isTailored and risk-based pricing

What lending rate information should be included in PRD for products that use risk-based pricing. For example, is it acceptable to omit lending rate information where rates are not publicly disclosed on a provider’s website, or should certain baseline information, such as minimum, maximum and representative (mid-point) rates, always be included? Specific questions:

1. Are there any circumstances in which it is appropriate to set isTailored to true for a risk-based priced product? For example, where interest rates are not publicly published.
2. How should this be treated where interest rates are publicly published, including scenarios such as “from 10.99% p.a.” or “between 10.99% p.a. and 20.99% p.a.”?
3. How should this be treated where interest rates are only available through an online quote tool that requires the consumer to provide information, such as their credit score, in order to see a personalised rate?
4. How does this compare with home loan products, where an advertised rate (effectively the maximum rate a consumer would pay) may be negotiated down?
5. Where rates are not publicly published, but other information usually included in lendingRates is available (for example, loan term), where in PRD should that information be included?

We have recently published guidance on Sharing product data in the non-bank lending sector which we consider would largely answer the questions raised. With respect to your specific questions:

1. Please refer to the content in our guidance under the heading Highly bespoke products for information on when the isTailored flag can be used.
2. Please refer to the content in our guidance under the heading How can information about interest rates be shared? for information on sharing single, from or range rates.
3. We encourage data holders to share information about their products that is as accurate, complete, and useful to end users as possible. This could include sharing information that is made available to a consumer after they input specified information into a quote tool on a website. However, we recognise that some products are highly bespoke and require significant amounts of information to be provided by a consumer to determine pricing. In these circumstances, data holders may use the isTailored flag instead of sharing specific rates under CDR. Please refer to the content in our guidance under the headings Highly bespoke products and Products that are not publicly advertised for further information.
4. Advertised rates should be shared as product data under the CDR. Data holders may note in an additionalInfo field that the rates may be negotiated down.
5. As noted in our guidance, where the isTailored flag is used, data holders must still disclose other required product data about the product, such as information about product features, eligibility and constraints. Data holders should also disclose additional product data which would be useful to consumers. Without rates fields, additional detail may be provided in the following areas:
   • Product description field for anything that may be helpful as free-text. e.g. "Our home loan for sole traders is available at personalised fixed rates for terms from 1 to 5 years at up to 90% LVR, and a limit of $3 million dollars."

   • additionalInformation URI fields (or the additional... URI fields) to refer to other sources for additional information -

     • overviewUri
     • termsUri
     • feesAndPricingUri

     Some constraints types may also be relevant -

     • MAX_LIMIT
     • MIN_LIMIT
     • MAX_LVR
     • MIN_LVR
     • OTHER

We note the 'brand' field in the Get Products endpoint can be used –

• as a query parameter - "Filter results based on a specific brand."
• as a product field - "A label of the brand for the product. Able to be used for filtering. For data holders with single brands this value is still required."

At this stage we do not consider your stated approach is necessarily incorrect but we note it is uncommon. If you do decide to use the brand, brandName and brandGroup fields to differentiate products in one URI, it will be important to be mindful of accuracy and consistency, as the ability to use the brand to filter the endpoint response may produce incorrect results if filtering is used and there are mismatches.

Another option may be to have multiple different URLs resolve to the same backend. This would be consistent with the prevailing approach in the CDR (i.e. having a different product URI for each brand) and makes things easier should it become necessary to have different product data for particular white label products in future. In particular, this approach would have the following advantages:

• Any changes wouldn’t be subject to propagation delays induced by the caching described in the Standards. This would be an issue were the URI to change.
• The particular brand that is being queried would be captured, which may have some advantages.

