Australia's Consumer Data Right: Here's everything you need to know
Australia's Consumer Data Right (CDR) officially launched on Wednesday, with the first tranche, an open banking-like regime, requiring financial services providers to share a customers' data when requested by the customer.
Individual customers of the big four banks -- ANZ Bank, the Commonwealth Bank of Australia (CBA), National Australia Bank (NAB), and Westpac -- can request their bank share their "live" data for deposit and transaction accounts and credit and debit cards with accredited data recipients (ADRs).
"It's a really significant day for banking," Australian Competition and Consumer Commission (ACCC) commissioner Sarah Court said. "We've been working hard towards this for a couple of years now, both at the ACCC and with the industry, in particular the four major banks and a select group of potential data recipients."
Implementation of the CDR faced many delays, but Court told ZDNet this has enabled the ACCC and regime participants to be certain it's secure.
"The time that we've had has enabled us to ensure that the regime is very secure, it's one of the things the banks have been most concerned about -- and that we've been most concerned about -- because the whole issue of consumer trust in the system is going to be critical to the success of the regime overall," she said.
"We're acutely conscious that if there are any security issues or IT issues in the immediate weeks then that is going to result in a loss of trust, so we've done everything that we can to sure that up, we've had various security checks and reviews, as have all the data participants -- it feels like the regime is strong and ready to go."
What is the Consumer Data Right?
The Consumer Data Right has been touted as allowing individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.
The CDR aims to help an individual monitor their finances, utilities, and other services, and compare and switch between different offerings more easily. The system also aims to encourage innovation and competition between service providers, including startups.
"Giving consumers greater access to and control over their data will make it simpler and more convenient for them to access tailored offers based on their current financial data and usage patterns," the ACCC says.
In the first instance, the mandate will apply to banking, but Australia's Treasurer has recently signed the designation instrument for the energy sector, and the ACCC will shortly commence consultation on the implementation of the CDR as it applies to energy. The government expects the move will give consumers more power to compare and switch providers to lower their energy bills.
Telecommunications will then follow once the energy CDR is implemented.
What is launched on July 1?
The Consumer Data Right platform launched on 1 July 2020 provides the infrastructure that supports the interaction of data holders and accredited data recipients.
Using the CDR, consumers can request their current financial services provider to share their data with ADRs -- which from 1 July 2020 includes finance and budget management app-maker Frollo and the Regional Australian Bank -- who might be able to use that data to offer a better and more personalised deal.
From July 1, eligible consumers -- customers of the big four banks -- will be able to direct data holders to share data from savings and transaction accounts, credit and debit card accounts, and term deposits. Loosely, this is referred to by the ACCC as "phase one" data.
"The big four banks are all ready to go and we've got a couple of accredited data recipients who have gone through what is a reasonably rigorous accreditation process, Frollo and the Regional Australia Bank, so those six participants are going to be the ecosystem to start with," Court said.
The ACCC expects that initial data recipients will progressively make data sharing available to their customers over coming weeks.
The big four have already made product reference data available since 1 July 2019. Product reference data includes generic information for credit and debit cards, deposit accounts, and transaction accounts, and this is available via an application programming interface from the big four, allowing offerings to be easily compared.
What comes next?
Non-major authorised deposit-taking institutions are required to begin data sharing by 1 July 2021 but may choose to share data earlier. Court is anticipating a significant number of fintechs and ADRs to join the CDR over the next few months.
The ACCC said over 39 prospective data recipients have already started the process to apply for accreditation since the Register and Accreditation Application Portal was launched in May.
"All businesses the ACCC accredits go through a rigorous process to ensure they meet appropriate security, privacy, and transparency standards, and must also demonstrate that their technology solution complies with the Consumer Data Right Rules and Standards," the ACCC said.
Testing for launch of the CDR began with a limited cohort of prospective data recipients. The COVID-19 pandemic meant several of those initial data recipients had to redirect resources to other priorities. The ACCC said prospective data recipients who are currently applying for accreditation are expected to start going live from September.
Non-major banks will be able to voluntarily participate in consumer data sharing from early 2021 and will be required to do so by 1 July 2021.
The next phase for the major banks comes into play on 1 November 2020 when data from mortgages, joint accounts, and personal loans will be added to the mandate. This means that from November, consumers will be able to share their data relating to home loans, investment loans, personal loans, and joint accounts the same way they currently can for transaction data.
Phase three begins 1 February 2021.
Non-major banks must comply within 12 months of major banks at all phases.
A bit of history
In November 2017, following a handful of Senate Economics Committee probes of the big four banks, the CDR was officially announced.
In March 2019, the ACCC published draft rules that would guide the implementation of the CDR. Only a few months prior, the ACCC was unsure how banks could provide consumers with their data, but took a red marker to the calendar to say ANZ, CBA, NAB, and Westpac needed to make consumer data available on credit and debit card, as well as deposit and transaction accounts, at minimum, by the start of the 2020 financial year.
The CDR was then created by the Treasury Laws Amendment (Consumer Data Right) Act 2019 which inserted a new Part IVD into the Competition and Consumer Act 2010. It passed through Parliament in August 2019.
After countless parliamentary probes, submissions, industry testimony, and consultations, the rules were finalised by the ACCC and came into effect on 6 February 2020.
The Select Committee on Financial Technology and Regulatory Technology is also currently looking at the CDR through the lens of fintech and regtech participation.
Read more: Senate fintech committee re-opens inquiry to focus on COVID-19 aftermath
A focus on security and the consumer
"Security and privacy protections are integral to the Consumer Data Right," the ACCC said. "Privacy protections have been strengthened and tailored to adequately reflect the needs of the Consumer Data Right and each sector that it applies to"
To become an ADR, each provider must undertake an accreditation process managed by the ACCC. Each data recipient must demonstrate that they have a secure technology environment to protect consumer data; and show that data shared between data holders and data recipients is encrypted to ensure that it is transmitted securely.
There are significant penalties of up to AU$10 million for any participant that breaches the Consumer Data Right Rules, in accordance with the Consumer Data Right's Compliance & Enforcement Policy.
The ACCC has adopted a joint enforcement policy with the Office of the Australian Information Commissioner (OAIC) to guide compliance and enforcement activities.
"There is a very strong legislative regime with very significant penalties that apply for breaches of any of the protections that are built in," Court told ZDNet.
Core to the CDR is the idea that consumers have 100% control and they can choose what data is shared and for how long, and have the right to withdraw consent and stop sharing data at any time.
It is purely an opt-in regime for consumers, meaning data can only be shared with a consumer's consent. If a consumer withdraws consent, the provider that received the consumer's data must stop using it, and must delete or de-identify any previously collected data.
Read more: ACCC and OAIC promise to put consumers at the centre of CDR enforcement
Who is overseeing the regime?
As the lead implementation agency, the ACCC is responsible for making the CDR Rules, accrediting potential data recipients, establishing and maintaining a Register of Accredited Persons, monitoring compliance and taking enforcement action where necessary, recommending future sectors to which the CDR should apply, and communicating with, and educating, consumers and other stakeholders about their rights and obligations under the CDR.
The ACCC works with the OAIC and the Data Standards Body (DSB) in developing and implementing the CDR: The DSB is responsible for the creation of the technical standards for the sharing of consumer data and the OAIC is the primary complaints handler under the CDR scheme.
The OAIC will have a range of investigative and enforcement powers to handle privacy complaints and carry out other regulatory activities with respect to privacy.