The Latest Updates to the Consumer Data Right Rules (Version 3)

There are now five access models for CDR data, after previously only the unrestricted accreditation model.

The latest rule changes to the Consumer Data Right in Version 3, are the most widely anticipated and contentious updates yet. After several months of feedback and consultation, Treasury proposed the rule changes in June 2021, followed by a one month consultation period in July, and finally the confirmed rules in October.

 

From the initial proposal to the confirmed rules, not much changed. The rules passed allow a new "sponsored" accreditation model with Sponsor-Affiliates. Unaccredited Representatives can collect and use data under the governance of an accredited Principal. Data sharing with unaccredited third parties in limited circumstances is also now possible with the Trusted Advisors and CDR Insights models. Finally, the consent requirements for joint accounts have been revised.

 

Let's take a look at the good, the bad, and the remaining question marks from each of the five key changes.

 
CDR Insights
 
The Good 
 
It’s now confirmed an accredited data recipient (ADR) can verify the ID, account balance and specific transaction details to share the output of that with unaccredited third parties. If there are multiple transaction records, no specific date or amount can be shared for those.
 
The Bad
 
The scope of CDR Insights is more specific and narrow than expected. That may prevent some of the more innovative ways insights could be derived and shared to create value for the user. The Trusted Advisors model accounts for some of the known use cases not enabled by CDR Insights.
 
The Question
 
Based on the very specific scope - how will the CDR Insights scope be updated over time to allow new use cases? If that relies on rule updates and the several months involved in that process, it may limit innovators from conceiving, designing and pursuing exciting new use cases that could otherwise be enabled by allowing derived CDR data to be used more broadly.
 
Trusted Advisors
 
The Good
 
There are great use cases under the Trusted Advisors model that will allow consumers to easily and securely share data with their accountants, lawyers, and mortgage brokers. That saves the major headaches and security risks of downloading account statements and sharing them over email. It may also replace the manual analysis and calculations otherwise required. This can allow accredited data recipients to build technology to provide more value for the consumer and advisor relationship. Easy accounting, better tax and legal advice, simpler mortgage applications? … yes please!
 
The Great 
 
We added this category for Trusted Advisors, because it’s great to see privacy and security protected by clever design rather than by subjective and onerous compliance requirements. There are two clever elements to this model:
 
1. It leverages the established and objective qualifications of trusted professionals. These professionals are governed by existing regulations that maintain high standards including security, privacy, and ethical conduct with liability for losing those credentials if not upheld.
 
2. It requires consumers to appoint their advisors. As consumers have already determined that they trust these advisors with their data under the services they provide, it's following the existing scope and requirements of data, just in a more secure and automated form.
 
The Bad 
 
ADRs making use of the Trusted Advisors model are required to take reasonable steps to confirm the advisor is part of a class of authorised professionals. That’s expected, but it will create an operational burden for those ADRs. This is not something that's currently enforced under the alternate method of screen scraping, where consumers can invite anyone in to see and use their data (eg. Xero).
 
The question mark 
 
From a practical standpoint, is there going to be a register of confirmed trusted advisors? How will the ADRs confirm a trusted advisor's qualifications without manual, complex and time-intensive activities that may undermine these use cases?
 
Joint Accounts
 
The Good 
 
Progress was finally made on the contentious topic of consent for joint accounts. The new consent model comes into effect from July 2022, when data holders (banks) are expected to have had time to implement a mechanism for joint account holders to specify their preferred method of consent. The three options are:
  1. By default, joint accounts are taken to opt-in to data sharing if either of the account holders consents (pre-approval option).
  2. Both account holders have the option to set non-consent so the account cannot be used for CDR data sharing (non-disclosure option).
  3. It can be set to the co-approval option where both or all joint account holders need to approve each individual consent to data sharing arrangement.
The default pre-approval option is the key to removing friction that was causing problems for joint accounts. If it’s not really easy to provide consent and start using the data sharing, people lose interest. 
 
The Bad
 
Aside from the delayed implementation to give banks time to prepare, it allows the banks (data holders) to set the narrative around these data sharing options. The banks have resisted joint account sharing and the CDR data sharing in general. We may see a concerted effort to raise alarm bells to consumers and encourage joint account holders to choose option 2 or 3 with their accounts (which keeps the current friction).
 
The Question
 
Time will tell how much this change increases data sharing for joint accounts under the CDR. Even the slightest friction point can lead consumers to lose interest and not follow through, which was the cause of the issue originally for joint accounts. Will this new consent model reduce the friction enough? 
 
Sponsor-Affiliate
 
The Good 
 
This new access model provides another accreditation path for simpler CDR use cases without the requirement for an independent audit of compliance under the ASAE 3150 standards. All the same CDR Schedule 2 compliance rules and obligations still apply, but it allows more flexibility on how that compliance is validated. That's anticipated to mean less “evidentiary burden" and compliance costs. 
 
The Bad 
 
Sponsors have the responsibility for verifying and reporting on their affiliates' compliance. That’s likely to pass on some level of “evidentiary burden” and costs to the affiliates. Those expecting to sponsor others are fintechs, rather than security and compliance experts. It will require sponsors to up-skill, outsource or make other arrangements to effectively fulfil these responsibilities. 
 
The Question 
 
The big question is the level of rigour that will be applied by sponsors in verifying the compliance of their affiliates. Will that be influenced by the regulators, or will it be left up to them to determine what's appropriate? 
 
On one extreme, if the level of rigour is similar to an ASAE 3150 audit, then the additional benefits of full accreditation may outweigh the potential cost savings of sponsor-affiliate. On the other hand, if the level of rigour is low, it may leave liability for sponsors and their affiliates and a generally lower standard of security for consumer data.
 
CDR Representatives
 
The Good 
 
The CDR Representatives model allows unaccredited data recipients to use data as if they were accredited under the governance of a Principal. This model allows more advanced use cases than Sponsor-Affiliate and with less audit and evidentiary burden than the full accreditation path.
 
The Bad 
 
There’s a lot of responsibility for the principal as the accredited data recipient. That’s likely to mean this access model is reserved for highly trusted representatives. It may mean significant costs passed on to those reps to cover the onerous compliance burdens and liability for the principal. 
 
The Question 
 
Will Sponsor-Affiliate, Principal-Representatives, or full accreditation see the highest uptake across aspiring data recipients where all three models are an option? All three require compliance with the same security and privacy safeguards. Time will tell how the commercial arrangements and offerings will steer data recipients to these different options. 
 
When audits cost $80,000+ and took months to achieve, these new access models were pretty attractive. Now with audits starting at $20,000, taking as little as four weeks, and with the most experienced CDR experts conducting the accreditation audits and guiding the compliance required under either model, is full accreditation the best path for everyone? 
 
Start with a free readiness assessment
 
Whichever access model or use case, the best starting point is our free, 30-minute, self-navigated assessment to see what's involved in Consumer Data Right Compliance. Or meet with us to discuss your CDR use case and goals.

CDR Readiness Assessment

CDR

Some additional information in one line