Insight,

Breaking down the barriers - operational enhancements set to better facilitate participation in the CDR

AU | EN
Current site :    AU   |   EN
Australia
China
China Hong Kong SAR
Japan
Singapore
United States
Global

New changes to the CDR Rules will have a significant impact on the CDR regime, particularly to reduce barriers to participation in the CDR regime, better facilitate participation by CDR business consumers and introduce other operational enhancements. In this article, we’ll explore what the changes are and what they’ll mean for your business.

Tell me in 30 seconds

  • ‘Operational enhancements’ to the CDR Rules commenced on 22 July 2023.
  • A new data sharing model has been introduced, which will allow CDR business consumers to share their CDR data with third parties such as accounting software providers. Accredited persons may deal with certain CDR consumers as CDR business consumers and disclose CDR data in accordance with business consumer disclosure consents from 1 December 2023 (or, if relevant data standards are made before then, the day after those standards are made).
  • From 1 December 2023 (or, if relevant data standards are made before then, the day after those standards are made), CDR business consumers will be able to select a maximum consent period of 7 years, up from 12 months.
  • Trials for banking products can be run without being captured by the data sharing obligations of the CDR, subject to parameters for duration and maximum user numbers.
  • Enhancements have been made to the CDR Rules for CDR outsourcing arrangements and CDR representative arrangements.
  • Accredited data recipients in the banking sector who are not authorised deposit-taking institutions now have a grace period for complying with reciprocal data sharing requirements.

Introduction

As we discussed in an earlier alert, the Treasury proposed a range of material ‘operational enhancements’ to the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) in 2022 while consulting on proposed amendments to the CDR Rules to implement the CDR in the telecommunications sector. The CDR Rules have now been amended to provide for these operational enhancements. These changes to the CDR Rules will have a significant impact on the CDR regime, particularly to reduce barriers to participation in the CDR regime, better facilitate participation by CDR business consumers and introduce other operational enhancements.

The Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023 (Amendment Rules) were made on 11 July and commenced on 22 July 2023. Accredited persons may deal with certain CDR consumers as CDR business consumers and disclose CDR data in accordance with business consumer disclosure consents from 1 December 2023 (or, if relevant data standards are made before then, the day after those standards are made).

What are the operational enhancements?

We have summarised the key changes made by the Amendment Rules, what they mean and when they take effect in the table below.

ENHANCEMENT
DESCRIPTION
WHEN IT TAKES EFFECT

New data sharing model for CDR business consumers

The Amendment Rules introduce the concept of a ‘CDR business consumer’ who is a CDR consumer who the accredited person has taken reasonable steps to confirm: (i) is not an individual; or (ii) has an active ABN. The Amendment Rules also introduce a new disclosure consent, a ‘business consumer disclosure consent’, which is a disclosure consent given by a CDR business consumer that authorises the accredited data recipient (ADR) to disclose the CDR data to a specified person and includes a business consumer statement. Accordingly, in order to disclose in accordance with this new model, the ADR must be provided by the CDR consumer with a business consumer statement that certifies that the consent is given for the purpose of enabling the ADR to provide goods or services to the CDR business consumer in its capacity as a business and not as an individual (in addition to being provided a consent from the CDR consumer which authorises the ADR to disclose the CDR data to a specified person).

The new business consumer disclosure consent will allow CDR business consumers to authorise ADRs to share their CDR data with third parties outside of the CDR ecosystem, such as software providers, bookkeepers, consultants and other advisers.

This expands the existing trusted adviser model that allows disclosures of CDR data to financial advisers, lawyers, tax agents and a selection of other third parties outside of the CDR ecosystem who are subject to obligations to protect the confidentiality of their clients’ information.

What does this mean?

This data sharing model represents a significant development of the CDR as a means to access user data for CDR business consumers. It has the potential to materially increase data liquidity in the CDR ecosystem by opening up new opportunities for business-to-business use cases, including for small businesses.

