The Consumer Data Right (CDR) and open banking are often promoted as encouraging competition and innovation in financial services. With the ACCC deferring the launch of certain aspects of the CDR from February to July 2020, it's useful to take a look at how far the legislation has come in achieving its initial goal. Current issues surrounding the CDR focus on the need to protect consumer data without restricting innovation or tilting the playing field against newer and smaller businesses. To help you get a better understanding of this issue, we’ve detailed three areas of interest:
Accreditation
For businesses seeking to take advantage of the CDR and open banking, it will be necessary to become an Accredited Data Recipient (ADR). To date, the proposed CDR rules have only outlined the obligations of an accredited entity at one ‘unrestricted’ level.
To become an unrestricted ADR, a business must complete a rigorous accreditation process in which it has to satisfy a range of criteria relating to the protection and management of CDR data and consumers (subdivision 5.2.3 of the Proposed CDR Rules).
One particular criterion is that the business needs to be a member of an external dispute resolution (EDR) scheme recognised under the Privacy Act 1988. The Privacy Act only recognises financial services EDR schemes for banks, financial planners, insurers, mortgage brokers and superannuation funds, leaving questions as to how businesses that fall outside these categories will satisfy this criterion and escalate CDR consumer complaints.
Current accreditation requirements make it difficult for smaller businesses and startups to become an unrestricted ADR. It is, however, expected that graduated tiers of accreditation will be introduced, with requirements dependent upon the level of risk posed by the CDR data being used.
Privacy Safeguards & Penalties
Another factor businesses will need to take into account is the 13 privacy safeguards and the penalties involved. These safeguards expand upon the Australian Privacy Principles (APPs), which govern the collection, use and disclosure of personal information. Specifically, the safeguards focus on CDR data privacy: how it’s collected, how it should be dealt with, and the integrity and correction of CDR data.
In general, Australian businesses with a turnover of less than $3 million are not bound by the Privacy Act (Privacy Act 1988). However, an exception has been made under the CDR, and the Privacy Act will be applicable to all ADRs regardless of SME status. In cases where there are inconsistencies between the consumer data rules and the privacy safeguards, the safeguards will prevail (CDR Bill 2019).
Businesses looking to be accredited face the issue of obtaining indemnity for the risks involved. Penalties for non-compliance can be severe, and penalties under the proposed amendments exceed those in the Privacy Act. This includes an increase in the maximum penalties payable, from $2.1 million to $10 million.
Consent Management
Lastly, the CDR is based on consumers providing voluntary, express, informed and time-limited consent. This necessitates a consent management mechanism capable of obtaining consent to CDR data that is specific to its purpose and can be withdrawn at any time. There are concerns over how ADRs will satisfy the proposed CDR rules whilst ensuring a friendly and simple user experience for end consumers.
CDR rules include details such as font weighting and make it difficult to create a simple user flow that is not overwhelming to everyday Australians. There is also the issue of the time-limited nature of the data, which requires ADRs to seek consent again after a 12-month expiry period (up from the original 3 months). This poses questions as to how this process will be managed, and also extends to cases where a fintech’s services or products have changed slightly since the initial authorisation.
The current status of the CDR makes it difficult to ascertain its role beyond being a data access and portability right. However, as the CDR matures it is likely that a number of the aforementioned concerns will be addressed. In line with this, the ACCC has released updates regarding the CDR model, which previously did not account for the role of intermediaries (third-party service providers who collect CDR data from a data holder on behalf of an accredited person). In recognising the importance of intermediaries, the ACCC has started developing additional rules that will accommodate intermediaries within the CDR regime by mid-2020. If this goes ahead without delays, it would mean that by the time major banks are required to share consumer data, the CDR rules will have been amended to address the use of intermediaries.
Editor's note: Since writing, a lot has changed with the CDR. The ACCC will no longer have decision-making authority over the CDR. Treasury, OAIC and the Data Standards Body will have joint authority over the rollout of CDR. Clarity has also been offered around the accreditation and the role of intermediaries.