Question
Should account numbers be returned in the response to an API request when the account number does not belong to the consenting customer?
For example:
- Should an accountNumber, as described in BankingDomesticPayeeAccount, be returned in the Get Scheduled Payments Bulk API?
- Should BankingDomesticPayeeAccount be returned in response to the Get Payees API?
As a Data Holder (DH), should we mask the accountNumbers for the payee or the counter party in the API responses, or is the requirement to return unmasked accountNumbers?
Answer
If a consumer has consented to share their payee data with an Accredited Data Recipient (ADR), this data must be shared in accordance with the Consumer Data Standards. Credit Card PANs are masked in payee data, but the accountNumbers of payees are not masked.
See: