Insight

Consumer Data Right in 2023


We expect 2023 to be the CDR’s most significant year since its inception, with the anticipated introduction of important new functionality for the CDR, and its rollout to key new sectors.

The potential changes include enabling CDR participants to authorise actions on their behalf, expanding the financial products and services included, and laying ground rules for the inclusion of telecommunications as a new sector for the CDR. These would be an exciting expansion to the CDR’s application and useability.

The implementation of these developments would present new opportunities for current participants in the CDR regime and those who are looking to participate. However, as the CDR regulators are continuing to move to an “enforcement phase” to ensure compliance with the various requirements under the CDR regime, it will also be important for new and existing participants in the CDR regime to understand and comply with their obligations under the regime and monitor compliance. 

In this alert, we have summarised our top 5 highlights for the year ahead. For those short on time, here is a quick summary:

HIGHLIGHT
DESCRIPTION
#1 – Action initiation

The Treasury Laws Amendment (Consumer Data Right) Bill 2022 (Action Initiation Bill) to introduce the framework for action initiation is currently being considered by the Senate Economics Legislation Committee. If passed, the Action Initiation Bill would add ‘write access’ functionality to the CDR regime that will allow consumers to authorise actions, such as payments, to be initiated on their behalf.

#2 – Open Finance

The rollout of Open Finance is expected to continue, opening up arguably the most compelling opportunities for leveraging CDR data to date. Non-bank lending was designated in late 2022 as the fourth sector for the CDR. The development of amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (Rules) to implement the CDR in the sector is the next step.

#3 – Telecommunications Rules

The amendments to the Rules to implement the CDR in the telecommunications sector (Telecommunications Rules) may be made this year.

#4 – Enhancements to the CDR regime

A number of important enhancements may be made to the Rules, including:

  • a new data sharing model allowing business consumers to share CDR data with software providers and others;
  • the exclusion of trial products from banking data holders’ sharing obligations;
  • enhancements to the Rules relating to CDR representatives; and
  • a 12-month grace period for accredited persons in the banking sector, and small carriage service providers (CSPs) in the telecommunications sector, before reciprocal data sharing obligations kick in.

#5 – More active regulators

The dual regulators for the CDR – the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) – have pivoted to a focus on enforcement.

#1 – Action initiation

This year will be important for the rollout of action initiation.

Currently, the CDR only has ‘read access’ functionality for consumers to consent to their CDR data being shared with third parties. Action initiation will introduce ‘write access’, allowing consumers to authorise actions to be initiated on their behalf, such as payments, moving funds to accounts with higher interest or lower fees, opening or closing accounts, switching providers or updating details across multiple accounts.

The Action Initiation Bill was tabled before Parliament in late 2022, with amendments to the Competition and Consumer Act 2010 (Act) to introduce the framework for action initiation. The Senate referred the Action Initiation Bill to its Economics Legislation Committee for inquiry, with submissions due by 6 March 2023 and a report expected by 23 March 2023.

If the Action Initiation Bill is passed, it will be a critical pivot for the CDR regime and present significant new opportunities for participants. However, the passage of the legislation would only be the first step in the path to implementing action initiation in the CDR regime. The Minister would then have to ‘turn on’ action initiation for specific data holders and ‘actions’ by making declarations. Rules for each declaration will then need to be made, in view of the risks and impacts of the declaration. The data standards will also need to be updated. Participants in the CDR regime will also need to consider the technology and process changes required to implement action initiation effectively.

The Action Initiation Bill would introduce two new participants into the CDR regime.

  • Action service providers (ASPs) are data holders who are specified in a Ministerial declaration as having to carry out actions on a consumer’s instructions. The Action Initiation Bill distinguishes between the ‘instruction layer’ of action initiation (the instructions from the consumer) and the ‘action layer’ (how those instructions are carried out). The CDR regime will only regulate the instruction layer. ASPs will be able to perform actions, such as payments or account opening, as they ordinarily would in accordance with existing industry laws and regulations. However, to avoid ASPs discriminating between instructions received through the CDR regime and those received through other channels, ASPs cannot charge to process instructions and cannot charge more for performing actions than they would ordinarily charge.
  • Accredited action initiators (AAIs) are the service providers who, with a consumer’s consent, may initiate actions by instructing an ASP on the consumer’s behalf. AAIs will require a specific tier of accreditation beyond unrestricted or sponsored accreditation. AAIs will also have a general obligation to act efficiently, honestly and fairly when giving instructions. This is intended to prevent instructions, and subsequent actions, that are contrary to a consumer’s interest, such as pushing consumers to repeatedly switch providers so that the AAI can extract commissions.

