This is an HTML version of an attachment to the Freedom of Information request 'Consumer Data Right Direct to Consumer Obligations Consultation'.

FOI 3139 
Document 1
Consumer Data Right newsletter: 17 May 2021 
 
  
Dear <<First Name>>, 
This week’s Consumer Data Right (CDR) newsletter includes: 
•  what the 2021-22 Federal Budget contained on CDR 
•  ACCC compliance guidance for data holders in the banking sector 
•  ACCC guidance on authorised deposit-taking institution (ADI) responsibility 
for data holder brands 
•  a reminder about the consultation open on CDR rules and standards design 
papers, and information about deferral of joint account and direct to 
consumer obligations. 
Federal Budget 2021-2022 
As part of the Budget papers released on 11 May 2021, the Government stated its 
continued commitment to implementing the CDR in the banking sector and 
accelerating its rollout across the economy, including in the energy and 
telecommunications sectors. Treasury is excited for the next phase of the CDR 
rollout, where we will see: 
•  the development of a data-driven economy 
•  increased innovation in a post-COVID economic environment 
•  consumers empowered to make informed choices about their services, and 
•  reduced costs for Australian households and small businesses. 
As noted in our 7 May 2021 newsletter, the Government’s 2021-22 Federal Budget 
includes $111.3 million of investment to both continue and expand CDR rollout. 
ACCC compliance guide for data holders in the banking sector 
The ACCC has published compliance guidance for data holders in the banking 
sector. This guide is designed to assist data holders to understand and comply 
with their obligations under the Consumer Data Right Rules and Standards. 
ACCC guidance on ADI responsibility for data holder brands 

The ACCC has published some guidance on ADI responsibility for data holder 
brands. This document is designed to assist industry participants identify whether 
they have data holder obligations in relation to particular brands or branded 
products they are associated with. 
Reminder: Consumer Data Right rules and standards design papers 
As announced in our 30 April newsletter, Treasury and the Data Standards Body 
are seeking input on design issues to inform the development of rules and 
standards to implement: 
•  a peer-to-peer data access model in the energy sector, and 
•  an ‘opt-out’ data-sharing model for joint accounts in the banking and 
energy sectors. 
To support consultation and elicit informal feedback on these issues, two design 
papers are now available on Treasury’s website for stakeholders’ consideration. 
We welcome feedback and engagement on an informal basis, which can be 
provided through GitHub (with separate pages for joint accounts and 
peer-to-peer model for energy feedback) or by emailing xxxx@xxxxxxxx.xxx.xx. 
As part of the consultation discussions, there have been a number of queries about the 
deferral of the joint account requirements and ‘direct to consumer’ obligations that 
would have applied from November 2021 (Treasury announcement). Treasury has 
responded to these queries with additional information which is available on the CDR 
Support Portal.
 
We are seeking stakeholder views by 26 May on the details of rules and standards 
outlined in these papers. 
Feedback received on these papers will inform the development of draft rules 
and standards, which will be the subject of formal consultation in the coming 
months. 
 
Kind regards, 
 
Kate O’Rourke  
First Assistant Secretary 

Consumer Data Right Division 
The Treasury 
 
 

FOI 3139 
Document 2
Response to queries: Deferral of joint account and direct to consumer 
obligations 
 
On 30 April 2021 the Treasury announced that the current requirements for banks to implement the 
joint account requirements that would have applied from November 2021 will be deferred, with new 
compliance dates to be set following consultation on the joint account data sharing model. 
Separately, compliance with data holders’ ‘direct to consumer’ obligations that would have applied 
from November 2021 will also be deferred, pending a future consultation process. 
In response to this announcement, Treasury has been asked for more details on the deferral 
announcement and its implications for data holders in the banking sector. 
What are the joint account obligations that are being deferred? 
Major ADIs 
Major ADIs must continue to facilitate joint account data sharing in accordance with the obligations 
in version 1 of the CDR Rules. 
 
Under the deferral major ADIs will not be required to comply with the additional obligations in 
version 2 of the CDR Rules that would have applied from November 2021. The key differences 
between version 1 and version 2 of the joint account data sharing obligations in the CDR Rules are 
described in a CDR Support Portal article. In particular, major ADIs must continue to support joint 
account data sharing for joint accounts with two account holders, maintain a joint account 
management service to allow consumers to manage their disclosure options, as well as meet the 
dashboard and notification requirements under version 1. However, the following obligations in 
version 2 will be deferred: 
•  requirements for sharing data on joint accounts where there are more than two account 
holders (rather than two account holders only) 
•  notification and invitation requirements 
•  the ‘in-flow election’ processes 
•  secondary user functionality for joint accounts. 
 
Non-major ADIs 
Obligations for non-major ADIs to share joint account data from November 2021 will be deferred. 
This will also apply to the major banks for their non-primary brands. 
 
Reciprocal data holders 
Similarly, current requirements for reciprocal data holders to share joint account data under version 
1 of the CDR Rules from July 2021, and version 2 of the CDR Rules from November 2021, will be 
deferred. 
 
The deferral does not affect other obligations for the non-major ADIs that are due to commence 
from November 2021, in relation to phase 2 products and additional APIs. For example, this means 
that non-major ADIs will be required to respond to consumer data requests for phase 2 products 
from November 2021 where these products are held by single account holders (including home 
loans, mortgage offset accounts and personal loans). 
 
 
Requirements under the current rules (Present, Jul 2021, Nov 2021) and effect of deferral, by entity: 

Major ADIs 
•  Present: Share joint account data under version 1 of the rules until 31 October 2021 
•  Jul 2021: (blank) 
•  Nov 2021: Share joint account data under version 2 of the rules 
•  Effect of deferral: Must continue sharing joint account data under version 1 of the rules. No requirement to implement additional joint account functionality that would have applied from November 2021 

Non-major ADIs and non-primary brands of major ADIs 
•  Present: (blank) 
•  Jul 2021: (blank) 
•  Nov 2021: Share joint account data under version 2 of the rules 
•  Effect of deferral: No requirement to share joint account data 

Reciprocal data holders 
•  Present: (blank) 
•  Jul 2021: Share joint account data under version 1 of the rules until 31 October 2021 
•  Nov 2021: Share joint account data under version 2 of the rules 
•  Effect of deferral: No requirement to share joint account data 

