FOIREQ22/00356 061
Statutory Review of the Consumer Data Right
Part Two: Implementation and lessons learnt
The CDR has developed significantly since its establishment in 2019 and the initial rollout to the
banking sector. As of 26 July 2022, 114 data holder brands are now live in the CDR system, with 76
designated data holders and an additional 38 brands. The number of ADRs has also been steadily
growing, with 32 ADRs, 20 of which are active. This represents a market share of more than 99 per
cent of Australian household deposits being covered by CDR data-sharing.
Part Two of the Report considers feedback on the development and functioning of the CDR to date
and the lessons that should be gleaned to inform future rollout, including governance structure, speed
of expansion, the level of system complexity and the accreditation process.
The CDR has expanded and developed since its launch, most notably with the designation of additional
sectors (energy and telecommunications), and the ongoing assessment of Open Finance. Along with
increasing the coverage of CDR data, there have been continuous developments in the rules and
standards to support the expansion of the system, as well as improvements in the functioning of the
framework in existing sectors. There have now been four version updates of the rules, while the
standards have received rolling updates, with 10 maintenance cycles completed in addition to a
number of narrower updates from Decision Proposals.
The CDR framework provides a foundation that has the potential to support economy-wide digital
transformation and deliver significant consumer benefit. However, this Review’s consultations have
found that the system is not yet at a point where these benefits are being delivered. Part Two of this
Report considers a number of concerns related to the implementation of the CDR to date and what
lessons could be considered in relation to the statutory framework. These concerns include, but are
not limited to, the quality of CDR data, the level of coordination between CDR agencies, the
accreditation process, the lack of consumer awareness of the CDR, the uptake of CDR products, and
some potentially adverse competition outcomes from the CDR rollout. Many stakeholders informed
the Review that some of these concerns have directly prevented them from choosing to participate in
the CDR – stakeholders whose participation would otherwise create additional consumer value and
contribute to a vibrant CDR and digital ecosystem.
2.1 Data quality and screen scraping
Under CDR privacy safeguard 11, data holders and ADRs are required to take reasonable steps to
ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and
complete.16 The data put into the system should be of a quality that maintains consumer trust and
gives system participants confidence to invest in developing the innovative products and services that
compel consumers to move away from alternatives, such as screen scraping. A number of Review
participants spoke about issues of inconsistent data quality, with a number of ADRs suggesting that
product development has been held back by data range and quality issues. The Financial Data and
Technology Association (FDATA) noted that many of its “members regularly share concerns around
poor quality data, delays in data being received (in some cases up to 24 hours by major ADIs), missing
fields, erroneous data fields, garbled and inconsistent data”.
16 Chapter 11: Privacy Safeguard 11 – Quality of CDR Data, https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/chapter-11-privacy-safeguard-11-quality-of-cdr-data
2.3 The role for an implementation body
The CDR has been operating since 2019 and has attracted feedback and suggestions on how
implementation could or should have been approached differently. It is important in these discussions
to maintain awareness of the system’s context as a world-leading initiative, in terms of both depth and
scope. Australia’s CDR is an internationally unprecedented framework that supports broad
multi-sector data sharing, with no set formula and few examples to learn from. The CDR has an
ambitious vision and, to ensure its success, we must consider the lessons from its implementation to
date.
Feedback from participants has indicated that implementing systems and engaging with the CDR and
its administrators has been difficult and complex. While most were generally complimentary about
their experience with individual regulators, many also spoke of the burden of dealing with multiple
regulators, each with their own objectives, and a perception they were not well coordinated across
government and lacking appropriate tools to support participants.
This Review’s consultations revealed a common experience of participants being referred back and
forth between regulators, without receiving clear solutions and resulting in a perceived lack of
ownership. This highlights the complexity of the CDR’s governance structure and the roles and
responsibilities of the CDR agencies and the Minister (for further information, see Appendix C). The
Review supports implementing a ‘no wrong door’ approach to interactions, including for consumers
(see section 3.7), which will require improving coordination and clarifying roles and responsibilities
between CDR agencies.
“While engaging on important CDR issues, the AEC has sometimes found it unclear
what body or organisation was the responsible decision maker and there appeared
to be administrative confusion between the respective bodies over who held
responsibility for which roles. At times, this has reduced the quality of
consultation and made it difficult for data holders to receive the guidance they
need on grey areas in the CDR ecosystem.” – Australian Energy Council submission
Participants often cited the absence of a centralised implementation entity or market operator, such
as the OBIE in the UK, to address these concerns. The OBIE was established to implement Open
Banking in the UK as part of a multi-agency governance framework, with the key organisations being:
• the Competition & Markets Authority (CMA), which has responsibility for the obligations under
the CMA Order and oversight of the OBIE,
• the Financial Conduct Authority, which authorises, regulates and supervises Open Banking and
payment firms,
• the Payment Systems Regulator, which is the economic regulator for payment systems, and
• HM Treasury, which has responsibility for overarching financial policy.
This model offered participants (business operators using open banking as well as consumers using
products and services supported by open banking) a clearer ‘front door’ for interaction with the UK
Open Banking scheme and participation in it.
Banking, Australia’s fragmented and fractured approach has created further
misalignment, delays, assumptions and, in some cases, a false responsibility to
carry out the priorities of others to the detriment of the overall Right.” – FDATA
Since its inception, the CDR governance structure has not remained static, with changes made in 2021
to move some accountability and responsibility from the ACCC to Treasury to provide a more
streamlined and unified approach to development and implementation (see Appendix C). However, as
the system continues to evolve and expand, the roles and responsibilities (including service delivery,
regulatory functions, and technical standards) of the current structure should be revisited and lessons
learnt to ensure the best structure is in place to support the CDR going forward. This Review found no
clear consensus around a suggested governance model and, in the medium term, suggests further
consideration be given to what model best supports the CDR as it expands and integrates with the
wider digital economy.
2.4 Increasing awareness and engagement
Submissions raised issues with the implementation framework that might be addressed with
adjustments to the governance structure for the CDR. Most stakeholders noted that there is very little
consumer awareness of the CDR. One submission by Finder cited their Consumer Sentiment Tracker
survey, which suggests that, in May 2022, only 5 per cent of their sample could correctly identify what
the CDR is, down from 8 per cent in March 2021.20 Some submissions suggested that this lack of
awareness results in little consumer demand for new use cases of the CDR, reducing incentives to
produce new use cases.
“The CBA encourages the Government and the Regulators to support education for
consumers on the use and benefits of the CDR regime to increase engagement and
drive consumer benefits.” – Commonwealth Bank of Australia
“An increase in consumer participation and awareness can only be achieved
through planned educational and marketing programmes” – Cuscal
Increasing consumer awareness of the CDR has been discussed in previous review processes, including
submissions to the recent sectoral assessment of Open Finance, as well as in recommendations from
the Open Banking Review21 and the Future Directions Inquiry.22 This Review has found that the
assertion that education would drive consumer uptake of the CDR overstates its role in consumer
decision-making related to CDR-powered products. While understanding of the CDR may drive uptake
for consumers who closely follow technological developments, for the majority of consumers, uptake
will be determined by the new products and services on offer that can remove frictions from their
lives or benefit them in other ways. This does not disregard the need for consumer education and
awareness; consumers should understand the risks of data sharing practices, whether that be CDR or
screen scraping.
20 Refer to https://www.finder.com.au/cst
21 Recommendation 6.4 of the final report of the Review into Open Banking, May 2018,
https://treasury.gov.au/consultation/c2018-t247313
22 Recommendation 7.8 of the final report of the Inquiry into the Future Directions for the Consumer Data
Right, December 2020, https://treasury.gov.au/publication/inquiry-future-directions-consumer-data-right-final-report
“Community acceptance and use of the CDR regime will be boosted by timely
consumer education focused on the benefits of data sharing and how to mitigate
its risks and costs.” – Scientia Professor Ross P Buckley & Dr. Natalia Jevglevskaja,
University of New South Wales
Any consumer education efforts concerning the CDR, regardless of the message, will also need to
consider the target audience and adapt accordingly. Targeting small businesses will be especially
difficult given the diversity of the cohort. Small business owners listen to different voices within their
respective networks which makes cutting through difficult. Conventional government campaigns have
historically had difficulty achieving broad coverage amongst these smaller business operators.
Consumer education and technical understanding are unlikely to be the core drivers of consumer
adoption, and the focus should be on building the CDR brand as a trusted form of data sharing, a trust
mark of sorts, and to provide the warning signs of unsafe practices. To borrow Scott Farrell’s analogy
from the Future Directions Inquiry, if the CDR is the new highway for driving consumers to data quickly
and securely, then consumers are primarily interested in getting to their destinations safely and
quickly, rather than in the highway itself.
