CDR Archives

As the Consumer Data Right (CDR) extends to the non-bank lenders sector, organisations may face a wave of new obligations on top of their core lending operations.

This article cuts through complexity, explaining why many Data Holders partner with specialists, the risks that partnership brings, and the privacy and security criteria you should prioritise when choosing your provider.

Key Deadlines:

13 July 2026: Product data (formally called Product Reference Data) sharing obligations begin to apply to:

initial providers:

non-bank lenders with a combined total value of >A$10 billion resident loans and finance leases (reported to APRA on 4 March 2025).
all Buy Now Pay Later (BNPL) providers, regardless of the size of their loans/leases.

large providers:

non-bank lenders who have >1,000 customers and a combined total value of resident loans and finance leases >A$10 billion.
non-bank lenders who have CDR accreditation.

9 November 2026: Consumer data sharing obligations start for initial providers.

10 May 2027: Consumer data sharing obligations start for large providers.

Partnering for CDR Compliance

With key CDR deadlines fast approaching, non-bank lenders face mounting pressure to meet exacting standards. The CDR ecosystem is complex and constantly evolving, governed by separate Acts, Rules, Privacy Guidelines and Data Standards regulated by the ACCC, OAIC and the Data Standards Body.

Balancing this regulatory load alongside day-to-day operations often leads data holders to work with specialist third-party providers for implementing technical data holder solutions and ongoing support. However, relying on third parties introduces risks that businesses must be aware of when choosing a provider.

Why choosing a trusted Data Holder partner matters

Recent developments in the CDR landscape have highlighted a critical truth: the technology partner you choose can make or break your compliance journey.

Failing to meet CDR obligations exposes non-bank lenders to reputational and financial repercussions. The ACCC and OAIC have intensified enforcement by actively monitoring participant compliance and investigating complaints. If data holders have breached the CDR Rules and Privacy Safeguards, they could face an infringement notice and/or hefty penalties.

Are you accountable if something goes wrong?

Under the Competition and Consumer Act 2010, outsourcing your CDR activities doesn’t transfer your regulatory obligations. When a service provider acts as your CDR agent, their actions are treated as your own. This is why having the right partner matters.

Rather than increasing risk, working with a trusted provider gives you greater confidence that obligations are met consistently, and issues are identified early. But it’s still important for any CDR participant to understand where accountability sits.

Industry examples highlight this clearly. In a recent Open Banking Incident reported by the Office of the Australian Information Commissioner, consumers received comingled data from unrelated accounts, an error that created privacy concerns and the potential for incorrect credit decisions. Even though the issue originated with the vendor, the Data Holder remained accountable under the rules.

How does Cuscal’s Data Holder Solution stack up?

As CDR Specialists, This Is What We Do Every Day. Our Data Holder Solution for Non-banking Lenders is purpose-built to meet the rigorous demands of the CDR regime. We don’t just support compliance; we embed it into every layer of our platform. Here’s how we deliver peace of mind through three core assurances:

1. No Data Storage – Zero Retention of consumer CDR data

We never store consumer CDR data. By design, our solution minimises security and privacy risks with strict policies on data storage and segmentation, ensuring that:

There is no persistent storage of CDR payloads.
The risk of data comingling across environments, clients, or systems is eliminated.
You maintain full control over your data lifecycle, with no shadow copies or residual data left behind.

2. Bank Grade Controls – Security You Can Trust

As an Authorised Deposit-Taking Institution (ADI), we operate under CPS 230 and CPS 234-aligned operational risk and information security controls, which exceed standard CDR requirements. Our platform includes:

End-to-end encryption, and secure API gateways
Segregated environments to prevent cross-client data exposure
Access controls and audit trails that meet APRA and OAIC expectations
Continuous vulnerability management and penetration testing

3. Built-In Transparency – Compliance Without Guesswork

Transparency is not an add-on—it’s built into our service model. We provide:

Relevant 9.4 Biannual reporting metrics captured by Cuscal provided to Clients.
Client attestation reports to support your internal governance and external reporting
Monthly Raw data reports for Consent volumes.
We’re not just supporting your compliance, but your assurance as well.

Selecting Your Data Holder Partner: Key Criteria and Questions

With accountability ultimately resting with the Data Holder, the partner you choose plays a critical role in helping you meet your CDR obligations with confidence. A well-designed solution shouldn’t add complexity. It should simplify compliance, strengthen governance, and give you visibility over how your customer data is handled.

When assessing potential providers, look for partners who demonstrate clear alignment with regulatory expectations, transparent operating models, and controls that support secure, accurate, and reliable data sharing at scale.

Below are key questions and considerations to guide your evaluation:

Data Handling Model

How do you ensure CDR data is kept strictly separate from other datasets?
Do you use dedicated environments for CDR data processing and storage?
What safeguards are in place to prevent unauthorised access or any mixing of CDR and non-CDR data?
Do you store any CDR related Data on behalf of Data Holders?

