After a lengthy period of consultation and revision, the Australian Competition and Consumer Commission (ACCC) has issued the Competition and Consumer (Consumer Data Right) Rules (Rules), which came into effect on 6 February 2020.

The Rules set out details of how the consumer data right works, in particular the timeline for implementation and the framework for how individuals can request their consumer data and relevant product data. The Rules are intended to apply across all sectors in which the Consumer Data Right (CDR) will be activated in the future, with specific details for each sector to be set out in schedules (the Rules currently only contain specific details for open banking, in Schedule 3).

The introduction of the Rules means that the NAB, CBA, ANZ and Westpac (the ‘Big Four’ major banks) are now legally required to share product reference data with accredited data recipients, as well as giving legislative force to the proposed timeline for the commencement of consumer data sharing from 1 July 2020.

This article sets out a high level update of where we’re at with the CDR, an overview of the Rules, and what’s coming next.

Where are we at?

The introduction of the Rules last week follows the passing of the Treasury Laws Amendment (Consumer Data Right) Bill 2019 by parliament on 1 August 2019 (CDR Act). The CDR Act sets out the legislative framework for the regime which aims to increase competition flowing from a person’s right to control their data. See our article here summarising the key aspects of the CDR legislation.

This framework initially applies to the banking sector, in accordance with the Authorised Deposit-Taking Institutions Designation, which was authorised by the Treasurer in September 2019 and clearly defines the categories of consumer data that must be shared under the scheme.

Finally, the Data Standards Body (currently CSIRO’s Data61) has also prepared the data standards, which complete the initial framework for data sharing under the CDR, setting out the technical method of the transfer of data, and other related issues.

An overview of the Rules

There’s a significant amount of content in the Rules relating to the way in which the CDR will apply in practice. Some of the key points are below:

  • Big Four now legally required to share product reference data. The Rules require the Big Four to share product reference data with accredited recipients such as comparison site providers (the Big Four have been sharing this information on a voluntary basis since July 2019). Product reference data includes information such as interest rates, fees and charges, and eligibility criteria for banking products like credit cards and mortgages.
  • Timeline for sharing of Consumer Data by Big Four. The Rules give legislative effect to the Government’s announcement late last year that consumer data relating to credit and debit cards, deposit accounts and transaction accounts will be made available from 1 July 2020, and data relating to mortgage and personal loan data to be made available for sharing from 1 November 2020.
  • Process for consumer data requests. There are three ways to request CDR data under these rules:
    • Product data request. Anyone can request a data holder to disclose product data through an online ‘product data request service’ (which must be set up by all data holders). The data holder cannot impose conditions, restrictions or limitations of any kind on the use of the product data.
    • Consumer data request – by CDR consumer. A CDR consumer (being a customer whose identifiable consumer data is held by a data holder or accredited data recipient) may directly request a data holder to disclose any consumer data that relates to them, via a specialised online service provided by the data holder, in human-readable form.
    • Consumer data request - on behalf of CDR consumer. A CDR consumer may also request an accredited person to request a data holder to disclose CDR data that relates to that consumer on their behalf (with such requests and consents to occur via a ‘consumer dashboard’ online service provided by the data holder).

To enable consumers to submit these requests, data holders will need to establish specialised online data request services.

  • Accredited persons. The Rules set out the process and requirements for applying to become ‘accredited persons’ for the purpose of the regime (for example that accredited persons must be fit and proper with no serious criminal offences in the past 10 years etc.) and ongoing obligations of accredited persons.
  • Rules to be applied in time to other sectors. The Rules create a framework for the application of the CDR generally across all sectors in which it will (in time) be activated, with specific details for each sector to be included in the Schedules. The Rules include the specific details in relation to open banking, setting out (by way of example) who is an eligible CDR consumer, CDR data that may be accessed under the Rules and the treatment of joint accounts.

What’s still to come?

The following table sets out the key dates for the implementation of the CDR:

The Government has stated that the CDR will apply to other industry sectors (and in time, will likely apply economy-wide). The Australian Government has already completed its first round of consultation with the energy sector in relation to the application of the CDR, with the ACCC to shortly release an energy CDR implementation timetable. The Government has also indicated it will extend the CDR to the telecommunication sector.

The Australian Government has also recently announced a further inquiry into the future direction of the CDR, considering how the CDR can be expanded and CDR-related infrastructure leveraged. In particular, the inquiry will consider whether to expand the scope of the CDR to include ‘write’ access to allow customers to apply for and manage products (such as by initiating payments), with reference to the Reserve Bank of Australia’s New Payments Platform: Conclusions Paper.