Further consideration will also need to be given to the education, guidance, promotion and
incentivisation of system adoption for existing and potential participants. The CDR highway isn’t yet
fully built, with some of it built in only one direction (that is, data sharing only in banking) or only
partially constructed (energy and telecommunications). The Government needs to ensure there is
enough awareness and understanding among those who will build the highway by demonstrating
the utility of the system, drawing them into the ecosystem and committing to the long term vision
of the CDR.
The Future Directions Inquiry addressed the concept of incentivisation for participation by
recommending the establishment of a grants program to support developers to build products to
benefit consumers.23 Grants alongside other incentives were raised in submissions to both the Future
Directions Inquiry and this Review. The Review suggests that more effective incentives than grants
could be provided by other mechanisms such as challenge-based funding and sponsoring prizes. The
OBIE-backed ‘Open Up 2020 Challenge’ (see Box 2.3) is an example of the role
incentivisation can play in promoting and encouraging innovation and the development of practical
use cases. Indeed, Australia has not been absent in this space, with the Department of Industry,
Science and Resources’ Business Research and Innovation Initiative having offered similar incentives for
solving various policy challenges.
23 Recommendation 7.9 of the final report of the Inquiry into the Future Directions for the Consumer Data
Right, December 2020, https://treasury.gov.au/publication/inquiry-future-directions-consumer-data-right-final-report
2.5 Balancing expansion with system maturity
The CDR’s rollout of data portability to date has provided wide coverage and the focus should now
turn to deepening the framework. While other data portability frameworks were able to achieve some
capabilities faster, none has achieved Australia’s breadth of coverage across sectors. For example, the
Open Banking scheme in the UK commenced a phased delivery in early 2018, which enabled payment
initiation in mid-2020. At the time of publishing, it has been two years since the first implementation
of the CDR in the banking sector and the scheme does not currently include action and payment
initiation. While the inclusion of payment initiation in Australia’s data portability scheme in the
banking sector will be later than in the UK, Australia has already implemented beyond banking and
made significant headway in expanding to energy and telecommunications, while the UK is grappling
with legislation required to expand its scheme beyond payments within banking and to other sectors.
See Figure 2.1 for a graphical representation of differences in participation between the UK and
Australia.25
Figure 2.1 - Growth in open banking
The Review heard some concerns about the speed of rollout of the CDR. Stakeholders recognised the
importance of balancing expansion with the iterative process of developing a secure and useful
regulatory framework. While some stakeholders noted their appetite for receiving some CDR-enabled
products faster (such as those enabled through action initiation), others noted that moving ahead quickly
with the scheme could leave behind some data holders that are already finding it difficult to meet
compliance requirements and consultation deadlines.
“…the continuing compliance pipeline of overlapping commencement dates has
reduced the capacity of many of our members to even consider becoming an
accredited data recipient.” – Customer Owned Banking Association
25 Figure 2.1 source Truelayer submission to the Statutory Review of the Consumer Data Right
As the CDR continues to build momentum expanding in both functionality and sectors, it is expected
that many consumers will access the CDR via multiple applications provided by their service providers,
such as a bank or energy provider, a third party fintech, or a combination of both. It is easy to see how
the average consumer may lose track and become overwhelmed if managing multiple consents across
multiple applications and across various sectors that also differ in format. This has also been raised in
the Future Directions Inquiry, along with the joint submission by the Chartered Accountants Australia
and New Zealand, CPA Australia and the Institute of Public Accounts and a submission from FDATA
ANZ, and so consideration could be given to improving the long term experience of consumers in the
CDR ecosystem by providing a consolidated consumer dashboard to track and manage consents, with
appropriate consideration given to potential risks and burdens on participants.
2.8 Complexity of rules and standards
Many participants also noted that, aside from the consultation processes, the rules and standards had
also not been implemented in a way that was appropriate to their business needs. Stakeholders felt
that there was an assumption, upon release of rules and standards, that there were technical experts
waiting at their computers for the latest implementation updates. This experience was exacerbated by
concurrent consultations and updates to both rules and standards which made the CDR rollout a very
demanding process for stakeholders (see also section 1.5).
The complex and, according to one participant, “overly prescriptive” rules and standards may risk
participants finding it difficult to meet the requirements set out for all products and services. The ABA
noted in its submission “that regulation of the CDR should not be used to drive homogenous
outcomes in products and should instead encourage and enable data holders to innovate”. A
submission from EnergyAustralia noted the same was true of the energy sector. The Review heard
from participants concerned that the overly prescriptive standards may cause some data holders to
shift consumers from bespoke or niche products to standard offerings or, alternatively, may adjust
their products to fit the standards resulting in more homogenised offerings across the market, less
value for consumers and reduced competition in the marketplace.
Despite some of these complexities, it was exciting to hear participants speak with optimism about the
prospect of becoming an ADR and the introduction of action initiation as the “game changer”, which
also highlighted the point that benefits will be realised only at that point. To get to this point, the
system will need appropriate time to breathe and mature. The CDR is on the right path to providing
certainty to participants, which, in turn, gives them the time to transition from being solely focussed
on compliance to innovation and new product development.
“We acknowledge that the implementation of CDR to date has been driven largely
by compliance, and recognise that as the CDR matures and stabilises, the
development of more strategic customer value propositions will emerge” –
Commonwealth Bank of Australia
Figure 2.2 – Represents the data flow through the different access models
While these pathways to participation have created more options for prospective CDR participants,
some have suggested that revision is needed for such pathways to be fit-for-purpose.
“Trying to gain accreditation or rely on another entity’s accreditation has become
an enormous task due to the liability framework and the different accreditation
models have not made a large difference” – Envestnet | Yodlee
The representative model, where a CDR Principal takes on the liability for a CDR representative, has
the potential to expand the number of products and services powered by the CDR. This has been
borne out in experience, where there are now almost as many CDR representatives as there are ADRs
in the CDR ecosystem. However, this model also introduces risks to CDR Principals that may have
adverse effects on the CDR ecosystem. A submission from illion suggested that large firms will be
unwilling to “take on a large number of representatives due to the liability risk of non-compliance, as
well as the reputational risk it places on their other business”, potentially encouraging higher risk
thresholds and tolerances from Principals sponsoring representatives.
the collection or storage of CDR data on behalf of other ADRs or a business that provides the data
analytics software that allows an ADR to provide consumer services. These participants may not
necessarily offer any consumer-facing CDR services of their own. The Review recognises the role
intermediaries play in the CDR ecosystem, but the Review did not hear from submissions how the
existing accreditation models fail to meet their needs and what potential changes might be required
to facilitate their role in the CDR ecosystem. Without a clear picture of the underlying problem it is
difficult to see what a bespoke intermediary accreditation process would look like in practice.
While expansion of accreditation may create new opportunities for involvement, it may also add to
the complexity of the accreditation process and further add to existing concerns that further options
have not made it easier to engage with the CDR to date, as noted by Basiq in its submission:
“Although these models have provided greater options, we feel that they have
still not solved the underlying problems that were originally raised during the
proposal phase. As it stands now, the accreditations are still considered to be
expensive to implement, lengthy to acquire and complicated to interpret the
rules associated with them.”
Introducing new pathways to accreditation should remain a possibility as the CDR develops. However,
in the spirit of allowing the CDR to mature before introducing further optionality to the system,
constructing a new intermediary accreditation may not be a priority, allowing time for further
exploration of how intermediaries interact with the CDR to understand how their participation in the
CDR can be facilitated.
