The Government has outlined its plans for the Consumer Data Right (CDR) ecosystem, focusing in particular on reducing the costs of compliance for industry participants, lowering the barriers to adoption for consumers and increasing uptake of the CDR in the sectors in which the CDR is already active. Meanwhile, action initiation is now enshrined in law. In this article, we summarise the key takeaways from the Government’s announcement and what it means for your business.
Tell me in 30 seconds
- The Government has announced a ‘reset’ of the CDR regime.
- It has started a public consultation on a number of operational enhancements to the CDR Rules intended to simplify the consent process, lower barriers to adoption and reduce the compliance load on CDR participants. These include allowing data recipients to bundle consents, clarifying when CDR data received by banks can be treated as other customer data, and exempting particular trials for energy products from the data sharing obligations of the CDR.
- It has released a report on the compliance costs associated with the CDR, and published its expectations for a change in focus of the development and implementation of the data standards.
- It has announced that the CDR is to be expanded into the non-bank lending sector, with the data sharing obligations becoming operational by mid-2026.
- It is seeking a way forward for a ban on screen scraping.
- It has passed the legislation implementing action initiation.
Introduction
Since the Treasury’s consultation between August and October 2023 on draft amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) to expand the CDR regime to the non-bank lending sector, legislative development in relation to the CDR regime paused while the Government focused on improving awareness and take-up of the CDR regime in the banking and energy sectors.
On 9 August 2024, the Assistant Treasurer announced a ‘reset’ of the CDR regime by:
- introducing proposed enhancements to the consent and operational processes in the CDR Rules;
- releasing the ‘Consumer Data Right Compliance Costs Review Report for the Department of the Treasury’ conducted by Heidi Richards for the Treasury in December 2023 (Costs Review);
- writing to the Data Standards Chair to clarify the Government’s expectations for the development and implementation of data standards;
- announcing its intention to expand the CDR to non-bank lending in early 2025; and
- requesting advice from the Treasury over the next twelve months on a way forward for a full and formal ban of screen scraping.
On 15 August 2024, the Treasury Laws Amendment (Consumer Data Right) Bill 2022 (the Action Initiation Bill) passed in the Senate, after being before Parliament since late 2022. However, the Government has indicated that it will not ‘turn on’ any specific types of actions until the CDR ecosystem is on a more sustainable footing.
We have summarised each of the Government’s key announcements below. The consultation on proposed amendments is open until 9 September 2024.
Look out for our separate Alert on the passing of the Action Initiation Bill.
#1 – Proposed enhancements to consent and operational processes
The Treasury’s current consultation on proposed amendments to consent and operational processes of the CDR follows the previous consultations between August and October 2023, which sought industry feedback on opportunities to:
- better support the consumer experience while maintaining key consumer protections; and
- ensure that the CDR Rules are fit-for-purpose and support the CDR’s policy objectives.
The proposed amendments are extensive, so we have summarised the key proposed amendments in the table below and what they mean.
Consents
Commonly, a data recipient will require multiple consents (eg, a collection consent, a use consent and a disclosure consent) to be able to provide a good or service to its customer that leverages CDR data.
The CDR Rules currently prohibit a data recipient from bundling those consents.
The proposed amendments will remove this restriction, meaning that data recipients will be able to streamline the consent-giving process, where it is ‘reasonably needed’ for the provision of the requested good or service. However, the ability to combine multiple CDR consents into a single action does not apply to direct marketing and de-identification consents, which must be requested separately.
Given that disclosure consents will be able to be combined with collection and use consents, the Treasury is also proposing to extend the data minimisation principle to the disclosure of CDR data (previously, the data minimisation principle only applied to the use and collection of CDR data).
What does this mean?
While the current prohibition on bundling is intended to enable consumers to review each specific collection, use or disclosure of CDR data before giving consent to the data recipient, this has become a point of friction in the consent process. The ability to bundle consents would enable data recipients to develop a more streamlined process for onboarding customers and enhance the consumer experience by reducing the number of steps needed to be taken by the consumer before they can acquire a product.
