Data holder white label arrangements bring a new set of considerations for data holders representing their organisation and relationships in the CDR. These relationships must align to the CDR rules and be recorded in the CDR Register.

For foundational knowledge on how brands are modelled in the Consumer Data Right Register, please refer to article: Brands in the Consumer Data Right Ecosystem

The Data Standards Body presented a set of common brand relationships and white label scenarios in Noting Paper 169.

This paper provides technical commentary on these scenarios and how they are recorded in the CDR Register.

 

Background

Industry has requested ACCC guidance on how to be compliant with CDR where white labelled products are concerned.

Rules guidance on White Labelled products was provided for Product Reference Data (PRD) in a CDR Newsletter on 22 July 2020, and Consumer Data on 23 December 2020.

 

Clarification

Clarification on references to ‘Data Holder’ in the Consumer Data Standards and it’s correlation to the CDR Rules and CDR Register has been made in the article Brands in the Consumer Data Right Ecosystem. Please refer to it to for context on use of ‘Data Holder Brands’ in this article.

 

Guidance on the ACCC Rules

At a high level, consumers take up products offered by a brand owner which can be manufactured by a white labeller:

• White labellers are often ADIs, who also market products under their own brands.
• Some brand owners are ADIs, but many are not
• A consumer’s contract is typically with the white labeller, but in many cases the consumer is primarily or exclusively aware of the brand owner’s brand.
• White labellers are usually responsible for complying with existing regulatory obligations, and in most cases white labellers hold most/all product and consumer data.
• There are diverse models for white label products in the market.

The flow of data between a White Labeller, Brand Owner and Consumer is illustrated in Figure 1. This includes the potential for data being augmented or generated by the brand owner.  The brand owner is the consumer facing entity that typically interacts with the consumer.

 

Figure 1: White labelling data flows.

 

Data Standards Body (DSB) Noting Paper 169 presented ACCC’s Rules guidance on white labels in addition to DSB clarification on how brands should be interpreted in five technical scenarios.

• Scenario 1: Secondary Master Brand
  Where a legal entity owns more than one data holder brand, which are unique and easily distinguished by consumers
• Scenario 2: Distribution only brand
  A Data Holder Brand presents separately marketed lines-of-business such as retail and business
• Scenario 3: Full-service White Label brand
  Non-ADI Brand Owners market brands which are fully serviced by their White Labeller
• Scenario 4: Portfolio extension
  Shared obligations of a Brand Owner Data Holder (ADI) and White Label Data Holder (also an ADI)
• Scenario 5: Portfolio extension with separate authentication
  A Brand Owner retails many products from different White Labellers and provides a portal to allow their customers to navigate to the appropriate retail channel

 

Example white label arrangements

Data Holder Brands used in this knowledge article to illustrate examples

For the purposes of illustration, several fictitious data holder brands are presented in this paper to explain a number of variations in white label arrangements.

 

Table 1: Fictitious Brand Names and entity type

Brand	Brand Name	Type of Entity	Data Holder?
	ABC Bank	ADI Brand Owner and ADI White Labeller	Yes
	bankACT	ADI Brand Owner	Yes
	Bank of Dandenong	ADI Brand Owner	Yes
	Beyond Airways	Non-designated Brand Owner	No
	Credit Bank	ADI White Labeller	Yes
	Fresh Money	Non-designated Brand Owner	No
	Happy Bank	ADI Brand Owner	Yes
	Homely	Non-designated Brand Owner	No
	Occa	Non-designated Brand Owner	No
	AgriBank	ADI Brand Owner	Yes

 

 

Scenario 1: Secondary Master Brand

Example 1: ADI owns and operates other master brands which are also ADIs

Australian Banking Corporation (ABC) is a large bank which owns a number of smaller regional banks including Bank of Dandenong and bankACT.

 

Bank of Dandenong and bankACT are both ADIs and hence are designated DHs in the CDR as shown in Figure 2.