What is the new compliance date for joint account obligations? 
New compliance dates for joint account obligations will be determined by the Minister after 
considering feedback from stakeholders received during the current consultation on the joint 
account design paper, and from the formal consultation that will occur on draft amendments to the 
CDR Rules. New compliance dates will be determined, even if the Minister decides, following 
consultation, to maintain the current approach to joint account data sharing in the CDR Rules. 
How can I provide feedback on the new compliance date for joint account obligations? 
Feedback on the issues outlined in the joint account design paper can be provided up until 26 May 
2021, including on the implementation considerations to inform a new compliance date for joint 
account data sharing. Draft rules will be developed for formal consultation as soon as possible 
following the close of consultation on the design paper. 
As noted in the design paper, we are keen to ensure that joint account data sharing can commence 
as quickly as possible and for as many consumers as possible, and to support increased participation 
in the CDR by prospective ADRs. While the design paper notes the desire for any new compliance 
date to be in Q1 of 2022, this is a consultation issue and we encourage feedback on the 
implementation timeframes that would be achievable for the options explored in the paper. We 
encourage the provision of specific information about the implementation impacts of the opt-out 
proposal to support submissions on the new compliance date. 
What are ‘direct to consumer’ obligations that are being deferred? 
All data holder requirements to disclose required consumer data in response to a direct request 
made by a CDR consumer (the ‘direct to consumer’ obligations) will be deferred. The intention is for 
consultation to occur at a future time on an API-based model for direct to consumer obligations and 
part of that process would involve consideration of compliance dates for these obligations. 
How will the deferrals be given effect? 
Deferrals relating to joint account and ‘direct to consumer’ obligations will be given effect through 
amendments to commencement provisions in the CDR Rules. The process for consulting on and 
finalising these rules is intended to occur prior to November 2021. 



Consumer Data Right Board 
s 22
Action item CDRB/201020/2.5 (Direct to consumer, 
assigned to Treasury) remains open. 
 
s 22
The remainder of this document is outside 
the scope of the request and has been 
deleted





Consumer Data Right Board 
s 22
1.5  Action Items 
Paper 
Ms Quinn 
 
 
s 22
The following action items remain open: 
•  CDRB/201020/2.5 (Direct to consumer, 
assigned to Treasury). 
s 22
The remainder of this document is outside 
the scope of the request and has been 
deleted



FOI 3139 
PROTECTED   
Document 7
s 22
Deferral of direct to consumer obligations 
•  The rules currently contain a requirement, that would apply from 1 November 2021, on data 
holders to transfer data directly to consumers on request in a ‘human-readable form’ in 
accordance with the data standards. Significant concerns were raised about the utility and cost 
to provide data in human-readable form during consultation on a draft standard during late 
2019.  
•  On 16 April you agreed to defer data holder ‘direct to consumer’ obligations indefinitely, 
pending a future consultation process to review the appropriate model for providing direct 
access to data by consumers. This decision was announced on 30 April on the Treasury 
website. 
 
 
PROTECTED   
 
The remainder of this document is outside 
the scope of the request and has been 
deleted
 



Consumer Data Right Board 
s 22
The following action items remain open: 
•  CDRB/201020/2.5 (Direct to consumer, 
assigned to Treasury). 
s 22
The remainder of this document is outside 
the scope of the request and has been 
deleted



FOI 3139 
Document 10
‘Direct to consumer’ obligations 
Background on position on ‘direct to consumer’ obligations in the banking sector 
•  On 16 April (MS21-000864 refers) the Minister agreed to defer data holder ‘direct to 
consumer’ obligations indefinitely for the banking sector, pending a future consultation 
process to review the appropriate model for providing direct access to data by 
consumers. These obligations would have required banking data holders to offer this 
service to consumers on request in a ‘human-readable form’ in a manner prescribed by 
the data standards, with effect from 1 November 2021. The deferral was announced on 
30 April on the Treasury website. 
s 22
•  The exposure draft rules do not apply ‘direct to consumer’ obligations for energy data 
holders at this time. Treasury considers that any consultation on the future application 
of these obligations should explicitly address the overlap with existing energy 
regulation, and any consultation should first occur with State, Territory and 
Commonwealth Energy Ministers.  
s 22

 
The remainder of this document is outside 
the scope of the request and has been 
deleted


FOI 3139 
Document 11
From: s 22
To: s 47F
Cc: s 22; s 22
s 22
s 22
Subject: Questions from last week's CDR rules v3 presentation [SEC=OFFICIAL]
Date: Wednesday, 28 July 2021 2:52:00 PM
Attachments: image001.gif
OFFICIAL
Hi s 47F
Thanks for attending the presentation on the CDR Rules consultation at the implementation call last Thursday. I
hope you found it useful.
We wanted to follow up on your questions to close off on that call:
s 22
Direct to consumer under v3 seems to be deferred, is there any date in mind for when this will be introduced?
There is not currently a date in mind for the direct to consumer obligations. As noted on the CDR
Support Portal, the intention is for consultation to occur at a future time on an API-based model for
direct to consumer obligations and part of that process would involve consideration of compliance
dates for these obligations.
s 22
Kind regards
s 22
s 22
Director (a/g) Rules Unit
Consumer Data Right Division | Markets Group | The Treasury
Level 16, 530 Collins Street, Melbourne
Ph: s 22 | M: s 22 | E: s 22
cdr.gov.au | Subscribe to receive CDR updates
The Treasury acknowledges the traditional owners of country throughout Australia, and their continuing connection to land, water
and community. We pay our respects to them and their cultures and to elders both past and present.

OFFICIAL

FOI 3139 
Document 12
Data Standards Body  
Consumer Experience and Technical Working Groups 
Noting Paper 207: Draft v3 Rules Analysis | Anticipated Data Standards 
Contact: Michael Palmyre and Mark Verstege 
Publish Date: 9 August 2021 
Feedback Conclusion Date: 24 August 2021 
Context 
A draft version 3 of the Consumer Data Right (CDR) Rules (draft v3 rules) was published for consultation from 1 July – 30 July 2021. This Noting Paper 
considers potential data standards changes using the draft v3 rules as reference. 
 
The purpose of this Noting Paper is to consult on the scope and intent of the anticipated data standards changes by reference to the draft v3 rules that 
were published for consultation. 
 
This paper includes anticipated changes to the Consumer Data Standards relating to Consumer Experience, Information Security, Technical API Standards 
and the CDR Register to support alignment with the proposed draft v3 rules. 
 
The major areas include: 
1.  Sponsored Accreditation 
2.  The CDR Representative Model  
3.  Unaccredited OSPs 
4.  Trusted Advisers 
5.  CDR Insights 
6.  Joint Accounts 
7.  Direct to Consumer 
8.  ADR Representation 
 

 
Targeted decision proposal consultations will occur separately to this Noting Paper for the specific areas listed in this document, in light of the final rules 
made by the Minister. The DSB invites the community to provide feedback on timings, content, and obligations. 
 