The CDR Rules currently prohibit a data recipient from pre-selecting options when requesting a consent from a customer. This has meant that data recipients are unable to propose a ‘default’ choice.
While the original intention was to enable consumers to have the ultimate say in how their CDR data will be collected, used and disclosed, it has led to criticism that the consent process is overly complex and unwieldy.
The Treasury has proposed to allow data recipients to pre-select options for:
- the dataset(s) that will be collected or disclosed;
- the specific uses for the data that has been collected;
- the duration of the consent; and
- the persons to whom CDR data may be disclosed,
provided they are ‘reasonably needed’ for the service to function.
If a data recipient has pre-selected options for a CDR consumer, they must give an explanation of why the pre-selected option is reasonably needed to provide the relevant goods or services.
Pre-selection will not be allowed for direct marketing and de-identification consents, given the consequences for the consumer’s CDR data (ie, being used for targeted advertising or being brought outside the scope of the CDR regime entirely).
The Treasury will also remove references in the CDR Rules to allowing the CDR consumer to ‘actively select’ options for their consent. This reflects current industry practice, given that most entities prefer to ‘clearly indicate’ the various elements of the consent, rather than giving CDR consumers the ability to actively select their preferred options.
What does this mean?
The ability to pre-select options is another measure to streamline the consent process and reduce the cognitive load on consumers. Data recipients will be able to put forward the options that they consider to be optimal for their products (having regard to the purpose of the product and the consumer experience) while allowing consumers to make changes should they wish to.
Under the proposed amendments, data recipients will no longer have to provide information on:
- how a consent can be withdrawn;
- what the consequences of withdrawing a consent are; and
- the data recipient’s proposed treatment of redundant data,
at the time they are asking for a consent from a customer.
However, data recipients would need to provide more detailed information about any CDR outsourcing or sponsorship arrangements that are relevant to the collection, use or disclosure of the customer’s CDR data. This information broadly aligns with the information that a CDR representative must give to a customer about the CDR representative’s principal.
If the data recipient is seeking a direct marketing consent, they must also provide information about how the CDR data may be used or disclosed for the direct marketing activities.
What does this mean?
Research has shown that consumers consider the specific details of how to withdraw consent, and the consequences of withdrawal, to be less critical at the time they are being asked to give consent (given they have already decided to give the consent(s) being requested). Again, the intention of these amendments is to lower the barriers to adoption and reduce ‘information overload’ for consumers at the onboarding stage.
In addition to the above changes relating to the initial consent request process, the proposed amendments also:
- clarify that the periodic notification that must be sent to customers for each active consent can cover all active consents (so as to avoid a separate notification being sent for each active consent); and
- provide that a data recipient must delete redundant CDR data by default unless the CDR consumer has given a de-identification consent.
The detailed requirements for the periodic notification and the CDR receipt are also proposed to be moved from the CDR Rules to the data standards. This would allow those requirements to be updated more regularly in response to consumer, behavioural or technological changes.
Operational enhancements
The CDR Rules require data holders to provide a service that can be used by customers who are not individuals (eg, bodies corporate or partnerships) to nominate an individual to give, amend and manage authorisations to disclose CDR data (a nominated representative) or to revoke or withdraw such a nomination.
Stakeholder feedback indicated that some data holders have implemented unwieldy and cumbersome processes for nominating representatives (eg, processes that are paper-based or require the completion of multiple forms).
The proposed amendments now require that the nominated representative service must be:
- simple and straightforward to use; and
- prominently displayed and readily accessible to the customer.
Where a customer (who is not an individual) has already authorised a person to manage their account with a particular data holder online, then the nominated representative service must also be online.
To give data holders time to update their systems, these new requirements for nominated representatives will only come into force 12 months after the commencement of the proposed amendments to the CDR Rules.
What does this mean?
