Treasury launches consultation on giving brokers CDR data

Currently, the rules do not permit the disclosure of CDR data by an accredited data recipient (ADR), such as a bank, to other parties that the consumer may wish to share their CDR data with.

Indeed, in their initial format, the CDR rules outline strict parameters by which consumer data can and cannot be shared – largely due to security/risk concerns. 

However, following initial engagement with industry, it was noted that it was “critical” that a broad range of recipients should be able to engage in the Consumer Data Right scheme in order for it to “achieve the competition and innovation objectives of the regime, and for the CDR to support Australia’s digital economy”.

As such, Treasury has released for consultation its exposure draft amendments that “empower consumers to share their CDR data with certain classes of ‘trusted adviser’”, or to share “limited ‘insights’ obtained from CDR data”.

Trusted advisers must be one of the following:

• qualified accountants;
• persons who are admitted to the legal profession;
• registered tax agents, BAS agents and tax (financial) advisers;
• financial counselling agencies;
• financial advisers or financial planners; and
• mortgage brokers.

These professionals are all subject to existing professional or regulatory oversight, including fiduciary or other duties to act in the best interests of their clients.

What the new rules mean

The amended rules mean that a CDR consumer can consent to an ADR – such as their bank – disclosing their CDR data to their nominated trusted adviser; and enabling the lender to invite their customer to nominate one or more trusted advisers to share their data with (but the ADR cannot nominate the trusted adviser themselves).

The process for this must accord with any consumer experience data standards, and the consent given must be “voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn”.

Moreover, the ADR must take “reasonable steps” to confirm the person to whom the data is to be disclosed is a member of one of approved “trusted adviser” categories. These might include checking a register or seeking confirmation from the individual themselves. The ADRs are also required to maintain records that detail and explain the disclosures of CDR data to trusted advisers, the trusted advisers to whom CDR data was disclosed, and the steps taken to confirm that a trusted adviser is a member of a class of trusted advisers.

They must also report the number of consents received from CDR customers and for each category of trusted adviser, and the number of trusted advisers to whom the CDR data was disclosed.

All data being sent to trusted advisers will need to be covered by the information security controls and must be encrypted in transit.

Further, the consumer dashboard that relates to the request must indicate what CDR data was disclosed, when it was disclosed and the name of the trusted adviser it was disclosed to.

“This will enable the CDR consumer to monitor where their data is being sent, and if necessary, withdraw their TA disclosure consent,” the new amendments read.

Standards will also be set to ensure that consumers are “provided with adequate information to give informed consent” when sharing their data, for example, information that the use of the data by the recipient will not be covered by the CDR regime and the recipient may not have obligations under the Privacy Act 1988. 

Other changes to the CDR rules aim to “accelerate the benefits of the CDR for consumers by reducing barriers to participate in open banking and by allowing more Australians to leverage their data in common banking scenarios”.

These include:

Written by Annie Kane

Last Updated: 09 March 2022

Published: 05 July 2021