Consumer Data Right
What is a Data Holder? How CDR Infrastructure Works (And Why It Matters)
Open Banking in Australia has introduced a fundamental shift in how financial institutions manage and share customer data. At the centre of this transformation lies a crucial concept: the Data Holder.
Whether you're a Product Manager scoping your CDR roadmap, or a Compliance Lead navigating accreditation, understanding what it means to be a Data Holder — and what infrastructure supports it — is essential.
Let’s unpack the role, the rules, and the real-world impact of becoming a Data Holder under Australia’s Consumer Data Right (CDR).
What is a Data Holder?
Under the CDR framework, a Data Holder is an organisation that collects and stores customer data and is obligated to share it securely when a consumer gives consent.
In the context of Open Banking, this typically includes:
- Authorised Deposit-Taking Institutions (ADIs) like major banks and credit unions
- Other CDR-specified institutions as the scope expands to sectors like energy and telecom
These entities are legally required to provide data access to accredited third parties (known as Data Recipients) through standardised APIs.
What Does a Data Holder Actually Do?
Being a Data Holder isn't just about ticking a compliance box — it’s a technical and operational responsibility.
Here’s what’s involved:
Expose a CDR-compliant API
Must follow the CDR Information Security Profile and data standards issued by the Data Standards Body.Verify and authenticate requests
Validate incoming data-sharing requests using the OAuth 2.0 protocol, and ensure they are from accredited parties.Manage consent flows
Allow consumers to give, view, and revoke consent to share their data.Respond to data requests
Share requested datasets (like account balances, transaction history, or product data) in real-time, reliably, and with traceability.Maintain an up-to-date CDR policy
Comply with governance obligations around consumer education, privacy, and dispute resolution.
Why Does This Matter?
The shift to open data is designed to empower consumers — but it also reshapes the competitive landscape for banks and fintechs.
For Data Holders, this means:
- Regulatory exposure: The ACCC monitors compliance tightly. Failure to meet obligations can lead to enforcement action.
- Brand impact: A poor API experience can damage trust, while a smooth one reinforces your reputation.
- Operational overhead: Standing up your own infrastructure means dealing with uptime SLAs, consent management, and ongoing standards updates.
This is where modern managed infrastructure platforms — like Fiskil — can significantly reduce risk and accelerate time to compliance.
How Fiskil Helps
Fiskil provides CDR Data Holder-as-a-Service infrastructure, built to handle:
- API compliance with zero internal lift
- Consent lifecycle and customer experience UX
- Seamless onboarding and reporting to the CDR Register
Our managed platform is designed for scalability, regulatory agility, and exceptional performance — so you can stay focused on your core business.
Final Thoughts
Becoming a Data Holder is more than a regulatory mandate — it’s a strategic move in the open data economy. With the right infrastructure, it doesn’t have to be painful.
If you're evaluating your Data Holder obligations or preparing for onboarding, talk to us. We’re helping forward-thinking banks and energy providers navigate the CDR with confidence.