Action initiation would complement the existing read access functionality of the CDR regime. For example, a consumer may instruct an AAI to switch the consumer to a more cost-effective plan with another energy retailer after the AAI has collected the consumer’s CDR data from the consumer’s existing retailer (an ASP) to provide a tailored quote for the new plan. However, action initiation can operate independently of any sharing of CDR data.

Cybersecurity risk will be a focus for implementing action initiation. For example, threat actors may see opportunities to stand in the shoes of consumers and initiate actions on their behalf – such as payments or money transfers. In the current environment, we can expect significant attention and scrutiny on the systems and processes that ASPs and AAIs put in place, as well as the changes made to the technical data standards underpinning the CDR.

While there is still significant work to be done, action initiation is a truly exciting development. ‘Payment initiation’ is already live in Europe and the UK after the implementation of the second Payments System Directive (PSD2), although action initiation has not been implemented elsewhere for an economy-wide regime such as the CDR. For those who wish to obtain the required accreditation to become AAIs, it will open up opportunities to unlock new business models and value for consumers.

#2 – Open Finance

Open Finance is a close second to action initiation. We consider that it will lead to a substantial increase in engagement with the CDR regime and the emergence of compelling use cases.

In its Strategic Assessment of the CDR in 2022, the Treasury identified a cluster of related sectors under the umbrella of Open Finance as its next focus, covering non-bank lending, general insurance, superannuation and merchant acquiring. These sectors were seen as a logical extension of, and also complementary to, Open Banking, which is already live. It is not difficult to imagine how products and services may leverage datasets from these sectors to support consumers to manage their finances.

The first cab off the rank was non-bank lending. The Assistant Treasurer formally designated non-bank lending as a sector subject to the CDR on 21 November 2022, making it the fourth sector of the Australian economy to which the CDR will apply. This extends the CDR’s data holder obligations to corporations who are not authorised deposit-taking institutions (ADIs) but who provide finance as part of their business activities, including non-ADIs who offer or supply goods or services in connection with:

  • taking money on deposit (other than for part payment of goods or services), making advances of money (such as mortgages or credit cards), letting goods on hire (including on hire-purchase) or performing other relevant financial activities prescribed in the regulations for the Banking Act 1959 for the purposes of the definition of ‘banking business’; or
  • purchased payment facilities (excluding cash).

The scope above includes buy now pay later (BNPL) products offered by non-ADIs, which will be made explicit in the Rules to implement the CDR for non-bank lending. As BNPL products and leasing (including hire-purchase) products are also offered by ADIs, the Treasury has proposed technical amendments to the banking designation to clarify that these products are in-scope for ADIs.

In December 2022, the Treasury released a design paper seeking feedback on proposed policy principles to implement the CDR for the non-bank lending sector through amendments to the Rules and the data standards. Consultations for the design paper closed recently, so we can expect a report in due course.

Non-bank lending is just the first of the cluster of sectors for Open Finance, with other sectors of interest for the expansion of the CDR including superannuation and general insurance.

#3 – Telecommunications Rules

Telecommunications is the next sector for the CDR rollout after the energy sector. This year, the Telecommunications Rules may be made, specifying how the CDR will be implemented in the sector.

After the designation of the telecommunications sector in January 2022, the Treasury published an exposure draft of an instrument to introduce the Telecommunications Rules in September 2022. While the draft Telecommunications Rules are not yet made, the exposure draft provides a useful reference point for how the CDR will be implemented in the sector.

The exposure draft of the Telecommunications Rules limits the application of the CDR to carriage service providers (CSPs) who provide public mobile telecommunications services and fixed internet services. The designation instrument also identified carriers, who own telecommunications infrastructure used to provide carriage services, as data holders in addition to CSPs. However, most carriers will also be CSPs, so this pivot in the exposure draft to focus on CSPs will avoid unnecessary layers of regulation.

