Skip to Content
Login
Close

Quick Links

  • Newsroom
  • Choosing a Trusted Data Holder Partner: Security-First Tips for Non-bank Lenders

Choosing a Trusted Data Holder Partner: Security-First Tips for Non-bank Lenders

Related Info

Sydney, 17 December 2025

As the Consumer Data Right (CDR) extends to the non-bank lenders sector, organisations may face a wave of new obligations on top of their core lending operations.

This article cuts through complexity, explaining why many Data Holders partner with specialists, the risks that partnership brings, and the privacy and security criteria you should prioritise when choosing your provider.

Key Deadlines:

13 July 2026: Product data (formally called Product Reference Data) sharing obligations begin to apply to:

initial providers:

  • non-bank lenders with a combined total value of >A$10 billion resident loans and finance leases (reported to APRA on 4 March 2025).
  • all Buy Now Pay Later (BNPL) providers, regardless of the size of their loans/leases.

large providers:

  • non-bank lenders who have >1,000 customers and a combined total value of resident loans and finance leases >A$10 billion.
  • non-bank lenders who have CDR accreditation.

9 November 2026: Consumer data sharing obligations start for initial providers.

10 May 2027: Consumer data sharing obligations start for large providers.

Partnering for CDR Compliance

With key CDR deadlines fast approaching, non-bank lenders face mounting pressure to meet exacting standards. The CDR ecosystem is complex and constantly evolving, governed by separate Acts, Rules, Privacy Guidelines and Data Standards regulated by the ACCC, OAIC and the Data Standards Body.

Balancing this regulatory load alongside day-to-day operations often leads data holders to work with specialist third-party providers for implementing technical data holder solutions and ongoing support. However, relying on third parties introduces risks that businesses must be aware of when choosing a provider.

Why choosing a trusted Data Holder partner matters

Recent developments in the CDR landscape have highlighted a critical truth: the technology partner you choose can make or break your compliance journey.

Failing to meet CDR obligations exposes non-bank lenders to reputational and financial repercussions. The ACCC and OAIC have intensified enforcement by actively monitoring participant compliance and investigating complaints. If data holders have breached the CDR Rules and Privacy Safeguards, they could face an infringement notice and/or hefty penalties.

Are you accountable if something goes wrong?

Under the Competition and Consumer Act 2010, outsourcing your CDR activities doesn’t transfer your regulatory obligations. When a service provider acts as your CDR agent, their actions are treated as your own. This is why having the right partner matters.

Rather than increasing risk, working with a trusted provider gives you greater confidence that obligations are met consistently, and issues are identified early. But it’s still important for any CDR participant to understand where accountability sits.

Industry examples highlight this clearly. In a recent Open Banking Incident reported by the Office of the Australian Information Commissioner, consumers received comingled data from unrelated accounts, an error that created privacy concerns and the potential for incorrect credit decisions. Even though the issue originated with the vendor, the Data Holder remained accountable under the rules.

How does Cuscal’s Data Holder Solution stack up?


As CDR Specialists, This Is What We Do Every Day. Our Data Holder Solution for Non-bank Lenders is purpose-built to meet the rigorous demands of the CDR regime. We don’t just support compliance; we embed it into every layer of our platform. Here’s how we deliver peace of mind through three core assurances:

1. No Data Storage – Zero Retention of consumer CDR data

We never store consumer CDR data. By design, our solution minimises security and privacy risks with strict policies on data storage and segmentation, ensuring that: 

  • There is no persistent storage of CDR payloads.
  • The risk of data comingling across environments, clients, or systems is eliminated.
  • You maintain full control over your data lifecycle, with no shadow copies or residual data left behind.

2. Bank Grade Controls – Security You Can Trust

As an Authorised Deposit-Taking Institution (ADI), we operate under CPS 230 and CPS 234-aligned operational risk and information security controls, which exceed standard CDR requirements. Our platform includes:

  • End-to-end encryption, and secure API gateways
  • Segregated environments to prevent cross-client data exposure
  • Access controls and audit trails that meet APRA and OAIC expectations
  • Continuous vulnerability management and penetration testing

3. Built-In Transparency – Compliance Without Guesswork

Transparency is not an add-on—it’s built into our service model. We provide:

  • Relevant 9.4 Biannual reporting metrics captured by Cuscal provided to Clients. 
  • Client attestation reports to support your internal governance and external reporting
  • Monthly Raw data reports for Consent volumes.
  • We’re not just supporting your compliance, but your assurance as well.

Selecting Your Data Holder Partner: Key Criteria and Questions

With accountability ultimately resting with the Data Holder, the partner you choose plays a critical role in helping you meet your CDR obligations with confidence. A well-designed solution shouldn’t add complexity. It should simplify compliance, strengthen governance, and give you visibility over how your customer data is handled.

When assessing potential providers, look for partners who demonstrate clear alignment with regulatory expectations, transparent operating models, and controls that support secure, accurate, and reliable data sharing at scale.

Below are key questions and considerations to guide your evaluation:

Data Handling Model

  • How do you ensure CDR data is kept strictly separate from other datasets?
  • Do you use dedicated environments for CDR data processing and storage?
  • What safeguards are in place to prevent unauthorised access or any mixing of CDR and non-CDR data?
  • Do you store any CDR related Data on behalf of Data Holders?

Compliance Monitoring

  • How do you stay up to date with changes to CDR rules and requirements?
  • What processes do you have for regularly reviewing and updating your compliance controls?
  • How do you support ongoing staff security awareness and compliance training?

Transparency & Reporting

  • Do you provide clear, timely reporting that gives Data Holders visibility into your controls and performance?
  • Can you support biannual reporting to the regulators?
  • Do you have experience preparing attestation and assurance reports?
  • How do you notify clients about material service changes involving CDR data?
  • Can you provide metrics on consumer data requests and deletions?

Want to learn more about Cuscal’s Data Holder Solutions?

If you haven’t started planning or are still evaluating Data Holder Solutions, we can help.

Find out more about our CDR Solutions, or get in touch to discuss how we can support your CDR compliance journey.

Important Information: Information in this article is current as at [insert date] is subject to change. This article represents the opinions and views of the personal experiences of the panellists only. This article is provided for general information purposes only and does not have regard to the situation or needs of any reader and must not be relied upon as advice. Before acting on this information, consider its appropriateness to your business Cuscal Limited ABN 95 087 822 455.

Related News