Preparing for changes to the CDR: What you need to know

1. A recap on the CDR

a. The CDR framework was created to provide individuals and businesses with a right to access and share their data in certain industry sectors.

b. The CDR was enacted by the Treasury Laws Amendment (Consumer Data Right) Act 2019³, which inserted a new Part IVD into the Competition and Consumer Act 2010⁴. The CDR Rules⁵ provide the framework for how the CDR operates.

c. A sector needs to be designated by the Minister to be subject to the CDR. So far, the banking sector (i.e. ‘open banking’)⁶, the energy sector⁷, non-bank lending (which is part of a broader category known as ‘open finance’)⁸, and the telecommunications sector⁹ have been designated. The CDR is currently only active in the banking and energy sectors - the rules for telecommunications and non-bank lending are not yet finalised.

d. In Australia, consumers can currently only consent to giving accredited entities their data in read-only form. This can be contrasted with the UK where for many years consumers have been able to consent to giving accredited entities both read and write access to their data. Write access provides consumers the power to instruct accredited entities to initiate actions on their behalf (rather than just read or view data). This can include making a payment, switching products, or opening or closing an account.

2. Action initiation

a. On 26 September 2022 the Treasury released draft legislation for consultation, to enable action initiation as part of the CDR.¹⁰ Action initiation would provide CDR consumers with the ability to use the CDR to have an action initiated on their behalf.

b. 36 submissions were received as part of the consultation. The submissions were broadly supportive, but raised a number of challenges and risks (which largely centred on security, privacy, ensuring flexibility, and reducing compliance costs).

c. On 30 November 2022 a Bill was introduced to Parliament to give effect to the proposed reforms, the Treasury Laws Amendment (Consumer Data Right) Bill 2022 (Bill).¹¹ Below we summarise the key parts of the Bill.

• New participants: Action initiation will introduce new entities into the CDR ecosystem: Accredited Action Initiators (AAIs) and Action Service Providers (ASPs). Under the new law, a consumer will be able to request an AAI to instruct an ASP on their behalf. The ASP must perform the action if it is a type of action they would ordinarily perform in the course of their business. AAIs will be accredited by the ACCC.
• Actions: The actions (to be known as ‘CDR actions’) that would be the subject of initiation instructions are to be specified by the Minister through a declaration. The initial focus appears to be on payments, but we would expect other use cases to be designated (e.g. product switching).
• Regulation of the instruction layer: The Bill seeks to regulate the ‘instruction layer’ (i.e. the instruction for the performance of an action) rather than the ‘action layer’ (i.e. how a service provider processes instructions). A service provider that receives a valid instruction to perform the action must perform that action if it would ordinarily do so as part of its business.
• Rules: The Consumer Data Right Rules (which contain the more detailed aspects of the CDR regime) may be expanded to include rules in connection with CDR actions and instructions, including the specific steps involved with initiating actions, participant roles and activities, and accreditation.
• CDR data: The Bill proposes to expand the definition of CDR data to capture information that relates to a consumer, in cases where the consumer data rules authorise an accredited action initiator to use or disclose the information to prepare or give an instruction for an action.
• Privacy Safeguards: The existing legislation contains privacy safeguards that provide a level of protection for data used and shared within the CDR framework, and which are generally more prescriptive and onerous on handling CDR data than the requirements applying to personal information under the Privacy Act 1988. These privacy safeguards would be amended to capture AAIs and ASPs.

d. The significance of action initiation cannot be overstated. In the UK, action initiation (otherwise known as ‘write access’) has enabled innovative business models to develop. This has included a write access enabled AI assistant that can transfer funds between accounts, a system that automates the payment of bills on their due dates from designated accounts, a website that compares term deposit rates and automatically invests in the best ones, or a system that automatically allows consumers to round up purchases into an investment account.¹² The introduction of action initiation in Australia has the potential to increase use and adoption of the CDR framework, and create new opportunities for businesses. For a bank, for example, this could include changing data (including personal information) about an account holder, instructing a bank to make a payment through a third party application, applying for new products and services through a third party comparison service, and closing an account.¹³ For consumers, this may lead to lower prices (due to automation, efficiencies, and increased competition) and less friction in user experiences.

e. With that opportunity will come challenges and risks. We set out some of the potential impacts below.

• Action initiation may be a good opportunity for businesses to review holistically how they will handle, use and disclose personal information. Certain data flows will be covered by the privacy safeguards in CDR legislation and the interaction between the Privacy Act 1988 and the CDR privacy safeguards¹⁴ will need to be carefully considered as part of data governance frameworks.
• Action initiation will rely heavily on getting good consent from consumers to support the proposed actions. Businesses should plan ahead by ensuring consent processes are compliant with any new arrangements.
• Businesses will need to be accredited to take advantage of action initiation. This could be a time consuming and costly process and businesses may want to get their ducks in a row sooner rather than later.
• Business will need to ensure that they have strong KYC and AML compliance frameworks and security controls in place to minimise the risk of fraud and scams. Relative to the status quo, action initiation is likely to increase customer interactions and result in new interactions which could increase the incidence and impact of fraud and scams targeted at making payments or account changes.
• Commercial contracts between participants in the CDR ecosystem may need to be uplifted to reflect action initiation.
• CDR policies that govern how an organisation manages CDR data will need to be updated.

f. The Bill is currently before the Senate Economics Legislation Committee which is expected to report in May 2023.¹⁵