While the Government has identified accounting services to small businesses as a high-priority use case for the CDR, stakeholder feedback has been that data holders have made it difficult for businesses to access their own data. The new nominated representative service requirements could reduce the barriers to adoption for businesses (most of whom would interact with the CDR through a nominated representative) and encourage a move to the CDR as the data-sharing platform of choice.
Under the current CDR Rules, an ADI who is accredited as a data recipient may request that a customer allow it to hold any collected CDR data as a data holder, rather than an accredited data recipient (ADR). This would reduce the additional obligations imposed on the ADI as an ADR such as those arising under the CDR-specific privacy safeguards. However, this request could only be made if the customer has already acquired a product from the ADI.
The proposed amendments expand the situations in which an ADI can request to hold collected CDR data as a data holder. In particular:
- an ADI would be able to notify the customer, before the collection of CDR data in accordance with a collection consent, that it would hold the CDR data as a data holder rather than an ADR; and
- the notification could be given if the ADI is supplying a product to the customer, or if the customer has applied or is applying to acquire a product from the ADI.
This operational enhancement would allow ADIs to streamline the process for holding collected CDR data as data holders (by front-loading all consent requests at the time the ADI is seeking to collect the CDR data) and also clarify that this mechanism can apply before an ADI has started supplying a product to a customer.
The Treasury has, however, indicated that the new operational enhancements are not intended to apply where a consumer has contacted a bank to make preliminary inquiries, such as to compare existing product offerings or to seek quotes in relation to those products.
What does this mean?
One of the major pain points identified by industry is that data collected through the CDR regime is required to be treated differently from other data held by the data recipient, leading to increased costs and inefficiencies and limiting the usefulness of the CDR data that has been collected. The ability for ADIs to hold collected CDR data as a data holder rather than as an ADR is intended to acknowledge that ADIs are already required to have stringent security measures in place for data they hold.
The existing ‘ADR-to-data holder’ mechanism in the CDR Rules requires ADIs to have first collected the CDR data, and thus have complied with the full range of functional and compliance requirements of the CDR regime, before requesting to hold the CDR data as a data holder. This was not a practical approach. The proposed amendments are intended to close this gap and enable ADIs to rely on this mechanism at the point at which it would be most useful (ie, when the customer is seeking to acquire a new product, rather than when the customer has already acquired a product from the ADI and the ADI is holding 2 separate sets of data – one for the CDR data that has been collected and one for the data that has been generated from the customer’s use of the product).
A CDR representative arrangement allows an unaccredited service provider (called a CDR representative) to engage an accredited person with unrestricted accreditation (called the CDR representative principal) to collect CDR data on its behalf, while the CDR representative maintains the customer relationship. The CDR Rules require that the CDR representative arrangement must include certain obligations on the CDR representative, such as (by way of example):
- a requirement to comply with any rules in the CDR Rules that are expressed as applying to a CDR representative;
- a prohibition on entering into another CDR representative arrangement; and
- an obligation to comply with certain privacy safeguards as if it were the CDR representative principal,
(Required Provisions).
The proposed amendments clarify that CDR representative principals will be liable for a failure by their CDR representatives to comply with a Required Provision, even if the Required Provision has not actually been included in the CDR representative agreement. This change is more in the nature of a clean-up, to close a loophole whereby a CDR representative principal would not be liable for a breach of a Required Provision unless that Required Provision was included in the CDR representative agreement.
CDR representative principals would also need to ensure that their CDR representatives comply with any consumer experience data standards that are expressed as applying to an ADR, as if the CDR representative were an ADR. This is in addition to the current obligation on CDR representative principals to ensure that their CDR representatives comply with any rules in the CDR Rules that are expressed as applying to CDR representatives.
To give CDR representatives and CDR representative principals time to make the required adjustments to their CDR representative agreements and practices, these new requirements will only come into force 6 months after the commencement of the proposed amendments to the CDR Rules.
What does this mean?
The proposed amendments mean that CDR representative principals would need to ensure that their arrangements with CDR representatives are updated to include the new obligation on CDR representatives to comply with the consumer experience data standards that are expressed as applying to an ADR. As part of this process, CDR representative principals are likely to require that their CDR representative arrangements are compliant with the requirements of the CDR Rules, including that they contain all of the Required Provisions (including those mentioned above).
