Note: this article has been co-authored by the Australian Competition and Consumer Commission and the Data Standards Body
Ceasing secondary user sharing
This knowledge article provides guidance on the requirement in the CDR Rules to allow an account holder to indicate that they no longer approve disclosures initiated by a secondary user to a particular accredited person. This is distinct to the requirement to allow an account holder to withdraw a secondary user instruction.
- The rules require data holders to provide an online service that allows an account holder to indicate they no longer approve CDR data relating to their account being disclosed to a particular accredited person in response to a consumer data request made by a particular secondary user (rule 1.15(5)(b)(i)).
- This indication would apply universally to all authorisations by that secondary user to disclose to that particular accredited person, and would apply immediately and for future authorisations.
- This indication applies to the accredited person legal entity and all of its brands and software products.
- The rules do not require data holders to provide a functionality that allows this indication to be reversed.
- The rules do not require data holders to allow an account holder to stop secondary user sharing in relation to a particular authorisation but data holders are permitted to provide that additional functionality.
- Noting the above may raise complexities from a technical and CX perspective, Treasury is considering rule changes in this area and we welcome further feedback from participants.
- We encourage data holders who expect to experience compliance issues to contact the ACCC at accc-cdr.gov.au.
Rule 1.13(1)(e) requires a data holder to provide a service an account holder can use to make or withdraw a secondary user instruction. This service may be provided online or offline; however, we encourage data holders to provide this service online as rule 1.15(5) requires the data holder to provide an online service to the account holder with a variety of functions related to secondary users once there is a secondary user on an account. In accordance with rule 1.15(7) if the data holder provides a consumer dashboard for the account holder, the online service must be included in the consumer dashboard.
The functionality required by rule 1.15(5) includes:
- the online service must allow for the withdrawal of a secondary user instruction (Rule 1.15(5)(b)(ii)); and
- the online service must allow the account holder to stop sharing at any time 'in relation to a particular ADR' in response to requests made by a particular secondary user, in accordance with 4.6A(a)(ii) (rule 1.15(5)(b)(i))
The withdrawal of a secondary user instruction is separate to what rule 4.6A(a)(ii) outlines. Rule 4.6A(a)(ii) explains that a data holder must not disclose CDR data to a particular accredited person if their request was made on behalf of a secondary user of the account and the account holder has indicated that they no longer approve CDR data relating to that account being disclosed to that particular accredited person.
Giving this indication allows the account holder to stop current and future data sharing under an existing arrangement by that secondary user to the particular accredited person.
The purpose of this is to allow the account holder to stop the sharing of data from an account by a secondary user with a particular accredited person, while still allowing that secondary user to share information from that account with other accredited persons. The intention is to give the account holder control over which accredited persons can receive data from a secondary user of their account.
Data holders are only required to provide the functionality outlined in rule 4.6A(a)(ii) once a consumer data request has been received from a particular accredited person on behalf of a secondary user in relation to the relevant account.
In addition, under the functionality described in the rules and data standards, if the secondary user’s authorisation covers more than one account, data sharing would only stop for the relevant secondary user account(s) nominated by the account holder and not from other accounts covered by the authorisation.
If, for example, the specific secondary user has 3 separate authorisations with the same accredited person, then rule 4.6A(a)(ii) would require the sharing of CDR data from the relevant account to stop for all 3 authorisations. When giving an indication under 4.6A(a)(ii) the account holder should be made aware that they are choosing to stop the sharing of data by a secondary user with a particular accredited person and the implications of this.
The reference to a particular accredited person refers to the relevant accredited legal entity, rather than a specific software product or brand of the legal entity. As such, if a secondary user is sharing data with a specific brand of a legal entity, an indication under rule 4.6A(a)(ii) would result in CDR data no longer being disclosed to the legal entity in general and any brands and software products registered under that legal entity. In relation to different accreditation models, such as the CDR Representative model, this means that if an account holder gave an indication under rule 4.6A(a)(ii) that they no longer approve CDR data relating to that account being disclosed to a particular accredited person, data sharing would need to cease with all of the CDR representatives of that accredited person.
The rules do not require data holders to provide a functionality to the account holder for an indication under rule 4.6A(a)(ii) to be reversed or ‘unblocked’. In addition, a secondary user cannot re-initiate information sharing through a consent amendment or a new consent with that accredited person once the account holder has made the relevant indication.
Where the account holder or another secondary user has authorised a separate data sharing arrangement to the same accredited person on the same account, those data sharing arrangements can continue as rule 4.6(a)(ii) only applies to a particular secondary user in relation to a particular accredited person.
The rules do not require a data holder to allow an account holder to stop secondary user sharing in relation to a specific authorisation, but a data holder can choose to provide this functionality in addition to the functionality required by rule 1.15(5)(b)(i). Importantly, if supported, this action would only cease data sharing in relation to the specific account and would not result in the secondary user’s authorisation itself being revoked by the account holder. In this sense, this optional functionality would operate in a way that is analogous to the removal of a joint account approval.
Feedback and further guidance
The Secondary users in the banking sector FAQ provides further guidance on the implications of an account holder no longer approving of a particular data sharing arrangement and withdrawing a secondary user instruction.
Note the CX Guidelines only demonstrate the secondary user instruction withdrawal flow, which must also be provided in the dashboard. The Guidelines do not refer to or seek to demonstrate rules 4.6A(a)(ii) or 1.15(5)(b)(i).
Noting the above complexities from a technical and CX perspective, the rules may warrant revision. This could, for example, result in an amendment that allows account holders to cease secondary user data sharing for a specific authorisation, which is consistent with equivalent mechanisms in the rules for joint accounts, and for 4.6A(a)(ii) and 1.15(5)(b)(i) to either be optional functionality or an additional requirement.
Treasury, ACCC, and the DSB welcome feedback on the guidance provided to date and any implementation issues experienced by participants.
We encourage data holders who expect to experience compliance issues to contact the ACCC at accc-cdr.gov.au.
The ACCC assesses all submissions for the public rectification schedule to understand the severity of the gap and take further action where necessary. Self-reporting a compliance gap, and inclusion on the public rectification schedule, does not preclude the ACCC from taking further compliance or enforcement action in line with the CDR Compliance and Enforcement Policy either now or in the future. However, when determining what action is appropriate, we take into account whether non-compliance was self-reported. In this instance, the ACCC would also take into account Treasury’s ongoing review of the relevant rules, noting this may change the nature of the obligation.
The ACCC has not to date, and is unlikely to, grant an exemption under section 56GD of the Competition and Consumer Act 2010 (Cth) in the absence of exceptional circumstances or circumstances where not granting an exemption from the obligations would cause unintended or perverse outcomes. Any data holder contemplating applying for an exemption should carefully consult the ACCC’s exemption guidelines and contact the ACCC.