- clarify how the CDR rules require data holders to assess eligibility of CDR consumers where a data holder provides products across multiple brands or digital channels
- outline the implications of eligibility being assessed at the data holder level and invite input from participants on any associated implementation issues, and
- clarify ACCC expectations about data holder management of dashboards and authorisations under a multi-brand model.
This article provides guidance to data holders on assessing eligibility of CDR consumers in the banking sector, in accordance with the CDR Rules.
We understand that some data holders may experience challenges with assessing consumer eligibility as required by the CDR Rules. Data holders have indicated there may be technical complexities associated with identifying consumers across different brands; and sharing data from closed accounts in circumstances where a consumer has open eligible accounts with one brand, and only closed accounts with a different brand of the same data holder.
The ACCC is liaising with Treasury on these challenges. Treasury has policy responsibility for CDR and is responsible for developing the CDR Rules. Further feedback on implementation challenges can be provided to Treasury at firstname.lastname@example.org.
Alternatively, if you are concerned about compliance, you can contact the ACCC on email@example.com.
Under the CDR rules, consumer eligibility is assessed in relation to the ‘data holder’, which, in the banking sector, is defined as an authorised deposit taking institution (ADI) . Data holders are required to onboard their brands in a way that supports their market presence (i.e. reflects the brands under which products are marketed by the data holder and which are readily recognised by consumers) in accordance with their CDR obligations. Information on how this can be achieved is available in this article.
A CDR consumer is eligible in relation to a data holder in the banking sector if the CDR consumer is:
- 18 years of age or older (or is a person who is not an individual) and is an account holder or secondary user for an account with a data holder that is open, or
- a partner in a partnership for which there is a partnership account with the data holder that is open; and
- in either case, has online access to an account with the data holder .
Because eligibility is assessed at the data holder level, if a CDR consumer is eligible because they have at least one account that meets the criteria above, then all accounts the CDR consumer holds with the data holder must be available for CDR data sharing, regardless of whether those accounts are open or closed, or held across multiple brands (or ‘digital channels’) of the data holder.
Dashboards and authorisations
If the CDR consumer has more than one account with the data holder, and those accounts are on the same brand, then a single dashboard for those accounts must be provided.
If the CDR consumer has more than one account with the data holder, and those accounts are across multiple brands, then the data holder can require the CDR consumer to authorise CDR data sharing for each distinct brand in a way that aligns with how the CDR consumer ordinarily interacts with those separate brands (so long as this also complies with the rules and any other data holder obligations) .
This may include requiring the consumer to use separate dashboards for separate brands. Data holders should have regard to their obligations in relation to consumer dashboards, including the requirement for dashboards to be simple and straight forward to use (rule 1.15(1)(c)).
Where multiple products are held across multiple brands, those products may be held by an individual and a non-individual (e.g. a company). In those circumstances, eligibility is determined separately as the individual and non-individual are separate CDR consumers and we expect separate dashboards would be provided for the individual and the non-individual.
Terry is over the age of 18 and has five accounts across multiple brands of Cherry Bank (the data holder):
- a personal account (P1) on Cherry Bank’s personal brand, Cherry Personal, that Terry holds as an individual and can access online
- a personal account (P2) held with Seed Bank, another brand of Cherry Bank. Seed Bank is not a separate legal entity or an ADI in its own right and therefore not a separate data holder under the CDR rules
- a business account (B1) on Cherry Bank’s business brand, Cherry Business, that Terry holds as an individual but cannot access online because he has not set up his online login details for Cherry Business
- another business account (B2) with Cherry Business, that Terry held as an individual but has been closed for 6 months, and
- an agribusiness account (B3) on Cherry Bank’s agribusiness brand, Cherry Agribusiness, that is held by a company Terry’s Tomatoes Pty Ltd of which Terry has account authority.
Terry is over the age of 18 and has at least one account with Cherry Bank that he can access online (the personal account P1). This means Terry is eligible in relation to Cherry Bank and therefore, CDR data sharing must be available for each of Terry’s accounts that he holds as an individual across all Cherry Bank brands.
However, Cherry Bank can require Terry to separately authorise CDR data sharing for each brand:
- on his personal account (P1) by using Cherry Personal
- on his personal account (P2) by using Seed Bank
- on his business account (B1) by using Cherry Business
- noting Terry may need to set up an online account with Cherry Business for this to be possible
- on his business account (B2) by using Cherry Business
- for the avoidance of doubt, we note that Cherry Bank must enable data sharing in relation to required consumer data for Terry’s business account (B2) despite that account being closed .
As the account held on Cherry Agribusiness (B3) is held by the company Terry’s Tomatoes Pty Ltd (which is a non-individual for the purposes of r 1.10B(1)), Cherry Bank must make a separate determination as to whether Terry’s Tomatoes Pty Ltd is an eligible CDR consumer.
If Terry’s Tomatoes Pty Ltd is determined to be an eligible CDR consumer, a nominated representative must be appointed to engage with CDR on behalf of the business. For more information see the Nominated representatives of non-individuals and partnerships in CDR fact sheet.
 Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019 section 5(2).
 See Rules 1.10B and Schedule 3 Part 2, section 2.1 as well as accompanying sections in the Competition and Consumer Act 2010 subsection 56AJ, and 56 AC(2)(a).
 For example, if a data holder provides a consumer dashboard under r 1.15, r 4A.13(2) requires the service referred to in r 4A.13(1) to be contained in that dashboard.
 See clause 3.2(5) of schedule 3 to the rules to learn more about required consumer data in relation to closed accounts.