Compliance requirements for data holders

Overview

This page provides an overview of compliance requirements for data holders in the Consumer Data Right. It should be read in conjunction with the CDR Rules. It provides general guidance only and should not be relied on as a statement of the law. Further compliance guidance is available here. We encourage participants to obtain their own professional advice regarding individual compliance matters to ensure they understand their obligations under the CDR framework.

General requirements

Data holders need to do two main things under Consumer Data Right. They must:

  • transfer a consumer’s data in a machine-readable format when they receive a request via the secure Consumer Data Right system 
  • publicly release general product data about products they offer, covering interest rates, fees and charges, discounts and other features.

In doing these things, data holders need to meet consent, IT, reporting and security requirements.

As Consumer Data Right rolls out, it will become mandatory for providers to be set up and registered as data holders. Rolling out across banking first, it is now expanding to the energy sector. Non-bank lending will follow. In some circumstances, applicants can seek an exemption. You can view the exemption register for details on all exemptions granted by the Australian Competition and Consumer Commission.

Consent requirements

Under Consumer Data Right, rigorous consent requirements apply to the collection and use of consumer data. These requirements are governed by the Consumer Data Right Rules and the Data Standards Body's Consumer Data Standards. You can also view specific requirements for data holders' websites and apps on the IT requirements page.

Process

  1. Consumer consents to having their Consumer Data Right data collected and used by an accredited data recipient.
  2. Accredited data recipient requests the data from the data holder.
  3. Data holder gets the consumer's authorisation to disclose the data to the accredited data recipient.

Consumer authorisation

This step serves as a check: the data holder presents the authorisation details to the consumer for confirmation before any data is disclosed, and those details must include:

  • the name of the accredited data recipient that made the request
  • the period for which the data can be collected, including existing data and future data that is yet to be produced
  • the type of data that’s being requested (for example, transaction data from their everyday banking account, or savings history from their term deposit banking account)
  • whether the authorisation is for a single use or covers a longer period (and the exact date range) up to the maximum of 12 months 
  • a statement that their authorisation can be withdrawn at any time and
  • instructions on how to withdraw their authorisation.

The consumer can withdraw authorisation at any time, either in writing or via the data holder's website or app.

If the consumer withdraws authorisation, the data holder must action that request as soon as practicable, and within two business days at the most. The data holder must also notify the accredited data recipient that the authorisation has been withdrawn, so that it stops collecting data under that authorisation.

Privacy obligations

The security and integrity of the Consumer Data Right are upheld by 13 privacy safeguards, contained in the Competition and Consumer Act 2010 and supplemented by the CDR Rules.

While most of the privacy safeguards apply to accredited data recipients, there are certain obligations that relate to data holders, including requirements to:

  • implement practices, procedures and systems to ensure compliance with the Consumer Data Right
  • have a Consumer Data Right policy that provides information to consumers about how they can make an enquiry or complaint and how they can access and correct their data 
  • ensure data transferred to another provider is correct, and inform the consumer if incorrect data has been disclosed
  • respond to data correction requests by the consumer.

These privacy safeguard obligations for data holders and how to comply are set out in chapters 1, 10, 11 and 13 of the OAIC’s Privacy Safeguard Guidelines.

Consumer Data Right policy

All data holders must have a CDR policy that consumers can understand and access easily.

A CDR policy is a document that provides information to consumers about how they can make an enquiry or complaint, how they can access and correct their data, and whether the data holder accepts requests for voluntary data.

For information on how to develop a CDR policy, including what specific content must be included, see the OAIC's Guide to developing a CDR policy.

Records and reporting

All data holders must maintain records of Consumer Data Right data. 

The records must include: 

  • consumer authorisations to disclose the data
  • withdrawals of authorisations to disclose the data
  • notifications of withdrawals of consent to collect the data
  • disclosures of the data made in response to consumer data requests
  • instances when the data has not been disclosed because of an exemption from the obligation to disclose
  • Consumer Data Right complaint data. 

Data holders must submit reports twice a year to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). 

The reports must be in the approved format and contain specific information, including: 

  • a summary of any Consumer Data Right complaints
  • the number of general product data requests, consumer data requests made by consumers, and consumer data requests made by accredited data recipients on behalf of consumers during the reporting period
  • the number of data requests that were refused during the reporting period, with information on the rule or data standard on which the refusal was based. 

For more information, see the Consumer Data Right Rules, as well as guidance on the reporting forms for product data-related obligations.

You may also like to download the reporting form template for data holders. 

Data uses

General product data and specific consumer data can be used for product comparisons. 

Consumer data can also be used for other purposes. For example, a budgeting app that has been accredited under Consumer Data Right could use a consumer's banking information to create an accurate budget. Similarly, a small business's banking data could be used by an accounting app to help it manage its books.

As the Consumer Data Right system develops over time, other innovative uses will emerge.

Acting on breaches of the Rules

The ACCC and OAIC jointly monitor compliance with the Consumer Data Right regulations and are jointly responsible for enforcing them. They work together to respond to any issues, including taking enforcement action where needed.

For more details on how the ACCC and OAIC undertake compliance and enforcement, view the Compliance and Enforcement Policy.

Related links