Consumer Data Right Rules – what do the changes mean for you?

By Gavin Smith, Michael Morris, Phil O'Sullivan, Alex Ortner, Emily Cravigan, Sam Dutaillis

CDR sharing obligations commence for financial sector

The formal making of the Competition and Consumer (Consumer Data Right) Rules is a key development in progressing the Consumer Data Right for the banking sector and the regime more generally. As of 6 February 2020, the Big 4 banks are now required to disclose certain types of product data following a request, with the first types of consumer data to be shared from 1 July 2020. For all non-major banks, data sharing obligations will commence in phases, depending on whether the bank decides to become accredited under the regime.

Key takeaways

  • On 5 February 2020, the ACCC formally made the Competition and Consumer (Consumer Data Right) Rules (the Rules), progressing the Consumer Data Right (the CDR).
  • The Rules operate to formally commence the CDR for the banking sector, known as 'Open Banking'. Obligations related to product data have applied to the Big 4 banks from 6 February and will apply to the non-major banks from 1 July 2020. The disclosure of consumer data to accredited persons under the regime will commence for the Big 4 banks from 1 July 2020, and for non-major banks on either 1 November 2020 or 1 February 2021 (depending on their accreditation status).
  • As expected, the ACCC has not made any significant changes to the final Rules, compared with the 'Lock-Down' version it provided to the Treasurer for approval last September. However, banks should consider how the slightly refined scope of an eligible CDR consumer under the Rules will impact the development of internal CDR policies and procedures.
  • Despite the Rules being formalised, they are still not final and we expect the ACCC to continue developing these as the regime matures. For example, the ACCC has already requested feedback on its proposed implementation timeframe for non-major banks, and is currently developing new Rules to accommodate additional CDR participants, and adapting the existing Rules to suit additional sectors of the economy as they become designated (eg the energy and telco sectors).

Who in your organisation needs to know about this?

Legal, risk and compliance, as well as IT and customer relations teams, should be aware that Open Banking commenced on 6 February 2020, with implementation commencing in phases over the next one to two years (and the energy and telco sectors to follow).

Has anything changed since the 'Lock-Down' version of the Rules?

Apart from updating the staged application dates for Open Banking (which we discuss in greater detail below), the ACCC has made almost no substantive changes in the final Rules to the 'Lock-Down' version submitted to the Treasurer for approval last September.

The regulator has, however, chosen to slightly modify the definition of an eligible CDR consumer for the banking sector. That is, for certain accounts that are held in the name of a single person (the account holder), but on which more than one person is authorised to make transactions, the eligible CDR consumer will only be the account holder. Authorised deposit-taking institutions (ADIs) may need to consider this internally as they develop and maintain CDR-specific policies and procedures.

Staged application of the Rules for the banking sector

With the release of these Rules, the ACCC has also clarified when the various data disclosure obligations under the regime are set to apply. For the Big 4 banks:

  • obligations to share product data commenced on 6 February 2020;
  • obligations to share consumer data with accredited persons will commence from 1 July 2020; and
  • obligations to share consumer data directly with consumers will commence from 1 November 2020.

For non-major banks, the question of when these disclosure obligations are set to commence will depend on whether the bank chooses to become accredited under the CDR regime. Where an ADI does become accredited, the Rules currently require the bank to share consumer data from 1 November 2020. Non-accredited ADIs will need to commence sharing consumer data from 1 February next year. In any event, all ADIs will need to share various types of product data (the scope of which will depend on their accreditation status) from 1 July 2020.

Bearing this in mind, since the release of the Rules, the ACCC has already indicated that the proposed timetable for the commencement of consumer data sharing for non-major banks remains subject to change. Specifically, this timetable may be pushed out until next year (so that consumer data sharing obligations will commence for accredited ADIs from 1 February 2021, and for non-accredited ADIs from 1 July 2021). As such, the regulator is currently seeking submissions from the industry on a revised timetable for participation of the non-major banks.

The Rules are being constantly developed and will change over time

Despite their recent formalisation, the Rules should be viewed as an instrument that will be constantly updated and maintained as the regime matures. For example, while multi-party authorisations for joint accounts are currently an optional feature of the regime for the banking sector, the regulator expects this to become mandatory in future iterations of the Rules.

On a more general scale, the ACCC is currently holding consultations on facilitating the participation of 'intermediaries' under the regime. These participants would collect, or facilitate the collection of, CDR data on behalf of accredited persons. This may cover service providers who filter or process transaction data for the relevant data holder (although it is not yet clear how the concept of an 'intermediary' will be distinguished from the existing concept of an 'outsourced service provider' under the Rules). Separately, the ACCC is also considering the ability for consumers to direct the sharing of CDR data to certain non-accredited third parties, such as accountants and lawyers.

Actions you can take now

  • Non-major banks that haven't already done so will need to consider whether to become accredited under the regime in order to access and benefit from the data sets that will become available to CDR participants. The same goes for organisations outside the banking sector (eg fintechs, superannuation funds and brokers), who may choose to become accredited and should be reflecting on the various opportunities presented by the access to banking data that is, and will soon become, available under the regime.
  • All ADIs should identify when the various obligations the regime imposes will begin to apply to them – most importantly, how these obligations will apply depending on your accreditation status, the products you offer and the types of data you hold about consumers.
  • Stakeholders in the energy sector should reflect on how the current CDR framework might impact them if and when the regime is expanded to cover this sector. That is, stakeholders should consider actively engaging in the various consultation processes the ACCC is holding in relation to how the CDR should apply to the energy sector.