Several submissions also noted that the requirements for CDR accreditation could be more closely
aligned with existing requirements under other government initiatives. For example, there are existing
security and privacy requirements for Digital Service Providers (DSPs) under the Operational Security
Framework (OSF) for the Australian Taxation Office (ATO); however, the CDR framework demands
more of data recipients.29 Indeed, many participants inside and outside the system may see it as an
unreasonable expectation of businesses to undergo multiple accreditation processes for schemes
focused on data protection.30
“Xero is confident recognising this Security Framework [including the Privacy Act,
the ATO OSF and the Security Standard for Add-on Marketplace (SSAM)] would
materially increase ADR participation, connecting business consumers with the
innovation and competition measures intended for the CDR.” – Xero
During consultations, it was suggested that, if ATO requirements are not sufficiently strong, they
should be brought in line with CDR accreditation requirements – otherwise the Government should
29 A 2021 review of the Security Standard Add-on Marketplace (SSAM) by Digital Service Providers ANZ
(DSPANZ) provides insight into the degree to which this framework can align with the CDR. See
https://www.dspanz.org/media/website_pages/news/ssam-review-2021-report/SSAM-Review-2021-Report.pdf
30 The 2020 Inquiry into Future Directions for the Consumer Data Right touched on similar issues,
recommending the formation of a common ‘data safety licence’ to manage participation in schemes where
secure data holding or transfer is required. See pages 192-3 https://treasury.gov.au/sites/default/files/2021-02/cdrinquiry-final.pdf
The Review heard conflicting proposals on reciprocity. Submissions from major data holders (in
particular, data holders in the banking and telecommunications sectors) advocated for the expansion
of reciprocity to support competitive outcomes in line with the Future Directions Inquiry
recommendations.33 The inclusion of data holder obligations acknowledges that designated
participants incurred significant costs in implementing CDR requirements and lose exclusive access to
the data they hold. Reciprocity ensures that those firms that benefit from new data available through
the CDR are required to make the other CDR data they also hold available.
“Based on the principles and scenarios identified under the CDR Act, and the desire
to have CDR apply economy-wide, we would encourage greater use of the principle
of reciprocity to ensure competitive neutrality in the CDR regime.” – Telstra
“It is clear that designing a system of economy-wide reciprocity would have a
resource impact for regulators and ADRs, but the ABA considers it vital for
consumers to fully benefit from the CDR and to ensure fair competition between
designated and non-designated industries.”
– Australian Banking Association
Some participants commented that reciprocity requirements may serve to increase market share for
incumbent data holders who are also ADRs because they create higher compliance costs for smaller
ADRs and force the sharing of data that might otherwise be a competitive advantage for smaller
participants. These obligations may therefore limit and disincentivise participation by smaller
participants, which is at odds with the CDR’s objective to increase competition.
“Whilst reciprocity embodies the purist view of the CDR with open consumer data, it
is seen to be unpopular amongst DRs (data recipient) as it exposes their consumer
data to the major data holders (DHs), who are often also DRs, therefore presenting
greater opportunity for the majors to capture additional market share.” – EY
“Unfortunately [reciprocity] … has discouraged companies that would be
beneficiaries of Open Banking data to avoid the adoption, or try and find loop-holes
by seeking non-accreditation access such as via the Principal Representative (PR)
model to circumvent this requirement.” – Basiq
As the system gathers momentum the disincentives of reciprocity obligations for smaller ADRs will
be offset by greater data availability as the CDR grows. Developments to bring Open Finance
datasets into the CDR, including the potential designation of non-bank lending, are likely to further
offset some of the issues raised around reciprocity. In the meantime, consideration could be given
to whether reciprocal obligation deferrals are an effective way to support the transition of
participants into the CDR until the system reaches a point of maturity and growth where these
obligations could be reconsidered.
33 Recommendation 6.9 from the final report of the Inquiry into the Future Directions for the Consumer Data
Right, December 2020, https://treasury.gov.au/publication/inquiry-future-directions-consumer-data-right-final-report.
This recommendation was focused on expanding to cross-sector applications of reciprocity so
that ADRs could face reciprocal data sharing requirements from DHs operating in a different sectoral
designation.
Part Three: The CDR within an emerging digital economy
The Review heard significant enthusiasm regarding opportunities for the CDR to integrate with
Australia’s broader digital economy. Part Three provides an overview of some of the areas that were
identified where the CDR could provide new opportunities, including aligning with technological
developments in payments infrastructure as well as with regulatory developments underway.
The CDR could become a key driver of Australia’s digital economy by providing consumers the
infrastructure to share their data safely and securely to obtain benefits. The CDR also provides the
framework that can create a flourishing data market in Australia. The Review has heard and
recognised the need for alignment with other digital initiatives and regulatory frameworks, limiting
duplication where possible.
A key area of the digital economy that has seen significant and rapid development is payments. The
New Payments Platform (NPP) has already demonstrated improvements to consumer payment
experiences and promises to deliver further consumer value in the coming years, including through its
PayTo service. Further development of the CDR should consider how its unique framework for secure
transfers of consumer, product and service data could integrate with and augment existing and
emerging payment channels.
Alongside these technological advances, there have also been updates to the legislative framework of
Australia’s digital economy, for example, the recent Data Availability and Transparency Act 2022
(DATA 2022) and the ongoing Privacy Act 1988 review. The CDR is a complex statutory framework and,
where possible, should seek to integrate and operate in concert with other government and
international initiatives.
3.1 Improving settings to support CDR services for small business consumers
It was consistently acknowledged by stakeholders that the core user and focus of the CDR has always
been, and should remain, the consumer – including small business consumers. However, obligations to
facilitate the sharing of business data have either only recently taken effect (major banks commenced
in November 2021) or have yet to take effect (non-major banks will commence in November 2022).
With the majority of Australia’s approximately 2.4 million businesses in a position to benefit from
using the CDR to disclose their own data,34 designing the CDR to facilitate the participation and
particular needs of these businesses could significantly increase the value obtained from the CDR.
These benefits have begun to be realised for small businesses under the UK Open Banking scheme,
and were recently highlighted in the latest OBIE impact report35 which focussed on how businesses
utilise cloud accounting services with the integration of open banking.
34 Smaller businesses are likely to benefit from these disclosures, for example via accounting platforms.
According to ABS data 93 per cent of Australian businesses have an annual turnover of less than $2 million.
ABS, Counts of Australian Businesses, including Entries and Exits, August 2021,
https://www.abs.gov.au/statistics/economy/business-indicators/counts-australian-businesses-including-entries-and-exits/latest-release#turnover-size
35 OBIE Impact Report June 2022, https://openbanking.foleon.com/live-publications/the-open-banking-impact-report-june-2022/
3.2 Data disclosures and small business consumer participation
Stakeholders have emphasised the CDR currently doesn’t offer the appropriate levels of flexibility to
allow business consumers to operate in the ecosystem. The recent introduction of trusted advisers has
gone some way to alleviate this, but the framework falls short in addressing how a majority of small
businesses operate in practice.
Under the current framework, the trusted adviser specification does not reflect the needs of small
business consumers, including sole traders and small family businesses, where the role of a trusted
adviser can often fall to a family member or employee. In some cases, this adviser may not hold formal
accounting qualifications (e.g. a CPA) and might solely manage the business using an accounting or
business management software platform, meaning that they would be unlikely to be included under
the definition of trusted adviser.
“Many SMEs rely on bookkeepers, who may not otherwise have formal
qualifications, to keep their business afloat. Disrupting this practice by excluding
bookkeepers from the definition of ‘trusted adviser’ and limiting a consumer’s
ability to control who they trust with their data, fundamentally risks undermining
the usability of the CDR and risks existing market practices” – FDATA
Many business consumers are unlikely to make the switch from unsafe but more convenient
alternatives like screen scraping until the CDR can meet their needs and provide a comparable service.
A factor for this is improving data quality (see section 2.1), with current service providers potentially
hesitant to switch to the CDR due to the concern they will inadvertently provide a poorer quality
experience and product for their customers than the less secure but more convenient alternatives.
“Treasury’s intention for the rules to facilitate current consumer practices of the
permissioned sharing of their data with trusted third parties … is a good one and
deserves support. However, it doesn’t encompass the agency small businesses in
Australia currently enjoy and depend upon to run their businesses.” – Xero
The differences between individual consumers and small business consumers need to be
acknowledged, including different requirements and potential tolerances around who the data is
shared with. While both individual and small business consumers have access to trusted adviser
disclosures, particular consideration should be given to providing small business consumers the
flexibility to consent to sharing their CDR data with individuals outside the limited categories of
trusted advisers currently defined under the rules, while maintaining the current protections offered
to individual consumers.
The Review acknowledges that some submissions by contrast advocated removing trusted adviser
disclosures entirely from the CDR due to the increased risks associated with CDR data exiting the CDR
system. Some submissions raised concerns relating to instances where consumer consent can be given
for data to be disclosed to unaccredited persons outside the CDR to whom the Privacy Safeguards, and
potentially the APP, do not apply. In allowing disclosures to unaccredited parties, CDR settings should
ensure that consumer risks are reduced by either limiting the eligible recipients or requiring that the
data disclosed meet a specific, limited purpose. In the case of small business consumers, this would
seem to favour the latter setting – where disclosures are explicitly for business-related purposes.