The draft v3 rules published for consultation are subject to change. If, or where, the rules change from the draft version 3 of the CDR Rules, impacts to 
anticipated changes will be addressed as part of ongoing consultation. Standards not currently authorised in the rules cannot be made. As such, the 
creation of v3 rules-dependent standards will necessarily follow the making of the final rules. 
Decision To Be Made  
Decide the scope and intent of the changes to the Data Standards based on the draft v3 rules. While a Noting Paper is not part of a formal decision proposal 
consultation, the DSB strongly encourages feedback to help inform data standards development in relation to these key items. 
Identified Options 
This Noting Paper contains a brief description of the anticipated standards changes in relation to specific topics. Each change discussed in this paper will be 
consulted on separately, where necessary, but CDR participants should use this consultation to raise any concerns or impacts. Suggestions for alternatives 
for any topics are welcome and should be raised in the consultation process. 
 
The structure of this section aligns with the headings in the draft v3 rules explanatory materials. 
 
Each section contains a table with descriptions of the expected obligations and timing for Accredited Data Recipients (ADR, also referred to as Accredited 
Persons) and Data Holders (DH). 
 
 

Sponsored Accreditation 
The sponsored level of accreditation is for persons with or who intend to have an arrangement with an unrestricted accredited person who is willing to act 
as their sponsor in the CDR regime. A person accredited to the sponsored level and in a sponsorship arrangement would be known as an affiliate of its 
sponsor. An affiliate is an accredited person and is required to fulfil the obligations of an accredited person in the CDR regime. 
 
[Diagram showing the parties in a sponsorship arrangement: Consumer, Affiliate (ADR), Sponsor (ADR), Data Holder and CDR Register] 
 
 
Further analysis and consultation needs to be conducted to understand if/how an affiliate may appear to the consumer throughout the consent model, 
particularly in the DH’s authorisation flow and authorisation management dashboard. 
Table 1. Sponsored Accreditation 

1. ADR representation in DH authorisation flow and dashboards 
Entity: ADR; DH 
Rules: 1.14(3)(ha); 1.15(ba) and (bb); 4.23(2) 
Proposed obligation: ADR: MAY; DH: MUST 
Standards made: TBD 
Comply: TBD 
Standards description: 
The DSB will consult on additional consent-related fields to determine if or how these fields could support more complex accreditation models. Additional details on this proposal can be found in the Table 8. ADR Representation issue. 

Further analysis will need to be conducted to understand how affiliates will or will not surface in DH authorisation flows and dashboards. 

This issue is reflected in: 
Table 2. CDR Representative Model 
Table 8. ADR Representation 

Purpose: Achieve comprehensible and contextually appropriate presentation of ADRs during authentication, authorisation, and on consumer dashboards. 

2. Consumer Data Standards (CX) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No additional CX Data Standards are anticipated for this item. 

3. Consumer Data Standards (Technical) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No technical standards are currently anticipated for this specific item. 

However, the outcome of the ADR representation issue may require technical standards. This will be consulted on in a separate consultation. The rules allow for the transfer of CDR data between ADRs as long as appropriate consent is obtained. While the rules define obligations that ADRs must meet in order to make these transfers there is no requirement for the DSB to make standards for this transfer. The DSB has not sought to impose technical standards on the transfer of data between accredited persons. 

4. CDR Register Standards (Technical) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No technical standards are currently anticipated for this specific item. 

However, the outcome of the ADR representation issue may require technical standards. This will be consulted on in a separate consultation. 

The CDR Register APIs are designed for trusted information sharing between Accredited Data Recipients and Data Holders. Affiliates collect CDR data through a sponsor rather than directly connecting to Data holders. Since the sponsor is themselves an existing ADR, the CDR Register APIs contain the necessary metadata to facilitate the trusted connection of the sponsor to the Data Holder. 

5. CDR Register (Participant Portal) 
Entity: ADR 
Rules: N/A 
Proposed obligation: N/A 
Standards made: TBD 
Comply: TBD 
Standards description: 
The rule changes associated with the introduction of Sponsored Accreditation and Sponsorship arrangements will require additional functions to be added to the CDR Participant Portal and additional accreditation onboarding requirements. These functions will enable: 
•  Prospective accredited persons to: 
   o  Apply for accreditation and be assessed against the criteria at the sponsored level 
•  Unrestricted accredited data recipients to: 
   o  Notify the Data Recipient Accreditor when a sponsorship arrangement has been established; 
   o  Manage the status of these arrangements by providing updated information as needed. 

Sponsored accredited persons will appear on the find-a-provider page. Where sponsorship arrangements exist, details of the relationships between sponsors and affiliates will be available. 

The CDR Representative Model 
The CDR representative model enables unaccredited persons to provide goods and services to consumers using CDR data in circumstances where they are in a CDR 
representative arrangement with an unrestricted accredited person who is liable for them. 
An unaccredited person who is in a CDR representative arrangement would be known as the CDR representative of the principal accredited person. 
[Diagram showing the parties in a CDR representative arrangement: Consumer, Representative (unaccredited), Principal (ADR), Data Holder and CDR Register] 
 
 
Table 2. CDR Representative Model 

6. ADR representation in DH authorisation flow and dashboards 
Entity: ADR; DH 
Rules: 1.14(3)(ha); 1.15(ba) and (bb); 4.23(2) 
Proposed obligation: ADR: MAY; DH: MUST 
Standards made: TBD 
Comply: TBD 
Standards description: 
The DSB will consult on additional consent-related fields to determine if or how these fields could support more complex accreditation models. Additional details on this proposal can be found in the Table 8. ADR Representation issue. 

Further analysis will need to be conducted to understand how CDR Representatives will or will not surface in DH authorisation flows and dashboards. 

This issue is reflected in: 
Table 1. Sponsored Accreditation 
Table 8. ADR Representation 

Purpose: Achieve comprehensible and contextually appropriate presentation of ADRs during authentication, authorisation, and on consumer dashboards. 

7. Consumer Data Standards (CX) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No additional CX Data Standards are anticipated for this item. 

8. Consumer Data Standards (Technical) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No technical standards are currently anticipated for this specific item. 

However, the outcome of the ADR representation issue may require technical standards. This will be consulted on in a separate consultation. The rules allow for the transfer of CDR data between ADRs as long as appropriate consent is obtained. While the rules define obligations that ADRs must meet in order to make these transfers there is no requirement for the DSB to make standards for this transfer. The DSB has not sought to impose technical standards on the transfer of data between accredited persons. 

9. CDR Register Standards (Technical) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No technical standards are currently anticipated for this specific item. 

A principal may enter into many arrangements with separate CDR representatives (representatives). In this situation, the representatives provide goods or services to consumers, at least in part, using CDR data. It is possible that a principal may represent: 
(a)  these arrangements under a common brand and software product of the principal, or 
(b)  each arrangement under separate software products and/or data recipient brands. 

