
The State of Fraud and Scams in Australia

Fraud and scams are rising, and they’re shaking customer confidence at its foundation. Every scam attempt is a moment of vulnerability for your customers. Based on Cuscal’s Quarterly Insights research with over 2,000 Australian consumers, 57% of respondents face scam attempts weekly, and almost one in three has been impacted. Behind every statistic is a person who wants to feel safe when they bank with you.

Trust Starts with Security

Security and trust go hand in hand. Customers expect robust protection, but they also value reassurance that you genuinely have their best interests at heart. Trust drives loyalty, and loyalty translates into retention and revenue. When customers feel both protected and valued, they stay.

Security as a Strategic Advantage

As confirmed by our latest survey and qualitative community study, communication plays a critical role in building that trust. Nine out of ten respondents believe their financial institution should do more to protect them, and 86% want regular updates on new scam tactics. Security has evolved beyond compliance. Today, it’s a competitive advantage and a core promise that influences why customers choose you and stay with you.

Our insights point to five essentials:

  1. Visible, robust protection such as multi-factor authentication and real-time alerts.
  2. Proactive education through scam alerts via SMS, in-app notifications, and targeted campaigns.
  3. Empathetic support with fast, human responses when things go wrong.
  4. Transparent communication that keeps customers informed every step of the way.
  5. Customisable security options that give customers control and confidence.

Strengthening Your Fraud Defences

Fraud prevention goes beyond protection. You’re earning trust when it matters most, and that trust becomes the foundation of lasting customer relationships. Cuscal can help you deliver on that promise with advanced fraud monitoring for cards and real-time payments, AI-driven detection tools, and comprehensive financial crime solutions that keep you ahead of emerging threats.

Stay Ahead of Fraud Threats

Explore the full report for practical strategies, real-world case studies, and industry benchmarks that can help you stay ahead of emerging threats.


Choosing a Trusted Data Holder Partner: Security-First Tips for Non-bank Lenders

As the Consumer Data Right (CDR) extends to the non-bank lenders sector, organisations may face a wave of new obligations on top of their core lending operations.

This article cuts through complexity, explaining why many Data Holders partner with specialists, the risks that partnership brings, and the privacy and security criteria you should prioritise when choosing your provider.

Key Deadlines:

13 July 2026: Product data (formally called Product Reference Data) sharing obligations begin to apply to:

initial providers:

  • non-bank lenders with a combined total value of >A$10 billion resident loans and finance leases (reported to APRA on 4 March 2025).
  • all Buy Now Pay Later (BNPL) providers, regardless of the size of their loans/leases.

large providers:

  • non-bank lenders who have >1,000 customers and a combined total value of resident loans and finance leases >A$10 billion.
  • non-bank lenders who have CDR accreditation.

9 November 2026: Consumer data sharing obligations start for initial providers.

10 May 2027: Consumer data sharing obligations start for large providers.

Partnering for CDR Compliance

With key CDR deadlines fast approaching, non-bank lenders face mounting pressure to meet exacting standards. The CDR ecosystem is complex and constantly evolving, governed by separate Acts, Rules, Privacy Guidelines and Data Standards regulated by the ACCC, OAIC and the Data Standards Body.

Balancing this regulatory load alongside day-to-day operations often leads data holders to work with specialist third-party providers for implementing technical data holder solutions and ongoing support. However, relying on third parties introduces risks that businesses must be aware of when choosing a provider.

Why choosing a trusted Data Holder partner matters

Recent developments in the CDR landscape have highlighted a critical truth: the technology partner you choose can make or break your compliance journey.

Failing to meet CDR obligations exposes non-bank lenders to reputational and financial repercussions. The ACCC and OAIC have intensified enforcement by actively monitoring participant compliance and investigating complaints. If data holders have breached the CDR Rules and Privacy Safeguards, they could face an infringement notice and/or hefty penalties.

Are you accountable if something goes wrong?

Under the Competition and Consumer Act 2010, outsourcing your CDR activities doesn’t transfer your regulatory obligations. When a service provider acts as your CDR agent, their actions are treated as your own. This is why having the right partner matters.

Rather than increasing risk, working with a trusted provider gives you greater confidence that obligations are met consistently, and issues are identified early. But it’s still important for any CDR participant to understand where accountability sits.

Industry examples highlight this clearly. In a recent Open Banking Incident reported by the Office of the Australian Information Commissioner, consumers received comingled data from unrelated accounts, an error that created privacy concerns and the potential for incorrect credit decisions. Even though the issue originated with the vendor, the Data Holder remained accountable under the rules.

How does Cuscal’s Data Holder Solution stack up?

