
Choosing a Trusted Data Holder Partner: Security-First Tips for Non-bank Lenders

As the Consumer Data Right (CDR) extends to the non-bank lenders sector, organisations may face a wave of new obligations on top of their core lending operations.

This article cuts through complexity, explaining why many Data Holders partner with specialists, the risks that partnership brings, and the privacy and security criteria you should prioritise when choosing your provider.

Key Deadlines:

13 July 2026: Product data (formally called Product Reference Data) sharing obligations begin to apply to:

initial providers:

  • non-bank lenders with a combined total value of >A$10 billion resident loans and finance leases (reported to APRA on 4 March 2025).
  • all Buy Now Pay Later (BNPL) providers, regardless of the size of their loans/leases.

large providers:

  • non-bank lenders who have >1,000 customers and a combined total value of resident loans and finance leases >A$10 billion.
  • non-bank lenders who have CDR accreditation.

9 November 2026: Consumer data sharing obligations start for initial providers.

10 May 2027: Consumer data sharing obligations start for large providers.

Partnering for CDR Compliance

With key CDR deadlines fast approaching, non-bank lenders face mounting pressure to meet exacting standards. The CDR ecosystem is complex and constantly evolving, governed by separate Acts, Rules, Privacy Guidelines and Data Standards regulated by the ACCC, OAIC and the Data Standards Body.

Balancing this regulatory load alongside day-to-day operations often leads data holders to work with specialist third-party providers for implementing technical data holder solutions and ongoing support. However, relying on third parties introduces risks that businesses must be aware of when choosing a provider.

Why choosing a trusted Data Holder partner matters

Recent developments in the CDR landscape have highlighted a critical truth: the technology partner you choose can make or break your compliance journey.

Failing to meet CDR obligations exposes non-bank lenders to reputational and financial repercussions. The ACCC and OAIC have intensified enforcement by actively monitoring participant compliance and investigating complaints. If data holders have breached the CDR Rules and Privacy Safeguards, they could face an infringement notice and/or hefty penalties.

Are you accountable if something goes wrong?

Under the Competition and Consumer Act 2010, outsourcing your CDR activities doesn’t transfer your regulatory obligations. When a service provider acts as your CDR agent, their actions are treated as your own. This is why having the right partner matters.

Rather than increasing risk, working with a trusted provider gives you greater confidence that obligations are met consistently, and issues are identified early. But it’s still important for any CDR participant to understand where accountability sits.

Industry examples highlight this clearly. In a recent Open Banking Incident reported by the Office of the Australian Information Commissioner, consumers received comingled data from unrelated accounts, an error that created privacy concerns and the potential for incorrect credit decisions. Even though the issue originated with the vendor, the Data Holder remained accountable under the rules.

How does Cuscal’s Data Holder Solution stack up?


As CDR Specialists, This Is What We Do Every Day

Our Data Holder Solution for Non-banking Lenders is purpose-built to meet the rigorous demands of the CDR regime. We don’t just support compliance; we embed it into every layer of our platform. Here’s how we deliver peace of mind through three core assurances:

1. No Data Storage – Zero Retention of consumer CDR data

We never store consumer CDR data. By design, our solution minimises security and privacy risks with strict policies on data storage and segmentation, ensuring that: 

  • There is no persistent storage of CDR payloads.
  • The risk of data comingling across environments, clients, or systems is eliminated.
  • You maintain full control over your data lifecycle, with no shadow copies or residual data left behind.

2. Bank Grade Controls – Security You Can Trust

As an Authorised Deposit-Taking Institution (ADI), we operate under CPS 230 and CPS 234-aligned operational risk and information security controls, which exceed standard CDR requirements. Our platform includes:

  • End-to-end encryption and secure API gateways
  • Segregated environments to prevent cross-client data exposure
  • Access controls and audit trails that meet APRA and OAIC expectations
  • Continuous vulnerability management and penetration testing

3. Built-In Transparency – Compliance Without Guesswork

Transparency is not an add-on—it’s built into our service model. We provide:

  • Relevant 9.4 biannual reporting metrics, captured by Cuscal and provided to clients
  • Client attestation reports to support your internal governance and external reporting
  • Monthly raw data reports for consent volumes

We’re not just supporting your compliance, but your assurance as well.

Selecting Your Data Holder Partner: Key Criteria and Questions

With accountability ultimately resting with the Data Holder, the partner you choose plays a critical role in helping you meet your CDR obligations with confidence. A well-designed solution shouldn’t add complexity. It should simplify compliance, strengthen governance, and give you visibility over how your customer data is handled.

When assessing potential providers, look for partners who demonstrate clear alignment with regulatory expectations, transparent operating models, and controls that support secure, accurate, and reliable data sharing at scale.

Below are key questions and considerations to guide your evaluation:

Data Handling Model

  • How do you ensure CDR data is kept strictly separate from other datasets?
  • Do you use dedicated environments for CDR data processing and storage?
  • What safeguards are in place to prevent unauthorised access or any mixing of CDR and non-CDR data?
  • Do you store any CDR-related data on behalf of Data Holders?

