One of the most significant changes to the CDR rollout 5 min read
On 26 September 2022, the Treasury released draft legislation to enable action initiation under the national Consumer Data Right (CDR) regime (AI Exposure Draft). One month later, on 30 November, the Treasury Laws Amendment (Consumer Data Right) Bill 2022 was introduced to Parliament to give effect to these proposed reforms.
Action initiation, often referred to as 'write access', will provide consumers with the power to instruct accredited organisations to initiate actions on their behalf (whereas under the current framework, consumers can only consent to accredited entities being given access to their data in 'read only' form).
If the UK's experience with write access under its own Open Banking regime is anything to go by, this will represent one of the most significant changes to the CDR rollout to date—unlocking the potential for improved functionality and a much broader range of use cases that could provide tangible value and efficiencies to consumers and participating businesses alike.
To refer back to the previous model, click here.
- Action initiation is coming. Treasury has not yet proposed a timeline or go-live date, but judging by previous consultation processes on exposure draft legislation and the rapid pace at which the CDR has been rolled out, we anticipate that action initiation could commence as early as mid to late 2023.
- It will mean big changes for the CDR regime. Action initiation will open up a whole range of new CDR use cases—eg consumers could direct service providers to make payments, open and close accounts, switch providers and update personal details on their behalf. The CDR Rules and privacy safeguards will need to be updated so that consumers can authorise, manage and facilitate these actions safely and securely.
- The CDR will only seek to regulate the 'instruction' layer, but not the 'action' layer. Data holders will not be required to initiate actions on behalf of consumers that they would not otherwise undertake in their usual course of business, or to change their processes for undertaking similar actions outside of the CDR framework. For example, a consumer could not instruct a bank to deposit their money into a high interest savings account if the bank does not offer that type of account as part of its BAU service offering.
- Existing data holders under the CDR in the banking and energy sectors (as well as incoming data holders in the telecommunications and open finance sectors) should be aware of, and prepare for, their incoming obligations as Action Service Providers.
- Legal, Risk and Compliance teams should work closely with technical and operational teams as they implement new systems to enable action initiation.
- Existing accredited data recipients (and other businesses that are considering becoming accredited under, or participating in, the CDR ecosystem) should consider the benefits of pursuing further accreditation as an Accredited Action Initiator to be able to instruct Action Service Providers to take actions on behalf of consumers (with their consent).
- Business and product teams should consider the potential for new revenue streams by expanding their current service offerings through action initiation or creating new solutions connected to their existing platforms/product offering.
The CDR is an initiative of the Australian Government’s Digital Economy Strategy that aims to:
- support an increasingly data-driven economy based on data transactions between consumers, businesses and government; and
- empower consumers to have better control and utilisation of their datasets collected and held by service providers.
So far, the CDR has been implemented via a sector-by-sector rollout, with Treasury designating specific sectors of the economy as data holders that are required to share certain types of data they hold about eligible CDR consumers, pursuant to a valid request from an accredited organisation and the consumer's consent.
The CDR has been in operation in the banking sector for over two years, and has recently commenced in the energy sector. The telecommunications sector will be the next cab off the rank (with Treasury having recently released an exposure draft of the revised CDR Rules for the telecommunications sector, alongside other general operational enhancements to the economy-wide framework).
The CDR rollout has shown no signs of slowing down, with the Government also announcing in January this year that 'Open Finance' would be the next priority area for expanding the CDR. Open Finance would capture targeted datasets held by non-bank lending, superannuation, general insurance and merchant acquiring service providers that have not been regulated under the existing Open Banking regime.
Diagram sourced from The Treasury
New participants in the CDR ecosystem
The AI Exposure Draft contemplates the introduction of two new types of CDR entities:
- Accredited Action Initiators (AAIs) – an entity that receives requests from consumers and instructs an Action Service Provider (defined below) on behalf of a consumer. It is proposed that an AAI would need to be an accredited data recipient (ADR) for data sharing under the existing framework.
- Action Service Providers (ASPs) – existing data holders that are required to act on a valid instruction received from an AAI (as if that instruction came directly from the consumer themselves). The ASP must carry out the requested action if it is a type of action they ordinarily perform in the course of their business. That is, ASPs cannot discriminate between instructions received through the CDR and those received through other channels—but they will not be compelled to perform actions received through the CDR that they could not, or do not, otherwise ordinarily undertake.
Similar to how many data holders can also register as ADRs under the CDR, organisations are able to be both ASPs and become accredited as AAIs.
Instructions and actions (actions won't be regulated)
Action initiation will be made up of two layers:
- the instruction layer, where consumers provide instructions to AAIs to take an action with their data (which is then passed on to an ASP to effect); and
- the action layer, where the ASP then carries out the action in accordance with the consumer's request.
Interestingly though, from a regulation perspective, CDR action initiation is only concerned with the 'instruction layer' of an action, including:
- consumers' requests to give instructions;
- AAIs passing through those instructions to ASPs;
- how ASPs then process the instructions; and
- communication from the ASP back to the AAI (including after the action is performed);
all of which will be regulated under the CDR Rules.
On the other hand, the CDR will not seek to dictate or change how the 'action layer' (ie the ASP's actual performance of the action) is carried out. Instead, existing laws and practices that govern the performance of actions will continue unaffected.