3. Telecommunications and other enhancements

a. As noted above, telecommunications was designated as a CDR sector in January 2022.¹⁶ It is expected that the rollout of the CDR to the telecommunications sector will allow consumers to access consolidated information about their internet and mobile bills, facilitate greater product choice and bundling of solutions that best suit consumers’ needs, and increase competition in the sector.

b. Following the designation, Treasury released an exposure draft of the amendments to the CDR rules required to expand the CDR to telecommunications (as well as other operational enhancements to the CDR rules).¹⁷ The rules need to be finalised before the CDR can apply to the telecommunications sector.

c. The proposed changes to the CDR rules for the telecommunications sector include:¹⁸

• eligibility requirements to determine which telecommunications-sector consumers may make requests for CDR data. The consumer's account must relate to a ‘relevant product’ (i.e. a public mobile telecommunications service or a fixed internet service), the account must be set up in such a way that it can be accessed online, and the account must not be a ‘large scale commercial account’
• specification of the telecommunications data sets (i.e. CDR data) that can be shared. The exposure draft contains definitions of ‘required product data’, ‘voluntary product data’, ‘required consumer data’ and ‘voluntary consumer data’ that are specific to the telecommunications sector;
• internal and external dispute resolution requirements that are tailored for the telecommunications sector; and
• rules providing for the staged implementation of CDR in the telecommunications sector. The ‘initial CSPs¹⁹’ (being Telstra, Optus and TPG) would be subject to the rules first, followed by ‘large CSPs’ and ‘small CSPs’ (although small CSPs will be able to voluntarily participate earlier). The exact dates for the application of the rules to initial and large CSP’s are square bracketed in the exposure draft.

d. Other proposed operational enhancements to the CDR rules include the following:²⁰

• allowing business consumers to share their data with more third parties. Through the creation of a “business consumer disclosure consent”, businesses will be able to consent to their CDR data being shared with “specified persons”, like book-keepers, consultants and other advisers who are not trusted advisers under the current CDR Rules;
• extending business consumer use and disclosure consents from 12 months to a maximum of 7 years. The purpose of this extension is for consistency with usual business requirements as to record keeping;
• enhancements to CDR representative arrangements and CDR outsourcing arrangements;
• delaying reciprocal data sharing obligations for newly accredited entities holding banking data sets, until 12 months after becoming an ADR. (Current rules require newly accredited entities to respond to consumer data requests as data holders once they become an Accredited Data Recipient (ADR). This adds to the cost and complexity of accreditation); and
• an exemption from data sharing obligations for small-scale pilot products. Data holders in the banking sector will be allowed to offer small scale pilot products without being subject to the data sharing obligations in order to incentivise innovation.

e. Some submissions from telecommunications-sector participants raised concerns about how long it would take to implement these rules.²¹ Along with the interaction with action initiation, this may explain at least in part why the rules have not yet been finalised.

4. Open Finance

a. After telecommunications, the next step will be to expand the CDR to ‘open finance’.²² Open finance (a similar concept to open banking) will allow consumers to compare and save across a greater range of financial products in addition to banking, including general insurance, superannuation, merchant acquiring and non-bank lending service providers.

b. Treasury’s Strategic Assessment Report of 2022 noted that open finance will be implemented in phases involving the assessment and designation of key datasets relating to superannuation, general insurance and merchant acquiring, and non-bank lending service providers in 2022.²³

c. During March – April 2022, Treasury conducted a sectoral assessment on applying the CDR to the non-bank lending sector.²⁴ The submissions were broadly supportive, given it will build on data already available in banking, energy and telecommunications (and provide a more comprehensive assessment of a consumer’s credit profile and risk), and encourage innovation and competition. However, some of the submissions also identified concerns, relating to the differences between the non-bank lending sector, and other sectors and the degree of variation within the non-bank lending sector. This included:

• Typical consumers of non-bank lenders are more vulnerable than consumers of traditional banks. For that reason consent frameworks will need to be robust, ensure that consumers meaningfully understand what they are consenting to, and should be carefully considered in the CDR rules.
• Not all non-bank lenders are in the same position as ADIs²⁵. Most ADIs are well-resourced and well-placed to address and uplift security, privacy and data governance frameworks. This may not always be the case for non-bank lenders.
• Accreditation and compliance costs may be significant for the non-banking lending sector. A phased approach (starting with large non-bank lenders) may be preferable with a threshold introduced for size of businesses caught by the new regime and/or a grace period.

d. On 19 August 2022 the Government announced the release of Treasury’s final sectoral assessment report recommending the non bank lending sector be designated for the CDR.²⁶ Non-bank lending was then designated as a CDR sector in November 2022.²⁷ Following the designation, Treasury sought input on the development of CDR rules and data standards to implement the CDR in the non-bank lending sector.²⁸ The rules have not yet been finalised.

The developments discussed in this article (the proposal to implement action initiation, and the application of the CDR to telecommunications and open finance) are significant and will increase engagement and participation in the CDR this year and beyond. Action initiation, in particular, has the potential to be a game-changer in terms of business opportunities, transaction efficiency and productivity, but will also present new risks and challenges that business will need to navigate without a lot of precedent.

We will keep you advised of the progress of the Treasury Laws Amendment (Consumer Data Right) Bill 2022 and the CDR rules for telecommunications and open finance.