As CDR Specialists, This Is What We Do Every Day

Our Data Holder Solution for Non-banking Lenders is purpose-built to meet the rigorous demands of the CDR regime. We don’t just support compliance; we embed it into every layer of our platform. Here’s how we deliver peace of mind through three core assurances:

1. No Data Storage – Zero Retention of consumer CDR data

We never store consumer CDR data. By design, our solution minimises security and privacy risks with strict policies on data storage and segmentation, ensuring that: 

  • There is no persistent storage of CDR payloads.
  • The risk of data comingling across environments, clients, or systems is eliminated.
  • You maintain full control over your data lifecycle, with no shadow copies or residual data left behind.

2. Bank Grade Controls – Security You Can Trust

As an Authorised Deposit-Taking Institution (ADI), we operate under CPS 230 and CPS 234-aligned operational risk and information security controls, which exceed standard CDR requirements. Our platform includes:

  • End-to-end encryption, and secure API gateways
  • Segregated environments to prevent cross-client data exposure
  • Access controls and audit trails that meet APRA and OAIC expectations
  • Continuous vulnerability management and penetration testing

3. Built-In Transparency – Compliance Without Guesswork

Transparency is not an add-on—it’s built into our service model. We provide:

  • Relevant 9.4 biannual reporting metrics, captured by Cuscal and provided to clients.
  • Client attestation reports to support your internal governance and external reporting.
  • Monthly raw data reports for consent volumes.

We’re not just supporting your compliance, but your assurance as well.

Selecting Your Data Holder Partner: Key Criteria and Questions

With accountability ultimately resting with the Data Holder, the partner you choose plays a critical role in helping you meet your CDR obligations with confidence. A well-designed solution shouldn’t add complexity. It should simplify compliance, strengthen governance, and give you visibility over how your customer data is handled.

When assessing potential providers, look for partners who demonstrate clear alignment with regulatory expectations, transparent operating models, and controls that support secure, accurate, and reliable data sharing at scale.

Below are key questions and considerations to guide your evaluation:

Data Handling Model

  • How do you ensure CDR data is kept strictly separate from other datasets?
  • Do you use dedicated environments for CDR data processing and storage?
  • What safeguards are in place to prevent unauthorised access or any mixing of CDR and non-CDR data?
  • Do you store any CDR-related data on behalf of Data Holders?

Compliance Monitoring

  • How do you stay up to date with changes to CDR rules and requirements?
  • What processes do you have for regularly reviewing and updating your compliance controls?
  • How do you support ongoing staff security awareness and compliance training?

Transparency & Reporting

  • Do you provide clear, timely reporting that gives Data Holders visibility into your controls and performance?
  • Can you support biannual reporting to the regulators?
  • Do you have experience preparing attestation and assurance reports?
  • How do you notify clients about material service changes involving CDR data?
  • Can you provide metrics on consumer data requests and deletions?

Want to learn more about Cuscal’s Data Holder Solutions?

If you haven’t started planning or are still evaluating Data Holder Solutions, we can help.

Find out more about our CDR Solutions, or get in touch to discuss how we can support your CDR compliance journey.

Important Information: Information in this article is current as at 17 December 2025 and is subject to change. This article represents the opinions and views of the personal experiences of the panellists only. This article is provided for general information purposes only and does not have regard to the situation or needs of any reader and must not be relied upon as advice. Before acting on this information, consider its appropriateness to your business. Cuscal Limited ABN 95 087 822 455.

New CDR Reforms Set to Boost Australia’s Digital Economy


In a recent speech by Assistant Treasurer Stephen Jones at a CEDA (Committee for Economic Development of Australia) conference, significant changes were announced that aim to reshape Australia’s digital economy, focusing on the Consumer Data Right (CDR), privacy, and cybersecurity. The speech highlighted both the benefits and challenges brought by the digitisation of the economy, emphasising the need for stronger protections and more effective use of consumer data.

A focus on Privacy and Data protection

The speech underscored the importance of data in the digital economy, recognising the growing concerns among Australians about privacy due to rising incidents of cybercrime and data breaches. To address these concerns, the government is reviewing the Privacy Act to ensure it is fit for the digital age. This review will impose higher standards on businesses to protect customer data.

View the speech by Assistant Treasurer Stephen Jones.

CDR compliance costs report

Heidi Richards’ CDR compliance costs review report, released by Assistant Treasurer Stephen Jones, found that the costs of the Consumer Data Right (CDR) have far exceeded original estimates, with large banks facing significant burdens due to complex technical requirements. The report raises concerns about the rapid changes to CDR rules, low customer usage, and the lack of innovation, partly due to restrictions on using CDR data. Businesses haven’t been incentivised to use CDR data, which has hindered broader adoption and innovation. The report calls for clearer strategic planning and prioritisation of future changes.

