Question

If a Core Banking vendor provides technology for consent management and data collection to an Authorised Deposit-Taking Institution (ADI) who is also an ADR, does the Core Banking vendor need to become an Accredited Data Recipient (ADR)?

Where does responsibility to be compliant with CDR Rules sit: with the ADI or Vendor? 

Answer

CDR Rules do not currently allow an ADR to use a non-accredited third party to collect CDR data from a Data Holder on its behalf.  Therefore, if the ADI (as an ADR) plans to use their Core Banking vendor to collect data the vendor must become accredited.

Further, in those circumstances where an ADI is an ADR, non-accredited third parties can be used (an outsourced service provider) under a CDR outsourcing arrangement. Such an arrangement allows an ADR to disclose CDR data that has been collected by an accredited person to the outsourced service provider for the purposes of providing to the ADR goods or services using the CDR data.

Rule 1.10 of the CDR Rules sets out what a CDR outsourcing arrangement is, and the obligations that an outsourced service provider must comply with.

Compliance with the CDR Rules remains with the ADR as the accredited person.

See this FAQ for Finding the latest version of the Consumer Data Right Rules.