Allowing disclosures to software providers, in particular, could open the door for productive collaborations between accredited persons and accounting software providers.

The Data Standards Chair is required to make data standards about the processes for obtaining and managing business consumer statements and consumer experience (CX) data standards for the disclosure of CDR data of a CDR business consumer under this data sharing model. These data standards will be important given CDR data will be leaving the CDR ecosystem when it is shared with third parties who are not regulated by the CDR regime.

1 December 2023 (or, if relevant data standards are made before then, the day after those standards are made)

Consent periods of 7 years for business consumer use and disclosure consents  

The maximum duration of certain use and disclosure consents given by CDR business consumers to ADRs (including, among others, consents for the new data sharing model for CDR business consumers referred to above) will increase from 12 months to 7 years.

There are several exclusions from this change:

  • Consents collected by CDR representatives from CDR business consumers retain the 12 month maximum duration.
  • The change does not apply to collection consents, AP disclosure consents (being consents to seek CDR data from another accredited person), disclosure consents for direct marketing, direct marketing consents and de‑identification consents.
  • Authorisations retain the 12 month maximum duration.

What does this mean?

The new maximum consent duration of 7 years better aligns with business requirements. For example, an ADR who has an ongoing business arrangement with a CDR business consumer may have regulatory or contractual obligations to maintain records containing CDR data, or may continue to require CDR data in order to provide its services, for longer than 12 months.

This change will allow CDR business consumers and ADRs to agree appropriate consent durations based on the arrangements they have in place up to a maximum of 7 years, rather than renewing consents every 12 months. If an ADR offers a CDR business consumer a consent with a duration longer than 12 months, it must also give the CDR consumer the option of choosing a period for the consent of 12 months or less.

CDR business consumers will still be able to withdraw their consents at any time, and will be permitted to select a shorter timeframe for their consents. Accordingly, it may be appropriate for ADRs and CDR business consumers to agree to consent durations in their contracts that underpin the services provided by the ADRs to CDR business consumers.

The CDR business consumer measures are only available to accredited persons. CDR representatives are not, for example, able to seek business consumer consents or consents that have a duration longer than 12 months.

Finally, data holders should note that the increase in the consent duration does not mean that authorisations extend for a corresponding period. Data holders will still need to renew their authorisations each 12 months at a minimum.

22 July 2023, but ADRs may only deal with certain CDR consumers as CDR business consumers from 1 December 2023 (or, if relevant data standards are made before then, the day after those standards are made) 

Exceptions for trial banking products

Products offered by data holders in the banking sector as a ‘pilot’ or ‘trial’ with a statement of a period for which it will operate as a ‘pilot’ or ‘trial’ that ends no more than 6 months after the initial offering, and with less than 1,000 customers, are excluded from the CDR data sharing requirements while they are trial products. To be a trial product, the product also needs to have a statement that the product may be terminated before the end of the trial period and that, if it is, the CDR data in relation to the product may not be available. However, once a trial product ceases to be a trial product (eg because the product continues to be supplied or offered after the end of the 6 month trial period or the product is supplied to more than 1,000 customers), the data holder must comply with the requirements imposed on it under the CDR regime in relation to the product (including for CDR data generated while the product was a trial product).

What does this mean?

This change offers a degree of flexibility for banks seeking to innovate by testing new products before a larger rollout, without having to share product or consumer data about those products.   

This may be a useful option as data holders, in our experience, often do want to test a product before proceeding with it, either through trials on employees or a small pool of customers.

However, data holders who wish to benefit from this exception should be diligent about adhering to the parameters for trial products. Failure to do so may require the data holder to disclose CDR data from the trial. 

22 July 2023

Enhancements to the OSP and CDR representative arrangements

A CDR representative arrangement allows an unaccredited service provider (called a ‘CDR representative’) to engage an accredited person with unrestricted accreditation (called the CDR representative principal) to collect CDR data on its behalf, while the CDR representative maintains the customer relationship. Prior to the Amendment Rules, CDR representatives could not engage outsourced service providers (OSPs) and were reliant on their CDR representative principals for data collection and enhancement activities. CDR representatives can now engage their own OSPs, except for data collection activities which must still be performed or outsourced by the CDR representative principal.