View the CDR compliance cost review paper

Reimagining the CDR

The speech acknowledged that the current implementation of the CDR has been flawed, with high regulatory burdens, low uptake, and limited innovation. To address these issues, the government is launching a reset of the CDR, focusing on several key areas that include:

  1. Streamlining consent processes: The government will simplify how consumers give consent to use their data, allowing for multiple consents in a single action, making it easier and more user-friendly.
  2. Improving business access: The government will mandate that data holders, such as banks, provide a straightforward process for businesses to access their own data. This will help businesses, especially small ones, to benefit from the CDR.
  3. Consumption of CDR data: New rules now allow authorised deposit-taking institutions (ADIs) who are data holders to hold consumer data under the Consumer Data Right (CDR) when a consumer applies for or acquires a product. ADIs must notify consumers that their data will be held and inform them of relevant privacy safeguards. This could help accelerate the use of CDR data by banks who are data holders.
  4. Reforming Standards and Costs: The government will introduce a more structured approach to making standards changes. This includes limiting changes to a few scheduled releases per year, ensuring longer lead times, and considering the cost and regulatory impacts on participants.
  5. Focusing the scope of CDR: To reduce unnecessary costs, the government is examining the possibility of narrowing the scope of data included in the CDR, removing products unlikely to be used.
  6. Prioritising high-value use cases: The reset will prioritise consumer finance, energy switching, and accounting services for small businesses, where the potential benefits to consumers are highest.
  7. Sector expansion: It was confirmed that Data Holder obligations would be extended to non-bank lenders, to be operational by mid-2026.

View the Consumer Data Right Rules: consent and operational enhancement amendments consultation

Strengthening Cybersecurity and Digital identity

The speech also highlighted the ongoing efforts to strengthen cybersecurity through the National Cyber Security Strategy and modernise the payments system. The government is committed to ensuring that digital identity systems, which simplify and secure the verification process, will reduce the amount of data businesses and governments need to hold, further protecting consumers. There was also a commitment to align CDR development with Digital ID, payment system reform and Privacy Act reform.

View the 2023-2030 Australian Cyber Security Strategy

Moving away from unsafe practices

A significant announcement was the government’s stance on screen scraping, a practice where businesses ask consumers to share their bank passwords. The government is considering a full ban on screen scraping, emphasising that it is fundamentally unsafe and that the CDR should become the system of choice for data sharing. With a commitment to phase out screen scraping, the next 12 months will see Treasury develop a full transition plan.

View the report by Basiq comparing the performance of Open Banking and Web Scraping: “An inside look at Open Banking performance and adoption in Australia”

Action Initiation bill passes

Since launch, the Consumer Data Right (CDR) has been “read-only,” allowing data recipients to access and use the data for purposes like lending assessments, budgeting tools, and product comparisons. However, the introduction of the new action initiation power will add a “write” capability, enabling recipients to not only view the data but also perform actions on behalf of customers, such as making a payment, switching providers and updating personal details using the CDR framework.

The bill amends the Competition and Consumer Act 2010 to establish action initiation reforms, enabling Consumer Data Right (CDR) consumers to direct accredited persons to instruct on actions on their behalf, such as making a payment, opening and closing an account, switching providers and updating personal details, using the CDR framework.

On the same day as Assistant Treasurer Stephen Jones announced the CDR reforms, the Senate passed the CDR action initiation bill. While this is exciting news, the government will still need to consult with industry stakeholders to determine its application, and detailed rules will need to be established.

View the Treasury Laws Amendment (Consumer Data Right) Bill 2022

Conclusion

The speech marked a pivotal moment in the government’s approach to the digital economy, with a clear commitment to improving the CDR, enhancing privacy protections, and fostering innovation. The reset of the CDR aims to reduce costs, encourage adoption, and ensure that consumers truly benefit from the data they generate. By focusing on these areas, the government hopes to build a digital economy that is both safe and innovative, where consumers can trust that their data is protected.

Global Payments Innovation Playbook

The Global Payments Innovation Playbook is a collaboration between PYMNTS and Cuscal to examine the key pillars driving financial innovation in Australia, China, the European Union, India, the United Kingdom and the U.S. We have curated some of these regions’ most promising and impactful innovations in this report, all to disseminate the important lessons local success stories have to teach.

The playbook offers a glimpse into global innovators’ efforts to take eCommerce and mobile payments to new heights. This includes what they can show us about modern consumers’ shopping habits, and how businesses might incorporate other regions’ successes when looking to expand abroad.

Contents of playbook:

  • Executive summary
  • Rebirth: why European nations are adopting faster payments
  • North America finds its payments voice
  • China’s mobile banking system: All roads lead to Alibaba and Tencent
  • Thank India: a greenfield ripe for innovation
  • Australia’s new real-time payments environment