The CDR Register GetDataRecipients API supports the disclosure of the representative arrangement using existing metadata where the accredited persons that have entered into the representative arrangement make it known to the consumer. This can be achieved in one of two ways: 
(a)  The brand of the principal would be used in a brandName of the data recipient. The software product of the principal would be used in the softwareProductName of the data recipient. The software product would be onboarded by the principal. An example may include an online accounting platform that provides its own marketplace of vendors that offer additional goods and services. The brand and software product presented during the consent flow would be the brand and software product of the accounting platform. The consumer would see consent arrangements in their data holder dashboard under the brand and software product of the accounting platform. 

(b)  The brand of the representative may be used in the brandName of the data recipient. The software product of the representative would be used in the softwareProductName. The software product may be on-boarded for the representative by the principal operating under the representative arrangement. An example may include a large mortgage broker utilising a bank's common mortgage broking platform. The consumer may be more familiar with or seek to do business with a particular mortgage broker firm but the platform is offered by the bank. The brand name may include something like a "powered by" label in the brand name, software product name or software product description. 

The draft rules do not require additional metadata to be held or exposed via the CDR Register APIs. 

10. CDR Register (Participant Portal) 
Entity: ADR 
Rules: Sch. 1, clause 2.3(2) and 2.3(3); 5.15(a)(vi); 5.24(bc) 
Proposed obligation: N/A 
Standards made: TBD 
Comply: TBD 
Standards description: 
Participant Portal changes are required. 

The rule changes associated with the introduction of CDR Representative Arrangements will require additional functions to be added to the CDR Participant Portal. These functions will enable the principal (accredited person) to: 
•  notify the Data Recipient Accreditor when a CDR representative arrangement has been established; and 
•  manage these arrangements by providing updated information as needed. 

The details of these CDR Representative arrangements will also be made available on the public CDR Register via links from the find-a-provider page. 


Unaccredited OSPs 
In December 2020, the Act was amended to allow the CDR Rules to authorise the collection of CDR data by parties who are not accredited on behalf of an 
accredited person. It is now possible for the CDR Rules to allow unaccredited intermediaries to collect CDR data on behalf of an ADR. 
 
[Diagram showing the parties in an outsourced service provider arrangement: Consumer, Outsourced Service Provider (unaccredited), Principal (ADR), Data Holder and CDR Register] 
 
 
Table 3. Unaccredited OSPs 

11. Consumer Data Standards (CX) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No additional CX Data Standards are anticipated for this item. 

12. Consumer Data Standards (Technical) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No technical standards changes required. 
The draft rules changes allow for unaccredited OSPs to collect data on behalf of their accredited principal. Where the OSP collects data on behalf of the principal, it continues to do so in accordance with the existing technical standards. The OSP is not known to the consumer and does not have a consumer-facing relationship; it simply provides the technical integration between the principal and the data holder. 

13. CDR Register Standards (Technical) 
Entity: N/A 
Rules: N/A 
Proposed obligation: N/A 
Standards made: N/A 
Comply: N/A 
Standards description: 
No technical standards changes required. 
The OSP is not an accredited person but instead acts under the principal's accreditation held by the CDR Register. The Register APIs currently expose all data related to the accredited person (the principal) to facilitate registration and integration with the Data Holder. 

14. CDR Register (Participant Portal) 
Entity: ADR 
Rules: N/A 
Proposed obligation: N/A 
Standards made: TBD 
Comply: TBD 
Standards description: 
Accreditation changes required. 

The collection arrangement question in the accreditation application form will become redundant when this rule change is made and, accordingly, it will be removed. Additionally, features introduced to establish a relationship between a provider’s Brand and a principal’s Software Product during on-boarding will also become redundant and will be removed. 


Trusted Advisers 
Schedule 3 amends the CDR Rules to allow a consumer to consent to an accredited person disclosing a consumer’s CDR data to a person within a specified class 
(referred to as ‘trusted advisers’). The intention is to facilitate current consumer practices of sharing their data with trusted third parties in order to receive advice 
or a service, and increase convenience and control for consumers by enabling them to use the CDR to share their data with their chosen trusted advisers. The 
accredited person cannot make the nomination of a trusted adviser or the giving of a TA disclosure consent a condition for the supply of goods and services 
requested by the CDR consumer. 
 
[Diagram showing the parties in a trusted adviser disclosure: Consumer, Trusted Advisor (unaccredited), ADR, Data Holder and CDR Register] 
 
 
Given the importance of CDR consumers understanding the effect of consenting to the disclosure of their CDR data to non-accredited persons, disclosures are 
subject to CX standards to be made by the Data Standards Body (rule 8.11(1)). This will ensure the CDR consumer is provided with adequate information to give 
informed consent, for example, information that the use of the data by the recipient will not be covered by the CDR regime and the recipient may not have 
obligations under the Privacy Act 1988.  
Rule 7.5A(2) provides that disclosure of CDR data under a TA disclosure consent is not a permitted use or disclosure until the earlier of a date to be determined or 
when the Data Standards Chair makes consumer experience data standards for disclosure of CDR data to trusted advisers. The specified date is expected to be 
three months after the commencement of the rules. 
 
13 | P a g e  
 

Table 4. Trusted Advisers

15. TA Disclosure consent: Disclosure notification
Entity: ADR
Rules: 8.11(1)(c)(iv)
Proposed obligation: MUST
Standards description: CX standards are proposed that would require ADRs to ensure that CDR consumers are able to make informed decisions about the disclosure of data outside the CDR system. This item will feature alongside the equivalent insight disclosure notification in an overall ‘disclosure to non-accredited persons’ standard.
Standards made: TBD in accordance with the date specified in the rules, which is expected to be three months after the commencement of the rules
Comply: TBD in accordance with the date specified in rules, which is expected to be three months after the commencement of the rules

16. Disclosure consent: Collection source
Entity: ADR
Rules: 4.10(1)(a)(i)
Proposed obligation: MUST / SHOULD
Standards description: The existing CX standards for disclosure consent are expected to apply to TA disclosures. An amendment to the standards is proposed to clarify this application.
Standards made: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
Comply: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.

17. Disclosure consent: Descriptions of data to be collected and disclosed
Entity: ADR
Rules: 4.10(1)(a)(i)
Proposed obligation: MUST
Standards description: The existing CX standards for disclosure consent are expected to apply to TA disclosures. An amendment to the standards is proposed to clarify this application.
Standards made: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
Comply: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.

