Question
For Credit Cards, we assume that only the Owner of a Credit Card can share and view their data for that Credit Card and that Additional Cardholders would not be able to view or share data for the same Credit Card account as they are not considered to be owners of the liability and therefore should not be entitled to share that data.
Example: I'm a Sole Trader with a small business credit card and I have 2 additional card holders that I also share my Credit Card Limit with. I as the sole trader (individual) will have the ability to view and share my data for this particular account. I would not expect that any additional card holder can view or share the data as it is my liability.
Is this assumption correct?
Answer
Under the CDR Rules, an individual CDR consumer who is an account holder can nominate someone to be a secondary user who can authorise data sharing from the account.
In your example, if the account holder is an individual (including a sole trader who holds the account as an individual), the secondary users rules mean that each Additional Cardholder who is an eligible consumer (as defined in rule 1.10B and clause 2.1 of Schedule 3 of the rules) may be permitted to share CDR data relating to the account with accredited persons. This is possible where the account holder approves of them doing so by making a ‘secondary user instruction’ (rule 1.15). For more information, see Secondary users in the banking sector – Fact sheet.
Other business consumers (such as non-individuals and business partnerships) and sole traders who hold accounts in their capacity as a business may nominate individuals to have the ability to share CDR data (nominated representatives). A nominated representative is able to give, amend and manage authorisations to disclose CDR data on behalf of the business. Refer to guidance on Nominated representatives, non-individuals and partnerships for more information.
Comments
2 comments
How does this work in the case of a large corporate? Typically, each user has a set of entitlements through which they have access only to specific accounts. Also, it may not be possible to nominate a few users as 'super-users' as we are talking about hundreds of accounts, some of which may be confidential or with very restricted access. Can CDR rules overwrite corporate entitlements?
If the additional cardholder only has access to transact but no access to account information such as balance, payee, direct debit, etc., are they still eligible for selection as a secondary user? If so, this could potentially create a loophole exposing information to the secondary user via Open Banking.