The CDR contemplates that there may be people other than the account holder who use an account (eg, an additional cardholder on a credit or debit card account) who may wish to share CDR data from that account. These persons are known as ‘secondary users’.
The proposed amendments provide that a data holder will no longer need to provide an online service that allows an account holder to ‘block’ the sharing of CDR data after a data sharing request has been made (although the account holder will still be able to instruct a data holder to cease treating a person as a secondary user for the account at any time).
What does this mean?
Stakeholder feedback indicated that the data sharing requirements for secondary users are unnecessarily difficult to implement and may not fully capture the complexities of data sharing structures. The proposed amendments are intended to streamline the functionality that data holders need to provide to account holders who have nominated a secondary user, while also ensuring that account holders continue to be protected by being able to revoke the nomination of a secondary user at any time.
Energy sector-specific changes
Under the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023 that commenced on 22 July 2023, products offered by data holders in the banking sector as a ‘pilot’ or ‘trial’ and that satisfy certain requirements are excluded from the CDR data sharing requirements while they are trial products.
The Treasury is now proposing to expand the exception to the energy sector. In order to take advantage of this exception, data holders must ensure that a trial product:
- ends no more than 12 months after the initial offering;
- is supplied to no more than 1,000 customers; and
- is offered with a statement that the plan may be terminated before the end of the trial period and that, if it is, the CDR data in relation to the plan may not be available.
As with the exception for trial products in the banking sector, once a trial energy product ceases to meet those criteria (eg, because the plan continues to be supplied or offered after the end of the 12-month trial period or the product is supplied to more than 1,000 customers), the data holder must share CDR data relating to the trial product and otherwise comply with the requirements imposed on it under the CDR regime in relation to the product (including for CDR data generated during the trial).
What does this mean?
The extension of the exception for trial products to energy provides energy retailers with a degree of flexibility to innovate by testing new products before a larger rollout, without having to share product or consumer data about those products. This may be a useful option for data holders who want to test a product before proceeding with it, such as through trials with employees or a small pool of customers.
However, data holders who wish to benefit from this exception should be diligent about adhering to the parameters for trial products. Failure to do so may require the data holder to disclose CDR data from the trial.
The proposed amendments also:
- expand the definition of a ‘complex request’ to include consumer data requests made on behalf of a CDR consumer who has a nominated representative;
- introduce a 6-month grace period for a data holder who becomes a ‘larger retailer’ (ie, it has 10,000 or more small customers at all times during a financial year) to comply with consumer data sharing obligations; and
- provide that the grace period from compliance with the consumer data sharing obligations for a person who is both a small retailer and an accredited person, starts on the later of the date that the person became a small retailer and the date that the person became an accredited person (currently the CDR Rules provide that the grace period starts when the person became an accredited person).
#2 – Release of the Consumer Data Right Compliance Costs Review Report for the Department of the Treasury
The Costs Review was commissioned by the Assistant Treasurer in 2023 and was intended to:
- help the Treasury better understand the costs for participants associated with the making of CDR rules and standards; and
- determine how effectively CDR decision-makers evaluate costs and benefits.
The Costs Review is primarily based on 26 interviews with industry participants such as banks, energy retailers, software vendors, industry representative bodies and government agencies that were conducted from October to December 2023. It found that the costs of the CDR appear to have significantly exceeded the original regulatory estimates, with many data holders, including smaller ADIs, having spent over $1 million in implementation costs to date. The largest banks have spent more than $100 million each since the CDR regime’s inception in 2020.
The Costs Review report identifies a number of underlying cost drivers, including:
- the pace and nature of regulatory changes to the CDR regime, including regular updates to the data standards;
- significant systems development to enable data holders to meet technical requirements;
- the lack of consistency within industry with regards to defining and managing products and customer data;
- the CDR requirements not being fully aligned with international standards, meaning that vendors could not realise economies of scale by marketing Australian-specific products overseas; and
- regular maintenance and compliance costs for technology development and deployment.
