

Becoming an ADR is a voluntary process which requires entities to comply with stringent accreditation requirements.

The Australian Competition and Consumer Commission (ACCC) is responsible for accreditation, and applications are made through the CDR Participant Portal.

Accreditation guidelines have been released to help applicants submit valid applications and become accredited.

Accreditation requirements

Requirements to receive accreditation include:

  • the applicant and any associated person be a fit and proper person to manage CDR data;
  • compliance with information security requirements;
  • adherence to dispute resolution procedures; and
  • insurance requirements.

The accreditation requirements are comprehensive and will require potential ADRs to carefully consider how they can effectively demonstrate compliance with the regulatory obligations in order to progress. There are particular challenges around information security compliance and assurance.

Accreditation can be suspended or revoked by the ACCC in a variety of circumstances, including where a person contravenes a law relevant to the management of CDR Data, contravenes the CDR Rules or a data standard, or where the person is no longer a fit and proper person. The ACCC may also impose conditions on accreditation including limiting scope to particular products or services and requiring regular reporting to the ACCC.

There are currently only two ADRs; however, the ACCC has stated that it has received 39 further applications.

Consumer Data Standards

Participation in the CDR requires entities to adhere to data standards, which are set out by Data61. The data standards comprise CX Standards and guidelines, the information security profile, API standards, and non-functional requirements.

These standards largely dictate the consumer experience – how consumers interact with the CDR, how information and interactions are presented, consent flows, and the language that is used.

CDR Rules, Privacy, Compliance and Enforcement

In addition to accreditation requirements and data standards, entities are required to comply with the CDR Rules and Privacy Safeguards. Further, the ACCC and Office of the Australian Information Commissioner have released the Compliance and Enforcement Policy, which ADRs need to navigate to ensure compliance with the CDR.

Reciprocity

As the CDR continues to roll out, the principle of reciprocity may apply in relation to data that is obtained by an ADR through the CDR. ADRs may themselves be subject to obligations similar to those of Data Holders, in particular the requirement to transfer data to consumers and other ADRs.

The extent to which the reciprocity mechanism within the CDR is implemented remains to be seen; however, ADRs should be on notice that the CDR may not operate as a one-way street, and consumers may be able to require that their data be transferred both to and from ADRs.

To become accredited?

As the financial industry welcomes a new dawn around the transparent and efficient sharing of consumer data, interested parties will need to carefully weigh up the pros and cons of becoming an ADR. There are significant regulatory requirements which will no doubt require a level of organisational and operational change for a prospective recipient. Fast moving businesses which can adapt quickly are positioned well to take advantage of the opportunity. The question remains whether the benefits of becoming an ADR outweigh the significant costs of participation and regulatory compliance obligations.

Gadens is well placed to assist entities to understand their obligations as Accredited Data Recipients, the accreditation process and ongoing compliance.

Authored by:

Dudley Kneller, Partner
Gabe Abfalter, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