Phase 1 Product Reference Data (PRD) commencement mandatory requirements

1. Are the Get Metrics, Get Service Status, and Get Outages APIs mandatory for Phase 1 PRD-only commencement, or are these obligations deferred until Phase 2 (Consumer Data sharing)?
2. Is a Get Metrics endpoint mandatory for the ACCC to poll if we are only sharing unauthenticated product data? If so, what is the specific reporting frequency and data latency required for Phase 1?
3. Do Phase 1 PRD endpoints (which are unauthenticated) still require a protected mTLS Admin Base URI for the CDR Register to perform health checks or collect metrics?
4. Are we required to implement the Dynamic Client Registration (DCR) APIs during Phase 1, or can the registration of PRD base URIs be managed manually via the Participant Portal?
5. Must we host OIDC Discovery (.well-known) and JWKS endpoints in Phase 1 if we are not yet performing consumer authentication?
6. If using a third-party vendor for PRD, must we provide a separate Admin Base URI for ACCC metrics collection? Does this URI need to reside on our own owned domain?
7. We understand the latency target for the Unauthenticated Tier is 1,000ms (p95). Aside from this and a minimum throughput of 300 TPS, are there any other mandatory NFRs to consider for Phase 1?

1. Please refer to our recently published guidance on ACCC expectations for NBL compliance with Get Metrics, Get Outages and Get Status endpoints.
2. As above, please refer to our recent published guidance on ACCC expectations for NBL compliance with Get Metrics, Get Outages and Get Status endpoints.
3. As outlined in the article above, the Admin Base URI, which hosts the Get Metrics solution, is expected to be made available at the same time as consumer data sharing. There is currently no expectation for it to be made available during Phase 1 alongside the PRD endpoints.
4. DCR is only required for Phase 2, when the remaining authenticated endpoints become available. PRD-only Data Holders are not required to implement Dynamic Client Registration APIs, as these APIs are used to register software products with the data holder for enabling data sharing, which is not obligated until Phase 2. Data Holders can use the CDR participant portal to specify their PRD base URIs.
5. We do not expect that participants need to build the DCR APIs, JWKS endpoint, OIDC Provider Configuration endpoint, or any of the other mTLS/authenticated APIs as there are expected alongside the Phase 2 obligations for Consumer Data Sharing
6. There is currently no obligation to provide an Admin Base URI during Phase 1, as the relevant obligations commence alongside Phase 2 Consumer Data Sharing.
   Additionally, you cannot provide a separate Admin Base URI exclusively for PRD. Even if you engage a third-party vendor for PRD, they would still need to ensure the metrics are consolidated and made available through the Get Metrics solution required under the Phase 2 obligations.
   Whether these endpoints are made available through your own domain or via a service provider domain is ultimately a decision for the participant. However, it is important to note that, when requesting certificates for mTLS endpoints, the Consumer Data Standards require the certificate Common Name (CN) to align with the organisation’s Primary DNS name and this is validated at the time of the certificate issuance that the CN matches your domain information.
7. That’s correct; however, the Products endpoint is not classified as High Priority and therefore follows the unauthenticated tier requirement of 1500ms, rather than the 1000ms indicated.
   Please see the Non-functional Requirements in the CDR Standards.

Redirect to App clarification

1. Desktop initiated journeys
   If a consumer initiates the CDR consent journey on a desktop browser, and the data holder mobile app is available on a separate device:
   Is the expectation that the consumer continues the authorisation journey on the web (desktop), consistent with current flows?
2. Mobile journeys – App vs Web behaviour
   Where a consumer is on a mobile device (either via browser or ADR app) and the data holder app is detected at the time of redirecting from ADR to DH:
   Should the data holder automatically redirect the consumer to the mobile app without presenting an option, or should the data holder provide the consumer with a choice between continuing via web or mobile app?
   Or is the redirect to DH App required only if the consent journey initiated from ADR App?
3. Existing authenticated session vs new authentication
   In the context of Redirect to App:
   If a consumer is redirected to a data holder mobile app where an active authenticated session already exists, should the data holder reuse the existing authenticated session to continue the authorisation flow, or require the consumer to re-authenticate as part of the CDR process?
   Additionally, are there any expectations on how data holders should handle cases where the authenticated session may differ from the consumer who initiated the CDR journey?
4. Customer dashboard (mobile app)
   Regarding the customer dashboard at the data holder:
   Is the channel (web versus mobile app) at the data holder’s discretion, with no additional requirement as part of the Redirect to App obligation?