18. Withdrawal: Disclosure consent
Entity: ADR
Rules: 4.10(1)(a)(i)
Proposed obligation: MUST
Standards description: The existing CX withdrawal standard for disclosure consent is expected to apply to TA disclosures. An amendment to the standards is proposed to clarify this application.
Standards made: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
Comply: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
 
 
19. Consumer Data Standards (CX)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No additional CX standards are anticipated in relation to this item.
Standards made: N/A
Comply: N/A

20. Consumer Data Standards (Technical)
Entity: N/A
Rules: N/A
Proposed obligation: TBD
Standards description: Technical changes may be required. No data standards changes are required where consumers consent to share data with an ADR they have a direct relationship with. Disclosure of data to a trusted advisor is done so at the discretion of the ADR through services offered by the ADR. For example, a small business consumer performs regular account reconciliation with an online accounting solution but uses an accountant for end of year financial statement. The accounting software is an ADR and the small business is the eligible consumer that has a customer relationship with the ADR. The ADR discloses the consumer’s data to the trusted advisor through a mechanism provided by the ADR. Where the consumer does not have a direct relationship with the ADR but instead only has a relationship with the trusted advisor, a separate consultation will be developed to consider the streamlined secure sharing of data using an ADR and onward disclosure of data to the trusted advisor under a consumer's full consent. For example, an individual who at tax return time engages an accountant (the trusted advisor) to perform all account reconciliation and tax return activities on their behalf using an online accounting software (the ADR), who is not themselves required to be a customer of the ADR.
Standards made: TBD
Comply: TBD

21. CDR Register Standards (Technical)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No technical standards changes required. The draft v3 rules do not require additional metadata to be held or exposed via the CDR Register APIs.
Standards made: N/A
Comply: N/A
  
22. CDR Register (Participant Portal)
Entity: ADR
Rules: N/A
Proposed obligation: N/A
Standards description: Reporting changes required. The draft v3 rules change Reporting obligations under Rule 9.4. These additional reporting obligations require the collection of additional values in the CDR Participant Portal Rule 9.4 Report function.
Standards made: TBD
Comply: TBD
 
 
CDR Insights 
Rule 1.10A(3) defines an insight disclosure consent as a consent given by a CDR consumer for an accredited data recipient to disclose particular CDR data (the CDR 
insight: see rule 1.7(1)) to a specified person for a specified purpose. The permitted purposes are to: 
•  identify the consumer 
•  verify the consumer’s account balance  
•  verify the consumer’s income, or  
•  verify the consumer’s expenses  
For these purposes, ‘verify’ means to confirm, deny or provide some simple information about the consumer’s identity, account balance, income or expenditure 
based on their CDR data. These CDR insights would allow consumers to securely provide and confirm relevant factual information about themselves, while giving 
the recipient comfort in its authenticity and accuracy. These purposes are intended to support the sharing of information that the consumer could themselves 
confirm and understand. 

[Figure: diagram with the labels Consumer, ADR, Other ADR, Person (unaccredited), CDR data and CDR insight]
 
ADRs would be responsible for ensuring that the CDR insights they disclose align with the purpose consented to by the consumer. For example, CDR insights could 
be used to:  
•  confirm with a ‘yes’ or ‘no’ that the personal information provided in an application matches the information held by a bank  
•  confirm with a ‘yes’ or ‘no’ that the consumer’s account balance is or is not sufficient to meet a particular payment  
•  provide a consumer’s actual account balance at a specific point in time  
•  provide an alert to a merchant if a direct debit payment will fail, or  
•  provide the consumer’s average income over a specific period of time  
Rule 4.11(3)(ca) requires an accredited person to give an explanation of the CDR insight to the CDR consumer when seeking the insight disclosure consent that will 
make it clear what the CDR insight would reveal or describe. The CDR Rules do not require a CDR insight to be shown to a consumer prior to it being disclosed. 
However, where practical, this step could be taken to assist the consumer’s understanding of what the CDR insight would reveal or describe and help meet the 
accredited person’s obligation under rule 4.11. 
Rule 7.5A(4) provides that disclosure of CDR data under an insight disclosure consent is not a permitted use or disclosure until the earlier of a date to be 
determined in the rules or when the Data Standards Chair makes consumer experience data standards for disclosure of CDR insights. 
Rule 8.11(1A) states that the standards that relate to obtaining insight disclosure consents must include provisions that cover the following:  
(a)  how the accredited person can meet the requirement to explain a CDR insight in accordance with paragraph 4.11(3)(ca);  
(b)  ensuring that the CDR consumer is made aware that their data will leave the CDR system when it is disclosed.  
Rule 8.11(1)(c)(v) contains new requirements for data standards to be made about disclosure and security of CDR data that is disclosed in a CDR insight, and the 
processes by which insight disclosure consents are obtained, including ensuring the consumer understands their data will leave the CDR system and explaining the 
CDR insight in accordance with rule 4.11 (rule 8.11(1A)). 
 
Table 5. Insight Disclosure

23. Insight Disclosure consent: Insight descriptions
Entity: ADR
Rules: 1.14(3)(ea), 4.11(3)(ca), 7.9(4), 8.11(1A)
Proposed obligation: MUST
Standards description: Standards are proposed that will cover how accredited persons can meet the requirement to explain a CDR insight in accordance with rule 4.11(3)(ca). This is expected to include requirements in relation to how to make clear to the CDR consumer what the CDR insight would reveal or describe. It is expected that this requirement will need to be reflected on the dashboard.
Standards made: TBD in accordance with the date specified in the rules, which is expected to be three months after the commencement of the rules
Comply: TBD in accordance with the date specified in rules, which is expected to be three months after the commencement of the rules

24. Insight Disclosure consent: Disclosure notification
Entity: ADR
Rules: 8.11(1A)
Proposed obligation: MUST
Standards description: Standards are proposed that would ensure that CDR consumers are able to make informed decisions about the disclosure of data outside the CDR system when it is disclosed. This item will feature alongside the equivalent TA disclosure notification in an overall ‘disclosure to non-accredited persons’ standard.
Standards made: TBD in accordance with the date specified in the rules, which is expected to be three months after the commencement of the rules
Comply: TBD in accordance with the date specified in rules, which is expected to be three months after the commencement of the rules

25. Disclosure consent: Collection source
Entity: ADR
Rules: 4.10(1)(a)(i)
Proposed obligation: MUST / SHOULD
Standards description: The existing standards for disclosure consent are expected to apply to insight disclosures. An amendment to the standards is proposed to clarify this application.
Standards made: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
Comply: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
 
26. Disclosure consent: Descriptions of data to be collected and disclosed
Entity: ADR
Rules: 4.10(1)(a)(i)
Proposed obligation: MUST
Standards description: The existing standards for disclosure consent are expected to apply to insight disclosures. An amendment to the standards is proposed to clarify this application.
Standards made: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
Comply: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.

27. Withdrawal: Disclosure consent
Entity: ADR
Rules: 4.10(1)(a)(i)
Proposed obligation: MUST
Standards description: The existing withdrawal standard for disclosure consent is expected to apply to insight disclosures. An amendment to the standards is proposed to clarify this application.
Standards made: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.
Comply: The existing standards were made in June 2021. Timing of clarification TBD in accordance with the rules.

