
CDR Accredited Data Recipient: Banking Sector Accreditation Process

The Consumer Data Right (CDR) accreditation process for Accredited Data Recipients (ADRs) in banking: criteria under the Competition and Consumer Act 2010 Part IVD, ACCC and OAIC joint regulators.

Rules Mate Editorial | Published 10 June 2026 | 3 min read

CDR statutory framework

The Consumer Data Right (CDR) is established under Part IVD of the Competition and Consumer Act 2010 (Cth), inserted by the Treasury Laws Amendment (Consumer Data Right) Act 2019. This legislative framework enables consumers to control their data and share it with accredited recipients. Accreditation of data recipients in the banking sector is a key component of this system.

Banking was the first sector designated for CDR, and the consumer data rules (CDR Rules) came into effect from 1 July 2020. Following banking, Energy was also designated (from October 2022), and non-bank lending was designated in 2022, with rules now in force.

The CDR is jointly regulated. The Australian Competition and Consumer Commission (ACCC) oversees competition and standards, while the Office of the Australian Information Commissioner (OAIC) is responsible for privacy matters. The Data Standards Body (DSB), hosted by Treasury, develops the Consumer Data Standards.

Accreditation tiers and criteria

Accreditation as an Accredited Data Recipient (ADR) is required to collect CDR data from data holders, except for entities using the sponsored or representative pathways. The Australian Competition and Consumer Commission (ACCC) grants accreditation under rule 5.5 of the CDR Rules.

The primary accreditation level is ‘unrestricted’. To achieve this, applicants must meet specific criteria. These include demonstrating the ‘fit and proper person’ status of key personnel, possessing adequate information security capability, maintaining appropriate insurance coverage, and demonstrating sufficient operational capacity.

Applicants must also demonstrate adherence to the CDR information security controls outlined in Schedule 2 of the CDR Rules. This is frequently evidenced through an assurance report obtained from a qualified assessor. Appropriate insurance, such as cyber liability and professional indemnity, is also a mandatory requirement to mitigate potential liabilities associated with CDR data handling.

Alternative access models

The CDR Rules provide for several alternative access models for data recipients beyond direct accreditation. The sponsored accreditation model, introduced in October 2021, enables an accredited data recipient (the sponsor) to facilitate access to CDR data for an affiliate. This allows the affiliate to operate under the sponsor’s existing accreditation.

Another model is the CDR representative model, which permits an accredited data recipient (the principal ADR) to allow unaccredited entities (CDR representatives) to utilise CDR data to provide goods or services to consumers. This access is governed by a written arrangement between the principal ADR and the CDR representative. Trusted advisers, including qualified accountants, lawyers, registered tax agents and licensed financial advisers, may also receive CDR data with consumer consent to provide professional advice.

Finally, the CDR insights disclosure model allows accredited data recipients to share specific ‘CDR insights’ with nominated parties. Each of these alternative access models is subject to specific consumer consent and notification requirements detailed within the CDR Rules.

Ongoing obligations and enforcement

Accredited Data Recipients (ADRs) have ongoing obligations to maintain compliance with the Consumer Data Right (CDR) framework. A key requirement is adherence to the 13 CDR Privacy Safeguards, which are more stringent than the Australian Privacy Principles. ADRs must also report data breaches affecting CDR data under the CDR notifiable data breach scheme to both the Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC).

Failure to comply with the CDR Rules can result in significant penalties. The ACCC retains the power to suspend or revoke accreditation under rule 5.17 of the CDR Rules. Civil penalties for breaches of the CDR Rules can reach up to $50 million for bodies corporate, reflecting the maximum penalty available under the Competition and Consumer Act 2010.

Complaints regarding breaches of the CDR Privacy Safeguards are handled by the OAIC under section 56EJ of the Act. ADRs should ensure robust processes are in place to manage privacy risks and maintain ongoing compliance with all CDR obligations.

Frequently asked

Who can become an Accredited Data Recipient under CDR?

Any entity that meets the ACCC's accreditation criteria can apply to become an ADR. The 'unrestricted' level requires fit and proper person checks, information security controls (Schedule 2 of the CDR Rules), insurance, and operational capacity. Alternative pathways include the sponsored model, the CDR representative model, and the trusted adviser model, which allow various levels of access without full unrestricted accreditation.

What are the CDR Privacy Safeguards?

The CDR Privacy Safeguards are 13 statutory protections in Part IVD Division 5 of the Competition and Consumer Act 2010 that apply to ADRs and accredited persons. They cover open and transparent management of CDR data, anonymity, collection, use and disclosure, integrity, security, and correction. They are enforced by the Office of the Australian Information Commissioner and operate in addition to (and in some respects more strictly than) the Australian Privacy Principles.
