Consumer Data Right

Thu, 23 Nov 2023

Major changes to the CDR Rules announced by Treasury

Fiskil's expert analysis delves into the implications of Treasury's major changes to the CDR rules. Stay ahead of regulatory requirements and trends.

On 1 July 2021, Treasury released exposure draft amendments to the Consumer Data Right Rules and explanatory materials for consultation (Version 3). The aim of these new rules is to significantly expand the number of businesses able to participate in the CDR scheme, in a bid to “encourage greater uptake”. In this blog post, we set out three key proposed changes to the CDR Rules and what they mean for you.

TL;DR

In a snapshot, the new rules:

  1. Will empower consumers to share their CDR data with certain ‘trusted advisors’ such as their accountant, lawyer, tax practitioner or financial counsellor;
  2. Will support more businesses in participating in the CDR by allowing an accredited person to sponsor other parties to become accredited or to allow their agents to participate in the system; and
  3. Will introduce the “CDR insights” model, which enables consumers to consent to an “insight” informed by CDR data being shared outside of an accredited party, for certain low-risk purposes.

Alright... let's get into it.

1. Trusted advisors will be able to access CDR Data

Currently, only unrestricted accredited data recipients (ADRs) are able to receive a consumer’s data from data holders and make use of it in their own products or services. Under the proposed rules, consumers will be able to consent to sharing their CDR data for goods and services with ‘trusted advisors’, without requiring the trusted advisors to go through the accreditation process themselves.

A ‘trusted advisor’ would include the following professions:

  1. Qualified accountants;
  2. Lawyers;
  3. Registered tax agents, BAS agents and tax advisors;
  4. Financial counselling agencies;
  5. Financial advisers or financial planners; and
  6. Residential mortgage brokers.

This means that there will be vast opportunities for businesses to develop products and services that will improve the customer experience using CDR data and streamline business processes. For example, customers may share their data with their lawyer in order to receive tailored and easily accessible legal advice, or share their financial information with their accountant to help file their tax returns.

While ‘trusted advisors’ do not attract the same regulatory obligations that apply to ADRs under the CDR regime, Treasury acknowledges that as members of a professional class, these trusted advisors are generally subject to existing professional or regulatory oversight. However, a number of requirements will apply to the trusted advisor model to protect CDR consumers that wish to disclose their CDR data to trusted advisors:

  • An ADR cannot disclose CDR data to a trusted advisor unless it has taken ‘reasonable steps’ to confirm that the recipient is in fact a member of the classes of ‘trusted advisors’ set out in the CDR rules;
  • Information security controls (as set out in Schedule 2 to the CDR Rules) will apply to the transfer of CDR data from an ADR to a trusted advisor, including the requirement to ensure that data is encrypted in transit; and
  • The consumer only consents to sharing data based on purpose, with clear disclosures of parties involved and ability to withdraw consent, if necessary.

2. Sponsored accreditation model and CDR representative model

The proposed rules also introduce two new pathways for participation in the CDR scheme:

  1. The sponsored accreditation model; and
  2. The CDR representative model.

Sponsored accreditation model

The sponsored accreditation model reduces the cost of accreditation by altering certain obligations to establish information security capability as part of the accreditation process and ongoing accreditation obligations. Under this model, an unrestricted ADR can enter into a sponsorship arrangement with an ‘affiliate’ company, where the ADR acts as the affiliate company’s sponsor in the CDR regime.

The accreditation criteria for sponsored accreditation will be the same as for unrestricted accreditation - with the main difference being that an affiliate company will not be required to provide a third-party assurance report. The purpose of an assurance report is to establish that an organisation will meet the information security criterion once accredited. Instead, an affiliate will only be required to provide a self-assessment and attestation to the Data Recipient Accreditor (DRA).

CDR representative model

The CDR representative model allows unaccredited organisations to access CDR data through a ‘principal’ - that is, an unrestricted ADR who is liable for them.

At a high level, the unrestricted principal ADR and CDR representative company can enter into a “CDR representative arrangement” for the CDR representative to provide goods and services to the consumer, using the principal’s CDR policy. This arrangement must be disclosed to the DRA, but there is no official accreditation outside of this commercial relationship. The unrestricted principal could provide the infrastructure for collection of CDR data, consent screens, CDR storage and dashboards, thereby reducing the costs and obligations on the CDR representative. The proposed rules set out detailed obligations and requirements in relation to the CDR representative / principal model.

3. CDR insights

The proposed rules also introduce the concept of a “CDR insight”, which allows consumers to consent to their data being shared outside the CDR regime for certain low-risk purposes. For example, consumers may consent to sharing their CDR data with a non-accredited party to verify:

  • The consumer’s identity;
  • The consumer’s account balance;
  • The consumer’s income; or
  • The consumer’s expenses.

The proposed rules caution that CDR insights should only be used to bolster confidence about a consumer’s identity, and should not be used in place of formal proof of identity requirements such as meeting know-your-customer requirements to set up a bank account. However, CDR insights would allow consumers to securely provide and confirm personal information while giving the recipient comfort in its authenticity and accuracy.

Consultation on the proposed changes will close on 30 July. If you have any questions or comments on the proposed changes, we’d love to hear from you. Fiskil will be submitting a response to the consultation paper on what we think about the proposed access models and changes to the CDR. If you would like to let us know your thoughts, get in touch with us!

Posted by

Fiskil
