Accreditation requirements

A foreign business requires accreditation only if they are:

• collecting CDR data for another business
• providing services to a consumer

A foreign business can be accredited as an unrestricted ADR, an intermediary, or an ADR with a lower tier of accreditation.

The CDR does not impact on existing traditional services, or on associated data sharing arrangements, and does not require accreditation for these.

Foreign Authorised Deposit-taking Institutions (ADIs) do not need to on-board as a Data Holder, unless they are also an Australian ADI, or one of their Australian-incorporated subsidiaries is an Australian ADI.

If a foreign business does need to become accredited to provide services under the CDR, then they must have a local agent and address in Australia.

Other considerations for foreign entities

CDR provisions can apply extraterritorially when a legal person in Australia has been harmed or an act or omission occurs on behalf of an Australian legal person. The CDR Privacy Safeguards apply similarly.