Consumer Data Right (CDR) legislation and compliance

Is accreditation the only way to get CDR data?

CDR encompasses a variety of models designed to facilitate safe, secure, and consumer-consent-based sharing of data across different sectors. These models aim to provide differing ways of participation. They include:

1. Unrestricted Accredited Data Recipient (ADR)

An Unrestricted ADR, accredited by the Australian Competition and Consumer Commission (ACCC), has the authority to access consumer data securely, but only with explicit permission from the consumer. These firms adhere to the Consumer Data Right regulations and have cleared their capability in handling data. A typical example is seen in ADR financial management applications that, once authorised by the consumer, can provide a consolidated budget overview for individuals who have accounts across various banks.

2. Sponsorship model

The sponsorship model is essentially a helping hand for smaller businesses to join the CDR. It allows smaller entities to access to CDR data through the accreditation of a larger, already accredited sponsor. The consumer agrees for the sponsored entity to access their data for defined services, with the understanding that the sponsor (an accredited entity) is ultimately responsible for the data handling. This way, smaller businesses can innovate and offer new services without the heavy lifting of the accreditation process.

3. Representative model

The representative model in the CDR framework enables a company to use consumer data obtained by a partner company that is an Unrestricted ADR, without needing its own accreditation. The accredited partner, called the Principal, is responsible for any data the non-accredited company, known as the Representative, uses. For instance, a mortgage broker might partner with a bank that is an Unrestricted ADR to get financial data for their clients. The broker uses this data to advise on mortgage options. The consumer is informed and must consent to their data being used by the broker. It's the bank's job to ensure the data is used correctly and the consumer's consent is properly obtained.

4. Collecting Outsourced Service Providers (COSP)

COSPs are service providers that are not directly accredited under the CDR, but are contracted by accredited entities to collect CDR data on their behalf. This model enables accredited entities to use third-party services for data collection, allowing them to focus on their core competencies and service offerings.

5. Trusted adviser

The trusted adviser model within the CDR framework proposes to share consumer data with professional advisers, like financial planners or accountants, when certain conditions are met. This arrangement enables consumers to allow their trusted advisers to securely access their financial data for more personalised guidance. For example, a consumer can permit a financial management platform, which they use and has CDR accreditation, to provide their financial information to an independent financial adviser. This then allows the adviser to offer tailored advice on the consumer's investments, savings, and retirement plans, based on a full understanding of the consumer's financial picture. Consumer consent here is very specific: they must clearly agree to share their data with the adviser, understand exactly what data will be shared, the purpose of the sharing, and how long the data will be accessible to the adviser.

6. CDR insights

The CDR insights model offers a way for consumers to let third parties see simple, important details derived from their data, intended for straightforward, low-risk uses. In this model, ADRs can process and share specific data insights once they have the consumer's permission. For example, when applying to rent a house, a consumer might allow their bank to confirm their average income and ability to pay the deposit to the property manager using this model. The bank can then provide just the necessary insights without revealing the consumer's full transaction history, making the process quicker and easier. To share these insights, the consumer must explicitly agree to what's being shared, why, and with whom, ensuring they have a clear understanding of the use of their information.

Each of these models plays a crucial role in expanding the CDR ecosystem, lowering barriers to entry, and enhancing consumer trust and security. By providing various pathways for entities to participate in the CDR, the system aims to foster innovation and consumer-centric services across industries.

What does consent have to do with CDR?

CDR revolutionises how consumer data is managed, placing a strong emphasis on consumer consent for data sharing between individuals and accredited businesses. This regulatory framework grants consumers unprecedented control over their personal information, enabling them to securely share it with chosen providers in sectors like banking and energy, thereby enhancing competition and innovation.

Central to CDR is the principle of explicit consumer consent, allowing individuals to specify which data can be shared, with whom, and for how long. This empowers consumers to use their data for accessing tailored services and better deals, ensuring they can make informed choices. Businesses accessing this data must adhere to strict privacy and security standards, with the flexibility for consumers to revoke consent at any time, further ensuring their control over their personal information.