For example, when a person is required to confirm their identity and attributes with an unaccredited
third party provider (such as a real estate agent), that third party could ask the person to provide
consent for an ADR to receive attribute data through the CDR from data holders (such as banking
information or energy bills) so that the ADR can verify the identity and attribute information for the
third party. This process could save consumers the onerous process of collecting, formatting and
providing attribute information themselves and would be more secure than existing processes to
share identity and attribute information with third parties.
Figure 3.1 – CDR and attribute verification
With the CDR providing the framework to support open banking and Open Finance, along with the
former Government’s agreement46 to accept the Future Directions Inquiry recommendation to
implement payment initiation, the CDR will interact with the New Payments Platform (NPP) (see
Box 3.5). Submissions to the Review from the ABA and the Australian Payments Network highlighted
the similarities between the NPP and its new PayTo service offering to support and streamline
payment transfers, with many suggesting the CDR should be leveraging and aligned with this work,
potentially achieving a ‘quick win’ for payment initiation. This alignment includes looking to minimise
friction points where possible to improve the consumer experience (such as with the consents
process), and reduce regulatory compliance for participants, with consideration to any potential risks
that may undermine the integrity of the system. For example, the submission by Australian Payments
Network noted that the CDR consent flow (in the Consumer Experience (CX) guidelines published by
the DSB) currently requires consumer involvement in five distinct steps of the flow, whereas PayTo
allows a consumer to authorise a third party to provide specific payments on their behalf, offering a
streamlined interaction for the consumer.
46 The Government response to the Inquiry into Future Directions for the Consumer Data Right,
December 2021, https://treasury.gov.au/publication/p2021-225462
Part of amplifying the consumer voice is creating a CDR ecosystem that is easy and encourages
consumers to raise complaints. A submission from Cuscal suggested that “[a]s the regime expands it
will become difficult for consumers to ascertain which organisation, they are required to raise
complaints and seek actions for redress”. Cuscal goes on to suggest that a single agency could be
defined through which consumers raise complaints and which directs these complaints as required.
As a cross-sectoral scheme, the CDR was always designed to include multiple regulators to fulfil
separate roles and responsibilities.47 The Review recognises and supports from the outset that, to
be an effective consumer-facing policy, the CDR should have a ‘no wrong door’ approach (see
section 2.3) to handling consumer complaints, so as to avoid, as the original Productivity Commission
report put it, leaving “the consumer straddling in a regulator abyss”.
3.8 Beyond the Statutory Review
This Statutory Review takes place five years after the initial conception of the CDR in the Productivity
Commission’s Data Availability and Use report. As previously stated, it comes at an important time for
the CDR as it transitions from a build phase into a phase of maturing to develop its scope to deliver
significant consumer benefits. This Review has offered a number of short to medium term changes to
the statutory framework to support the maturation of the CDR. It also recognises that some of these
changes may not be long term solutions and identifies a number of elements of the statutory
framework that may need further consideration in the future, which could include:
• direct to consumer data sharing (section 1.6)
• implementation and governance arrangements of the CDR and other digital economy initiatives
(section 2.3), and
• reciprocal data holder obligations (section 2.10).
The CDR has undergone substantial adjustments even in these early stages, and there should be an
ongoing provision for considered review to ensure it remains agile and fit-for-purpose. Submissions
from the Australian Energy Council and the OAIC recommended that a further statutory review of the
CDR be conducted in the future, with the former suggesting repeating reviews every three years and
the latter suggesting a further review within the next five years.
This Review supports a further statutory review occurring within the next five years, capturing the
lessons from the next iterations of the economy-wide rollout and allowing an additional course check
and design calibration as the system continues to mature. A future statutory review could address the
considerations listed above if they remain pertinent along with any further issues that arise in the
meantime, particularly in relation to the development of the CDR to include payment and action
initiation and other developments in the wider digital economy.
47 See Data Availability and Use – Productivity Commission Inquiry Report, No. 82, March 2017,
https://www.pc.gov.au/inquiries/completed/data-access/report/data-access.pdf
Enabling direct to consumer data sharing
The legislative framework is broadly suitable to support direct-to-consumer
data sharing. Part 3 of the CDR rules outlines requirements for data holders
and direct to consumer data sharing.
Whether it is timely to ‘switch on’ direct-to-consumer data sharing is a
separate matter, and the Review has found that it is not timely to do so
(Finding 1.3). Consumer data sharing at this stage would not offer significant
benefits to consumers and poses apparent risks. These risks may change as
the CDR system matures, and the nature of consumers’ engagement with
data changes, at which point safely enabling direct-to-consumer data sharing
may be worthwhile.
When conditions have reached a point that risks around direct-to-consumer
data sharing have decreased on balance, the functionality and obligations can
be enabled through a rule change to the relevant schedules.
Data holders are not restricted from enabling direct-to-consumer data
sharing of their own volition. The CDR supports data holders making that
available without waiting for rules requiring them to share it. This would be
the case for the banking sector and any data holders electing to disclose
ahead of being required to (Rules Schedule 3, Clause 6.5) according to the
commencement table (Schedule 3, Clause 6.6 – which is silent on Part 3
obligations – effectively leaving them switched off). There are caveats to this
in that there is a requirement to adhere to CDR standards in making this
disclosure – standards which don’t currently exist – and for it to be provided
in a human-readable form. Any attempts to develop a CDR-compliant data
sharing mechanism ‘through CDR’ in this context will potentially need to be
revised if these settings change, and banks already often have existing
methods for sharing data with customers outside of CDR.
In the energy sector, obligations around Part 3 of the rules are explicitly
referenced as not applying (Schedule 4, Clause 8.5), so any disclosures made
by data holders to requests from consumers would be outside the CDR,
unless that obligation is revised in rules updates.
Expanding CDR rules to support the use of CDR data in credit assessments
The Australian Banking Association, Australian Retail Credit Association and
the Commonwealth Bank of Australia suggested amending Clause 7.2 of
Schedule 3 of the rules to expand the condition of data sharing to include
circumstances where a consumer applies for and/or acquires a product. The
current rules limit the use of CDR data for the purposes of credit decisions by
allowing the data to be retained only if the consumer acquires this product; in
the circumstance a product is not acquired the data must be deleted. This
suggestion could enable further use cases to be developed in credit
assessments, potentially allowing consumers to more easily switch providers
or access products.
Rules changes to improve user experience, potentially through allowing bundling of consents
The Australian Payments Network submission suggested a rules change was
necessary to support payment initiation and consent bundling. Notably, rule
4.10(b)(ii) explicitly prohibits the bundling of consents with other directions,
permissions, consents or agreements. Further attention could be given to
allowing consent bundling in certain circumstances with a view to where the
benefits of a simplified consumer interface can outweigh the potential risks,
noting this is only a part solution as mentioned in section 2.7. If such an
assessment concludes in favour of consent bundling, then r4.10(b)(ii) may
need to be amended, noting that r4.9(d) suggests that consents are required
to be ‘specific to a purpose’ which, as pointed out by the Australian Payments
Network, may be sufficient to protect against inappropriate use of bundled
consents. Such amendments should be considered in light of Finding 2.2.
Introducing a fiduciary obligation for data holders
Submissions, including from the Financial Rights Legal Centre, Consumer
Action Law Centre and the ACCC, recommended establishing a fiduciary duty
for CDR participants (ADRs and data holders) to use data in the best interests
of consumers. It is suggested that these duties can increase consumer
confidence in the CDR system, in a similar way that these duties have been
established in other realms where consumers are dependent on another
party completing a service for them (such as doctors, lawyers and
accountants). The Review notes that such a duty would likely increase the
regulatory burden for CDR participants; however, submissions note this may
be offset by increased trust from consumers and willingness to participate in
the CDR.49 As a general principle, the Review notes that the CDR framework
should not seek to impose additional regulatory obligations outside of those
that are required to successfully operate the system. Where other regulatory
frameworks are better placed to address a potential harm or issue, they
should be relied upon. It is not clear that the potential benefits of bringing in
these obligations outweigh the additional regulatory burden on CDR
participants.
Joint accounts and consent rules
The joint submission by the Australian Banking Association, Financial Rights
Legal Centre, Consumer Action Law Centre and the Consumer Policy
Research Centre also raised concern over the current opt-out model for joint
accounts and noted they had previously recommended it be implemented as
an opt-in model to ensure the safety of users. Their joint submission
recommended the model should be reconsidered in the context of the
rollout of payments initiation to allow time to evaluate the model and to
determine whether sufficient protections are in place for consumers,
particularly in relation to privacy, complaints handling and liability. The
Review recognises the potential risks identified in submissions by the opt-out
model and also sees the potential frictions an opt-in would present to the
consumer. It is noted that the current model was subject to consultation and
only recently implemented by major banks on 1 July 2022. It has yet to be
implemented by non-major banks (compliance date 1 October 2022). At this
point in time the Review finds an insufficient basis to reassess the model, and
suggests time should be given to allow the system to mature and develop,
before further considering a change.