1. Generally, yes a desktop web flow may continue on desktop, but the data holder may support Decoupled Authentication to provide a better experience for customers (where the consumer can authenticate on mobile, then return to desktop). A mobile web flow would be expected to redirect to mobile app.
2. The standards state: "If a data holder provides an app, the data holder MUST implement Redirect to App in accordance with the relevant consumer experience authentication and security profile standards."
   There are no provisions for asking the consumer the channel in which they would like to continue authentication, but if a data holder provides an app that the consumer doesn't have installed (for example by knowing an app didn't intercept the authorisation request) the data holder may invite the consumer to install the app first. See Common Authentication Standards.
3. There are no standards explicitly preventing this, so it may be possible for an authentication to be assumed from an existing session, but it may also depend on the following:
   1. Could you re-trigger a biometric test, to verify that the current user is still the same person that was initially authenticated?
      1. In relation to this, you may need to consider detail related to Authentication levels and session activity/timing with respect to 'Reauthentication' in Digital ID.
      2. Would you be able to confirm that the existing session was authenticated to a level that would meet any requirements for CDR? (and if not, would a step-up be possible?)
   2. Could the user still access a profile selection feature for CDR purposes, if applicable?
   3. Would there be any impact to CDR metrics requirements in the authentication and authorisation flow?
   4. The standards currently state:
      1. The provided OTP MUST only be used for authentication for CDR based sharing and MUST NOT be usable for the authorisation of other transactions or actions.
      2. From a security perspective the intent may be similar for Redirect to App, so you may need to consider whether an existing authentication in a banking context is able to be used for CDR purposes, and vice versa. You may need to consider any differences for app and web sessions.
4. The requirements for a customer dashboard are unrelated to the redirect to app obligations, so the channel of the dashboard is at the data holders discretion. More information on this in relation to the Energy sector is here - Offline customer guidance.

Brand group field
Please refer to the White Labelled brands in the CDR article for detailed guidance regarding the use of the optional Brand Group field.

Brand groups have been introduced to address significant changes in the demographics of data holder brands within the non-bank lending sector, specifically:

• a dramatic increase in the ratio of data holder brands to holders; and
• an increase in brand owners that have concurrent arrangements with multiple designated data holders (e.g. white label arrangements)

Brand groups are applicable in cases where brand owners have current arrangements with multiple data holders. If brand grouping is to be utilized, all relevant data holder brands should be assigned to the same brand group. Additionally:

• the brand group should be immediately recognisable to the consumer
• the brand group should be chosen to maximise the likelihood of a search match when selecting a provider

Next steps for consideration
We encourage you to consider whether the brand you are registering has an identifiable need to utilise the brand group field in line with the guidance. If you consider it is unlikely to be relevant, it is not mandatory to populate the field with information.

Should you determine that the brand group is pertinent to the brand you are registering, and if "BUSINESS LENDING" and "CONSUMER LENDING" are not suitable options, please enter a new value to establish a different Brand Group.

Solar Sharer Offer (SSO) in CDR Energy Product Reference Data from 1 July 2026
We need to understand the DSB's position on how the SSO should be represented in CDR
Energy Product Reference Data published via Get Account Detail.

EnergyPlanTariffPeriodV2.timeOfUseRates[].type enum currently supports: PEAK \ OFF_PEAK \ SHOULDER \ DEMAND

None of these values can distinctly identify an SSO free-electricity period.

A non-bank lender data holder that commences PRD sharing between 1 July – 31 December 2026 is required to submit their first biannual participant report by 30 January 2027, for the 1 July to 31 December 2026 reporting period.

A non-bank lender data holder that commences PRD sharing on or before 30 June 2026 is required to submit their first biannual participant report by 30 July 2026, for the 1 January to 30 June 2026 reporting period.

Rule 9.4(5) of the CDR Rules provides that the bi-annual reporting periods are:

• 1 January to 30 June of each year; and
• 1 July to 31 December of each year.

Reports must be submitted every 6 months, by 30 January and 30 July each year. For more information see the rule 9.4 reporting page on the CDR website.

The CDR website includes sample reporting forms for Rule 9.4 reporting.

Resources available

What resources can I lean into to make sure that I'm completely up to date and can refer to to make sure that I am meeting obligations?