For businesses, consumer consent opens avenues for innovation by enabling the development of products and services that meet precise consumer preferences, thus enhancing their competitive edge. Participating businesses must manage consent transparently, ensuring consumers can easily give, adjust, or withdraw their consent. Accreditation signifies a business's dedication to upholding the highest standards of data handling, fostering trust.

In essence, CDR reshapes consumer-business relationships with consent at its core, ensuring consumers dictate their data sharing terms, which in turn drives market innovation and consumer-focused solutions in a privacy-conscious framework.

How can my organisation benefit from CDR?

The CDR framework creates opportunities for entities that hold data, to evolve beyond their traditional roles. By accurately sharing up-to-date product information, these data holders can extend from their traditional silos and market themselves on new platforms.

For organisations that receive data, being an accredited recipient of consumer data through CDR has its own advantages. It enables these entities to design and offer innovative products and services based on customer data. With the explicit consent of consumers to share their data, these accredited recipients can improve sales and revenues. This ability to leverage the CDR not only enhances the customer journey but also provides a competitive edge in the marketplace.

What are data holder and data recipients required to do under CDR?

Under the CDR framework, data holders and data recipients bear a responsibility to safeguard consumer privacy and use CDR data responsibly and ethically.

Data holders are required to:

• empower consumers with control over their data, simplifying the process for them to compare and transition between products and services
• furnish data about their products and services to consumers and other Accredited Data Recipients (ADRs) upon the consumer's request, but only after receiving explicit consent from the consumer
• procure consent from consumers, detailing how their data should be shared
• disseminate CDR data in a machine-readable format using the secure CDR system
• publicly disclose the general product information they offer, encompassing aspects like interest rates, fees, charges, discounts, and other salient features
• present consumers with clear and succinct information about their rights under the CDR, explaining how to retrieve their data and retract their consent.

Data recipients, on the other hand, must:

• employ CDR data ethically and only for the purposes for which they have obtained the consumer's permission
• accumulate only the CDR data related to the purpose they've secured the consumer's consent 
• safeguard CDR data from unauthorised actions, including access, utilisation, revelation, alteration, or obliteration
• not sell or transfer CDR data to third parties without obtaining the consumer's explicit approval
• erase CDR data promptly once it's no longer necessary for its initial purpose
• adhere to the CDR stipulations regarding the collection, utilisation, and disclosure of data

What does the future hold for CDR?

CDR reform is set to evolve significantly, with the Australian government earmarking $88.8 million for 2023-2024 to enhance data standards, consultation, and the reform's visibility. This investment is expected to accelerate the reform's impact, not only ensuring compliance among existing entities in the banking and energy sectors but also facilitating the entry of new businesses into the CDR ecosystem.

As the volume of CDR data grows, and the framework expands into new sectors, both existing and emerging entities are poised to reap substantial benefits. This expansion underscores a focus on leveraging the full potential of open data to drive innovation, consumer choice, and competitive differentiation across industries.

For those in the banking and energy sectors, the immediate priority will continue to be the adherence to the Treasury's staged data sharing guidelines. Entities that are already compliant will continue to work closely with the Treasury to explore new benefits, develop practical use cases, and refine their operational models to maximise the advantages of open data.

The energy sector is actively aligning with these compliance guidelines, with retailers starting to respond to non-complex and complex consumer data requests. Retailers are gearing up to handle non-complex consumer data requests by November, with complex requests following in May 2024.

Non-bank lending is identified as the next frontier for CDR expansion. The Treasury is contemplating extending CDR rules to this sector to ensure a broader financial ecosystem coverage, building on the successes of open banking. Although the specifics are under review, a proposed timeline suggests that the sharing of product data could begin as early as November 2024, with further data sharing expansions planned for 2025.

The Treasury is also exploring the potential for 'write' access, which would allow consumers to direct accredited organisations to perform actions on their behalf, such as making payments or opening accounts. This development could significantly enhance consumer empowerment by streamlining data transactions, boosting customer satisfaction, and fostering brand loyalty. For businesses, it opens a new frontier for innovation, offering opportunities to redefine service delivery and secure a competitive advantage through enhanced consumer-centric offerings.

How can I start complying as a data holder CDR?