 

Figure 2: Relationship between ADIs and secondary master brands

 

Although ABC owns both bankACT and Bank of Dandenong, both subsidiary banks are presented to the market as separate data holder brands and they are both designated Data Holders in the CDR. Each master brand is presented as a separate brand in the brand selection step for consumers undertaking the consent flow with an ADR.

 

Example 1 Commentary

Whether they share some or all of their IT infrastructure with their parent bank, ABC, these secondary master brands are distinct bank brands available in the market. Consumers would be able to access data held by those non- primary brands under the CDR similarly to how they interact with those brands via their internet banking channels today.

However, for all intents and purposes, the banking brands operate separately in the market and the customer logs into each bank using separate credentials.

For example, logging into ABC would not show the customer accounts they hold with Bank of Dandenong.

As each bank brand is separately known to consumers in the market, these would show up as distinct entries in the “Brand Selection/Choose your bank” stage of the consent flow. This is based on how the banks are recorded in the CDR Register as Data Holder Brands.

 

Figure 3: Brand selection for non-primary brands

 

CDR Register

Within the CDR Register, this scenario is represented using a legal entity owning and managing one or more data holder brands within the CDR ecosystem. Each of these data holder brands contain a dedicated entry in the CDR Register under the associated legal entity.

This relationship would appear against the CDR public register as follows:

  

Figure 4: Public Register Legal Entity & Associated Brands

 

Table 2: End point configuration for Secondary Master Brands

Data holder brand configuration	One additional data holder brand is used for each secondary master brand
InfoSec APIs	Each secondary master brand will have a dedicated OpenID Provider Configuration endpoint. This will result in a separate issuer defined per data holder brand.
Public APIs: PRD, Status and Outages	Each secondary master brand will have a dedicated set of public endpoints. Independent PRD, status and outage endpoints are published per data holder brand
Metrics APIs	Each secondary master brand will have a dedicated GetMetrics endpoint. Independent metrics endpoints are published per data holder brand

 

 

Scenario 2: Distribution only brand

Distribution brands are quite common across many sectors of the economy such as Insurance and Telecommunications. Where go-to-market strategies include products, or suites of products separately branded (e.g. Everyday Banking products versus Farm Business financial products) or they are co-branded with another organisation (where promotion of the affiliation provides a key product differentiation).

 

Example 2: White Labeller issues co-branded banking products with non-designated data holders that are made via the White Labeller's internet banking channels

Beyond Airways Ltd provides many co-branded credit cards for its loyalty members. Recognising that its frequent flyers like to earn Beyond Frequent Flyer Points but keep all of their banking with the bank of their choice, they partner with many banks to co-label separate credits cards which are made available via the online banking channel of the customer's bank.

                     

                 

  

Figure 5: co-branded distribution only brand credit cards

 

In this example, ABC offers the ABC Beyond Advantage Card whilst bankACT offers the bankACT Platinum Frequent Flyer Card. Both cards accrue Beyond Frequent Flyer points as they are co-branded arrangements between Beyond Airways and the individual banks.

 

Figure 6: Relationship to White Labeller for distribution only brands

 

Example 2 Commentary

Customers are aware of the bank which issues the credit card and the products are available within the digital banking channels offered by each bank. Customers login and manage their credit card direct with their bank, not Beyond Airways.

As the products are available within the data holder brand's digital banking channels, no separate brand is shown to consumers in the "brand selection" step of consent. Instead, they present as a product retailed under the data holder's brand.

Depending on the separation of the distribution brand to other lines of business, the data holder may choose to present a profile selection step (see Authorisation to disclose - CX Guidelines) during authentication to establish data sharing for separate customer groups (e.g. retail vs business banking).

 

Example 3: An ADI retails products under a separate line of business distribution brands available via its internet banking channel

As part of AgriBank's go-to-market strategy, they offer three separately branded lines of business where its retail banking is called Everyday Banking, it's agribusiness is called Farm Business and its larger corporate customers is called Better Business Banking. These brands are not master brands, they are simply brands to differentiate the products they retail to separate consumer demographics where separate business systems are typically used to manage these lines of business.

