Purpose
This document is designed to assist industry participants identify whether they have data holder obligations in relation to particular brands or branded products they are associated with.
We have also set out a series of scenarios to provide examples of when a particular entity is (or is not) likely to have data holder obligations in relation to products that are not offered under their primary brand.[1]
Overview
For the banking sector, a data holder includes a person who is an ‘authorised deposit-taking institution’ (ADI) that holds CDR data about a product, the user and/or the use of a banking product. APRA maintains a Register of ADIs.[2]
Entities that have been granted the authority to be an ADI will have data holder obligations in relation to information about products, which they may offer under another brand name.
For the banking sector, these products are those that are ‘publicly offered’ and are listed in clause 1.4 of Schedule 3 of the CDR Rules. For assistance in identifying whether a particular product is in scope for the CDR, including whether it is ‘publicly offered’, please see guidance for data holders — assessing whether a product is in scope for CDR.
An entity that is not an ADI will not be considered a data holder in the banking sector unless they are accredited as a data recipient by the CDR Data Recipient Accreditor (accredited non-ADI).
For more information about a data holder’s obligations, please see compliance guidance on the CDR website.
Branded product scenarios
The following table sets out hypothetical scenarios to provide examples of when an entity is likely or unlikely to have data holder obligations in relation to differently branded products.
Please note that the following scenarios are not exhaustive and are provided for illustrative purposes only. It is critical that individual entities obtain their own legal advice as to whether they have data holder obligations under the CDR and, if so, the scope of those obligations.
# | Scenario Description | Scenario type | Assessment and conclusion |
A |
XYZ Products is a registered business name of ABC Bank, meaning ABC Bank is the brand owner of XYZ Products. ABC Bank is a non-major ADI. It offers a range of banking products under its XYZ Products brand, including savings accounts, term deposits and personal credit card accounts.
|
ADI publicly offers phase 1 products under a registered trading name |
In this scenario, ABC Bank is the legal entity/data holder and XYZ Products is a data holder brand. ABC Bank has data holder obligations in relation to its XYZ Products branded products because of the following factors:
As ABC Bank’s XYZ branded products are publicly offered products categorised as ‘phase 1’ products in the CDR rules, its data holder obligations in relation to its XYZ branded products commenced on 1 July 2021. This means ABC Bank must have been on-boarded for its XYZ Products brand by this date. |
B |
DEF Insurance is a registered business name of ABC Bank, meaning ABC Bank is the brand owner of DEF Insurance. ABC Bank offers a range of insurance products under its DEF brand, including home, car and travel insurance. |
ADI publicly offers non-banking products under a registered trading name |
ABC Bank does not have data holder obligations in relation to its DEF branded products because insurance products are not currently in scope for the CDR as they are not listed in the CDR rules. |
C |
GHI Loans is a registered business name of ABC Bank, meaning ABC Bank is the brand owner of GHI Loans. ABC Bank is a non-major ADI. It offers a range of home loan and personal loan products under its GHI Loans brand.
|
ADI publicly offers phase 2 products under a registered trading name |
In this scenario, ABC Bank is the legal entity/data holder and GHI Loans is a data holder brand. ABC Bank has data holder obligations in relation to its GHI Loans branded products because of the following factors:
As ABC Bank’s GHI Loans branded products are publicly offered products categorised as ‘phase 2’ products in the CDR rules, its data holder obligations in relation to its GHI Loans branded products commenced on 1 November 2021. This means ABC Bank must have been on-boarded for its GHI Loans brand by this date. |
D |
Wings offers personal and business credit cards to consumers. Wings is an airline company and is not an ADI. Town Bank is a non-major ADI and issues these credit card products on behalf of Wings. When a consumer wishes to obtain a Wings Airlines credit card, Town Bank enters into a contractual agreement with the consumer.
|
A non-ADI (Brand Owner) markets banking products, which are issued (manufactured) by an ADI (White Labeller). |
In this scenario, Town Bank is the white labeller/data holder and Wings is considered the brand owner. Unless Wings becomes an ADI or an Accredited Data Recipient, it will not be considered a data holder for the Wings branded credit cards. It is Town Bank that will be considered the relevant data holder in relation to the Wings branded credit card products as it is the ADI responsible for issuing the white label credit cards on behalf of Wings to its consumers. For more information about white label products and data holder obligations, see approach to disclosure of consumer data: white label products. As personal and business credit cards are listed as ‘phase 1’ products in the CDR Rules, Town Bank’s data holder obligations in relation to these white labelled products commenced on 1 July 2021. This means Town Bank must have been on-boarded for its Wings white labelled products by this date. |
E |
Little Village Bank, an ADI, offers a range of banking products to consumers. However, in relation to its personal credit card products, it obtains these from Town Bank under a white label arrangement. This means Town Bank issues Little Village branded credit cards to consumers on Little Village’s behalf. When a consumer wishes to obtain a Little Village credit card, Town Bank enters into a contractual agreement with the consumer. |
An ADI (Brand Owner) markets banking products, which are issued (manufactured) by another ADI (White Labeller). |
In this scenario, Town Bank is the white labeller/data holder and Little Village Bank is considered the Brand Owner who may also hold CDR Data about the consumer. Although both Little Village and Town Bank are ADIs in their own right, to avoid any unnecessary duplication, it is the ADI with the contractual relationship with the consumer for the publicly offered product who will be considered responsible for enabling consumer data requests in relation to Little Village’s personal credit card products. This means Town Bank would be considered the responsible data holder in this scenario. As personal and business credit cards are listed as ‘phase 1’ products in the CDR Rules, Town Bank’s data holder obligations in relation to these white labelled products commenced on 1 July 2021. While Town Bank is responsible for making the data available it does not preclude Town Bank and Little Village entering into an agreement on how this is achieved. |
