Treasury has begun consulting on new rules that would significantly expand the number of businesses able to ingest data under the consumer data right in a bid to “encourage greater uptake”.
An exposure draft of version three of the rules was released on Friday, making good on a proposal first revealed in April to “support new pathways for participation in the CDR”.
At present, only accredited data recipients (ADRs) are able to receive a consumer’s data from data holders and make use of it in their own products or services.
Thirteen ADRs are currently endorsed by the Australian Competition and Consumer Commission, including the fintechs like Frollo and Ezidox, credit bureau illion and the Commonwealth Bank.
But in a bid to overcome what has been described as a “costly” and “laborious” pathway to accreditation by some, Treasury has proposed three new models to “lower barriers to participation”.
A “sponsored accreditation model” would reduce the “cost of accreditation by altering certain obligations to establish information security capability as part of the accreditation process”.
Under this model, ADRs would be able to sponsor other parties as accredited ‘affiliates’, who will be able to make consumer data requests through ADR.
However, unlike the sponsor, affiliates will not be required to provide an independent third-party assurance report to “establish that [they] meet the information security criterion once accredited”.
“Instead, an affiliate will be required to provide a self-assessment and attestation to the data recipient accreditor (DRA),” explanatory materials [pdf] for the exposure draft states.
Sponsors will be required to undertake due diligence on affiliates before entering into sponsorship agreements, as well as “take reasonable steps to ensure affiliates comply with their obligations”.
A second new model will allow participants to access and use CDR data “without the need for accreditation… where they offer CDR-related service to consumers as a representative of an ADR”.
Called the “CDR representative model”, this approach would see an ADR enter an arrangement with a ‘CDR representative’, who may offer goods or service on behalf of the ADR or themselves.
Treasury said this model – which “does not preclude more arm’s lengths relationships” – would largely depend on the level of “responsibility (and potential liability)” an ADR is willing to accept.
Examples given by Treasury revolve around what appears to resemble banking-as-a-service, where an ADR partners with an unaccredited third-party for a white-labelled bank account.
A third “outsourced service providers” model will allow unaccredited third-parties to collect CDR data, removing the need to build and operate APIs that connect to data holders.
“This will allow ADRs to use the services of an unaccredited [party] to collect data directly from a data holder on their behalf,” explanatory materials for the exposure draft states.
Treasury said that the changes would, ultimately, “encourage greater uptake of the CDR by both participants and consumers while maintaining trust in the security and integrity of the CDR system”.
“The consumer benefits of the CDR are intrinsically linked to establishing a vibrant ecosystem of accredited data recipients (ADRs) and other participants,” it said.
“Stakeholders have indicated that current barriers to enter the CDR (including the cost of accreditation) are deterring many businesses from participating.
“Addressing this concern has the potential to increase the range of ADRs making products and services available to consumers via the CDR and expand the overall benefits of the CDR regime.”
Other proposed changes being consulted on include the ability for consumers to permit trusted advisors to access CDR data and create a single consent data sharing model for joint accounts.
Consultation on the proposed changes follows the first anniversary of the CDR, which now applies to all banks and credit unions.
Sixteen authorised deposit-taking institutions – and their respective brands – are now data holders under the scheme, with other institutions opting to defer their entry by up to 18 months.
Consultation on the legislation will close July 30.
