CDR rule change opens consumer data tap to fintechs

CDR Rule Change Intermediaries

Australia’s Consumer Data Right (CDR) rules have been relaxed to allow accredited intermediaries to collect data on behalf of third-party data recipients – the first in a series of anticipated amendments to the data-sharing regime.

The rule change, which comes into force today, means CDR-accredited businesses are now permitted to request an accredited third-party business to obtain consumer data on their behalf.

The Australian Competition and Consumer Commission (ACCC), the CDR’s overseer and chief regulator, states that rule change is intended “to facilitate greater participation in the Consumer Data Right by fintech firms”.

ACCC Commissioner Sarah Court added that the amendment makes it easier for businesses who rely on outsourced services often smaller, less well-resourced, financial services firms to join the CDR.

“[It reflects] our ongoing goal of facilitating a wide range of business arrangements within the Consumer Data Right,” Court said in a statement.

The rule change recognises that third-parties may be better provisioned with CDR-ready technologies, without which fintechs and smaller financial providers within the scheme may be at a disadvantage.

Indeed, rather than having to build their own infrastructure and software to support consumer and product data capture and transfer, the rule change could conceivably allow fintechs to leverage outsourced IT resources from accredited intermediaries, tapping into CDR data streams via a data holders’ Open APIs.

Commissioner Court said the rule change to allow accredited intermediaries is “the first in a series of measures to reduce the time and cost to enter and operate in the Consumer Data Right ecosystem”.

She added that data security and integrity remained front of mind in the decision, maintaining that any business that is accredited by the ACCC “[goes] through a rigorous process to ensure they meet appropriate security requirements”.

“These amendments do not change those rigorous controls,” she said.

Open Banking, the first tranche of the CDR regime, was officially launched on 1 July this year.

The initial roll-out, which was mandated for the big four banks only, requires financial services organisations to make their credit/debit card, deposit account, and transaction data available to share with accredited providers.

The CDR’s originally proposed February 2020 launch was delayed due to concerns that there was insufficient time for accredited businesses to test and enforce security for data sharing.

Commissioner Court noted at the time that “robust privacy protection and information security are core features of the CDR and establishing appropriate regulatory settings and IT infrastructure cannot be rushed.”

“The CDR is a complex but fundamental competition and consumer reform and we are committed to delivering it only after we are confident the system is resilient, user friendly and properly tested.”

By July 2021, all banks and lenders in Australia will be required to provide access to product, account and transaction data for all banking and mortgage products.

In addition to the intermediary rule change, the ACCC has also announced a consultation on a set of further proposed consumer data rule changes.

This includes proposals for new levels of accreditation, including restricted tiers of accreditation, and rules to allow consumers to consent to the disclosure of CDR data to third parties.

Feedback on the proposed changes is due by 29 October 2020.

The new rules are expected to be in place by December this year.