 

Figure 7: Distribution brands used for separate lines of business

 

AgriBank provides a profile selection screen to allow their different customers to connect ADRs to the correct line of business distribution brand when consumers are establishing consent; the consumer does not see these distribution brands represented as separate brands in the ADR brand selection step as shown in Figure 8.

 

Figure 8: Profile selection screen

 

Example 3 Commentary

Although AgriBank uses branding to differentiate market segments, this is only at the level of the line of business to make it easier to run marketing campaigns and target tailored products to key customer demographics. Customers are aware that all products, regardless of the line of business brand are retailed by AgriBank. Furthermore, whether they operate separate internet banking profiles for each line of business brand, customers login via the AgriBank website.

 

CDR Register Example 2 and 3

The data holder brand platform abstracts the white label arrangements away from the accredited data recipient and the consumer by making the products available within current digital banking channels. No additional brand entries are required in the CDR Register to facilitate these additional products.

 

This relationship would appear against the CDR public register as follows:

 

Figure 9: Public Register Legal Entity & Single Brand

 

Table 3: End point configuration for distribution only brands

Data holder brand configuration	No additional brand required
InfoSec APIs	No additional endpoints required
Public APIs: PRD, Status and Outages	No additional public endpoints required Additional products are populated on the original brand’s PRD endpoints
Metrics APIs	No additional endpoints required

 

 

Scenario 3: Full service white label brand

A designated data holder provides the capability for a range of products that are sold and serviced under a separate brand owned by a non-designated organisation.

 

Example 4: A distribution only brand owner (non-designated) retails products through a full service white labelled arrangement.

Fresh is a supermarket brand which has diversified into retailing other goods and services through white labelling arrangements (such as white labelled mobile and broadband products) including credit cards manufactured by Credit Group that are branded as Fresh Money.

 

With each distribution channel, the Fresh customer has separate login credentials managed by each white labeller and the brands are presented separately in the market (e.g. Fresh Money vs Fresh Mobile vs Fresh Supermarkets).

 

Figure 10: Relationship to Full Service White Labeller for distribution brands

 

 

Figure 11 - Brand selection for non-designated data holder brands

 

As Fresh Money is the branded channel which customers interact with, Fresh Money, serviced by Credit Group, is shown in the ADR brand selection step. Credit Group provide the CDR implementation including customer authentication.

 

Example 5: ADI-owned distribution brand retails the ADI Data Holder's white labelled products through a separate retail channel to the Data Holder

ABC white labels lending products through a distribution brand owned wholly by ABC. Although it is a distribution brand, the customer logs into a Homely branded banking channel and sees only their Homely products but does not see those products within their ABC banking channels. In this situation, Homely is presented by ABC as a separate data holder brand within CDR where ABC is the Data Holder.

 

Figure 12: Relationship between Data Holder Brand distributing products for the Data Holder

 

Alternatively, ABC may prefer to show the Homely distribution brand in a profile selection step within ABC if their customers understand the relationship between Homely and ABC.

 

Example 6: Non-designated Brand Owner retails credit cards via a White Label DH but looks after authentication

 

Figure 13: Relationship between Non-designated Brand Owner and White Labeller

 

Beyond Airways provides a white-labelled credit card, under their Aero Money brand, to their loyalty rewards customers. This credit card is manufactured by Credit Group acting as a white labeller. Beyond Airways is not an ADI and therefore is not designated as a Data Holder for the banking sector however it provides external authentication for Aero Money. This allows customers to login with their frequent flyer loyalty programme credentials. As the Data Holder, Credit Group is the entity responsible for CDR obligations but delegates authentication to Beyond Airways.

 

Figure 14: Non-designated brand owner authentication flow

 

Because Aero Money is the branded channel which customers interact with, Aero Money is serviced by Credit Group as a master brand that is shown in the ADR brand selection step in Figure 14. Credit Group provide the CDR implementation.