28. Consumer Data Standards (CX)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No additional CX standards are anticipated in relation to this item.
Standards made: N/A
Comply: N/A

29. Consumer Data Standards (Technical)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No technical standards changes required. The technical standards do not currently control the transfer of data between an accredited person and other persons. The rules allow for the transfer of CDR insights data between an accredited person (ADR) and other persons as long as appropriate consent is obtained. While the rules define obligations that ADRs must meet in order to make these transfers, there is no requirement for the DSB to make technical standards for this transfer.
Standards made: N/A
Comply: N/A
 
30. CDR Register (Technical Standards)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No technical standards changes required. The rules do not require additional metadata to be held or exposed via the CDR Register APIs.
Standards made: N/A
Comply: N/A

31. CDR Register (Participant Portal)
Entity: ADR
Rules: N/A
Proposed obligation: N/A
Standards description: Reporting changes required. The draft rules change Reporting obligations under Rule 9.4. These additional reporting obligations require the collection of additional values in the CDR Participant Portal Rule 9.4 Report function.
Standards made: TBD in accordance with the date specified in the rules, which is expected to be three months after the commencement of the rules
Comply: TBD in accordance with the date specified in the rules, which is expected to be three months after the commencement of the rules
 
Joint Accounts 
The proposed draft v3 rules include a change to a ‘single consent’ model for joint accounts. CDR data that relates to a joint account can be disclosed under the Rules 
only in accordance with the disclosure option that applies to the account. Division 4A.2A sets out: 
•  the three disclosure options, with the default option being the pre-approval option;  
•  an obligation for data holders to provide a disclosure option management service (DOMS) for all joint accounts through which joint account holders can 
change the disclosure option that applies to the account, or propose a change to the other account holders;  
•  when one joint account holder proposes to change the disclosure option―a process by which the other joint account holders can either agree with or reject 
the proposal; and  
•  some associated notification requirements. 
 
Data holders must offer the pre-approval option and non-disclosure option on joint accounts, and may offer the co-approval option on an optional basis (rules 
4A.4(2) and (3)). If the pre-approval option applies, any joint account holder can choose that the co-approval option will apply. 
 
[Figure: Bank Account, owned by Consumer A and Consumer B]
 
 
A change from the non-disclosure option to another option, or a change from the co-approval option to the pre-approval option (if offered by the data holder), 
requires the agreement of all the joint account holders. 
If the co-approval option is offered by the data holder and applies to the joint account—the data holder must ask the requesting account holder to authorise the 
disclosure of the requested data, seek the other account holders’ approval for the disclosure, then disclose the data in accordance with the request. 
On 30 April 2021, Treasury announced that requirements for banks to implement the joint account requirements that would have applied from November 2021 
would be deferred, with new compliance dates to be set following consultation. The draft v3 rules amend the commencement table in rule 6.6 of Schedule 3 to the 
CDR Rules and set 1 April 2022 as the new compliance date for joint account data sharing in the banking sector. 
Draft v3 rule 4A.6 requires data holders to notify joint account holders of the following matters in relation to the account (for new accounts, when the account is 
opened, or for existing accounts, at least 7 days prior to joint accounts being in scope for sharing under the Rules). This notification must be made in accordance 
with any data standards and via the ordinary method for contacting each joint account holder. 
Draft v3 rule 4A.16 requires data holders to allow joint account holders to set certain notification preferences. If data standards are in place, this must be done in 
line with those standards. This would allow consumers to set preferences such that they would not receive certain notifications that data holders would otherwise 
be required to provide. 
The draft v3 rules also include transitional provisions that:  
•  require relevant data holders to continue to comply with the former joint account transitional provisions until 1 April 2022, when they must begin to 
comply with the draft v3 rules;  
•  require data holders to notify consumers with joint accounts of the change to the default setting to share at least a week before the commencement date; 
and  
•  provide that joint accounts that are currently set to the ‘no disclosure option’ are not switched to the pre-approval option on the commencement date. 
The joint account items below have been informed by the Consumer Policy Research Centre’s recent community sector engagement on joint accounts, CX research, 
a public workshop on joint accounts, and issues highlighted by the CDR community. The use of the term ‘requestor’ in this section aligns with Division 4.3, rule 
4.9(a), meaning the person on whose behalf the consumer data request is being made. 
 
Table 6. Joint Accounts

32. Notification standard: Pre-sharing notice for joint accounts
Entity: DH
Rules: 4A.6(3)
Proposed obligation: TBD
Standards description: Standards will be consulted on in relation to Rule 4A.6, where joint account holders will be notified about matters relating to joint account sharing when a new joint account is opened or, for existing accounts, 7 days prior to joint accounts being in scope for sharing.
Standards made: Expected in Q4 2021 to allow for a 6-month implementation timeframe. Actual date TBD in accordance with the date the rules are made.
Comply: Expected to be 1 April 2021. Actual date TBD in accordance with the finalised rules.

33. Notification standard: Joint account notification management
Entity: DH
Rules: 4A.16(3)
Proposed obligation: TBD
Standards description: Standards will be consulted on to allow notification preferences to be set based on consumer preference. This would allow consumers to choose to not receive certain notifications and could consider the granularity of notification preference controls. Purpose: Allow consumers to manage and set notifications related to joint accounts based on their preferences.
Standards made: Expected in Q4 2021 to allow for a 6-month implementation timeframe. Actual date TBD in accordance with the date the rules are made.
Comply: Expected to be 1 April 2021. Actual date TBD in accordance with the finalised rules.
 
34. Notification standard: Alerts sent to the other joint account holder(s)
Entity: DH
Rules: 4A.5(8), existing rules 1.15(1)(ba), 4.22(a)
Proposed obligation: MUST
Standards description: Standards will be proposed to require DHs to alert a joint account holder when they are about to take an action that will result in a notification being sent to the other joint account holder(s). For example, when changing a disclosure option via DOMS; when removing an approval related to a specific authorisation; or during the authorisation flow when selecting to share data from a joint account. Purpose: Facilitate safe and informed joint account sharing and management.
Standards made: Expected in Q4 2021 to allow for a 6-month implementation timeframe. Actual date TBD in accordance with the date the rules are made.
Comply: Expected to be 1 April 2021. Actual date TBD in accordance with the finalised rules.
 
35. Notification standard: Joint account holders flagged as vulnerable
Entity: (not stated)
Rules: Existing rule 4.22(a)
Proposed obligation: SHOULD
Standards description: This item will propose that, where DHs treat a joint account like an individual account to prevent physical or financial harm or abuse, DHs should notify that joint account holder (the ‘requestor’) that the other account holder(s) will not be alerted when that authorisation is initiated. Purpose: Reduce cognitive barriers to data sharing for consumers experiencing vulnerability
Standards made: Expected in Q4 2021 to allow for a 6-month implementation timeframe. Actual date TBD in accordance with the date the rules are made.
Comply: Expected to be 1 April 2021. Actual date TBD in accordance with the finalised rules.

