This article was written by Bryony Evans and James McGrath.
As the commencement of the Consumer Data Right (CDR) in the banking sector has been finalised for the major Australian banks for 1 July this year, now is the time to engage with the CDR participant accreditation process if your organisation wants to be in a position to receive CDR data on behalf of CDR consumers.
Comprehensive privacy, information security and audit criteria for accreditation will require a whole-of-business response and are likely to require organisations to review and make changes to their operational and business processes to meet accreditation conditions.
Further, both new and existing third-party outsourcing arrangements will need careful review to determine whether CDR data can be disclosed under those agreements and whether further amendments are required to meet minimum requirements.
We’ve previously described the background and timing for Open Banking here, as well as some of the issues raised by the OAIC’s draft guidelines on the privacy safeguards for the collection, use, disclosure and correction of CDR data here. We set out some commentary below in relation to:
- who needs to be accredited;
- what to consider when applying for accreditation; and
- how third-party arrangements may be affected.
Who needs to be accredited?
If your organisation wants to be able to receive CDR data (in response to a request from another person) your organisation will need to be accredited by the ACCC.
To do so, your organisation will need to demonstrate that it:
- satisfies a “fit and proper person” test;
- has implemented a series of minimum data security obligations to prevent misuse of, and unauthorised access to, CDR data;
- has taken out appropriate insurance cover which is commensurate with the risk of dealing with the CDR data; and
- has instituted appropriate internal and external dispute resolution processes to address CDR consumer complaints.
For fintechs seeking to venture into such a tightly regulated landscape, there may be some serious work in satisfying the ACCC that they are ready for the accreditation obligations to apply.
What to consider when applying for accreditation
It is not yet clear how long the accreditation process will take. However, applicants should be prepared for the following steps (at least):
In particular, an applicant will have to provide information for the ACCC to consider in relation to:
- the “fit and proper person” test, such as whether the applicant, or any associated person (including directors), has been convicted of a serious crime or dishonesty offence within the past 10 years, contravened a law relevant to the management of CDR data or been subject to a determination relating to interference with privacy;
- information security capabilities, including the organisation’s formal information security governance framework for managing data security risks that covers the exposure and potential for harm from security threats and the plan to address those threats;
- information security measures, where the applicant must take steps to protect CDR data from misuse, interference and loss, as well as unauthorised access, modification and disclosure. It must assess and define the boundaries of the CDR data environment and identify the people, processes, technology and infrastructure that manage, secure, store or otherwise interact with CDR data. Once accredited, ongoing information security obligations apply, including obligations for systems to meet certain minimum information security control requirements which are set out in the CDR Rules (for example, encryption, access security and implementing formal vulnerability management programs);
- information security assurance, in the form of an assurance report prepared in accordance with the Australian Standard on Assurance Engagements 3150 Assurance Engagement on Controls (see the draft supplementary information security guidelines);
- dispute resolution, such as an internal process that complies with ASIC's Regulatory Guide 165 (Licensing: Internal and external dispute), a CDR policy which provides for the management of complaints relating to the CDR data and, for the banking sector, being a member of the Australian Financial Complaints Authority’s dispute resolution scheme; and
- adequate insurance cover, for the period of accreditation in order to reduce the risk of CDR consumers not being appropriately compensated by reason of an accredited person’s lack of financial resources. This might include professional indemnity insurance and cyber insurance (see the draft supplementary insurance guidelines).
The ACCC can also impose conditions on accreditation, including:
- the “default conditions” for the banking sector, which mean that an accredited person must provide regular attestation statements and assurance reports to the ACCC; and
- any other conditions, for example by limiting the accreditation to the operation of specific websites or products.
To apply, applicants need to establish an account and then apply through the new “CDR Participant Portal”. See the ACCC’s draft accreditation guidelines for more specific instructions.
How are third-party arrangements affected?
An accredited person is expressly permitted to disclose CDR data under a “CDR outsourcing agreement”. This is a written contract where:
- the recipient will provide to the discloser goods or services using CDR data; and
- the recipient must:
  - comply with the information security obligations of the accredited person;
  - use or disclose the CDR data only in accordance with the contract;
  - if directed by the discloser, return the CDR data, delete the CDR data, provide records of deletions, or direct any other person in possession of the CDR data to take corresponding steps; and
  - not disclose any CDR data to another person, otherwise than under another CDR outsourcing arrangement where the other person is required to comply with the requirements of that CDR outsourcing arrangement.
This will mean that those seeking accreditation will need to carefully consider the terms on which they disclose CDR data to outsourced service providers (for example, data centre and back-up providers, SaaS and PaaS providers and other cloud-based service providers).
An accredited person’s CDR policy must also provide a list of outsourced service providers, the nature of the services they provide and the types of data that may be disclosed to them. If any of the outsourced service providers are based overseas and are not accredited, the accredited data recipient must include the countries in which those outsourced service providers are based.
The ACCC is currently consulting on the use of intermediaries to collect or facilitate the collection of CDR data from data holders on behalf of accredited persons. If such intermediaries are permitted, then the ACCC may offer a separate (and less stringent) tier of accreditation than the current “unrestricted” level. The ACCC is expected to release draft rules on the use of intermediaries in March 2020.
Please get in touch if you have any questions.