 

Figure 15: Brand selection for Aero Money

 

CDR Register

The brand owner is not a designated data holder, therefore will not have a legal entity on the CDR Register. The designated data holder, acting as the white label provider, is responsible for maintaining the brand entry in the CDR Register for the non-designated brand. This entry is stored against the white label provider’s legal entity and could also be present alongside the white label provider’s own brand(s).

This relationship would appear against the CDR public register as follows:

 

Figure 16: Public Register Legal Entity and white labelled Non-Designated data holders

 

Table 4: End point configuration for distribution only brands

Data holder brand configuration	One brand entry is used for each white label brand
InfoSec APIs	Each white label brand will have a dedicated OpenID Provider Configuration endpoint. This will result in a separate issuer defined per brand.
Public APIs: PRD, Status and Outages	Each white label brand will have a dedicated set of public endpoints. Independent PRD, status and outage endpoints are published per brand
Metrics APIs	Each white label brand will have a dedicated GetMetrics endpoint. Independent metrics endpoints are published per brand

 

 

Scenario 4: Portfolio Extension

A designated data holder offers a series of products but extends their portfolio with a product white labelled by a different designated data holder. The white label product is seen to be part of the customer’s portfolio with the brand owner and a single authentication is used to service both the directly offered products and the white labelled products.

 

Example 7: ADI augments its banking products with credits cards issued by a white label DH but makes them accessible through their own banking channels

Happy Bank is an ADI as such a DH. Happy Bank manufacture most of their products however they rely on a white labeller to manufacture their credit cards.

 

Figure 17: Relationship between Brand Owner and White Labeller

 

For all intents and purposes, Happy Bank customers are unaware of the white label arrangement with Credit Group. Credit cards issued by Credit Group are branded as Happy Bank credit cards.

 

Under this arrangement, the white label credit cards are accessible via Happy Bank's existing digital banking channels. As such, the expectation within the CDR is that Happy Bank provides access to the credit card data via Happy Bank's CDR implementation. Customers select Happy Bank during the brand selection stage and authenticate using their Happy Bank credentials. At the account selection stage, the consumer can select both Happy Bank accounts as well as credit cards that are white labelled by Credit Group for Happy Bank.

How Happy Bank and Credit Group integrate and fulfil their obligations is outside the scope of the technical standards.

 

CDR Register

This scenario has the equivalent CDR Register impact as scenario 2 where the brand owner is a designated data holder. No additional brand entries are required in the CDR Register to facilitate the additional products.

 

Table 5: End point configuration for Portfolio Extension

Data holder brand configuration	No additional brand required
InfoSec APIs	No additional endpoints required
Public APIs: PRD, Status and Outages	No additional public endpoints required Additional portfolio extension products are populated on the original brand’s PRD endpoints
Metrics APIs	No additional endpoints required

 

 

Scenario 5: Portfolio extension with separate authentication

This scenario is a minor variation on Scenario 4. The white labeller is a designated data holder and the brand owner offers other products directly to customers. The variation is that, instead of both direct and white label products being serviced under a single customer identity, customers use different credentials to access separate facilities for the white labelled products.

 

Panel arrangements offered by mortgage brokers are a common example where the broker retails products by a variety of ADIs and non-bank lenders commonly marketed under separate distribution brands. Often, the brand owner presents a “login portal” where the customer selects the branded login point for the products they own and they are then redirected from the brand owner to the white labeller's banking channel which is presented under the brand owner’s look and feel.

 

If the customer accesses all products through a single customer identity and one servicing facility, Option 1 (below) applies. In this situation, the brand owner needs to negotiate with their panel of white labellers that are designated data holder as to which data holder provides the ADR facing CDR solution and integration to the remaining white label data holders. The brand owner themselves may also choose to provide the technical solution and integration to each white labeller. Under this arrangement, a single master brand is presented in the brand selection page and upon redirection to the data holder, the customer is presented with the profile selection to select which portfolio brand they connect.

 

If the customer accesses all products through separate customer identities and separate servicing facilities, then Option 2 (below) applies and each distribution brand is presented separately in the brand selection page with each distribution brand being serviced by the respective data holder.

