This article is a collaboration between Quill Peak, FDATA and Robin Scarborough – all of us keenly interested in the success of the CDR in Australia.
All banks now need to comply with CDR
1 July 2021 marks a milestone in Australia’s journey to a digital economy. All banks are now mandated to share customer data with accredited data recipients if a customer requests this. But the world has not changed overnight.
A quick recap on the two primary classifications of participants in Australia’s Consumer Data Right (CDR): (1) Data Holders hold customer transaction data and product information – for banking this is intended to be all authorised deposit-taking institutions (ADIs); and (2) Data Recipients have a proposition for customers or businesses that utilise data that a customer instructs a Data Holder to share.
So far, most Data Holders have only been focused on meeting their compliance obligations. They are required to obtain a customer’s authorisation before sharing a customer’s personal and transaction data, and to inform the customer of what data they are sharing, who they are sharing the data with, and the time period for which it will be shared. In addition, they need to consider whether there is a valid reason for refusing to share data and to be able to manage revocation of a customer’s authorisation.
Data Recipients also have compliance obligations. There are limits on the purpose and timeframe for which they can use data shared by a customer, and they are required to have a transparent consent process. The risks of non-compliance are significant.
However, before a customer is willing to share anything, a Data Recipient needs to have a proposition that makes a customer want to share data.
Response to CDR from organisations to date
So where are organisations on their CDR journey?
Lead: Despite it being over three and a half years since Australia’s CDR was introduced, just two entities are both data holders and active ADRs. As we pass the 1 July milestone, the yellow jersey is being worn by CDR-spearhead Regional Australia Bank and Commonwealth Bank. Each of these organisations has embraced CDR – they are active Data Holders and accredited and active as Data Recipients.
However, even the leaders’ use of CDR is limited.
Regional Australia Bank has created a helpful link which allows consumers to see what data will be shared and experience what CDR can offer for them. But the main use for data a customer shares is as part of their loan affordability assessment using a third-party service provider.
Other than account aggregation for data from certain banks, Commonwealth Bank does not appear to have developed any new customer propositions using shared data to date. And despite a number of new data holders becoming active on 1 July, CBA’s website still notes that only data from NAB and Westpac accounts “are available for data sharing right now”.
Comply: Other Data Holders are meeting their compliance obligations to share data, but do not yet have propositions for customers based on using data shared through the CDR. While the four major banks’ Data Holder obligations began on 1 July 2020, all other ADIs were supposed to comply from 1 July 2021.
However, even though the start date for open banking has been moved twice, not all ADIs have met the revised deadline and become active Data Holders. In fact only twelve of the remaining ADIs are active data holders as of 5 July. Twenty-one ADIs have received exemptions and been given up to two-and-a-half years to meet their data holder obligations. There is a large peloton of ADIs – comprising more than half of all ADIs – who are not active data holders but have also not received an exemption.
For some banks the challenges appear to have been some combination of technology, budget adequacy, or simply internal project management related. Of course, this has not been helped by the continued evolution of the rules and requirements. For others, the challenge has been that their software providers have not been able to upgrade their systems so that they meet the security and data sharing compliance obligations set out in the CDR.
Anecdotally, the ACCC appears to be adopting a lenient approach. It appears unwilling to grant exemptions except for major IT transformations or mergers, but rather than apply penalties at this stage, seems to prefer to work with organisations that are struggling to reach compliance as long as they are genuinely moving as quickly as possible to reach that goal.
Although there are now sixteen data holders, there are still only twelve entities which have been accredited as data recipients (ADRs) and of these, only half are active and just three have consumer focused offerings.
Agile: Just four organisations are both accredited and active as data recipients (excluding those who are also data holders).
One entity provides financial, accounting, and tax preparation software and related services for small businesses and individuals (Intuit, which has two active brands).
Two other entities operate as intermediaries. One has a B2B offering which provides banks and fintechs with access to customer data (Adatree). They have recently announced that their platform will be used by a consortium of 20 Australian mutual banks. Another offers an open banking platform, although it also has a simple personal financial management app for consumers (Frollo).
Prepared: Six organisations with seven brands have been accredited as Data Recipients (ADRs) but are not yet active.
ADRs with consumer-focused offerings include a comparison website for a range of financial products (Finder) and a site which provides consumers with an ability to check their credit score (Credit Simple).
The others are focused on B2B, providing open banking platforms (Basiq) and data related services to banks, fintechs and other data recipients (illion, Ezidox, SISS Data Services and Yodlee). Some of these entities already offer their services to other sectors, including superannuation and loyalty platforms, leaving them well placed for the future expansion of CDR to other sectors.
All Data Holders should be seeking to become active ADRs. Some, including ANZ, are reported to be seeking accreditation as an ADR in the second half of 2021. Banks that fail to develop propositions delivering benefits to customers using shared data risk losing customers to more agile organisations.
Many Australian fintechs are yet to take the leap and become accredited as data recipients. Reasons that have been put forward for this include limited resources and funding, and a desire to ‘build once’, which requires a stable regulatory framework. The amendments to the rules released on 1 July 2021 (version 3) introduced changes to accreditation models and the role of intermediaries, but it is not yet clear that these will be sufficient to prompt fintechs to become accredited in the near future.
Learning from the UK’s open banking experience
Somewhat surprisingly, despite a steady stream of UK fintechs entering the Australian market and the UK’s already three and a half years’ experience with open banking, there are, to date, no UK fintechs among the ADRs. Activity from this group is likely to increase in time, exporting established open banking-enabled propositions from the UK to the Australian market, particularly once payment initiation is introduced into Australia’s CDR.
As of December 2020, the UK has 109 live to market open banking-enabled products and services, delivering a broad range of benefits and outcomes to consumers and SMEs.