36. Notification standard: Pending approval status
Entity: (not stated)
Rules: Existing rule 4.22(a)
Proposed obligation: MUST/SHOULD
Standards description: DHs may indicate that a joint account is ‘pending’ further approval in the authorisation flow and include explanatory information about what this means. This could apply where a ‘co-approval’ option has been chosen by the joint account holder(s) to indicate that the requestor’s authorisation will not result in the disclosure of data from that joint account until the other joint account holder(s) approve. This standard will be considered for broader application, such that data holders can introduce additional information of this nature to the authorisation flow for other account types where required. Purpose: Increase system status visibility to help users understand when further action is needed to successfully share data.
Standards made: Expected in Q4 2021 to allow for a 6-month implementation timeframe. Actual date TBD in accordance with the date the rules are made.
Comply: Expected to be 1 April 2021. Actual date TBD in accordance with the finalised rules.
 
37. Withdrawal: Joint accounts
Entity: DH
Rules: 4A.13(2); 4A.15(1)(d)(v)
Proposed obligation: MUST
Standards description: This will propose that DHs advise joint account holders of the consequences of the withdrawal. This is expected to apply to the removal of a disclosure option, i.e. changing to a non-disclosure option, and the removal of an approval.
Standards made: Expected in Q4 2021 to allow for a 6-month implementation timeframe. Actual date TBD in accordance with the date the rules are made.
Comply: Expected to be 1 April 2021. Actual date TBD in accordance with the finalised rules.

38. Consumer Data Standards (CX)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No additional CX Data Standards are anticipated for this item.
Standards made: N/A
Comply: N/A

39. Consumer Data Standards (Technical)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No technical standards changes required. The rules change the disclosure options for joint account data. However, the technical standards do not define obligations that Data Holders must meet to obtain the disclosure consent of secondary account holders. The proposed draft v3 rules change the way in which consent is provided for joint accounts but do not include requirements for technical standards. Similar to the Joint Account Management Service, the way in which Data Holders implement these proposed draft v3 rules is left to the implementation Data Holders. Joint Accounts continue to be shareable through the existing standards framework for selection of accounts to be associated with the consumer's authorised consent that is held by the data holder. Further, joint account data is currently covered by the existing technical APIs.
Standards made: N/A
Comply: N/A
 
40. CDR Register (Technical Standards)
Entity: N/A
Rules: N/A
Proposed obligation: N/A
Standards description: No technical standards changes required. The draft v3 rules do not require additional metadata to be held or exposed via the CDR Register APIs.
Standards made: N/A
Comply: N/A

41. CDR Register (Participant Portal)
Entity: ADR, DH
Rules: 9.4
Proposed obligation: N/A
Standards description: Reporting changes required. The draft v3 rules change Reporting obligations. These additional reporting obligations require the collection of additional values in the CDR Participant Portal Rule 9.4 Report function.
Standards made: TBD in accordance with the date specified in the rules
Comply: TBD in accordance with the date specified in the rules
 
Direct to Consumer Request Service 
Under Part 3 of the CDR Rules, data holders are required to implement an online service that allows consumers to directly request their CDR data in a human 
readable form and in accordance with the data standards. 
In order to allow further consultation about the way in which direct to consumer obligations should be provided for and in machine-readable form via APIs (and the 
way in which the data standards should provide for this), the Rules amend clause 6.6 of Schedule 3 to remove the compliance date for the Part 3 obligations in the 
banking sector. 
 
Table 7. Direct to Consumer

42. General
Entity: N/A
Rules: Part 3
Proposed obligation: N/A
Standards description: As proposed in DP089 and DP167, no CX Data Standards are anticipated for this issue and any technical standards consultation will be deferred in line with the rules. If Direct To Consumer obligations are re-introduced at a later date, options for standards will be considered at that time.
Standards made: N/A
Comply: N/A
 
ADR Representation 
This topic covers the presentation of ADRs by DHs in the authorisation flow and DH dashboard. The genesis of this issue can be found in issue 222, where a range of 
possibilities were raised to achieve consistent and comprehensible presentation of ADRs in DH spaces. The proposal outlined in the below table progresses this 
thinking and proposes a new field to accommodate concurrent consents and the newly proposed access arrangement models, such as affiliates and CDR 
representatives. 
 
Table 8. ADR Representation

43. ADR representation in DH authorisation flow and dashboards
Entity: ADR, DH
Rules: 1.15(ba) and (bb), 4.23(2)
Proposed obligation: ADR: MAY; DH: MUST
Standards description: This issue is reflected in Table 1. Sponsored Accreditation and Table 2. CDR Representative Model.
This issue relates to the provision of CX standards to support consistent ADR presentation in dashboards, authentication, and authorisation spaces.
ADRs are currently represented inconsistently, and the current requirement to display an ADR’s legal entity name in the authorisation flow may not correspond with the entity the consumer interacts with as the CDR begins to see more complex accreditation models.
This consultation will propose that DHs display the ADR’s brand name in authentication and authorisation related artefacts where appropriate. This proposal will rely on the existing rules requiring DHs to display specified information that the Register holds in relation to an accredited person.
This consultation will also explore if these same fields should be required on dashboards, including DH dashboards and ADR dashboards in relation to AP disclosures.
The proposal will also query if additional consent-related fields are warranted for concurrent consents and complex sharing models, such as affiliates and CDR representatives. Consultation will be conducted to determine if or how these fields could be facilitated through technical standards – such as the authorisation request – or the Register.
Purpose: Achieve comprehensible and contextually appropriate presentation of ADRs during authentication, authorisation, and on consumer dashboards.
Standards made: TBD
Comply: TBD
 
 
44. Consumer Data Standards (Technical)
Entity: N/A
Rules: 1.15(ba) and (bb), 4.23(2)
Proposed obligation: N/A
Standards description: Changes may be required. If the disclosure of additional data relating to the representation of ADR relationships is required to be communicated through the authorisation flow and on consumer dashboards, changes to the authorisation request may be required to facilitate this.
Standards made: N/A
Comply: N/A

45. CDR Register (Technical Standards)
Entity: N/A
Rules: 1.15(ba) and (bb), 4.23(2)
Proposed obligation: N/A
Standards description: Changes may be required. If the disclosure of additional data relating to the representation of ADR relationships is required to be communicated through the authorisation flow and on consumer dashboards, changes to the authorisation request may be required to facilitate this.
Standards made: N/A
Comply: N/A

46. CDR Register (Participant Portal)
Entity: ADR
Rules: 9.4
Proposed obligation: N/A
Standards description: Changes may be required. If CDR Register (Technical Standards) are required, as mentioned in point Error! Reference source not found. it will flow on to the Participant Portal in order for ADRs to provide additional details during the on-boarding process.
Standards made: TBD in accordance with the date specified in the rules
Comply: TBD in accordance with the date specified in the rules
 
 
 
Implementation Considerations 
The specific items raised in this paper will be consulted on separately, along with the implementation considerations. CDR participants are encouraged to raise any 
concerns or impacts ahead of those targeted consultations. 
 