49 See: Isabelle Guevara, Digital fiduciaries and privacy protection in the digital age, August 2021,
https://www.cba.org/Sections/Privacy-and-Access/Resources/Resources/2021/PrivacyEssayWinner2021#_edn24; cited in submission from Financial Rights Legal Centre.
Glossary
Accredited Data Recipient (ADR): Accredited Data Recipient (ADR) under section 56AK of the Competition and Consumer Act 2010. An ADR can receive CDR data after being accredited by the Data Recipient Accreditor (the ACCC).
Anti-Money Laundering/Counter Terrorism Financing (AML/CTF): The Anti-Money Laundering/Counter Terrorism Financing Act 2006 (AML/CTF Act), and the AML/CTF Rules aim to prevent money laundering and the financing of terrorism.
Application programming interface (API): Software designed to help other software interact with an underlying system.
Australian Competition and Consumer Commission (ACCC): An independent Commonwealth statutory authority whose role is to enforce the Competition and Consumer Act 2010 and a range of additional legislation, promoting competition, fair trading and regulating national infrastructure for the benefit of all Australians. The ACCC is a co-regulator of the CDR with the OAIC.
Consumer Data Right (CDR): Australia’s data portability initiative. Allowing consumers to consent to disclosures of their data to third parties.
Consumer Data Right (CDR) agencies: CDR agencies are the ACCC, OAIC, DSB and the Treasury.
Consumer Data Right (CDR) consumer: The ‘CDR consumer’ is the person who has the right to access the CDR data held by a data holder, and direct that the CDR data be disclosed to them (not currently enabled) or to an accredited or trusted person. For the purposes of the CDR a ‘person’ can be an individual or a business.
Consumer Data Right (CDR) data: Information within a class specified in a CDR designation instrument, or information wholly or partly derived from such information.
CDR Rules: The Competition and Consumer (Consumer Data Right) Rules 2020 (the CDR rules) provide the framework for how the CDR is to be implemented and operated.
Consent: Communication to an accredited person of the datasets and actions that the consumer is allowing them to access or perform, and the purposes for which the consumer agrees to their data being used and actions being initiated on their behalf.
CX: Consumer Experience
Data Availability and Transparency Act 2022 (DATA 2022): The Data Availability and Transparency Act 2022 (DATA 2022) enables sharing for the delivery of government services; informing government policy and programs; and research and development.
Data holder: A party that holds data to which the Consumer Data Right will apply, carrying obligations to provide that data to CDR participants.
Data / Datasets: Data is information translated into a form for efficient storage, transport or processing, and is increasingly synonymous with digital information. It includes product data (data related to the product/service advertised for example: descriptions, prices, terms, and conditions) and consumer data (data related to the consumer of the product/service for example: consumer contact details, or information relevant to their eligibility for a service).
Data portability: The ability to move data from one place to another.
Data Standards Body (DSB): A body responsible for assisting the Data Standards Chair in the development of common technical standards to allow Australians to access data held about them by businesses and direct its safe transfer to others.
Data Standards Chair (DSC): The person responsible for making data standards for the CDR, supported by the DSB.
Derived data: Under Section 56AI(2) of the Competition and Consumer Act 2010, ‘Derived CDR data’ is data that has been wholly or partly derived from CDR data, or data derived from previously derived data. This means data derived from ‘derived CDR data’ is also ‘derived CDR data’.
Designation: The designation instrument enlivens the Rule making power by designating a sector of the economy as a sector to which the CDR applies.
Digital Economy: Economic activities conducted or facilitated through digital computing technologies.
Digital identity: Information that represents a person or organisation on a computer system. A digital identity allows a user to prove to a remote system that they are who they say they are.
New Payments Platform (NPP): Australia’s real-time payments infrastructure, introduced in 2018, which allows consumers and businesses to make and receive fast payments which are secure and data-rich.
Office of the Australian Information Commissioner (OAIC): The independent national regulator for privacy and freedom of information. The OAIC is a co-regulator of the CDR with the ACCC.
Open Banking: The CDR based system giving customers access to and control over their banking data and data on banks’ products and services.
Outsourced service provider (OSP): A person who, under a CDR outsourcing arrangement, receives CDR data from, or potentially discloses CDR data to, an accredited person in order to assist the accredited person to provide goods and services to CDR consumers.
PayTo: PayTo is a new, digital way for merchants and businesses to initiate real-time payments from their customers' bank accounts.
Participant: CDR participants include ADRs, Data Holders, Representatives, Affiliates, Trusted Advisers.
Privacy Act 1998: Legislation designed to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.
Screen scraping: The practice of third parties using a customer’s login credentials provided by the customer to extract data (such as account balance and transactions) from the information that the customer may see on their digital display.
Standard/s: The technical and consumer experience data standards made by the Data Standards Chair for the purpose of the Consumer Data Right to inform participants on how to comply with the rules.
Strategic Assessment: A three-month assessment to inform an economy-wide Consumer Data Right, as announced as part of the former Government’s Digital Economy Strategy announced in the 2021-22 Budget.
Trusted Adviser: A person who can be nominated by a consumer and with consent receive that consumer’s data from an ADR. Trusted advisers must belong to one of the specified professions listed in CDR Rule 1.10C(2). For example, accountants, registered tax agents, BAS agents.
Unique identifiers: A unique identifier is an identifier that marks that particular record as unique from every other record.
Use case: Where a particular dataset has a current and demonstrable application to the provision of a product or service.
Vertical and horizontal integration: Vertical integration is the capacity for innovators to engage consumer within their industry. Horizontal integration is the connectedness between sectors particularly such that cross-sectoral use cases are enabled.
Appendix A – Context of the Review
Background to the Review
This Review was undertaken in the context of significant policy and governance developments in the
CDR. This includes the roll out of the CDR to the banking sector, the introduction of rules to bring the
energy sector into the CDR from late 2022, and the finalisation of the sectoral assessment and
designation process for the telecommunications sector. The practical application of the CDR initiative
to these three sectors provides a good opportunity to reflect on the efficacy of the statutory
framework as the CDR grows.
The CDR is a multi-year, complex initiative that will continue to grow and evolve over the next decade.
As such the Review will need to consider the policy, governance and any other relevant recent
developments in the CDR in responding to the Terms of Reference, including:
• The former Government’s response50 to the final report51 of the Future Directions Inquiry, which
provides options to expand and enhance the functionality of the CDR.
• The release of the former Government’s Digital Economy Strategy52 (announced as part of the
2021-22 Budget), which sets out a roadmap of initiatives to ensure Australia is a world-leading
Digital Economy by 2030 – including the Australian Data Strategy,53 and the expansion of the Digital
Identity System.
• The CDR Strategic Assessment to inform the future expansion of the CDR, with a relevant
consultation paper released by Treasury in July 2021.54
• Updates to CDR rules to support greater participation within the CDR ecosystem.
• International developments in consumer-initiated data portability.
50 The Government response to the Inquiry into Future Directions for the Consumer Data Right, December
2021, https://treasury.gov.au/publication/p2021-225462
51 The final report of the Inquiry into Future Directions for the Consumer Data Right, December 2020,
https://treasury.gov.au/publication/inquiry-future-directions-consumer-data-right-final-report
52 Further content concerning the Digital Economy Strategy can be found here:
https://digitaleconomy.pmc.gov.au/
53 Further content concerning the Australian Data Strategy can be found here:
https://ausdatastrategy.pmc.gov.au/
54 The consultation paper and Strategic Assessment Outcomes report can be found here:
https://treasury.gov.au/publication/p2022-242997
Terms of Reference
• Are the objects of Part IVD of the Act fit-for-purpose and optimally aligned to facilitate economy-wide expansion of the CDR?
• Do the existing assessment, designation, rule-making and standard-setting requirements of the
CDR framework support future implementation of the CDR, including to government-held
datasets?
• Does the current operation of the statutory settings enable the development of CDR-powered
products and services to benefit consumers?
• Could the CDR statutory framework be revised to facilitate direct to consumer data sharing
opportunities and address potential risks?
• Are further statutory changes required to support the policy aims of CDR and the delivery of its
functions?