Further, OSPs are now able to directly disclose CDR data to other OSPs engaged by their principals (whether the OSP has been engaged directly or through a chain of outsourced arrangements). This allows for a more efficient data flow, as CDR data does not need to be disclosed back to the principal in order for the principal to disclose the CDR data to the other OSP. However, the principal would remain responsible for its direct and indirect OSPs.

The Amendment Rules also further specify and expand the obligations of CDR representatives and OSPs, including by consolidating the key obligations for CDR representatives into a new Division 4.3A of the CDR Rules.

What does this mean?

These changes should make it easier for organisations to participate in the CDR regime by simplifying some of the complex requirements for CDR representative arrangements. The changes also facilitate more versatile arrangements for CDR representatives and ADRs and should prompt a reconsideration of the structures used for CDR-enabled products and product designs, especially those that were developed on the basis that CDR representatives could not engage OSPs or that OSPs could not disclose CDR data to other OSPs. It will be important to consider the changes to CDR outsourcing arrangements in the context of any particular CDR outsourcing arrangement. Contact us if you would like to know more about these specific changes.

22 July 2023

Grace period for reciprocal data sharing

ADRs who are not authorised deposit-taking institutions but who have collected CDR data under the CDR regime have reciprocal data holder obligations in respect of CDR data that they hold outside of the CDR regime. These reciprocal data holder obligations currently commence immediately upon an entity becoming accredited and collecting data under the CDR regime.

The Treasury has now introduced a grace period so that these obligations do not commence for an ADR in the banking sector who is not an authorised deposit-taking institution until 12 months after it becomes accredited.

What does this mean?

Delaying the application of these obligations is intended to remove a barrier to participation in the CDR ecosystem, particularly for smaller players, given the complexity of having to build both data holder and ADR capabilities at the same time.

22 July 2023

What next?

Many of these changes have already taken effect, so businesses should begin undertaking compliance reviews and consider how their CDR arrangements and product designs might be impacted by, or could be improved to best take advantage of, the enhancements.

The ‘CDR business consumer’ model will start in earnest in December at the latest, so the clock is ticking to prepare for those changes. These amendments seem likely to provide an impetus for businesses developing new CDR-enabled products, builds and contractual arrangements so businesses may wish to engage with these changes in order to ensure these new products, builds and arrangements are ready as soon as possible after the changes take effect.

If you are interested in learning more about these enhancements or wish to explore the opportunities and risks for your business, feel free to get in touch with us. Our range of products and services include innovative tech solutions to support your CDR implementation and compliance projects. Our highly capable team of CDR experts are ready to assist you with strategy, accreditation, regulatory matters, investigations and enforcement actions, and can help you navigate the implications of business changes on your CDR participation.

LATEST THINKING
Insight
The MYEFO just released by the Treasurer shows that an end to the surpluses the Government has enjoyed over the last two year is fast approaching, with slowing revenues and the promise of new policies such as the Build to Rent tax incentives announced in the last Budget beginning to bite.

19 December 2024

Insight
The Australian Food and Agricultural Taskforce (AFAT) has released a position paper, “Land of Plenty – Transforming Australia into a food superpower” (the Position Paper), which highlights that ‘there is a clear opportunity for Australia to become a food superpower and build a second engine of economic growth that mirrors the resources sector’.

19 December 2024

Insight
Employment disputes commonly have confidential or sensitive information front and centre of the matters in issue. Information such as personal details, medical conditions, disciplinary records, family circumstances, commercially sensitive information and workplace dynamics including harassment, bullying or discrimination, or scandalous material seemingly deployed for the purpose of damaging individual reputations – to highlight a few.

19 December 2024