This year, Australia’s Consumer Data Right (CDR) is expanding to include the non-bank lending sector. Specific Non-bank Lenders will be designated as ‘Data Holders’ within the CDR framework, requiring them to implement systems to facilitate consumers in being able to transfer their data to accredited third parties.
This builds upon the designations in the Banking and Energy sectors, where Data Holders are already operational, allowing consumers to effectively transfer their data.
November 2024 marks the first milestone for Non-bank Lenders. So what do Non-Bank Lenders need to be aware of?
The Consumer Data Right (CDR) is an economy wide designed to empower consumers with greater control over their data. It facilitates the secure sharing of data, currently housed in various organisations, with third parties in taking up new services. Banking was the first implementation of the CDR, commonly known as Open Banking, allowing consumers to consent to sharing their banking data with accredited third parties. For more detailed information on Open Banking, refer to Basiq’s definitive guide.
Following Banking, the Energy sector adopted the CDR and soon, Non-bank Lenders will join this initiative. Presently there are over 90 Banks and Energy providers acting as data holders. To see the complete list, click here.
Treasury has delineated two categories of providers:
Initial provider: A non-bank lender that on the commencement date has over $10 billion in loans/leases and has averaged over $10 billion for the preceding 11 months.
Large provider: A non-bank lender that on the commencement date has over $500 million but less than $10 billion in loans/leases, averaged over $500 million for the preceding 11 months, has more than 500 customers.
Some examples of organisations it applies to include:
Data Holders must be authorised by the ACCC, fulfilling specific criteria for data security, privacy, and technical capabilities. The implementation of robust security measures, such as encryption and access controls is required to safeguard data. Privacy compliance is crucial, ensuring data use aligns with relevant privacy laws.
Data Holders are obligated to adopt technical standards to facilitate seamless data sharing across entities within the CDR ecosystem. This involves establishing a consent management framework to obtain and manage consent from consumers.
Furthermore, ongoing regulatory oversight requires Data Holders to submit regular compliance reports to the ACCC and promptly address any inquiries and issues that may arise.
What is a complex request?
A “complex request” under the draft rules is a consumer data request that:
While providing access to consumer and product data via APIs seem straightforward, the process of becoming a Data Holder is a complex undertaking. Beyond initial requirements, there are continuous obligations related to regulatory changes, maintenance and reporting. Based on feedback from existing Data Holders in the banking sector, it’s prudent to consider engaging a Partner with the requisite expertise, experience and knowledge.
Given the urgency and complex requirements, Non-bank Lenders falling under the scope of becoming a Data Holder should take proactive steps in initiating their CDR implementation projects. Here are our recommended actions.
Step 1: Requirements and Timing
Familiarise yourself with what’s required and “go-live” deadlines
Step 2: Engage a Partner
Work with a Partner that can help you navigate the complex build and maintenance requirements
Step 3: API development
Start building the internal API layer to surface Users, Accounts, Transactions – needs to be done regardless of whether you engage a Partner or not.
Important Information: This article has been prepared by Basiq Pty Ltd (ABN 95 616 592 011) (Company), and was originally published on 23 October 2023 on www.basiq.io. Information is current as at the publication date, and the Company has no obligation to update or correct this article. The information contained in this article is of a general nature and is not intended to address the objectives or needs of any particular individual entity, and should not be regarded in any manner as advice. To the extent permitted by law, the Company and its related bodies corporate will not be liable for any errors, omissions, defects or misrepresentations in the information in this article or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise. © 2023 Basiq Pty Ltd
