Consumer Data Right (CDR) Rules Outline

The Australian Competition & Consumer Commission(ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion.) has set out its position on what should be included in the rules that will govern the CDR.

The Rules Outline provides guidance to data holders (eg., banks) and potential data recipients (eg., fintechs) so they can develop the necessary systems and product offerings ahead of the start of the CDR regime in July 2019.

The ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion. has said it is not seeking formal consultation, however, given Intuit’s experience with PSD registration in the UK, in a meeting with Steve Kemp and me, the Director of the ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion.’s Consumer Data Right Branch, Jodi Ross said she would welcome Intuit’s views on accreditation criteria and assessment.

The policy positions in the Rules Outline will be reflected in the draft Rules which the ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion. intends to publish for consultation in the first quarter of 2019.

Draft Accreditation

Full details of the ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion.’s proposed accreditation can be found in Section 5 on pages 11-18 of the attached CRD rules outline document.

I have excepted the following draft rules below:

  • Levels of accreditation;
  • Accreditation process;
  • Criteria for the general level of accreditation;
  • Continuing obligations on accredited data recipients; and
  • Accreditation of foreign entities

There will be no fee for an application for accreditation in version one of the Rules.

Levels of accreditation

  1. There will be one general level of accreditation in version one of the Rules. 

In a subsequent version of the Rules, the ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion. proposes to introduce additional levels of accreditation, including levels of accreditation that accommodate business models that use third party intermediaries to collect and/or hold CDR data.

The first general level of accreditation will enable an accredited data recipient to receive all CDR data within scope for banking and will therefore be subject to stringent obligations.

The general level of accreditation will apply to additional designated sectors and on the basis that the need for additional accreditation requirements will be considered as the CDR regime is extended.

Accreditation process

  1. An application for accreditation must be in an approved electronic form as specified by the Rules.
  2. The approved form will require applicants to provide sufficient detail to enable identity verification of the applicant or, in the case of an applicant that is a body corporate, enable identity verification of its directors, company secretary and senior managers.
  3. Applicants must nominate an address for service (or, in the case of foreign applicantfor accreditation, its local agent’s address for service) in accordance with regulation12 of the Competition and Consumer Regulations 2010 (Cth).
  4. Applicants must provide a description of the services they intend to offer consumers using CDR data as an accredited data recipient.
    • This is relevant contextual information to enable the Data Recipient Accreditor to consider the other information and documents provided with an application for accreditation and whether the criteria for accreditation are satisfied.
  5. Applicants that are not ADIs must indicate whether they hold, or expect to hold, data that is specified in a CDR designation instrument (see paragraph 2.8).
  6. Applicants that are part of a group of companies that is applying for more than one accreditation must provide the names of the other applicants in the group. The Data Recipient Accreditor will use its best endeavours to assess all accreditation applications together that are made by applicants from the same group to ensure that these applications are dealt with efficiently and consistently.
  7. Applicants for accreditation are required to notify the Data Recipient Accreditor of any material changes in circumstance that may affect their application (after it has been submitted) and the Data Recipient Accreditor’s decision to grant accreditation. Any change in the nominated address for service must also be notified to the Data Recipient Accreditor.

Criteria for the general level of accreditation

  1. To grant accreditation, the Data Recipient Accreditor must be satisfied that the applicant meets the accreditation criteria set out in Table 1.
  2. The ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion. will publish draft accreditation application guidelines relating to assessment of the accreditation criteria with the draft Rules. Interim guidance is provided in Table 1.
  3. In considering an application for accreditation, the Data Recipient Accreditor may consult with other relevant regulators including the OAIC and ASICAustralian Securities and Investments Commission (ASIC) is Australia’s corporate, markets and financial services regulator. asic.gov.au.
  4. Streamlined accreditation will apply to ADIs including PPF providers. Partial streamlined accreditation will apply to restricted ADIs.

Continuing obligations on accredited data recipients

  1. An accredited data recipient has continuing obligations relating to the criteria for accreditation to maintain:
    1. their fit and proper person status
    2. adequate practices, procedures and systems to manage CDR data and information security risks
    3. internal dispute resolution procedures that meet the requirements set out in the Rules
    4. membership of the recognised EDR scheme for the banking sector
    5. adequate insurance or comparable guarantee to compensate consumers for loss arising from breach of obligations under the CDR regime.
  2. These continuing obligations also apply to accredited data recipients provided with streamlined accreditation, except where the accredited data recipient was exempted from meeting any particular accreditation criteria.
  3. Accredited data recipients are required to provide an annual attestation of compliance with their obligations under the Privacy Safeguards and the Rules.
  4. The ACCCAustralian Competition and Consumer Commission The ACCC is Australia's competition regulator and national consumer law champion. and OAIC will monitor compliance with the continuing obligations through an audit and compliance program.
  5. Accredited data recipients are required to notify the Data Recipient Accreditor, as soon as practicable, of any material changes in circumstance that may affect their ability to meet their continuing obligations.

Accreditation of foreign entities

  1. A foreign applicant for accreditation must appoint a local agent to accept service on behalf of the applicant.
  2. If accredited, a foreign accredited data recipient is obliged to maintain a local agent and to notify the Data Recipient Accreditor of any change in appointment of its local agent.

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.