Basiq Insights


An update on where we are with CDR

How can the ACCC encourage the uptake of CDR open banking APIs to drive innovation in the fintech ecosystem?

Last year, we wrote an article on the state of the Consumer Data Right (CDR). Now that the CDR has officially gone live, we thought it would be a good time to invite our CEO, Damir, to provide some insight into the current state of CDR and open banking in Australia and how it can better facilitate innovation.

What has Basiq’s journey with CDR been like?

As it stands right now, we officially have open banking APIs offered by the major four banks, and 2 accredited data recipients. One of which is Regional Australia Bank, who we recently worked with to approve the first loan in Australia using open banking data. This is a huge win for the market, and a huge win for open banking.

What determines a successful CDR regime and when can consumers benefit?

There are really two main success criteria that determine whether or not the CDR can deliver on the promises of open banking; the uptake of open banking APIs and when open banking APIs supersede screen scraping technology.

So far, the CDR’s done a great job of setting robust privacy protections that mean consumers can have greater access and control over their data. I think the question many fintechs are asking now is ‘What will the ACCC do to increase the uptake of open banking APIs to drive innovation in the sector?’ We’re at a turning point where the CDR can begin making inroads into adopting innovation-specific rules and an open-ended approach to implementation so it doesn’t unintentionally stifle innovation. Without innovation, consumers can’t actually experience the true value of open banking.

Based on some of the decisions and recent rulings, innovation seems to have taken a back seat to consumer protection. Both are equally important, and without balancing innovation and consumer privacy, we risk having a system that provides access to data but not the means to innovate with it.

To ensure open banking’s success, we believe that the CDR needs to support and foster an inclusive fintech ecosystem as fintechs are ultimately the value providers of open banking.

The value of open banking sits in the balance point between privacy protections and innovation.

“What will the ACCC do to increase the uptake of open banking APIs to drive innovation in the sector?”

What kind of compliance requirements are restricting innovation?

Any organisation that wants to use open banking data has to become an Accredited Data Recipient (ADR). The ACCC has adopted a complex accreditation process that is both time and resource-intensive, with estimated costs of +$50,000 in annual compliance fees and a three-month timeframe before onboarding.

Having experienced what it’s like to start a business as a one-man team, it’s clear that these kinds of requirements will leave many smaller players out and restrict innovation. There’s also very little reason for fintech developers to use open banking APIs. After all, how many APIs do you know out there that require you to spend +$50,000, assign you a case officer and make you go through a +3 month accreditation process – before you can make the first API call? This begs the question, what would incentivise fintechs already carrying out their open banking use case through services like Basiq’s to become accredited for CDR data?

“How many APIs do you know out there that require you to spend +$50,000, assign you a case officer and make you go through a +3 month accreditation process – before you can make the first API call?”

Is there an alternative to accreditation?

The ACCC has proposed a tiered accreditation process, but tiered accreditation doesn’t solve the issue of a misaligned system. For developers, open banking is a means, not the end. Open APIs can help them deliver their use cases with accessible and standardised data, but not if it’s at the expense of their ability to go-to-market. Australia’s current fintech ecosystem is made up of over a thousand companies, with more on the rise. If all these fintechs need to become ADRs, the ACCC needs to process all these applications without significant delays.

Some have pointed to intermediary support as a potential solution, but current proposals mean that both intermediaries and data recipients need to become accredited, limiting the extent to which intermediaries can support fintechs. The ACCC has already recognised that once data is consumed by an accredited party, it can then be shared with non-accredited parties known as “outsourced service providers.” The same exemptions need to apply in the intermediary-fintech relationship. This would allow startups to rely on key intermediaries to collect CDR data on their behalf, so that they can focus on innovation rather than regulation.

Going forward, intermediaries like Basiq would also be able to prevent non-compliance and lower risk by upholding the CDR regime with a full understanding of the regulation. This is especially considering the business risk for ADRs, with an increase in the maximum penalties payable to $10 million for business and $500,000 for individuals. Additionally, intermediaries can further help service providers to deliver new use cases by providing value-added services such as data analytics.  

Editor’s note: Since writing, the ACCC has amended the CDR to address these recommendations. CDR rules now permit accredited intermediaries to collect data on behalf of recipients:

What about implementation?

Prescriptive regulation hampers innovation and is difficult to enforce. That’s part of the reason the CDR has (rightly) focused on a standardisation approach. From our experience, there are three main artefacts that you need to take into account when it comes to CDR: the CDR rules, CDR CX (Customer Experience) guidelines and open banking API specifications. We’ve gone through the process of reading and re-reading all the available information and even created a CDR consent flow based on it. Our experience has highlighted the incredible amount of work involved, especially as all this information needs to be considered in parallel.

To ensure that rules and guidelines don’t impact the pace of innovation in the fintech ecosystem, fintechs need to interpret these rules and implement their solutions as they see fit. However, a recent newsletter from the ACCC on white-label arrangements, highlights an overstepping of boundaries when it comes to the implementation of CDR rules.

If the ACCC starts prescribing technical implementations (inside newsletters), it would need to be consistent for all aspects of the CDR to prevent confusion. This will only lead to a volume of rules that are hard to manage, enforce, communicate and comply with. Instead the CDR needs to adhere to a standardisation approach and be flexible in the number of implementation paths available. Fintechs have the know-how to implement solutions based on what their customers want and should be trusted to do so.

What needs to happen from here?

To sum it all up, innovation really needs to be a guiding principle in the CDR going forward. Right now there is an imbalance where virtually all the decisions regarding CDR are made with one goal in mind – consumer privacy protections. What’s being overlooked is the importance of fostering innovation. The role of consumer protections is to ensure consumers have access and control over their data, but to what end? The value exchange of open banking is that, for their data, consumers will have access to a wide range of financial services and products that lets them engage with their finances in new ways and saves them time, money and effort. If innovation and the creation of that value is missing from the equation we ultimately have a broken system.