Development of rules for ‘intermediaries’ and storage under the lock-down version of the rules

Dear <<First Name>>, 

Thank you for your continued interest in the Consumer Data Right (CDR).

Development of rules to accommodate ‘intermediaries’

The lock-down version of the rules, released in September 2019, introduced the foundational rules for the CDR regime. The rules authorise accredited persons to disclose CDR data to third party service providers, subject to certain conditions, to assist in providing goods or services to CDR consumers. The rules also cover the storage of CDR data as discussed further below.

However, consistent with the position in the Rules Outline released in December 2018, the lock down rules do not provide for the use of third party service providers who collect CDR data from a data holder on behalf of an accredited person. In the Rules Outline we referred to such service providers as ‘intermediaries’.

We recognise the important role of intermediaries in the financial services sector, and the data economy more generally, in facilitating the efficient and secure collection of data. We also understand there are a range of innovative business models that intend to operate in this area, including those that may not only collect CDR data, but also use CDR data to assist an accredited person to provide goods or services to consumers.

We have commenced the process to develop additional rules that will accommodate intermediaries into the CDR regime by mid-2020, in order to support the uptake of CDR and provide a greater degree of flexibility for potential accredited data recipients.

We would like to hear the views of industry about the different business models that need to be considered and how intermediaries should be accommodated in the rules, including the appropriate form of regulation for collection of CDR data on behalf of an accredited person. We expect this will involve development of additional, risk-based levels of accreditation and/or the expansion of the existing rules relating to use of outsourced service providers.

During this process we will also be seeking views on the development of rules that allow consumers to consent to the disclosure of CDR data between accredited persons and to non-accredited persons such as financial counsellors and accountants, provided that appropriate conditions are met. We intend to publish a short consultation paper in December 2019 seeking submissions to inform the development of these rules.

Expected intermediaries timeline

• December 2019: ACCC will release a short consultation paper on the inclusion of intermediaries.
• February 2020: Submissions due on the consultation paper on the inclusion of intermediaries
• March 2020: ACCC will release a short position paper on the proposed treatment of the different intermediary business models
• Mid-2020: CDR rules will be amended to address the use of intermediaries.

ACCC position on the storage of CDR data under the lock-down rules

We have received a number of queries on the application of the lock-down version of the rules to the storage of CDR data.

The rules permit accredited persons to use third-party storage providers subject to certain conditions. Storing CDR data does not require specific consent from a CDR consumer. However, where CDR data is disclosed to a third party storage provider, CDR consumers must be made aware of this during the consent phase (under rule 4.11(3)(f)) and the outsourced service provider requirements must be met.

It is not necessary to comply with those requirements where the nature of the storage services does not involve a disclosure of CDR data –- for example use of cloud storage services where the accredited person provides the CDR data to the service provider for the sole purpose of storing the data.

By contrast, where there is disclosure such that the accredited person allows the service provider to access and use the data, the outsourced service provider requirements would need to be met. In both circumstances, whether there is disclosure or not, the accredited person remains directly responsible for the security and protection of the CDR data.

Where an accredited person stores or proposes to store CDR data overseas, the accredited person’s CDR policy must also specify the countries in which it proposes to store the CDR data.

We appreciate your ongoing engagement in the development of the CDR regime and look forward to receiving your feedback on the consultation paper when it is released.

Kind regards,

Consumer Data Right Branch

Australian Competition and Consumer Commission (ACCC)