Consumer Data Right law passed – Open Banking set to start in Australia

Current site :    AU   |   EN
China Hong Kong SAR
United Kingdom
United States

By Scott Farrell and Max Allan.[1]

The law to establish the Consumer Data Right (CDR) has been passed by the Australian Parliament.  The way is now clear for Open Banking to start in Australia, as the first implementation of the CDR.  After so much work has gone into the development of CDR and Open Banking, customers will soon have the right to ask for their data to be shared with others they choose to trust.  Now is the time for businesses connected with the banking, energy and telecommunications sectors to work out not only what they will need to do for their customers, but also what new services they will be able to provide. Businesses in other sectors should also engage with what the implementation of CDR in their sector could mean.

In this Alert we describe:

  • What is Open Banking?
  • Where is its regulatory framework found?
  • To whom does it apply?
  • How is the data to be shared?
  • When does it start?
  • What happens next?
  • What should I do?

What is Open Banking?

In Australia, Open Banking is the first part of the Consumer Data Right.  The Consumer Data Right is a general right created for consumers to control their data, including who can have it and who can use it.  It is to form a single customer-driven data sharing framework across the Australian economy.  After banking, more sectors of the economy (including energy and telecommunications sectors) will follow.  Background on the Consumer Data Right is summarised in our recent Alert.  The implementation of Open Banking as the first stage of Consumer Data Right follows the recommendations of the Australian Government's Open Banking Review, which emphasised customer control, choice, convenience and confidence.

Key features of the Open Banking system are summarised in the ten points in the following diagram.

Open Banking

The data which must be shared at a customer's request is information about:

  • Banking products (product data)
  • The user of banking products (customer data)
  • The use of banking products (transaction data).

More information on this can be found in this Alert and in the regulatory framework for Open Banking.

Where is the regulatory framework found?

The regulatory framework for Open Banking is made of a few parts, described in the following diagram.

It is the first part, the legislation, which has been passed by the Australian Parliament.  The Rules are being developed by the ACCC, as lead regulator of the CDR, and the standards are being developed by the Data Standards Body.  The work on the Rules and the Standards have been substantially progressed, through multiple consultations.

In addition, there is a designation instrument, under which the banking sector is designated as a sector to which the CDR applies.  This contains descriptions of the types of data to which Open Banking can apply.  A draft of the designation instrument can be found here. The designation instrument describes to whom Open Banking is to apply.

To whom does Open Banking apply?

All Australian Authorised Deposit-taking Institutions (ADIs) must comply with Open Banking, including banks, credit unions and building societies.  Other entities can also participate, for example by seeking accreditation to receive Open Banking information through the system.  The accreditation requirements are to be set out in the Rules, and the Data Standards.  Entities accredited to receive Open Banking data must also respond to customers' requests to share Open Banking data.

How is data to be shared?

The data standards provide for the Open Banking data to be shared using Application Programming Interfaces (APIs).  This provides a mechanism for customers to authenticate themselves to a data holder and authorise the sharing of that data by that data holder with the nominated accredited recipient.  Open Banking does not involve any central entity holding all of the data.

The use of APIs is consistent with the approach being taken in other countries, such as the United Kingdom, Hong Kong, Singapore and New Zealand. 

The technological standards for the APIs have been created by the Data Standards Body, and are available here.

When does Open Banking start?

The current timing for the commencement of Open Banking to different types of ADIs and different types of banking products is set out in the following diagram.  The four largest Australian Banks are required to start before the other ADIs.  However, other ADIs may choose to participate before they are required to.

What happens next?

The passing of the legislation is not the last rulemaking process needed for Open Banking to start in Australia.  The ministerial designation of banking as the first sector of the CDR needs to be finalised and issued, rules need to be finalised by the ACCC and the data standards completed by the Data Standards Body.  Also, a period of testing needs to be completed by the initial data holders and accredited entities.  However, the passing of the legislation will allow this remaining work to now be completed.

Also, the work for the extension of the Consumer Data Right to the energy and telecommunications sectors is to continue.  The ACCC has already engaged in consultation on its application to the energy sector, which can be found here

What should I do?

The passing of the legislation means that Open Banking and the Consumer Data Right cannot be ignored.  It is finally part of Australian law.  This is much more than a question of compliance.  Instead, this is a question of taking the opportunity to engage with customers differently.  This opportunity should drive competitiveness and innovation within, and between, businesses and sectors.

There are some initial critical questions for businesses to consider:

  • Will the business be required to comply as a data-holder?
  • If not, should the business opt-in as a data-holder?
  • Should the business seek accreditation to receive data?
  • What does the business need to connect with APIs?
  • How could the business use data to generate better services for its customers?
  • What new technologies might the business need to create those better services?
  • Does the business want to grow to be part of the vibrant data economy?

The benefits from the introduction of the Consumer Data Right should be best realised by businesses looking to participate and innovate in a customer-centric data sector which generates growth, employment and value to customers.  The new services, new products and new skills created by the opportunities the Consumer Data Right framework presents are likely to be in demand not only in Australia but also overseas.  Businesses should consider now their existing expertise, relationships, competitive advantage and, most importantly, the value they provide to their customers, and decide how they want to position themselves in the data economy and what products, services and skills they want to offer to their customers, and whether they want new customers, in the future.  Some businesses have already started this journey.

It is now too late to say that it is too early to engage with Open Banking and the Consumer Data Right.  It is now the time to use it to participate, innovate and succeed in Australia's emerging data economy. 

[1] Scott Farrell led the Australian Government's Review into Open Banking.  However, this article is co-written by him solely in his capacity as a partner of King & Wood Mallesons.

Industrial relations and employment regulation have been centre stage recently, with the Federal Government pushing ahead to pass its Fair Work Legislation Amendment (Secure Jobs, Better Pay) Bill 2022 (Cth) (Secure Jobs Bill) before the year ends.

02 December 2022

As part of the economy-wide approach to achieving commitments under the Paris Agreement, the Federal Government has announced further changes intended to support industry emissions reductions, while maintaining competitiveness as the global economy decarbonises.

02 December 2022

The terms of reference for the Inquiry are broad, encompassing “the effectiveness of Australia’s corporate insolvency laws in protecting and maximising value for the benefit of all interested parties and the economy”. While we applaud the PJC for framing the terms of reference so broadly, we respectfully consider that for meaningful reform to be achieved in this area, it will be necessary to conduct a comprehensive review of Australia’s corporate insolvency (and personal bankruptcy) laws with a consultation period of longer than 63 days and more than two public hearings.

01 December 2022