• DSB Support- This site has a list of DSB support sites and tools
• CDR website - Great starting point to find key information
• Data Standards - links to the technical standards and consumer experience guidelines
• Sign up to the DSB newsletter and ACCC's the Curb newsletter

Assessing whether a product is in scope

How can we discern whether or not a product is covered and whether we're going to need to provide specifications for the product. An example is a wholesale white labelling agreement with loan managers and is not available directly to the consumer or to the public.

Merchant Names: How transaction information can be managed

There is one specific scenario that is both very important to NBLs and also appears to be in a grey area. It is as follows:

• NBL wishes to use merchant information (which is not customer specific) to categorise the transaction
• To identify the merchant the merchantName and merchantCategoryCode are passed to an Large Language Models (LLM) to make a recommendation on the likely type of transaction that would be made with that merchant
• The LLM can make can initiate a web search to find information on that merchant to assist in the recommendation

The concern is not with the LLM, as models are available that can be run in jurisdiction and with no opportunity for the data provided to be shared with a third party. The concern is with the web search that the LLM might perform as this will end up using external web search engines with T&Cs that are not always conducive to the handling of CDR Data as per the rules.

By the time the web search occurs, the search query is going to be exclusively data that is essentially public (MCC and Merchant Name) and is in no way personal to, or attributable to, the customer.

Would the use of an LLM with the web search capability be acceptable under the CDR rules?

The jti value is expected to be a unique identifier for every JWT (see here), so the fact that you changed it, and it was accepted, would appear to be correct.

Your reference to the field being 'modifiable' appears to refer to the table in the Client Registration section.

As some of those fields are not part of the SSA itself, they are not really meant to be subject to the 'modifiable' statement - in particular for jti as the upstream standard requires it to change on every use. I understand that this can be confusing.

There is a standards maintenance issue to address this inconsistency, as outlined in statements -

• Set jti to be 'modifiable'
• jti (may already be assumed to be modifiable to support update requests)
• Separate DCR request body schema with normative fields

We can't provide specific implementation advice, but the following details are relevant to the amendment process -

• Dashboard Standards

• Specifying an existing arrangement (extract below)

  If a Data Recipient Software Product provides the cdr_arrangement_id claim in the request object to the Data Holder's PAR endpoint, the Data Holder MUST revoke any existing tokens related to the arrangement once the new consent is successfully established and a new set of tokens has been provided to the Data Recipient Software Product.

• Revocations initiated by the consumer would normally require the DH to notify the ADR of the revoked arrangement ID. As the amended authorisation would be given the same arrangement ID as the original authorisation, a typical manual revocation notification to the ADR would cause them to revoke amended consent in the scenario you described.
• As an amendment is not expected to involve manual revocation, your scenario may also impact Metrics reporting, in particular -
  • revokedAuthorisationCount: The number of revoked authorisations.

• Most importantly and directly related to the scenario you propose, the rules state:

  4.24 Restrictions when asking CDR consumer to authorise disclosure of CDR data
  When asking a CDR consumer to authorise the disclosure of CDR data or to amend a current authorisation, the data holder must not do any of the following:
  (a) add any requirements to the authorisation process beyond those specified in the data standards and these rules;
  (b) provide or request additional information during the authorisation process beyond that specified in the data standards and these rules;
  (c) offer additional or alternative services as part of the authorisation process;
  (d) include or refer to other documents.
   

The standards do not support an experience where the consumer would be informed of a need to revoke an authorisation as part of an amendment.

The Treasury provided the below update post-call:

The introduction of a possible de minimis threshold for the banking sector is still under consideration by the Government. As noted previously, this work is only examining arrangements for the banking sector. Changes to other sectors are not being looked at.

I would like to know if FDOs will be published for the Data Holders to start using the new versions of the following Register endpoints.
If not, is there a page where I can find information about when the existing versions will get retired?

1. Get Software Product Statuses (V3)
2. Get Data Recipients Statuses (V3)
3. Get Data Recipients (V4)

The build phase is in progress our indicative delivery dates as of today are:

Pre-production July 2026
Production August 2026

Communications channels

• MSUG - Market Systems User Group (Every 6 weeks)
• Implementation Forum (Held Monthly NEM Reform Changes)
• ITF - Industry Testing Forum WEM (Targeted dates as communications come available)
• ITDF - IT Development Forum (Gas Markets Monthly)
• AEMO Support Hub Bulletins closer to Go-Live dates

Special note the Legacy URL's and new URLs will run in parallel until late December 2026.