 

Example 8: Non-designated data holder offers different line of business products under separate distribution brands each serviced by different White Label DHs under a "brand portal"

Occa offers different home loan products under separate white label arrangements for differentiated market segments. It offers its customers a "brand portal" allowing their customer to navigate to their relevant home loan products. Each market segment is marketed under a different Occa distribution brand.

 

Figure 18: Lines of business offered by non-designated data holder

 

Some of these Occa market brands are serviced by non-bank lenders: the Occa Sunray and Occa Ambience brands. These two brands are not designated CDR data because the white labellers in these situations are not ADIs.

The remaining two distribution brands — Occa Sunburst and Occa Octane — are designated CDR data because the white labellers in these situations are both ADIs. In both arrangements, the white labeller for occa provides a turnkey solution including product manufacture, digital banking and customer identity.

 

Option 1

The guidance for Scenario 4 is adopted but, within the constraints of the CDR federation statements in the standards, the customer is asked which identity they wish to share from prior to the authentication step of the consent authorisation flow. The path they select will determine which authentication is used and which accounts are available to be shared.

 

Example 11: Occa continues to operate a "brand portal" for CDR-designated distribution brands

Occa maintains the "brand portal" concept and develops a profile selection screen presented to the consumer after redirection from the ADR and allows customers to redirect to the appropriate distribution brand.

The consumer must have sufficient context to know that the banking profile is part of the brand and will therefore select the relevant brand.

 

Figure 19: Additional step pre-authentication for multiple lines of business

 

 

CDR Register

All banking profiles will be represented under the one brand within the CDR Register.

 

Table 6: End point configuration for multiple lines of business

Data holder brand configuration	No additional brand required
InfoSec APIs	No additional endpoints required
Public APIs: PRD, Status and Outages	No additional public endpoints required Additional portfolio extension products are populated on the original brand’s PRD endpoints
Metrics APIs	No additional endpoints required
Data holder brand configuration	No additional brand required
PRD impact	No additional PRD endpoint used. Additional portfolio extension products are populated on the original brand’s PRD endpoints

 

 

Option 2

The two different facilities are considered master brands and have their own independent entries in the CDR Register. Whether the technical implementation for the white labelled brand is managed by the brand owner (aligned to Scenario 1) or by the white labeller (aligned to Scenario 3) is a decision to be determined by the two parties.

 

Example 12: Distribution brands are presented as separate master brands by each white label DH on Occa's behalf

 Occa, in conjunction with their white label data holders, has chosen to align their CDR branding with their market strategy. Under this arrangement, each distribution brand is presented as a full-service white label brand. Thus, each distribution brand shows up as a separately in the "brand selection" step.

 

Figure 20: Brand selection for Occa

 

 

CDR Register

All brands have independent entries in the CDR Register. The data holder is designated and therefore will have its own legal entity entry present on the Register. All brands belonging to the data holder will be published under this legal entity.

 

Table 7: End point configuration alternative for multiple lines of business

Data holder brand configuration	One brand entry is used for each white label brand   Management of the brand, either by the white label provider or brand owner, is to be determined by the two parties
InfoSec APIs	Each white label brand will have a dedicated OpenID Provider Configuration endpoint. This will result in a separate issuer defined per brand.
Public APIs: PRD, Status and Outages	Each white label brand will have a dedicated set of public endpoints. Independent PRD, status and outage endpoints are published per brand
Metrics APIs	Each white label brand will have a dedicated GetMetrics endpoint. Independent metrics endpoints are published per brand

 

 

Conclusion

This is not an exhaustive list of all such arrangements however the DSB and ACCC are seeking feedback on any that fall outside of those described here. To provide feedback to the DSB please post on Noting Paper 169, to the ACCC please talk to the On-boarding or Technical Operations teams by emailing CDRTechnicalOperations@accc.gov.au.

 

If as a Data Holder you are currently On-boarding to the CDR Register, please make arrangements to discuss your circumstances with the ACCC On-boarding team.