As the instruction layer will sit within the CDR ecosystem, any instructions given by consumers to AAIs, and passed on the ASPs, must relate to data within the bounds of the CDR (ie to CDR data collected via a CDR product or service). Any actions within the action layer would then need to be linked directly to the instructions provided.
Declared action types
Similar to the current designation process for CDR data sharing, it is proposed that the Minister will (following a period of consultation) be able to declare specific types of actions that can be initiated and performed pursuant to a consumer's instructions.
Following a declaration, the Minister would be able to make new CDR Rules for that specific action type, including around consent and authorisations, recordkeeping, reporting and auditing requirements, application of the privacy safeguards, fee charging and accreditation criteria.
The Minister will also declare which classes of data holders will be designated as an ASP (ie obliged to accept instructions from an AAI) for a certain type of action.1
The overseas experience
The UK's Open Banking scheme—which, unlike the Australian CDR framework, applies specifically to the banking sector and is not designed for industry-wide roll out—has included action initiation functionality (referred to under that regime as 'write access') since its inception in 2018.
The greatest proportion of open banking solutions in the UK relate to payments, personal financial management, business financial management, credit decisions and accounting or tax solutions.2 These types of services tend to rely heavily on the use of write access to provide value. For example, open banking-generated payments have allowed customers to pay for goods and services directly from their accounts, rather than using a debit or credit card. By January 2022, over £2.4bn was transferred using this type of open banking payment, significantly reducing the risk of fraud, increasing the speed of payment, reducing the number of customer errors and reducing the costs of transacting overall.3
There are plenty of other examples of write-access in use in the UK, including:
- services to automate payments of bills and invoices;
- services to move funds to ensure there are adequate funds to make payments and maximise interest;
- investment and wealth management capabilities;
- micro-savings applications to round-up purchases and invest the difference; and
- automated saving and accounting tools.4
Write access also presents a significant opportunity for B2B 'intermediary' infrastructure or platform providers. In the UK, 30% of companies with an open banking licence are infrastructure providers that assist with helping other companies bring their customer-facing open banking solutions to market.5 For example, companies that offer white-labelled software platform solutions to enable other companies open banking offerings have experienced significant growth in the open banking era.
Tink – offers an end-to-end white-label solution for payments, transaction aggregation, risk analysis and financial management for customer-facing apps and banks.
Truelayer – provides data access and transfer on the backend via APIs that power consumer-facing propositions (such as Portify and Creditladder).
Possibilities in Australia
Once action initiation is implemented under the Australian CDR ecosystem, a consumer could provide an action instruction to an AAI for an ASP to take a range of actions on their behalf (rather than having to engage with the ASP directly, or arrange for these actions to be completed manually). These could include:
- applying for products;
- making payments from multiple bank accounts (via one third-party);
- switching providers;
- updating their personal details across all providers;
- opening and closing accounts;
- managing their funds; and
- switching services based on CDR data insights.
For businesses, the introduction of action initiation opens up a range of possibilities to develop new, and enhance existing, product and service offerings. For example, a personal financial management provider could use CDR insight data they have gained access to under the regime to date to now proactively assist their customers (with their consent) to meet payments, make micro-investments and manage their funds.
Moneybox allows customers to round up purchases into an investment account—transferring the round ups to an investment offering—where write access is essential to unlocking this solution.
SafetyNet provides a revolving line of credit that is applied to automatically keep a customer’s current account out of overdraft using UK open banking APIs and payment initiation. It is targeted at regular users of overdraft facilities such as small business.
GoCardless provides direct-from-bank-account payment services to individuals and businesses that eliminates card fees, reduces fraud and combats late payments.
Who needs to know about the upcoming action initiation rollout may depend on the type of 'participant' or role that the organisation currently plays (or is looking to play) in the CDR ecosystem:
- For existing and incoming data holders:
- Legal, Risk and Compliance teams should work closely with operational and technical teams in preparing their organisations to comply with an additional suite of obligations once they are designated as ASPs. These include requirements to:
- For existing and potential ADRs (including intermediary platform/infrastructure providers):
- Legal, Risk and Compliance teams should work with operational and technical colleagues in designing functionality to receive requests for consumers and instruct ASPs to initiate actions in accordance with a consumer's valid instructions.
- From a commercial perspective, business and product teams should consider the potential for new revenue streams by expanding on their current service offerings or creating new solutions connected to their existing platforms.
The consultation period for the draft legislation ended on 24 October 2022, and the Treasury is yet to release a firm timeline for the implementation of action initiation.
However, as we've seen with the CDR rollout to date, compliance uplifts require significant time and substantial financial and operational resources—so whether you're an existing data holder set to become an ASP or an ADR looking to be accredited as an AAI, it's never too early to start planning for this new phase of mandatory functionality.
On the flip side, early-mover businesses that seek accreditation as an AAI may be best positioned to leverage the valuable improvements in product functionality that action initiation offers.
Stay tuned for further Allens updates on the timeline for action initiation, changes to the CDR Rules and details of the AAI accreditation process as they become available.
*This Insight was originally published on 17 November 2022 and has since been updated to incorporate new and relevant information.
Exposure draft bill, s 56ACA.
Exposure draft bill, s 56BZC.
Exposure draft bill, s 56BZD.
The ACCC may intervene to determine whether a fee is reasonable under exposure draft bill, s 56BZE.