First Question: Products with rate ranges.
I'm just keen to understand what the schedule is for the DSB and the Chair are to address support for products with rate ranges as it is a pressing issue for the viability and usability of the data once the PRD is published.

Second Question: Campaigns for NBLs that do short-term campaigns.
There are generally two approaches that NBL's are considering:

1. When there's a campaign, they'll do a duplicate product just for that campaign. And they'll put an effective date, start date and end date and give it a new name, etc. So it'll appear in the PRD for a period of time with effective date and start date related to the campaign with eligibility criteria indicating eligibility and how you can apply for it under the campaign.
2. Keep the product that is the subject of the campaign and just republish it with a new discounted rate with the appropriate additional info associated with it. And then when the campaign is over, they'll republish again and remove it. So effectively, as the campaign becomes available and then ceases to be available, the core product gets updated.

I just wanted confirmation that both of these seem completely viable under the DSB standards.

Previous guidance and comments are here:

• Definition of 'status' and how health check status can be determined?

  The "status" is the state of the CDR implementation including all APIs and Information Security components.

• #367 - Consultation Draft 367 - March 2025 Rules - Draft Standards

  As suggested in another comment, Status and Outages detail may remain relevant for Data Holders that only provide product data. It should be noted that Get Status and Get Outages are included in the 'High Priority' performance tier for the purposes of Get Metrics reporting, and the Get Metrics endpoint itself is in the 'Unattended' tier.

Testing with Data Holders - Production
 

• How can a Data Recipient test each Data Holder brand connection to ensure it is working as expected without requiring a live test with a real bank account?
• What is the recommended approach for validating connections across multiple banks before moving into production?

We are not be able to provide specific guidance as to a recommended approach but general approaches are:

• For issues with bank connections, try contacting the banks for support, (Contact details are available on Current providers)
• Check whether banks have outstanding items on the rectification schedule that may explain any inconsistency in their implementations (See Rectification schedule - active data holders with implementation gaps)

There is more detail on testing in the following sources:

• Information for accredited data recipients (in particular, see items 3-6 and 17-21, here)
• Testing tools
• DSB development tools and demos

You may also find further insight into this situation on the following Standards Maintenance issue, where you can add comments to continue the discussion if you wish:

• #558 - The Data Holder PVT Problem

The example you provided appears similar to scenario 1(c) in the Third-party data sharing use cases article, whereby:

1. the accredited data recipient (ADR) first discloses the CDR data to the consumer as is permitted by rules 7.5(1)(a) and (d) of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules)), such as by presenting the CDR data to the consumer in the ADR’s app/tool
2. the consumer then decides to share their CDR data with a third party.

It is important that it is the consumer and not the ADR, who initiates this process and on-shares their CDR data with the third party.

As the consumer is not regulated by CDR, they can decide to share their data to whoever they wish. While CDR consents are not relevant to the consumer’s sharing of their data, the article notes the following:
 

Where a consumer shares CDR data outside of the ADR’s app/tool, it is critical that this be a result of an informed consumer choice. It is important that consumers understand the implications of this, and freely and voluntarily elect to that data being shared. ADRs should clearly explain to consumers that shared CDR data that leaves the ADR’s app/tool will be handled in accordance with any applicable privacy legislation such as the Privacy Act 1988, and that consumers should check the third party’s data handling policies such as their Privacy Policy.

In addition to or as an alternative to this, an ADR can seek a CDR consent in accordance with the CDR Rules (noting rule 4.12 restricts the seeking of CDR consents in certain circumstances). If an ADR wishes to disclose a consumer’s CDR data based on a CDR consent, it would be limited to the permitted uses and disclosures set out in rule 7.5 of the CDR Rules, such as those made under a disclosure consent.

Privacy

In your example, we understand the consumer would be sharing the data in a way in which it is taken outside of the ADR’s app/tool and is sent to the third party. Generally, the CDR privacy safeguards would not apply to the data that is in the third party’s hands however, other privacy laws such as the Privacy Act may apply depending on the third party’s circumstances.