Objects of 56AA of the Act
The object of this Part is:
a) to enable consumers in certain sectors of the Australian economy to require information relating to
themselves in those sectors to be disclosed safely, efficiently and conveniently
i) to themselves for use as they see fit; or
ii) to accredited persons for use subject to privacy safeguards; and
b) to enable any person to efficiently and conveniently access information in those sectors that:
i) is about goods (such as products) or services; and
ii) does not relate to any identifiable, or reasonably identifiable, consumers; and
iii) as a result of paragraphs (a) and (b), to create more choice and competition, or to otherwise
promote the public interest.
CDR rules discussed in the review
4.9 Object – The object of this Division is to ensure that a consent given by a CDR consumer to
collect and use CDR data is:
a) voluntary; and
b) express; and
c) informed; and
d) specific as to purpose; and
e) time limited; and
f) easily withdrawn.
4.10 Requirements relating to accredited person’s processes for seeking consent
An accredited person’s processes for asking a CDR consumer to give consent:
a) must:
i) accord with the data standards; and
ii) having regard to any consumer experience guidelines developed by the Data Standards
Body, be as easy to understand as practicable, including by use of concise language and,
where appropriate, visual aids; and
b) must not:
i) include or refer to other documents so as to reduce comprehensibility; or
ii) bundle consents with other directions, permissions, consents or agreements.
4.11 Asking CDR consumer to give consent to collect and use CDR data
a) ask for the CDR consumer’s express consent:
i) for the accredited person to collect those types of CDR data over that period of time; and
ii) for those uses of the collected CDR data; and
iii) to any direct marketing the accredited person intends to undertake;
4.13 Withdrawal of consent to collect and use CDR data and notification
(1) The CDR consumer who gave a consent to collect and use particular CDR data may withdraw
the consent at any time:
a) by communicating the withdrawal to the accredited person in writing; or
b) by using the accredited person’s consumer dashboard.
4.22 Requirements relating to data holder’s processes for seeking authorisation
A data holder’s processes for asking a CDR consumer to give an authorisation must:
a) accord with the data standards; and
b) having regard to any consumer experience guidelines developed by the Data Standards
Body, be as easy to understand as practicable, including by use of concise language and,
where appropriate, visual aids.
4.25 Withdrawal of authorisation to disclose CDR data and notification
(1) The CDR consumer who gave, to a data holder, an authorisation to disclose particular CDR
data to an accredited person may withdraw the authorisation at any time:
a) by communicating the withdrawal to the data holder in writing; or
b) by using the data holder’s consumer dashboard.
Appendix C – Overview of the Consumer Data Right
The Consumer Data Right (CDR) is Australia’s national data portability initiative. It is a significant,
economy-wide reform designed to empower consumers to benefit from the data Australian
businesses hold about them and in doing so strengthen innovation, competition and productivity. The
CDR was conceived of as a right by the Productivity Commission in March 2017,55 based on the
benefits it could provide to consumers and businesses and its potential to enhance competition. The
Productivity Commission identified that creating a right of this kind would fundamentally reform
Australia’s competition policy in a digital world.
In July 2017, the Review into Open Banking was commissioned to recommend the most appropriate
model for an Open Banking initiative in Australia. Giving regard to the earlier work of the Productivity
Commission, the final report of this review positioned Open Banking as a component of a more
general right for consumers to control their data in Australia – the CDR. The final report of the Review
into Open Banking set out four key principles, which have guided the implementation of the CDR in
Australia.56 These are that the CDR should:
• Be consumer focussed. It should be for the consumer, about the consumer, and seen from the
consumer’s perspective.
• Encourage competition. It should seek to increase competition for products and services
available to consumers so that they can make better choices.
• Create opportunities. It should provide a framework from which new ideas and business can
emerge and grow, establishing a vibrant and creative data sector that supports better services
enhanced by personalised data.
• Be efficient and fair. It should be implemented with safety, security, and privacy in mind, so that
it is sustainable and fair, without being more complex or costly than needed.
55 Refer: Data Availability and Use – Productivity Commission Inquiry Report, No. 82, March 2017,
https://www.pc.gov.au/inquiries/completed/data-access/report/data-access.pdf
56 Final report of the Review into Open Banking, https://treasury.gov.au/consultation/c2018-t247313
CDR statutory framework
The CDR statutory framework originated with the Treasury Laws Amendment (Consumer Data Right)
Bill 2019, which received Royal Assent in August 2019. The statutory framework comprises four
components:
• Part IVD of the Competition and Consumer Act 2010 (the Act), which contains the primary CDR
legislation, and establishes all other components of the legislative framework,
• CDR Designation Instruments made by the Minister pursuant to Part IVD of the Act, which
designate sectors of the Australian economy for the purposes of the CDR,
• the Consumer Data Right rules (the rules) made by the Minister responsible for the CDR. Among
other things, the rules set out the circumstances in which data holders are required to disclose
data, and to whom, in response to a valid consumer request. They also set out consent
requirements, how data may be used and privacy safeguards.
• the Consumer Data Standards (the standards), which set the technical requirements by which
data needs to be provided to consumers and accredited data recipients (ADRs) within the CDR
system – ensuring safe, efficient, convenient, and interoperable systems to share data are
implemented. Where the rules require compliance with the standards, a breach of the standards
may constitute a breach of the rules, and standards have a contractual effect between data
holders and recipients in certain instances.
Oversight of the CDR
The Minister
The Assistant Treasurer is the responsible Minister and sets the overall strategic direction and
expectations for the CDR program. The Minister is directly advised by the Treasury who leads CDR
policy, including the development of rules and on which sectors the CDR should apply to in the future.
The CDR Agencies
The Treasury leads CDR policy, including development of rules and advice to Government on which
sectors the CDR should apply to in the future.
Treasury works closely with the Australian Competition and Consumer Commission (ACCC), which is
responsible for the accreditation process, including managing the Consumer Data Right Register, and
ensures providers are complying with the rules and takes enforcement action where necessary; and
the Office of the Australian Information Commission (OAIC), which regulates privacy and
confidentiality under the CDR, enforces the privacy safeguards and privacy-related CDR rules where
necessary, handles complaints and notifications of eligible data breaches relating to CDR data. The
Data Standards Body develops the technical and consumer experience standards, which are made by
the Data Standards Chair.
CDR Board
The Consumer Data Right Board (the Board) was established under the authority of the Secretary of
the Treasury in February 2020. It provides senior leadership and strategic oversight by CDR agencies to
deliver a complex, multi-year and multi-function policy, regulatory and ICT program. The Board is
advisory in nature and not intended to supersede or otherwise interfere with the roles and
responsibilities, or independence of any agency or individual member. Decision making is undertaken
by a consensus of its Members who consist of the following:
• Deputy Secretary, Markets Group, Treasury (Chair)
• Commissioner, ACCC
• Data Standards Chair
• Australian Information Commissioner and Privacy Commissioner, OAIC
Evolution of governance
These responsibilities evolved with the roll out of the CDR. In the 2017 Productivity Commission Report
Data Availability and Use it was suggested that the proposed data sharing framework should be
established with the ACCC responsible for regulatory work including handling complaints from data
holders, educating consumers, and assessing applications to participate in data sharing.
The Open Banking Review chaired by Mr Scott Farrell was published in 2018. This Review included
several recommendations regarding governance of Open Banking, including that the initiative be
supported by a multiple regulator model where the ACCC be responsible for competition and
consumer issues and standards-setting, while the OAIC be responsible for privacy protection. The
Review also recommended a Data Standards Body work with the regulators to develop standards. The
Government at the time accepted these recommendations.57
With the launch of Open Banking under the CDR in 2019, the multiple regulator model was adopted
with the ACCC responsible for compliance, enforcement and accreditation as well as establishing the
rules for participation in the CDR framework. The OAIC was responsible for enforcing the privacy
safeguards and privacy-related CDR rules where necessary, handling complaints and notifications of
eligible data breaches relating to CDR data, for investigating privacy breaches, and providing advice to
the Minister and CDR agencies on the privacy implications of the CDR rules and data standards. During
this time Treasury provided guidance on policy implementation for the CDR. The Data Standards Body
was part of the Commonwealth Scientific and Industrial Research Organisation (CSIRO).
From 28 February 2021, the then responsible Minister for the CDR, Senator the Hon Jane Hume took
over from the ACCC as CDR rule-maker. This change meant that accountability for development and
advice on the rules, and for assessing future sectors, moved from the ACCC to Treasury, along with
overarching leadership and responsibility for the CDR program. The functional reallocation also
included the transfer of the Data Standards Body (DSB) from CSIRO to Treasury. These changes were
intended to support a streamlined and unified approach to the development and implementation of
CDR policy, rules and standards.
