Basiq Insights

Open Banking Consumer Data Right

Changes to CDR Rules good for business

Government announced some big changes to the Consumer Data Right Rules that will impact small businesses and CDR representatives. Haven’t seen them yet? Don’t worry, we’ve gone over the details so you don’t have to – check out our summary to read more!

Last Friday, 21 July, amendments to the Consumer Data Right (CDR) Rules were released by the Government aiming to reduce barriers to participation and encourage greater uptake. 

Changes have taken into account stakeholder feedback to Treasury’s exposure draft of the Amending Rules released in September 2022. 

Overall, the new Rules will see big benefits for:

  • small businesses wanting to share their financial data with a greater range of service providers; 
  • CDR Representatives wanting to use external service providers to create more value for customers using CDR data; and
  • banking data holders wanting to become Accredited Data Recipients (ADRs).

The new rules will come into effect on 1 December 2023. Read on to learn more about the coming changes!

Businesses can share their data with more providers

Old rules:
Businesses have only been able to share data with a limited number of unaccredited service providers, such as qualified accountants, financial advisers and lawyers.

Stakeholder feedback indicated the CDR Rules didn’t adequately cover the range of services used by businesses.    

New rules:
As a result, they will be able to share their data via an ADR with non-accredited third parties like bookkeepers, consultants and other advisers. As well as a wide range of software providers offering services to small businesses in Australia.

How the rule change will impact ADRs:

  • ADRs must ensure the business isn’t an individual and holds an active ABN.
  • Businesses wanting to share data must provide the ADR with a statement consenting they are receiving goods or services as a business and not as an individual.

Old rules:
Businesses could only consent to data being shared for a maximum of 12 months. 

Feedback from stakeholders was that 12 months didn’t suit the needs of businesses, particularly when it came to record keeping requirements. Additionally, if businesses forgot to renew their consent, the ADR would have to delete all shared data which could impact business operations.  

New rules:
Businesses now have the flexibility to choose a consent duration that best fits their operational requirements.

They can grant ADRs the right to use and disclose their CDR data for up to 7 years, but keep the right to select a shorter consent period or withdraw consent at any time. 

It’s important to note extended consent can only be provided by accredited third parties and does not include CDR Representatives, where a maximum of 12 months still applies. 

How the rule change will impact ADRs:

  • Where an ADR offers a business consent duration longer than 12 months, they must also offer the option of 12 months or less.

CDR Reps can now leverage Outsourced Service Providers

Old rules:
CDR Representatives were not allowed to share CDR data with Outsourced Service Providers (OSPs). Within the CDR, OSP’s have specific capabilities that can be leveraged to provide additional services and more value for end users. For example, Basiq has OSP agreements with a number of partners (see Open Banking ready integration partners) specialising in areas like lending and identity authentication.    

Changes were made in response to feedback that CDR Representatives were limited in their use of CDR data, and therefore the services they could provide, because they weren’t able to engage OSPs.

New rules:
In what will be a game changer for the significant number of CDR representatives, changes to the rules means they’ll be able to share data with an OSP that has been vetted by the Principal ADR.  

How the rule change will impact ADRs:

  • The amendments clarify and strengthen the ADR’s liability for the actions of their CDR Representatives and OSPs, including the actions of any OSPs engaged by CDR Representatives. Read all the details here

Data sharing obligations delayed for ADRs holding banking data

Old rules:
Banking sector rules required data holders to respond to consumer data requests once they became an ADR, adding to the cost and complexity of accreditation.

New rules:
In a significant move to ease pressure and increase CDR participation, reciprocal data sharing obligations for ADRs holding banking data sets (i.e. banks and financial institutions) are deferred for 12 months post-accreditation.

No data sharing obligations for small banking product pilots

New rules:
Lastly, the amendments create more room for innovation, allowing data holders in the banking sector to offer small scale pilot products without being subjected to data sharing obligations (for up to 1,000 customers and for a 6-month maximum duration). 

This adjustment is particularly beneficial for smaller data holders, encouraging them to trial innovative products without worrying about data sharing compliance.

Next steps

ADRs will be able to offer the new business consents from 1 December 2023, so stay tuned for that! As always, Basiq will be there to help support customers and partners through these changes. 

We are excited for what this means for the progression of CDR. Government has addressed some key barriers to access and we’re confident they will increase participation. 

Small businesses could see huge benefits from CDR but have previously been underserved – these amendments are a great leap in the right direction.