The Consumer Data Right (CDR) reached a further milestone on 1 July 2020, as the Big 4 banks are now required to share consumer data in response to a consumer request.

At present, this includes data from debit and credit cards, and savings and transaction accounts, and from November 2020 will include data from home loans and personal loans, joint accounts, closed accounts, direct debits, scheduled payments and details of payees.

proposed timetable for the rollout of the CDR in the banking sector has been published, and if no further delays are experienced, it will be fully implemented by February 2022.The CDR presents significant opportunity (and challenge) to those organisations wishing to become an Accredited Data Recipient (ADR).

Accredited Data Recipients  

Under the CDR, consumers can request that Data Holders (currently the Big 4) share their data directly with the consumer themselves or with an ADR. Becoming an ADR is a voluntary process which requires entities to comply with stringent accreditation requirements.

The Australian Competition and Consumer Commission (ACCC) is responsible for accreditation, and applications are made through the CDR Participant Portal.   Accreditation guidelines have been released to assist applicants submit valid applications and become accredited.

Accreditation requirements

Requirements to receive accreditation include:

  • the applicant and any associated person be a fit and proper person to manage CDR data;
  • compliance with information security requirements;
  • adherence to dispute resolution procedures; and
  • insurance requirements.

The accreditation requirements are comprehensive and will require potential ADRs to carefully consider how they can effectively demonstrate the regulatory obligations to progress. There are particular challenges around information security compliance and assurance.

Accreditation can be suspended or revoked by the ACCC in a variety of circumstances, including where a person contravenes a law relevant to the management of CDR Data, contravenes the CDR Rules or a data standard, or where the person is no longer a fit and proper person. The ACCC may also impose conditions on accreditation including limiting scope to particular products or services and requiring regular reporting to the ACCC.

There are currently only two ADRs, however the ACCC has stated that they have received 39 further applications.

Source: Gadens article