Compliance Monitoring

  • How do you stay up to date with changes to CDR rules and requirements?
  • What processes do you have for regularly reviewing and updating your compliance controls?
  • How do you support ongoing staff security awareness and compliance training?

Transparency & Reporting

  • Do you provide clear, timely reporting that gives Data Holders visibility into your controls and performance?
  • Can you support biannual reporting to the regulators?
  • Do you have experience preparing attestation and assurance reports?
  • How do you notify clients about material service changes involving CDR data?
  • Can you provide metrics on consumer data requests and deletions?

Want to learn more about Cuscal’s Data Holder Solutions?

If you haven’t started planning or are still evaluating Data Holder Solutions, we can help.

Find out more about our CDR Solutions, or get in touch to discuss how we can support your CDR compliance journey.

Important Information: Information in this article is current as at 17 December 2025 and is subject to change. This article represents the opinions and views of the personal experiences of the panellists only. This article is provided for general information purposes only and does not have regard to the situation or needs of any reader and must not be relied upon as advice. Before acting on this information, consider its appropriateness to your business. Cuscal Limited ABN 95 087 822 455.

Why the Consumer Data Right is more than a compliance cost for non-bank lenders


The past couple of years have meant significant growth for non-bank lenders and there are no signs of slowing down, says Bronwyn Yam, the chief product officer at Cuscal.

According to the RBA, the sector grew on average 15 per cent on a six-month annualised basis, more than twice the rate recorded by banks.

It is an exciting – and competitive – time. And it is in this context that the non-bank lender sector prepares to be the next one rolling out the Consumer Data Right (CDR) in Australia. While some organisations try to understand how to best navigate this complex initiative, a key aspect may get lost amid the regulatory language: CDR is way more than compliance costs.

For those organisations willing to make this part of their digital transformation, the initiative presents opportunities to stay competitive, improve efficiency, enhance customer experiences, and drive innovation in the financial services sector.

As a partner of many banking and non-banking organisations, we’ve seen firsthand how data can improve an organisation’s ability to draw strategic insights for its business plans. The good news is that some implementations can be API-driven on a subscription basis, enabling users to securely share their data and empowering companies to build improved financial applications.

Here are key takeaways on how a well-implemented CDR solution can boost businesses.

  • Improved customer experience: As an accredited organisation, non-bank lenders will have access to use consumer data to offer more tailored solutions. Companies that channel this supercharged data pool to drive innovation and product development will deliver improved customer experiences and personalised financial services – a potential make or break in a competitive environment. Easy wins include increasing conversion rates by fast-tracking your lending application process with a mobile-first experience, expedited approval times, quick account verification and pre-funds checks, and streamlined onboarding, easing the deposit of funds and progressing the lending cycle from origination to collections. And this is just the beginning of improved customer experience.
  • Increased visibility of client movement: Non-bank lenders, as mandated data holders, should want access to the metadata generated by their existing customers sharing their data with other organisations. This new dataset becomes a source of powerful insights. At Cuscal, we call them a moat for our clients, protecting their businesses’ revenue and profit. The premise is that if companies use and analyse the data properly, they will notice trends or clients looking to move, allowing them to counteract with a better experience.
  • More accurate risk management: While accessing data is a crucial step in developing a financial application, extracting insights from it truly unlocks its value. Adding comprehensive data overlay services helps companies harness the power of data to make more informed lending decisions, improve risk control, proactively manage hardship, and reduce default rates. Benefits include a deep understanding of spending behaviour with access to enriched transaction details, empowering non-bank lenders to improve their risk assessment capabilities.
  • Increased cyber security: Maintaining robust cyber security practices helps build trust and confidence with your customers and assures them that their data is handled securely and responsibly. CDR also changes the game for consumers and businesses regarding cyber security. It is a safer solution than outdated methods, such as screen scraping, which require customers to share their login details with third parties (e.g. lenders and brokers) for the various compulsory checks for responsible lending obligations. Banning these insecure practices, such as sharing PDFs and scans of transaction statements, minimises the risks exposed by storing them.
  • Compliance with standards and regulations is a key requirement for organisations participating in the CDR framework. That means non-bank lenders will automatically adhere to industry standards and guidelines to ensure data security, limiting exposure to malicious activity.
  • Data protection measures include encryption, access controls, and secure data storage practices to safeguard sensitive information. The CDR framework also imposes ongoing monitoring and auditing of databases, securing consumer data by increasing the chances of discovering risks and loss of integrity in datasets.

In summary, CDR is more than a compliance cost to non-bank lenders. It is the next step to increase business competitiveness and protect businesses and consumers in Australia. CDR is about giving consumers peace of mind when they transfer personal data online and giving them control over their vulnerable data.

As CDR continues to roll out, we anticipate a stronger, more protected ecosystem in which organisations, CDR solution partners, and customers are building collectively towards a safer digital economy.

There is much to learn from other industries in preparation for the legislation. However, the reality is that non-bank lenders should consider adopting CDR solutions regardless of the government timelines. CDR will be a reality and the sooner they can be ready and start benefiting from the advantages of data and insights to protect and boost their business, the greater value they will get for their investment.

By Bronwyn Yam, Chief Product Officer

This article was originally published on www.mortgagebusiness.com.au on 6 May 2024.