F |
Llama Finance offers savings accounts, transaction accounts and home loans to consumers. Llama Finance is not an ADI. Llama Finance is a wholly owned subsidiary of North Bank, which is a non-major ADI. North Bank issues all of Llama Finance’s banking products on its behalf. |
A non-ADI subsidiary (Brand Owner) markets banking products, which are issued (manufactured) by its ADI parent company (White Labeller) |
In this scenario, North Bank is the white labeller/data holder and Llama Finance is considered the Brand Owner. Unless Llama Finance becomes an ADI or an Accredited Data Recipient, it will not be considered a data holder for the Llama Finance branded banking products. It is North Bank that will be considered the relevant data holder in relation to the Llama Finance’s branded banking products as it is the ADI responsible for issuing the white label products on behalf of Llama Finance to its consumers. For more information about white label products and data holder obligations, see approach to disclosure of consumer data: white label products. As savings and transactions accounts are both listed as ‘phase 1’ products in the CDR Rules, North Bank’s data holder obligations in relation to these white labelled products commenced on 1 July 2021. This means North Bank must have been on-boarded for its Llama Finance white labelled products by this date. |
G |
Lion Loans offers home loans to consumers. Lion Loans is not an ADI. Lion Loans is a wholly owned subsidiary of South Bank, which is an ADI. South Bank issues some of Lion’s banking products on its behalf. Lion Loans also obtains home loan products from other ADIs and non-ADI lenders |
A non-ADI (Brand Owner) markets a range of banking products which are issued (manufactured) by its Parent ADI, other ADIs or non-ADI lenders. |
In this scenario, South Bank is the white labeller/data holder and Lion Loans is considered the Brand Owner. Unless Lion Loans becomes an ADI or an Accredited Data Recipient, it will not be considered a data holder for the Lion Loans branded banking products. As an ADI, it is South Bank that will be considered the relevant data holder in relation to the Lion Loan’s branded banking products it is responsible for issuing on behalf of Lion Loans to its consumers. If Lion Loans obtains home loan products from other ADIs, those ADIs will be considered responsible for meeting the data holder obligations in relation to those products they issue on Lions’ behalf. However, where Lion Loans obtains products from non-ADI lenders, those non-ADIs will not be considered data holders for the purposes of the CDR (unless they become accredited). For more information about white label products and data holder obligations, see approach to disclosure of consumer data: white label products. As home loan products are listed as ‘phase 2’ products in the CDR Rules, data holder obligations in relation to these white labelled products commenced on 1 November 2021 for both South Bank and any other ADIs white labelling home loans for Lion. This means South Bank and any other relevant ADI that provides white label products to Lion Loans must have been on-boarded for its Lion Loans white labelled products by this date. |
H |
Beta Loans is a wholly owned subsidiary of Alpha Bank (an ADI) that operates under its own ABN. Beta Loans is not an ADI in its own right. Beta Loans provides home and personal loan products to Tip Top Lenders. |
A non-ADI white labels banking products to other non-ADIs. |
Beta Loans will not be considered a data holder in this scenario unless they become accredited. This is because:
As Beta Loans is not an ADI that offers in-scope products, it is not considered an entity with data holder obligations. |
I |
Big Bank provides a range of business finance products and lines of credit (business) to Beta Loans to help it meet its own business needs, including its provision of loans to consumers. To obtain these business banking products, Big Bank and Beta Loans engaged in a highly detailed negotiation process and designed a tailored contractual arrangement that is not generally offered to others. |
An ADI makes a negotiated offer to provide banking products to another non-ADI. |
Although Big Bank is an ADI that is offering Beta Loans ‘phase 3’ products, it is unlikely that Big Bank will have data holder obligations in relation to these products. This is because these products is unlikely to be considered ‘publicly offered’ as the products are heavily negotiated and involves a highly bespoke arrangement between Big Bank and its customer, Beta Loans. For more information on identifying whether a product is ‘publicly offered’ or not, please see guidance for data holders — assessing whether a product is in scope for CDR. |
J |
Rudolph Bank, an ADI, offers a range of banking products to consumers. It also issues credit cards under the brand ‘Red’ to several other ADIs, including Dasher Credit Union, Prancer Bank, Dancer Bank and Blitzen Credit Union. |
An ADI issues (manufactures) white labels credit card products under the same brand name to other ADIs |
In this scenario, Rudolph Bank is the white labeller/data holder for the ‘Red’ branded credit cards it issues to the other ADIs. Although all parties in this scenario are ADIs in their own right, to avoid any unnecessary duplication, it is the ADI with the contractual relationship with the consumer for the publicly offered product who will be considered responsible for enabling consumer data requests in relation to the Red branded credit card products. This means Rudolph Bank would be considered the responsible data holder in this scenario. As personal and business credit cards are listed as ‘phase 1’ products in the CDR Rules, Rudolph Bank’s data holder obligations in relation to these white labelled products commenced on 1 July 2021. While Rudolph Bank is responsible for making the data available it does not preclude Rudolph Bank and the other ADIs entering into an agreement on how this is achieved. |
Technical articles
These technical articles may also assist data holders' on-boarding activities.
[1] For the purposes of this guidance, ‘primary brand’ refers to products that are branded with the name/s of, or a name similar to, the name of the ADI.
[2] Please note that for CDR in the banking sector, the following ADIs are not considered data holders: foreign ADIs, foreign branches of domestic ADIs, and restricted ADIs (unless the entity becomes an Accredited ADI) (clause 6.2 of Schedule 3 of the CDR Rules).
Comments
0 comments
Please sign in to leave a comment.