The exposure draft of the Telecommunications Rules does not provide any timing for the commencement of data sharing. We will likely need to wait until the final Telecommunications Rules are made to see the phasing of these obligations. However, the exposure draft provides that Telstra, Optus and TPG will be the initial CSPs, and so the first to share CDR data. This is consistent with the banking and energy sectors, where the largest players were required to share CDR data first. Later, the CDR will apply to large CSPs with over 30,000 carriage services in operation per financial year. Small CSPs who do not meet this threshold will not be required to share CDR data, but may voluntarily participate in the CDR as data holders.

The exposure draft of the Telecommunications Rules provides that CSPs will need to share product data about their in-scope products, including:

  • information about the eligibility criteria, terms and conditions, price, availability or performance of those products;
  • information specified in the designation instrument about those products, including most of the information above as well as contract term, bundling arrangements and assistance services; and
  • ‘product specific data’ identifying or describing the products, including product type (e.g. post-paid mobile), name, retailer brand, contractual arrangements, data usage allowances, pricing (including usage rates and fees), accessibility data and features or benefits (e.g. discounts, incentives and bundles).

Interestingly, this obligation covers both current products and legacy products that the CSP has offered or supplied in the past. However, the obligation would only apply to information held on or after 1 January 2022, which is the ‘earliest holding day’ for the telecommunications sector.

Data holders would also need to share consumer data held in digital form about consumers with accounts for those products and their use of those products, such as customer data, account data, billing data, product specific data and usage data. Notably, location data and metadata are specifically excluded.

As for other sectors, telecommunications will have its own eligibility requirements for consumers who can request CDR data in addition to the existing cross-sector eligibility criteria. First, the exposure draft of the Telecommunications Rules provides that only consumers who have signed up to an online account, such as through a web portal or app, are eligible to request consumer data. Second, the exposure draft sets an upper threshold for eligibility by excluding ‘large-scale commercial customers’ from being able to submit consumer data requests. This covers more sophisticated consumers who can negotiate contract terms and have an annual spend of more than $40,000 for in-scope products. The intent here is to limit eligibility to accounts that are broadly on standard terms, rather than bespoke arrangements, so that any comparison of data is meaningful.

Finally, an important issue still to be resolved is the interaction between the CDR regime and Part 13 of the Telecommunications Act 1997. CSPs are required under Part 13 to protect, and not to disclose, certain information and documents that would potentially fall within the scope of CDR data to be shared under the CDR regime. The consultation paper for the telecommunications sectoral assessment identified this issue, but the exposure draft of the Telecommunications Rules did not address it. Addressing the application of Part 13 in these circumstances is expected to be an important issue for CSPs.

#4 – Enhancements to the CDR regime

The CDR is an evolving regime and will be refined and improved over time. For example, the report on the statutory review of the CDR published on 29 September 2022 found that the CDR regime is broadly fit for purpose but identified a range of areas for improvement.

Further, when publishing the exposure draft of the Telecommunications Rules, the Treasury bundled in amendments that it referred to as ‘operational enhancements’ to the Rules. On closer inspection, some of these amendments are quite material.