The take up of data sharing by consumers in Australia is likely to be slow, leading some to question whether the significant investment in CDR has been worthwhile. But as we’ve learnt over the last eighteen months, exponential curves have the capacity to surprise us. The UK’s experience of consumer engagement with data sharing points the way to what Australia might experience.
Delayed, but steady progress
Australia’s CDR has had a somewhat interrupted path to this point. Introduced on 26 November 2017 following the Farrell Review, the rules originally required the big four banks to be able to share customer data from 1 July 2019. In December 2018 this was amended so only product data needed to be shared from 1 July 2019, with sharing of customer data by the big four banks delayed eight months to commence on 1 February 2020. This was changed again in September 2019 with sharing of customer data by the big four banks delayed a further five months to commence on 1 July 2020 and sharing of customer data by other banks similarly pushed out to 1 July 2021.
Along the way we’ve also seen exemptions granted as a result of COVID-19 to financial service providers’ obligations to provide product data, amendments to the rules to include intermediaries, amendments to include a broader range of business customers, consultation (and just recently draft rules) around tiered accreditation, disclosure of insights, and sharing data with ‘trusted advisors’, an inquiry into future directions for the Consumer Data Right by Scott Farrell which was released by Jane Hume, Minister for Superannuation, Financial Services and the Digital Economy, on 23 December 2020, and proposed options to expand the CDR to include ‘action initiation’ (also known as write access).
In addition to these changes, responsibility for the development of the rules was moved from the ACCC to Treasury and the Data Standards Body (DSB) was transferred from CSIRO to Treasury on 28 February 2021.
Despite a history of missed deadlines and delays, the expansion of the CDR this month is another significant step in Australia’s journey to being a digital and data economy.
What should organisations be doing now?
There are two key challenges organisations face.
The first is to ensure that you comply with the CDR legislative requirements. As the Consumer Data Right regulations continue to evolve, ongoing compliance can be a challenge. Many more changes are expected as the existing rules are bedded down, new sectors are added and the recommendations from the recent Farrell inquiry are implemented, including the extension of the CDR to include ‘action initiation’ including payments (‘write access’).
Quill Peak’s CDR Obligations Self-assessment Tool dramatically simplifies the problem of maintaining compliance and quickly assessing the impact of changes to the rules and legislative framework.
The second is to develop a proposition that customers value. If CDR is going to be a success, there needs to be a pipeline of propositions being developed across current or potential CDR participants – as concepts, prototypes, in testing, as well as in the market.
As Mark Perry, the Chief Customer Officer of Biza.io, has noted, “Those who can create a compelling strategy as both a Data Holder and a Data Recipient and use the impost of CDR compliance as a catalyst for transformation will be the ones to watch in the coming years”.
All banks, incumbents and challengers, and also potential non-bank competitors, need to see CDR as an opportunity. All entities operating in sectors to which CDR will or could be extended should be planning for this now. This requires focusing on developing propositions that solve customers’ problems in a way that delivers value to the customer.
As one bank CEO observed, “this is not the time for an incumbent mindset, nor the time to continue what has worked in the past”.
In the next few months Quill Peak and its partners will be undertaking additional research on the pipeline of CDR-enabled propositions in Australia.
To find out more about our organisations and services, visit:
Quill Peak Consulting at https://quillpeak.com.au
Robin Scarborough is a consultant specialising in new digital propositions, services and ventures in financial services and can be contacted at the email address above.
Jamie Leach is the Australasian regional director for FDATA, a global not-for-profit representing key financial, data and technology participants in the Australian Open Data ecosystem. FDATA is leading the campaign to deliver Open Banking/Open Finance worldwide. To find out more, visit https://fdata.global.
 Discover your data – myCDRdata (regionalaustraliabank.com.au) accessed 4 July 2021
 CBA, https://www.commbank.com.au/banking/open-banking/data-sharing-with-cba.html accessed 6 July 2021
 ACCC, Consumer data right exemptions register | ACCC, accessed 4 July 2021
 Adatree, Australia’s largest Bank/Fintech partnership: Adatree signs 20 banks, 1 July 2021, accessed 4 July 2021
 https://www.creditsimple.com.au/content/about-us/, accessed 4 July 2021
 The illion group (formerly Dun & Bradstreet), has two inactive ADRs: illion Open Data Solutions as well as Credit Simple.
 https://ezidox.com/openbanking/, accessed 4 July 2021
 https://www.afr.com/companies/financial-services/the-great-british-fintech-invasion-20201216-p56nst, accessed 4 July 2021
 ACCC, Consumer Data Right, Rules Outline, December 2018, accessed 4 July 2021
 ACCC, Consumer Data Right (CDR), CDR Rules (banking), 2 September 2019, accessed 4 July 2021
 ACCC, Temporary exemptions under Consumer Data Right, 24 April 2020, accessed 4 July 2021
 ACCC, Consumer Data Right Rules amended to include intermediaries, 1 October 2020, accessed 4 July 2021
 ACCC, ACCC amends Consumer Data Right Rules, 23 December 2020, accessed 4 July 2021
 Australian Government, The Treasury, Developments in Australia’s Consumer Data Right in response to community feedback, 30 April 2021, accessed 4 July 2021
 Australian Government, The Treasury, Consumer Data Right rules amendments (version 3), 1 July 2021, accessed 6 July 2021.
 Australian Government, The Treasury, Inquiry into Future Directions for the Consumer Data Right – Final Report, 23 December 2020, accessed 4 July 2021
 ACCC, Consumer Data Right newsletter: 3 March 2021, accessed 4 July 2021
 InnovationAus, No reward for banks risking CDR non-compliance, 1 July 2021, accessed 4 July 2021
 Cornell, Andrew, You’re too young for the golden age (of banks), bluenotes, 15 August 2018, accessed 4 July 2021