As a data holder, getting started with CDR will depend on your obligation to the Treasury's timeline. Here's what to consider:

1. Understand the CDR framework: Grasp what the CDR framework entails for your role. Familiarise yourself with the obligation to share data and the benefits it offers. Assess how CDR impacts your business operations.

2. Develop your CDR compliance approach: After understanding the CDR framework, devise a sound strategy. Ensure it encompasses essential aspects such as data security, data sharing, and clear communication with consumers. Your strategy should also include rigorous data governance and quality policies and procedures, and an assessment of your technological infrastructure to back up these strategies.

3. Assess your CDR readiness: Pinpoint your current stance and where you need to be. Evaluate your technology, data governance, data quality, resources, and policy to identify areas for development.

4. Implement CDR changes: Action the necessary organisational alterations to adhere to CDR mandates. This might involve the development of your APIs, refining policies, governance structures, and staff training.

5. Register with the ACCC: Registration with the ACCC requires creating an account on the Consumer Data Right Participant Portal. Once established, you'll need to provide the ACCC with details about your organisation and held data. After their review and approval, you should develop and rigorously test your CDR APIs against the CDR technical standards, using tools like the ACCC's Conformance Test Suite.

6. Commence data sharing: With successful onboarding, you can initiate data sharing with accredited recipients, provided you have the necessary consent from your customers.

7. Stay educated: Given that CDR regulations may evolve, maintain an adaptive compliance strategy. Continual training for your team ensures familiarity with the latest regulations and best practices. Regular interaction with regulators and industry counterparts helps align regulatory and strategic priorities, facilitating knowledge exchange.

Note: This list is not exhaustive. The specific route to compliance can vary significantly, including modifying existing systems, implementing entirely new systems, or outsourcing tasks to external vendors.

How can I start complying as a data recipient?

Unlike data holders, there's no regulatory compliance or enforcement requiring your organisation to use the CDR. However, there can be many potential benefits by doing so. If you're looking to become an accredited data recipient, consider the following:

Pre-accreditation

1. Assess the CDR's potential benefits: First, grasp how the CDR might be advantageous for your goals, customers, and products and consider benefits for your internal operations and external clientele.

2. Formulate your CDR strategy: Use the CDR Accreditation Criteria as a guide to discern where your business needs to align. This involves understanding technical, data, security, customer consent, and dispute resolution requirements. With a clear view of these prerequisites, devise a strategy for CDR incorporation, identifying required resources, technology, and drafting supporting policies and procedures.

3. Bridge the gap: Plan how to reconcile any disparities between your current and intended states. This involves noting resources, technology, and procedures and determining the necessary adjustments for a seamless application process.

4. Register for the Consumer Data Right Participant Portal: After familiarising yourself with the legal and IT criteria, apply for an account to access the portal. This will need verification by an official representative of your organisation.

5. Submit your application to the ACCC: Once your account is established, choose the accreditation model and initiate an application via your primary business contact. The ACCC will assess your submission based on the accreditation criteria and may set specific conditions.

6. Meet additional onboarding requisites: If successful, further onboarding and conformance tests are necessary before you receive your accreditation number.

Post-accreditation

1. Commence data acquisition: With successful onboarding, begin receiving data to craft new products or services, elevate customer experience, or cut costs.

2. Monitor and appraise: Regularly assess your CDR application to ensure it aligns with your business needs, monitoring application performance, data quality, and customer experience.

Why should I engage KPMG to help me with the CDR rollout?

Engaging KPMG for guidance with the CDR rollout is a strategic decision with many benefits:

• Demonstrated experience: We are at the forefront of CDR implementation and have detailed understanding of CDR, having supported multiple clients, CDR product providers and market participants with CDR compliance.
• Subject matter expertise: We have experts across corporate and technology services, with experience of delivering strategic transformations and compliance with CDR.
• Global network: Our extensive network allows us to work with entities across the globe with access to broad perspectives who have experience with similar compliance requirements, including but not limited to the UK's Open Banking scheme.
• Market recognition: Our reputation as leaders in the CDR domain showcases commitment to staying at the forefront of regulatory changes. This can provide you with a competitive edge in your CDR journey.