Background

On 30 September, the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) were amended with the aim of lowering barriers of entry to Consumer Data Right regime (CDR) participation, as foreshadowed by the Australian Treasury’s prior proposal in April and related exposure draft legislation released in July.

By increasing ease of access, the amendments aim to increase the adoption of the CDR among a wider range of organisations, and in doing so, enable consumers to make greater use of their data rights. The amendments are the latest in a series of steps taken by the Treasury to expand the reach of the CDR, aimed at implementing the CDR on an economy-wide basis.

Broadly, the amendments seek to:

  • implement new pathways for organisations to access the CDR, including through facilitating “Sponsored Accreditation” and enabling the appointment of “CDR Representatives”;
  • establish new models for the sharing of CDR data outside the CDR ecosystem, including to “trusted advisers” and in the form of “CDR Insights”; and
  • implement a single consent mechanism for joint accounts, in respect of the sharing of account-related CDR data.

Sponsored Accreditation and CDR Representatives

Sponsored Accreditation

The Sponsored Accreditation process allows an organisation to become accredited under the CDR by contracting with an existing accredited person, who may act as the sponsor of that organisation for the purposes of accreditation. The criteria for ‘Sponsored Accreditation’ and the obligations that come with it, are the same as for other accredited persons. However, the sponsored organisation will not be required to go through the accreditation process that was required originally (for example, in respect of the implementation of the CDR in the banking sector, in which participants were required to provide an information security assurance report, once accredited). Importantly, however, sponsored organisations cannot directly collect information from data holders, but must request that their sponsor collect the relevant data for them.

This materially lowers the barrier to entry for sponsored organisations, who can now seek to leverage the CDR without having to undergo the traditional accreditation process, which, during the Open Banking implementation of CDR, was criticised as being laborious and costly. This form of accreditation may be useful in situations where an accredited organisation is looking to partner with smaller affiliates, to provide services requiring access to CDR data. For example, a FinTech start-up may choose to contract with (and be sponsored by) a large ADI (or vice versa) for this purpose.

CDR Representatives

The amendments propose to implement a quasi-accreditation “CDR Representative” process, intended to commence by 19 October, which would allow organisations that offer CDR-related services to consumers, to become a CDR Representative (Representative) of an accredited participant (Principal), thereby enabling those Representatives to access and use the CDR data of the Principal without needing proper accreditation.

The amendments also prescribe terms for any contractual arrangements between Representatives and Principals, particularly in respect of the use and disclosure of CDR data by Representatives. The amendments also provide that a Principal would retain responsibility and liability for the acts and omissions of Representatives in connection with such arrangements.

Accredited persons will now be able to rely on outsourced service providers to collect CDR data on their behalf, reducing business costs associated with data collection. As with the arrangements between Representatives and Principals , responsibility and liability for the collection of the CDR remains with the relevant accredited person, and does not pass to the outsourced service provider.

Trusted Advisers and CDR Insights

The amendments establish new CDR data sharing models, intended to provide consumers with greater choice as to who their CDR data can be shared with by accredited organisations, outside the CDR ecosystem – that is, outside the existing network of accredited persons, sponsored entities and Representatives.

Trusted Advisers

Consumers may nominate a professional (such as a consumer’s accountant, or legal or financial adviser) to be a “trusted adviser”who may access CDR data on behalf of that consumer. While a professional may not be an accredited person for the purposes of the CDR, the Amendments recognise that professionals are appropriately regulated to receive CDR data, particularly due to the consumer protection mechanisms that form part of their respective regulatory frameworks. It is expected that consumers will be able to share their CDR data with trusted advisers by 1 February 2022.

CDR Insights

Consumers may also consent to the sharing of their CDR data by accredited organisations, in certain, prescribed situations, intended to make it easier for consumers to receive goods and services. This shared CDR data is known as a “CDR insight”; . CDR insights can be shared, for example, to verify a consumer’s identity, their account balance or details about their transactions. The Data Standards Chair will separately consult with key industry stakeholders, to establish the standards enabling CDR insight disclosures.

Single Consent for Joint Accounts

The amendments seek to simplify the consent process for CDR data sharing, as it relates to joint consumer accounts. Specifically, the Amendments seek to enable the CDR data of joint account holders to be shared with the consent of only one (not both) of those joint account holders. However, Accredited Data Holders must provide joint account holders with the option to change their consent option (for example, to require joint consent for the sharing of CDR data, or to entirely prevent the sharing of any CDR data in respect of the relevant account). It is intended that this joint consent capability will commence in February 2022.

What does this mean for businesses?

These changes will lower barriers to entry for those wishing to participate in the CDR, and for those who have not received CDR accreditation to date, offer new pathways to access CDR data that weren’t available before (that come without the additional burden of the accreditation process). Similarly, for already-accredited organisations, the number and type of organisations with whom they can partner and share CDR data, will be materially increased . This will enable accredited organisations to take advantage of breadth of market expertise, and deliver a better and more efficient customer experience.

In order to prepare for CDR participation and leverage the opportunities presented by it, businesses (whether accredited or not) may need to:

  • develop a board-endorsed, fit-for-purpose CDR strategy;
  • assess the type and extent of consumer data they hold;
  • perform a “readiness assessment” of their technology landscape, including examining the need to bolster their existing data security measures and privacy controls;
  • (if they are data holders) ensure they are able provide data management options for joint account holders;
  • consider their relationships with other parties including affiliates, partners and outsourced service providers, looking for opportunities arising from the CDR (including these recent changes) , particularly in respect of collaboration and innovation that may lead to the best regime-compliant customer experience;
  • implement access and authentication controls in order to enable third party access to relevant data; and
  • assess and implement required changes to existing business processes and policy frameworks related to customer data.

How can DLA piper help?

Data is now the digital gold of contemporary commerce. As CDR becomes increasingly prolific in the market, finding a way to navigate the regulatory and commercial landscape will not only be beneficial, but critical to business growth.