57 See Recommendations 2.2, 2.4, 2.6, 2.7, and 2.9 of the final report of the Inquiry into the Future Directions
for the Consumer Data Right, December 2020, https://treasury.gov.au/publication/inquiry-future-directions-consumer-data-right-final-report
The ACCC retains responsibility for accreditation of data recipients, registration and on-boarding
of data holders and data recipients, compliance and enforcement (together with the OAIC), for
designing, developing and running the Register & Accreditation Application Platform (RAAP)
that supports secure sharing of data between participants, and for the Conformance Test Suite
for participants.
Sectoral assessment and designation processes
The CDR statutory framework includes requirements related to the expansion of the CDR through a
sectoral assessment and designation process, as well as how the CDR is designed through rules and
standards to support engagement that evolves with technological developments.
Figure C.1: Summary of CDR sector implementation steps
[Figure: Sectoral Assessment; Designation; Rules and Standards; Agency Build and Test; Industry Build and Test; Roll out; CDR-enabled Products and Services]
Designation process
The Act provides that before a dataset or sector can be included in the CDR system, a detailed
assessment must be undertaken for the sector or dataset designated by a legislative instrument made
by the Minister.
The Minister may designate a sector of the Australian economy to be subject to the CDR under section
56AC of the Act. A sector is designated by legislative instrument, which specifies the classes of
information (data) designated for the purposes of the CDR and the class or classes of persons who
hold the designated information (data holders).
The Act provides that, before a sector can be designated, certain matters under section 56AD(1)
(collectively, the statutory factors) must be considered by the Minister. These include:
Figure C.2: Sectoral assessment criteria
[Figure: interests of consumers; promoting competition; efficiency of relevant markets; promoting data-driven innovation; privacy & confidentiality of consumers’ information; intellectual property considerations; the public interest; the likely regulatory impact of designation]
The Act also requires that, before designating a sector, the Minister must be satisfied that the
Secretary of the Department (the Treasury) has arranged for consultation and analysis about
designation and published a report about that analysis and consultation. As part of its consultation,
the Treasury is required to consult the ACCC, the Information Commissioner, and the primary
regulator of the relevant sector (section 56AE(1)(c)). Making a designation instrument cannot occur
until 60 days after the publication of the report. Before making a designation instrument, the Minister
must also consult the Information Commissioner about the likely effect of the instrument on the
privacy and confidentiality of consumers’ information (section 56AD(3)).
The sectoral assessment considers the type of data that should be designated (it may include datasets
used in other sectors) and who holds the data in the sector, to inform which data holders and what
data should be designated and shared in a secure way, upon a consumer’s request.
A final report on the sectoral assessment, incorporating stakeholder feedback, will inform the decision
about whether to designate a particular sector and any datasets and entities to be designated.
Figure C.3: Sectoral assessment process
A designation instrument specifies the parameters for classes of information that may be shared
under the CDR in a particular sector, as well as who is required to share it. Once a sector has been
designated, CDR rules and standards for that sector can be made in accordance with statutory
processes, including extensive consultation requirements.
Designation involves specifying ‘classes of information’ or data to be designated but designating a
sector does not in itself impose substantive obligations. Rather, the requirement to disclose particular
data emanates from the CDR rules, which establish what is ‘required’ CDR data that must be shared in
response to a valid request, as well as what information data holders, accredited data recipients and
representatives are ‘authorised’ to share on a voluntary basis.
Rules and standards
The rules have been developed to apply universally across sectors to the extent possible, however,
sector-specific provisions and modifications are catered for in sector-specific schedules, and will be
iteratively updated as the CDR evolves and expands. Once designation of a sector occurs,
sector-specific issues (for example, external dispute resolution arrangements specific to that sector)
are considered, as well as the development of sector-specific data standards. The rules are made
under the Act and set out the framework to facilitate data sharing.
The rules mandate how data holders disclose consumer and product data to consumers, and how data
holders disclose consumer data on behalf of consumers and product data to accredited data recipients
on behalf of the consumer. The first version of the rules was published in February 2020 and since
then there have been several iterations of the rules.
The standards provide guidance to participants in the CDR on technical and consumer experience.
Non-compliance with standards may constitute a breach of the rules where the rules require
compliance with the standards. The Data Standards Body provides frequent updates to the standards
in consultation with stakeholders.
CDR roll-out to date
Banking
The CDR was first implemented in the banking sector launching on 1 July 2020, where it is known as
Open Banking. The majority of Australian banking consumers are now able to access the CDR to
securely and conveniently share their banking data to access better-value products and services
tailored to their individual circumstances.
As of 26 July 2022, 114 data holder brands are now live in the CDR system, with 76 designated data
holders and an additional 38 brands. The number of ADRs has also been steadily growing, with 32
ADRs, 20 of which are active. This represents a market share of more than 99 per cent of Australian
household deposits being covered by CDR data-sharing. As of 7 July 2022, there are also 3 ADRs who
are principals for 31 representatives. ADRs already use, and are expected to use, CDR data to provide
services to consumers, such as budgeting, bill payment and financial management apps, streamlined
credit approval processes, and the creation of in-depth financial overviews to assist consumers on
their home-buying journey.
Energy
The expansion of the CDR to the energy sector is well advanced. On 12 November 2021, the Hon Jane
Hume, the then Minister for Superannuation, Financial Services, and the Digital Economy, made
energy-specific CDR rules that include phased compliance dates. Introducing the CDR in the energy
sector will provide Australian households and businesses with more accurate information about their
energy use and plans.
Commencing in November 2022, energy consumers will start to benefit from secure and easy sharing
of data about their own energy use and connection. For example, this could include supporting
informed decisions and greater insights on consumers’ energy usage and expenditure to identify
better value products and service offerings.
Telecommunications
In January 2022, the telecommunications sector was designated as the third CDR sector, following
banking and energy. Introducing the CDR into the telecommunications sector will enable information
about telecommunications product and consumer data to be shared in a safe and efficient manner.
Consumers will be empowered to access better-value and personalised products and services, such as
more accurate information about their internet consumption, phone usage and product plans so they
can more easily compare and switch between providers.
The rollout of the CDR in the telecommunications sector is expected to create many benefits for
consumers, including better product comparison, tailored product recommendations, and services
that help consumers save time and money in accessing telecommunications related products, as well
as supporting more informed financial decision making when telecommunications datasets are
combined with other CDR data.
Open Finance
Open Finance expansion will see the CDR expand in an agile and use case focussed approach –
bringing datasets from across general insurance, superannuation, merchant acquiring and non-bank
lending service providers into the CDR.
The announcement of Open Finance followed the completion of the CDR Strategic Assessment, which
found there were clear and immediate benefits in expanding the CDR to Open Finance by building
upon data already contemplated to be shared under the framework. Open Finance will also support
multiple use cases beyond provider switching, alleviate friction points for consumers through data
driven innovation and standardisation, and potentially enhance existing data sharing practices in the
related sectors.
Consultation also highlighted that unlocking public sector data, with consumer consent, could drive
private sector innovation and improve how consumers can more seamlessly use data services across
the public and private sectors.
Treasury consulted on expansion to non-bank lending services from 15 March to 15 April 2022. By
expanding the CDR through Open Finance, consumers will be empowered to make the best financial
judgments for their needs when choosing a superannuation strategy, general insurance product or
credit provider.
Future Directions for the CDR
The Inquiry into Future Directions for the Consumer Data Right final report, released in December
2020, made 100 recommendations to expand the CDR by enabling greater consumer data
empowerment and deeper functionality such as implementing third party action and payment
initiation, an economy-wide foundation, a more integrated data ecosystem, and realising international
digital opportunities.
Payment and action initiation will particularly be a game-changer for the CDR, and it is expected to
drive greater participation and innovation in the scheme. These developments will require legislative
amendments and will be the subject of a separate process of consultation to inform the Bill. Relevant
findings from the CDR Statutory Review will also inform the design of the legislation.