The report sets out a number of suggestions to better target industry’s investment in the CDR, including:
- a clear prioritisation process for all data standards change proposals;
- a systematic policy impact approach for changes to the CDR Rules and the data standards;
- greater transparency with regards to how industry feedback is considered in final amendments to the CDR Rules or data standards;
- clearer strategic and tactical planning - for example, the publication of a medium-term plan that highlights strategic priorities and objectives to improve CDR experience and reduce costs over the next 1-2 years or the delivery of specific use cases agreed with industry per year;
- limiting the changes to the data standards to a low and fixed number of scheduled releases per year, with longer lead implementation dates;
- conducting a joint and data-driven needs assessment to identify changes to non-financial requirements and metrics reporting;
- permanent exemption pathways for data holders to apply for exclusion of specific products;
- providing incentives for data holders to invest in CDR infrastructure, for example, opportunities for fee-based, voluntary data sets;
- establishing a formal forum for industry to raise considerations and working with industry to pilot or sandbox changes to avoid unintended consequences of new rules and data standards; and
- reviewing the CDR Rules with industry participants to identify obligations of low value and high costs which could be eliminated or streamlined.
The report also notes that feedback from industry participants suggested that it may be timely to reconsider the governance arrangements for CDR decision-making to maximise the alignment between policy and technical industry implementation. Two options proposed in the report were a streamlined regulator-led model (in the form of a more centralised, top-down regulatory operating model) or an industry-led governance model.
What does this mean?
The Costs Review highlights a number of issues that have been identified by industry in relation to the implementation and development of the CDR regime. The Government has taken action to address some of its key findings, including by announcing a more structured and consultative approach for making standards changes, examining the impact of managing the data included in CDR, and assessing framework changes that could be made in 2025 to reduce costs and facilitate high value use cases.
#3 – Alignment of focus of data standards
In conjunction with the release of the Costs Review report, the Government has written to the Data Standards Chair setting out its expectations in relation to the performance of the Chair’s functions, and exercise of the Chair’s powers, under the CDR regime.
In particular, the Government expressed that it expects the data standards to focus on information security, consent drop-offs, giving effect to changes to the CDR Rules and critical changes to the data standards to unlock identified high-value use cases or to manage costs within the CDR ecosystem.
The Government also expects that changes to data standards are:
- prioritised, consulted on and scheduled in a transparent and orderly manner; and
- implemented having regard to the likely benefits for consumers and the cost impact on participants.
#4 – Expansion of the CDR to non-bank lending
Lastly, the Government has announced that it will expand the CDR to the non-bank lending sector, by passing the required amendments to the CDR Rules that were consulted on between August and October 2023. This is likely to occur in early 2025, with the data sharing obligations only becoming operational by mid-2026 to allow for a sufficient transition period.
#5 – Seeking a way forward on ending screen scrapers
The Assistant Treasurer has clearly signalled that the industry needs to move away from screen scraping. In the Government’s view, the CDR should be the system of choice and screen scraping is “fundamentally unsafe”. Accordingly, the Assistant Treasurer has requested advice from the Treasury over the next year on a way forward for “a full and formal ban” of screen scraping.
Conclusion
These announcements, and the recent passing of the Action Initiation Bill into law, demonstrate the Government’s commitment to the CDR and its focus on ensuring that the regime is fit-for-purpose, cost-effective and, importantly, able to deliver tangible benefits for consumers. With the Government’s confirmation that the CDR is to be established as a critical piece of digital infrastructure for Australia and with the renewed emphasis on simplifying the onboarding experience for consumers to increase take-up, and reducing the costs for CDR participants, now is the time to get involved.
If you would like a deeper understanding of what the announcement means for you or would like to discuss the opportunities and risks it presents for your business, please do not hesitate to contact us. Our team of CDR experts are ready to assist you with strategy, accreditation, regulatory issues, investigations and enforcement actions.