Compliance Monitoring

How do you stay up to date with changes to CDR rules and requirements?
What processes do you have for regularly reviewing and updating your compliance controls?
How do you support ongoing staff security awareness and compliance training?

Transparency & Reporting

Do you provide clear, timely reporting that gives Data Holders visibility into your controls and performance?
Can you support biannual reporting to the regulators?
Do you have experience preparing attestation and assurance reports?
How do you notify clients about material service changes involving CDR data?
Can you provide metrics on consumer data requests and deletions?

Want to learn more about Cuscal’s Data Holder Solutions?

If you haven’t started planning or are still evaluating Data Holder Solutions, we can help.

Find out more about our CDR Solutions, or get in touch to discuss how we can support your CDR compliance journey.

Important Information: Information in this article is current as at 17 December 2025 and is subject to change. This article represents the opinions and views of the personal experiences of the panellists only. This article is provided for general information purposes only and does not have regard to the situation or needs of any reader and must not be relied upon as advice. Before acting on this information, consider its appropriateness to your business Cuscal Limited ABN 95 087 822 455.

Sydney, 8 December 2022

Cuscal, Australia’s largest independent provider of payment, banking and regulated data solutions, has made its first strategic acquisition in the Open Banking and Consumer Data Right (CDR) space through the acquisition of myCDRdata from Regional Australia Bank.

The purchase of myCDRdata positions Cuscal to lead in Open Banking and CDR with immediate access to proven technology that has been successful in market and that can be utilised across Cuscal’s client base and by the wider industry quickly and at scale.

myCDRdata builds on the existing CDR solutions Cuscal delivers to its clients. Through myCDRdata, Cuscal will deliver an accredited Data Recipient solution that allows for Data Aggregation of mandated Datasets enabling market participants to deploy fit-for-purpose use cases. Additionally, myCDRdata delivers a fully operational Test Harness (myCDRdata Pro) that enables market participants to manage compliance obligations by monitoring the health, behaviour and performance of CDR APIs.

Following integration by Cuscal, myCDRdata and myCDRdata Pro capabilities will be enhanced and adapted for use by new industry sectors as the CDR continues to roll out beyond the Banking sector. This will provide all market participants, regardless of industry or data holder service, the ability to test, diagnose and solve flaws in production data holder platforms, enabling them to avoid enforcement action for non-compliance due to API failure.

myCDRdata is well recognised and respected in the industry and is a natural addition to Cuscal’s proven and reliable payments and banking technology solutions.

Cuscal’s CEO and Managing Director Craig Kennedy said: “We are excited by the opportunity to acquire this proven market leading asset from Regional Australia Bank, which will position us well to accelerate our relevance and maturity in Open Banking and CDR. We believe the convergence of data, digital identity and payments is a key growth opportunity for Cuscal, and the acquisition of myCDRdata will accelerate this strategic focus.”

Regional Australia Bank, CEO David Heine said: “Regional Australia Bank is proud to have founded this leading product in the Open Banking space. This product is a representation of the hard work and dedication Regional Australia Bank continues to demonstrate towards future driven banking. We are excited to pass the baton to Cuscal, and assure our myCDRdata customers they are in good hands.”

About Cuscal Limited (Cuscal)
For more than 50 years, Cuscal has championed competition in banking and payments in Australia. More recently, Cuscal has moved beyond banking and payments into the broader data economy. Drawing upon extensive experience managing payments data that is digital, regulated, must always be secure, and flows seamlessly between consumers and enterprise, Cuscal provides data holders and data recipients access to a suite of secure and robust capabilities for the collection, sharing, management and storage of data subject to CDR legislation.

About myCDRdata
myCDRdata includes both software assets ‘myCDRdata’ and ‘myCDRdata Pro’ for consumers and enterprise. myCDRdata is a free, secure CDR discovery service for consumers, powered by CDR compliant APIs and UI, that lets them experience how the CDR works and discover their own data. myCDRdata Pro is a product verification testing and issue rectification service designed to help data holders and CDR service providers test, diagnose and solve flaws in their production data holder services.

About Regional Australia Bank
Regional Australia Bank is a customer owned bank that has been helping regional Australians achieve their lifestyle goals for almost 50 years. Known for being flexible, personable and being able to make the complex simple.

An organisation built strongly on everything that makes regional Australia special – and providing a new standard of banking to all regional Australians. Above all, Regional Australia Bank is about building better financial relationships with its members – and that’s something that can’t often be said of the nation’s larger retail banks. The organisation has proudly donated over $2 million dollars to community groups in regional Australia in the past 12 months and is an organisation that is truly proud to support regional Australians.

Regional Australia Bank was the first organisation in Australia to become an Accredited Data Recipient (ADR) in 2020 and the first bank to both publish and receive CDR data.

Media contact
Simone Perryman, sperryman@cuscal.com.au

Quick Links

Tag: CDR

Choosing a Trusted Data Holder Partner: Security-First Tips for Non-bank Lenders