Data Standards Body
August 2022 Update
Table of Contents
1 Working Group Update
1.1 Technical Working Group Update
1.2 Consumer Experience (CX) Working Group Update
2 Stakeholder Engagement
2.1 CDR Implementation Calls
2.2 Maintenance Iteration
2.3 CDR Support Portal
2.4 DSB Video Channel
2.5 DSB LinkedIn
2.6 DSB Newsletter
2.7 Workshops
2.8 Service Provider Directory

1 Working Group Update
1.1 Technical Working Group Update
The technical working group has had a big month in July. The key highlights of the work undertaken are as
follows:
• Maintenance Iteration 11 has completed with the final decisions approved. This iteration
was very large and addressed 38 distinct change requests as well as a number of minor
documentation updates. The team is very appreciative of the work done by Hemang Rathod
to lead the iteration.
• Following the completion of MI 11, version 1.18.0 of the Standards was published on 11
August 2022.
• Maintenance Iteration 12 is underway and is in the backlog grooming phase. The intent is
for this iteration to be much smaller in scope and size due to the upcoming implementation
dates in both the banking and energy sector. The intent is that the changes included in
Maintenance Iteration 12 will not be required to be implemented until well after the
November implementation dates.
• The independent information security review report was completed and published. Work
has progressed on the DSB response and is intended to be published shortly.
• Another Decision Proposal for the Telco sector has been published with the first two
material consultations being completed. A meeting was also held with the Telco industry
participants facilitated by Comms Alliance. Discussions are underway to establish regular
meetings as was done previously with the ABA and AEC. Currently we are on track to have
candidate standards published during November.
• Significant work went into resolving the issues surrounding the publishing of PRD for the
energy sector. It is understood that this issue is now resolved for the time being.
• Work on the test documentation is ongoing with additional test cases being published on a
regular basis.
• In addition, the team has been supporting the Treasury in assessing new sectors, action
initiation, the development of v5 of the rules and rules for the Telco sector.
1.2 Consumer Experience (CX) Working Group Update
Since the last update in July, the Consumer Experience (CX) Working Group has continued to
engage with the community, progress the development of CX standards and guidelines, and has
worked closely with Treasury, OAIC, and ACCC on CX developments and guidance related to the
rules and incoming sectors.
Customer data language standards
To conclude Maintenance Iteration 11 (MI11), the Data Standards Chair approved changes to the
CX data language standards to treat customer data as sector-agnostic. These changes were
incorporated into the v1.18.0 release. It will not alter any banking obligations but will require
energy DHs to adopt language standards that are consistent with the language currently used in
banking.
This change will make the customer data language sector agnostic, and as such will relate to the
banking and energy sectors as well as future sectors, beginning with telco.
MI11 highlighted issues with the existing energy data language standards that will be consulted on
as part of MI12. Change Request 529 (CR529) has been published for this consultation, which
proposes that incorrect references to ‘NMI’ be removed, and the language for the payment
schedule cluster be amended to more accurately reflect the data that will be accessible. The DSB
welcomes views on these changes and if they need to be proposed as a future dated obligation or
can take effect in November for energy DHs.
Telecommunications
Decision Proposal 267 (DP267) will consult on data language standards specific to the telco sector.
This consultation will define standards for the telco sector and will be subject to further rules and
technical standards refinement.
This consultation is intended to be conducted in two rounds. The incoming decision proposal (DP)
will initiate the first round, which will run for 28 days. The second consultation will initiate the
finalisation of the data language standards, which is expected to be run soon after the conclusion
of the first round.
The CX working group is planning CX research to test comprehension of the proposed data
language standards, which will inform the development of the descriptions to be used.
Decision Proposal 229
A path has been assessed for DP229, which will consult on appropriate and consistent ways to
represent various CDR participants in the CDR ecosystem, particularly in DH authorisation flows
and dashboards. The paper is expected to include:
• A recommendation for ADRs to onboard a unique brand (and brandName) and software
product (and softwareProductName) per client, such as a CDR Rep, Affiliate, or subsidiary
etc.
• A proposal for DHs to display the brandName in the authorisation flow, in addition to the
legalEntityName as required by the rules.
• A proposal for DHs to display the brandName, softwareProductName, and legalEntityName
in DH dashboards.
• Consideration for additional fields to pass metadata to facilitate authorisation management,
particularly where concurrent consents are established using a single software product.
Accessibility Analysis
The first accessibility analysis report from DSB’s work with PwC’s Indigenous Consulting (PIC) and
the Centre for Inclusive Design was published in the CX Reports section on accessibility. The coded
prototype tested in accessibility research has been made available in a new Open Source Assets
section of the CX Guidelines.
The findings of this research, further CX and accessibility analysis, and a complete list of
recommendations will be made public in an accessibility improvement plan. The
recommendations from this research are expected to trigger a review of the accessibility
standards and artefacts, as well as propose increased DSB capability. The DSB will provide a public
response to this report and consult on these recommendations as part of ongoing standards and
artefact development.
Authentication
Research on the CX of Authentication is underway to facilitate uplift and evolution. As suggested
at the previous advisory committee, a related Noting Paper is being developed to share our
approach with the community, as well as CX metrics we are using to assess a range of
authentication approaches, which will ultimately inform standards development.
CX Artefact Development
The CX working group continues to iteratively develop and release CX artefacts to facilitate CDR
implementation in response to an evolving ecosystem and community requests. In July, this
included a new CX Checklist, published to reflect v1.17.0 changes, which is available as
downloadable xlsx and csv files.
For more details, refer to the change log.
Forward View
As noted in the DSB’s quarterly plan, a range of other activities are planned for the CX Working
Group. The CX Working Group is also conducting internal work relating to new sectors, new rules,
reviews of existing requirements, and future developments such as action initiation and
recommendations from the Future Directions inquiry.
FOR FURTHER INFORMATION
Andrew Stevens
Data Standards Chair
e andrew.stevens@i sa.gov.au
w www.consumerdatastandards.gov.au
Barry Thomas
Data Standards Body General Manager
e xxxxx.xxxxxx@xxxxxxxxxxxxxxxxxxxxx.xxx.xx
w www.consumerdatastandards.gov.au
For Official Use Only
CONSUMER DATA RIGHT BOARD: 23 August 2022
• The Disability Discrimination Act 1992 (DDA)
• The Web Content Accessibility Guidelines (WCAG)
• The Australian Government Digital Service Standards (DSS)
• Australian and International Standards
The pragmatic response for the Data Standards Chair to these legal obligations is to support data
standards that provide equal access of use.2,3 This means:
1. Enabling any user to locate, identify, operate functions, and to access the information
provided, regardless of their physical, cognitive, or sensory abilities; and
2. Maintaining the privacy and security of any user at the same level regardless of the
accessibility features of the content or service.
The Background Report indicates that a failure to provide equal access of use could exclude and
discriminate against people with a disability, which would breach the DDA. Risks for not complying
include:
• Negative publicity and public perception of the CDR: This includes the creation of reputational,
program, and implementation risk for officials and the government, as well as negatively impacting
businesses and consumers.
• Legal action: Including the risk of legal action related to the legislative obligations under the DDA
in relation to a failure to provide equal access. The AHRC keeps a register of similar decisions
under DDA.4
• Secondary effects for sector organisations: Resources being provided for others to use may
result in acquired liability. Organisations may expect that the Chair and DSB have considered
accessibility before producing and releasing resources for others to use.
The review noted that research would be required to develop a Usability and Inclusivity framework
with regard for vulnerable consumers. The review also suggests that such an approach would align
with priorities previously raised by the Assistant Treasurer Jones, Minister for the CDR, who noted in
2019 that the potential impact of the CDR on vulnerable consumers needed to be monitored,5 and
that more needed to be done to ensure vulnerable CDR consumers were not discriminated against.6
While the Background Report identifies obligations and opportunities for the Chair that the DSB will
respond to and consult on, the review also outlines the benefits of complying with accessibility
obligations, which include:
• Increased innovation: Accessibility features in products and services often solve unanticipated
problems for a broader group of users, not just those with identified accessibility needs;
• Improved Usability: Accessibility features are essential for some and useful for all; and
• Higher adoption: With greater accessibility, a greater number of people can benefit from the CDR.
The Accessibility Review will soon conclude with the finalisation of the Accessibility Improvement
Plan, which is its final output. This report will include an extended list of recommendations for the
2 ETSI EN 301 549 - V3.2.1 - Accessibility requirements for ICT products and services
3 AS EN 301 549:2020 - Accessibility requirements for ICT products and services
4 DDA: Register of Court decisions https://humanrights.gov.au/our-work/disability-rights/dda-court-decisions
5 Mr Stephen Jones (2019) Treasury Laws Amendment (Consumer Data Right) Bill 2019, Second Reading (13:20)
6 Mr Stephen Jones (2019) Treasury Laws Amendment (Consumer Data Right) Bill 2019, Second Reading (17:01)