How do I become an Accredited Data Recipient?

What is an Accredited Data Recipient?

The Consumer Data Right (CDR) and Open Banking are about to shake up the world of finance for all consumers and industries alike. To be able to harness the endless opportunities that CDR data presents, you will need to become an Accredited Data Recipient (ADR). Becoming an ADR is a voluntary process, but can involve quite a bit of work.

In this blog post, we provide a high-level checklist of all the steps that you will need to take, plus the things you need to think about when applying to become an ADR. If you would like more information, you can read the full ACCC guidelines here.

How do I become an ADR?

Step 1 - Create an account on the CDR Participant Portal

The Australian Competition and Consumer Commission (ACCC) manages the accreditation process, and applications are made through the CDR Participant Portal.

You will need to create an account on the CDR Participant Portal. You might find it helpful to review the Participant Portal User Guide before getting started.

In order to create an account, you will need to be the Primary Business Contact (PBC) for your organisation. The PBC is someone who is an office holder and is listed on the organisation's business record. Once the PBC has created an account, they can then authorise additional users to access and manage the organisation's CDR Portal account.

Step 2 - Create and lodge your application

Before filling out the application make sure you have the following information and documents on hand before you sit down to complete the account creation form:

Make sure you have the following information and documents on hand before you sit down to complete the account creation form:

1. Your organisation's name and ABNWhether your organisation is an authorised deposit-taking institution (ADI)
2. If you answer 'No', a standard accreditation application will be availableIf you answer 'Yes', a streamlined application will be available
3. Whether your organisation is a foreign entityYour organisation's registered address for service and registered business addressDescription of the products or services that will be offered if accreditedAn information security assurance report prepared by an independent and suitably qualified auditor (See 'Information Security' below)Insurance policy documents and certificates of currency (See 'Insurance' below)A written statement, signed by an authorised representative, explaining how your insurance is adequate to cover the risks it may be exposed to in connection with the management of CDR DataA document outlining your internal dispute resolution process (See 'Dispute Resolution' below)A copy of your Consumer Data Right policyYour personal details and contact details

Other requirements

The ACCC will ask for information relating to four key criteria in assessing your organisation's eligibility to become accredited. Broadly, these four criteria can be broken down into:

1. The ‘fit and proper person test’;
2. Information security requirements;
3. Dispute resolution; and
4. Insurance.

You will be asked to address these four key criteria when lodging your application.

1. Fit and Proper Person You will have to demonstrate that you (and associated persons involved in decision making) are a 'fit and proper person' to manage CDR data.

The ACCC will consider factors such as:

• Any serious criminal convictions within the past 10 years;
• Contravention of any law relating to the management of CDR Data; and
• Whether any of the organisation';s directors have been disqualified or banned from managing a company.

2. Information Security You have to demonstrate compliance with Privacy Safeguard 12 to protect data from misuse, interference, loss, unauthorised access, modification or disclosure (outlined in Schedule 2 of CDR Rules). You also have to provide an assurance report in accordance with ASAE 3150 Assurance Engagement on Controls.

3. Dispute resolution process You have to demonstrate that your organisation has:

a. Internal Dispute Resolution Process, in accordance with Schedule 3, Part 5 of CDR Rules (which is consistent with ASIC's RG 165).

You also have to create a CDR Policy which is consistent with this standard, and must include:

• When, where and how a CDR consumer can lodge a complaint;
• The information a CDR consumer must provide in a complaint;
• When a CDR consumer can expect their complaint will be acknowledged; your process For handling CDR consumer complaints;
• Time periods associated with various stages in the CDR consumer complaint process;
• Options for redress;
• Options for review, both internally and externally;

b. An External Dispute Resolution - you must be a member of the Australian Financial Complaints Authority ( AFCA ).

4. Insurance You need to have adequate insurance (or comparable guarantee). The ACCC does not prescribe a specific amount of insurance that is required to be held.

Step 3: Completeness check

The ACCC will undertake a completeness check to ensure that the application isn't missing any relevant information.

If the application is incomplete or missing anything, the ACCC will allow you to resubmit with the missing information.

Step 4: Further information

The ACCC may request further information from you through interviews, emails, phone calls or consult with other government authorities such as ASIC or APRA in assessing your application.

Step 5: Decision

The ACCC will notify you in writing whether your application has been successful. Once you are included on the CDR Register, accreditation will take effect.

Step 6: Testing

The ACCC may ask your organisation to participate in or facilitate security testing to ensure the security of the CDR Register.

Sounds tricky? We can help.

At Fiskil, we understand how the accreditation process works. We can take care of all the nitty gritty details to help speed up the accreditation process for your organisation.

To find out how Fiskil can help your organisation become accredited, get in touch.