In July, amendments to the Consumer Data Right (CDR) Rules were released by the Government aiming to reduce barriers to participation and encourage greater uptake. 

Changes have taken into account stakeholder feedback to Treasury’s exposure draft of the Amending Rules released in September 2022. 

Overall, the new Rules will see big benefits for:

• small businesses wanting to share their financial data with a greater range of service providers; 
• CDR Representatives wanting to use external service providers to create more value for customers using CDR data; and
• banking data holders wanting to become Accredited Data Recipients (ADRs).

The new rules will come into effect on 1 December 2023. Read on to learn more about the coming changes!

Businesses can share their data with more providers

Old rules:
Businesses have only been able to share data with qualified professionals known as “Trusted Advisors” such as qualified accountants, financial advisers and lawyers.

Stakeholder feedback indicated the CDR Rules didn’t adequately cover the range of services used by businesses where CDR data needed to be shared.    

New rules:
As a result, businesses will now be able to share their CDR data via an ADR with non-accredited third parties including bookkeepers, consultants and other advisers, as well as a wide range of software providers and marketing agencies offering services to small businesses in Australia.

Under a “business consumer disclosure consent” businesses can specify any person (an individual or a business) they wish to share their data with for business services. These persons do not need to be accredited.

Extended consent options for businesses

Old rules:
Businesses could only consent to data being shared for a maximum of 12 months. 

Feedback from stakeholders was that 12 months didn’t suit the needs of businesses, particularly when it came to record keeping requirements. Additionally, if businesses forgot to renew their consent, the ADR would have to delete all shared data which could impact business operations.  

New rules:
Businesses now have the flexibility to choose a use or disclosure consent duration that best fits their operational requirements.

They can grant ADRs the right to use and disclose their CDR data for up to 7 years, but keep the right to select a shorter consent period or withdraw consent at any time. 

It’s important to note extended consent can only be provided by accredited third parties and does not include CDR Representatives, where a maximum of 12 months still applies. 

Where an ADR offers a business consent duration longer than 12 months, they must also offer the option of 12 months or less.

CDR Reps can now leverage Outsourced Service Providers 

Old rules:
CDR Representatives were not allowed to share CDR data with Outsourced Service Providers (OSPs). Within the CDR, OSP’s have specific capabilities that can be leveraged to provide additional services and more value for end users. For example, Basiq has OSP agreements with a number of partners (see Open Banking ready integration partners) specialising in areas like lending and identity authentication.    

Changes were made in response to feedback that CDR Representatives were limited in their use of CDR data, and therefore the services they could provide, because they weren’t able to engage OSPs.

New rules:
In what will be a game changer for the significant number of CDR representatives, changes to the rules means they’ll be able to share data with an OSP that has been vetted by the Principal ADR.  

The amendments clarify and strengthen the ADR’s liability for the actions of their CDR Representatives and OSPs, including the actions of any OSPs engaged by CDR Representatives. Read all the details here. 

Data sharing obligations delayed for ADRs holding banking data

Old rules:
Banking sector rules required data holders to respond to consumer data requests once they became an ADR, adding to the cost and complexity of accreditation.

New rules:
In a significant move to ease pressure and increase CDR participation, reciprocal data sharing obligations for ADRs holding banking data sets (i.e. banks and financial institutions) are deferred for 12 months post-accreditation.

No data sharing obligations for small banking product pilots 

New rules:
Lastly, the amendments create more room for innovation, allowing data holders in the banking sector to offer small scale pilot products without being subjected to data sharing obligations (for up to 1,000 customers and for a 6-month maximum duration). 

This adjustment is particularly beneficial for smaller data holders, encouraging them to trial innovative products without worrying about data sharing compliance.

Next steps  

ADRs will be able to offer the new business consents from 1 December 2023, so stay tuned for that! As always, Basiq will be there to help support customers and partners through these changes. 

We are excited for what this means for the progression of CDR. Government has addressed some key barriers to access and we’re confident they will increase participation. 

Small businesses could see huge benefits from CDR but have previously been underserved – these amendments are a great leap in the right direction.