Rules Mate

Consumer Data Right: Banking Data Holder and Accredited Data Recipient Duties

How the Consumer Data Right works in banking, including data holder obligations and the ACCC accreditation process for data recipients.

Rules Mate Editorial | Published 2 June 2026 | 3 min read

The CDR framework in banking

The Consumer Data Right is established by Part IVD of the Competition and Consumer Act 2010 and provides consumers with greater control over their data. It is currently active in the banking, energy and, from 2026, non-bank lender sectors.

Within the CDR framework, data holders are entities that provide consumer data, such as banks, while accredited data recipients (ADRs) are entities that receive that data. The ACCC, OAIC and Treasury jointly administer the CDR regime, overseeing the responsibilities of both data holders and ADRs.

CDR Rules version 8 extends the CDR to non-bank lenders, with product data sharing commencing 13 July 2026. This expansion builds on the existing framework already in operation for banking data holders and ADRs.

Banking data holder obligations

Banking data holders are required to implement practices, procedures and systems to comply with the Consumer Data Right (CDR) Rules. This includes establishing robust operational capabilities to support data sharing and consumer access requests. Data holders should also consider the ABA Banking Code of Practice when developing these systems.

A key obligation is to publish a CDR policy. This policy must clearly explain to consumers how they can enquire about their data, lodge complaints, access their data, and request corrections. The policy must be readily accessible and easily understood.

Data holders must also adhere to specific processes regarding data accuracy. They must respond to consumer data correction requests within the mandated statutory timeframes and ensure that any data shared with accredited data recipients is correct. If incorrect data has been disclosed, data holders must notify affected consumers. Compliance with these obligations is monitored by the Australian Competition and Consumer Commission (ACCC), with separate guidance provided for major banks versus non-major ADIs.

Accredited data recipient obligations

Accredited data recipients (ADRs) gain their status through the ACCC’s CDR Rules accreditation process. This accreditation signifies a commitment to specific obligations regarding the handling of consumer data. ADRs are responsible for ensuring their data handling practices align with the requirements outlined in the CDR Rules and related guidance.

ADRs must adhere to all 13 Privacy Safeguards detailed in Part IVD of the Consumer Credit Act (CCA). These safeguards supersede the Australian Privacy Principles (APPs) when dealing with consumer data accessed through the Consumer Data Right. ADRs are obligated to collect, use, and disclose CDR data solely based on the consents provided by consumers. RG 271 internal dispute resolution provides guidance on dispute resolution.

When CDR data is no longer needed for the purpose for which the consumer consented, ADRs must either destroy it or de-identify it. Furthermore, ADRs are required to implement information security controls that meet the standard of ISO 27001, supported by annual independent assurance to demonstrate ongoing compliance.

Consent, complaints and enforcement

Consumer consent is fundamental to the Consumer Data Right. Consent must be informed, specific, time-limited and can be revoked by the consumer at any time. Data holders and Accredited Data Recipients (ADRs) are required to obtain and manage consumer consent in accordance with the CDR rules.

Both data holders and ADRs must participate in an external dispute resolution (EDR) scheme. Currently, this requires membership of the Australian Financial Complaints Authority (AFCA) or an equivalent scheme. Consumers can utilise these schemes to resolve disputes related to their data sharing experiences.

The Office of the Australian Information Commissioner (OAIC) investigates complaints relating to breaches of the Privacy Safeguards and misuse of personal information. The Australian Competition and Consumer Commission (ACCC) has enforcement powers, including the ability to issue infringement notices and seek civil penalties under Part IVD of the Competition and Consumer Act. Non-bank lenders will begin product data sharing from 13 July 2026.

Frequently asked

Do small banks have the same CDR obligations as the Big Four?

All ADI data holders eventually share the same data sets, but smaller banks have phased implementation deadlines. ACCC compliance guidance differentiates between major banks (Big Four), non-major ADIs and reciprocal data holders.

Can a fintech use CDR data without becoming an ADR?

Yes, in limited circumstances. The CDR Rules allow representative, sponsor and trusted adviser models where a non-accredited entity can use CDR data subject to oversight by an ADR or under specific exemptions.
