This question concerns companies that are entering the Australian market and providing services to Australian financial institutions. In their work, they may hold or process some data held by Australian FIs.
Who can these companies speak to in order to understand their obligations (if any) under the Consumer Data Right (CDR)? While they would not be data holders or accredited data recipients (ADR), they provide services to data holders and hence need to understand if there are any regulations or practices they must adhere to.
Only businesses who will be collecting CDR data for another business or to provide services to a consumer need to become accredited, whether as an unrestricted ADR, an intermediary or an ADR with a lower tier of accreditation.
The CDR does not impact on existing traditional services (including associated data sharing arrangements), and should not require accreditation. Additionally, foreign authorised deposit-taking institutions (ADIs) as potential data holders do not need to on-board as a data holder unless they are also, or one of their Australian-incorporated subsidiaries is, an Australian ADI. If a foreign business does need to become accredited to provide services under the CDR, then they will need to have a local agent and address in Australia. Other considerations for foreign entities are that the CDR provisions can apply extraterritorially when a legal person in Australia has been harmed or an act or omission occurs on behalf of an Australian legal person. The CDR Privacy Safeguards apply similarly.
If the business is unsure whether they should become accredited, they are welcome to contact us through the Consumer Data Right Support Portal.