While a Noting Paper is not part of a formal decision proposal consultation, the DSB strongly encourages CDR participants to provide feedback to help inform data 
standards development in relation to these key areas of work. 
Consumer Data Right Board 
s 22
 
The following action items remain open: 
s 22
•  CDRB/201020/2.5 (Direct to consumer, 
assigned to Treasury). 
s 22
The remainder of this document is 
outside the scope of the request and has 
been deleted







Consumer Data Right Board 
s 22
1.5  Action Items 
Paper 
Ms Quinn 
 
s 22
The following action items remain open: 
•  CDRB/201020/2.5 (Direct to consumer).  
s 22
The remainder of this document is outside 
the scope of the request and has been 
deleted







Consumer Data Right Board – Meeting 20 
s 22
1.5  Action Items 
Paper 
Ms Quinn 
 
s 22
 
The following action items remain open: 
•  CDRB/201020/2.5 (Direct to consumer).  
s 22
The remainder of this document is outside 
the scope of the request and has been 
deleted







Consumer Data Right Board – Meeting 21 
s 22
1.5  Action Items 
Paper 
Ms Quinn 
 
Recommend that action item CDRB/201020/2.5 
(Direct to consumer) is moved to be closed, noting 
that the inclusion of direct to consumer provisions 
in the rules has been indefinitely deferred. The 
item was first raised in October 2020. 
 
s 22
The remainder of this document is outside 
the scope of the request and has been 
deleted







FOI 3139 
Document 26
s 22
From: CX <xx@xxxxxxxxxxxxxxxxxxxxx.xxx.xx>
Date: Monday, 28 February 2022 at 12:58 pm
To: s 47F
Cc: s 22
Subject: Re: Attn: s 22
Hey s 47F
 
Great to chat just then.
 
Here are the links I promised:
Direct to Consumer – data standards consultation
The most recent Direct to consumer deferral announcement
The direct to consumer exemption – which I believe you have already seen;
 
The direct-to-consumer exemption link may not be the most up to date as it refers to Nov 2021.
There are exemptions for individual DHs that defer to July 2022, but I’m certain it’s deferred
indefinitely. It’s notoriously hard to find these details so I’ve just put out a request for the most
up to date info.
 
Hope the above helps.
 
Best,
 s 22
Consumer Experience Lead
Data Standards Body | Consumer Data Right Division
s 22
T s 22
W www.consumerdatastandards.gov.au
 
Consumer Data Standards acknowledges the Traditional Owners of the lands that we live and work on across
Australia and pays its respect to Elders past and present.
 
 

FOI 3139 
Document 27
From:
s 22
To:
s 22
Cc:
s 22
; s 22
Subject:
FW: Zendesk Question 1608 - Direct to Consumer Obligations [ACCC-ACCCANDAER.FID2815417]
[SEC=OFFICIAL]
Date:
Friday, 22 July 2022 3:11:00 PM
Attachments:
image001.png
image002.png
image004.png
image006.png
OFFICIAL
From: s 22
Sent: Friday, 15 July 2022 1:47 PM
To: s 22
; s 22
s 22
s 22
Subject: RE: Zendesk Question 1608 - Direct to Consumer Obligations [ACCC-
ACCCANDAER.FID2815417] [SEC=OFFICIAL]
 
Hi s 22
,
 
Yes, I think this is definitely one for us. Thank you for sharing!
 
s 22
 and s 22  For info - the ACCC has received a Zendesk enquiry about timeframes for
consultation re expanding Open Banking to direct-to-consumer sharing. One for next week, but I
assume we will want to refer them to the CDR statutory review.
Previous ACCC advice: Response to queries:... https://cdr-support.zendesk.com/hc/en-us/articles/360004343516-Response-to-queries-Deferral-of-joint-account-and-direct-to-consumer-obligations
Rules for direct-to-consumer sharing are established under Part 3 of the CDR Rules
(Consumer data requests made by eligible CDR consumers)
Right now direct-to-consumer sharing under Part three is not included in the Banking
(Schedule 3, Rule 6.6) or energy (Schedule 4) commencement schedules.
 
Cheers,
 
s 22
CDR Policy Issues Unit |s 22
 
From: s 22
Sent: Friday, 15 July 2022 11:52 AM
To: s 22
Subject: FW: Zendesk Question 1608 - Direct to Consumer Obligations [ACCC-ACCCANDAER.FID2815417] [SEC=OFFICIAL]
 
OFFICIAL
 
Hi s 22  – I think this one might be for your team?  Let me know if you agree and/or if we can
help!
 
 

s 22
s 22
Consumer Data Right Division | Markets Group | The Treasury
Langton Crescent, Parkes ACT 2600
Ph: s 22 | M: s 22
cdr.gov.au | Subscribe to receive CDR updates
 
 
Consumer Data Right acknowledges the traditional owners of country throughout Australia, and their continuing
connection to land, water and community. We pay our respects to them and their cultures and to elders both
past and present.
 
OFFICIAL
From: s 22
Sent: Friday, 15 July 2022 11:35 AM
To: s 22
Cc: s 22; s 22 s 22
Subject: Zendesk Question 1608 - Direct to Consumer Obligations [SEC=OFFICIAL] [ACCC-ACCCANDAER.FID2815417]
 
OFFICIAL
 
Hi s 22
 
The ACCC Regulatory Guidance team has received the below Zendesk query (ZQ
1608) regarding the deferral of direct to consumer obligations:
 
I was wondering if any updated timelines were available regarding the deferral of
‘direct to consumer’ obligations. I see in your latest article that a consultation was
planned to occur before November 2021. I was wondering if this consultation
occurred and if not what the current timeline if any is?
 
As the question relates to CDR policy, we would be grateful for your team’s input.
 
Thanks very much and please let us know if you would like to discuss further.
 
Warm regards,
s 22
Graduate – Regulatory Guidance | Regulatory Branch | Consumer Data Right Division
Australian Competition & Consumer Commission
Level 29M, 135 King Street, Sydney NSW 2000
T:s 22
www.accc.gov.au
The ACCC acknowledges the traditional owners and custodians of Country throughout
Australia and recognises their continuing connection to the land, sea and community. We pay
our respects to them and their cultures; and to their Elders past, present and future.
 
 