  • More data sharing options for business consumers – a new data sharing model would be introduced to allow business consumers to share CDR data with certain types of third parties outside of the CDR ecosystem, such as bookkeepers, consultants and other advisers, and software providers. This would expand the existing trusted adviser model that allows disclosures of CDR data to financial advisers, lawyers and a selection of other third parties outside of the CDR ecosystem who are subject to obligations to protect the confidentiality of their clients’ information. In particular, allowing disclosures to software providers opens the door for interesting collaborations between accredited persons and business software providers such as Xero and MYOB.
  • Longer consent periods – the maximum duration for consents given by consumers for the service providers referred to above, as well as trusted advisers and recipients of CDR insights, to use the consumers’ data would extend from 12 months to 7 years. This extended consent period aligns with typical recordkeeping requirements, and also allows for flexibility given the longer-term arrangements that business consumers have with their service providers.
  • Exceptions for trial banking products – in a win for banking innovation, data holders in the banking sector will be exempt from data sharing obligations for certain live trial or pilot products. This exemption is limited to trials or pilots that run for up to 6 months with no more than 1,000 live customers. The Treasury is considering whether to extend this exemption to data holders in the energy and telecommunications sectors, and potentially future sectors.
  • Enhancements for CDR representatives – a CDR representative arrangement allows an unaccredited service provider (called a ‘CDR representative’) to engage an accredited principal to collect CDR data on its behalf, while the representative maintains the customer relationship. The model has quickly emerged as a popular alternative to obtaining accreditation, but it has several drawbacks. Representatives cannot engage outsourced service providers (OSPs), so they are typically beholden to their principals for data collection, consent management and data enhancement. Also, the Rules for CDR representatives are currently drafted in a way that is difficult to interpret. The exposure draft of the Telecommunications Rules provides that representatives can engage their own OSPs, except for data collection activities which must still be performed by the principal. The exposure draft also revises the provisions of the Rules relating to CDR representative arrangements and CDR outsourcing arrangements, and clarifies the liability of principals, CDR representatives and OSPs.
  • Grace period for reciprocal data sharing – the CDR regime was designed so that accredited persons who hold CDR data outside of the CDR regime have reciprocal data holder obligations for that data, closing gaps in the regime. These reciprocal data holder obligations commence immediately upon becoming accredited. The exposure draft of the Telecommunications Rules provides a grace period so that these obligations do not commence for accredited persons in the banking sector until 12 months after becoming accredited. This is intended to ease the compliance burden and cost for those seeking to become accredited. A similar 12-month grace period is proposed to apply to small CSPs in the telecommunications sector who become accredited.

#5 – More active regulators

The ACCC and the OAIC, as dual regulators for the CDR, have historically taken an educational and monitoring approach to regulating the CDR regime, in view of the novelty and complexity of the regime. However, in late 2021, they communicated to CDR participants that they would shift to an enforcement phase and would be more likely to take enforcement action over administrative outcomes, where appropriate. Indeed, in 2022, the ACCC issued 5 infringement notices to 2 data holders in the banking sector.[1]

In general, the OAIC and ACCC have expressed that the focus of their enforcement activities will be on conduct that will, or has the potential to, give rise to significant harm to consumers or the CDR regime. They issued a joint Compliance and Enforcement Policy in 2020 stating that they would focus on:

  • data holders that repeatedly refuse to disclose consumer data, or frustrate the process of disclosure, by intentionally circumventing the Rules or data standards;
  • conduct that misleads or deceives a person, for example, regarding the nature or benefits of the CDR service provided, or that a valid request or consent has been made;
  • participants collecting CDR data without valid consent;
  • intentional misuse or improper disclosure of CDR consumer data; and
  • participants who have insufficient controls and processes to protect CDR data from misuse, interference, loss, unauthorised access or disclosure.

Given this shift to an enforcement phase, it is critical for participants in the CDR regime, and those soon to join it, to understand their obligations under the regime. The CDR is a complex regime, but complexity is not a valid excuse if the OAIC or ACCC commences an investigation or enforcement activity. Accordingly, it will be important to be, and remain, compliant and carefully monitor compliance on an ongoing basis.

Full steam ahead

The CDR regime has been expanding into new sectors, and new functionalities and enhancements are being developed. The current agenda for 2023 suggests that this will not slow down, demonstrating the importance of an innovative, productive, integrated and competitive data ecosystem in the Government’s strategy for Australia’s emerging digital economy.

The proposed reforms to the CDR regime will open up new opportunities for, but also impose new obligations on, those who are subject to the regime or who are considering whether it is time to jump in and participate.

Contact us if you would like to know more about the various reforms to the CDR regime, or to discuss the opportunities and risks for your business and how we can support you. We have a range of products and services to assist you with your implementation and compliance projects, including innovative technology solutions. We also have a cross-functional team of CDR experts who can support you with your CDR strategy, accreditation, CDR regulatory issues, investigations and enforcement actions, and also the impact of business change (such as M&A, restructuring and insolvency) on your CDR participation. We are here to help.

Reference

[1] See https://www.accc.gov.au/media-release/bank-of-queensland-pays-penalty-for-alleged-breach-of-consumer-data-right-rules and https://www.accc.gov.au/media-release/ing-bank-pays-penalties-for-alleged-breaches-of-consumer-data-right-rules.
