Following extensive activity around the Consumer Data Right (CDR) throughout 2019, the Australian Competition and Consumer Commission (ACCC) advised in December 2019 that the CDR roll-out in respect of the banking sector would be delayed due to incomplete system testing. As a result, the first availability of consumer data via the CDR has been pushed back from February to July 2020.
Given the concurrent inquiries by the government into future directions for the CDR and by the Senate into financial and regulatory technology more broadly, 2020 will likely be an important year for businesses to continue to engage with and shape implementation of the CDR.
CDR in 2019
Although the CDR has been under development since late 2017, 2019 was its landmark year. In March 2019, the CDR draft rules for banking (Open Banking) were released for stakeholder consultation. After earlier delays in Parliament, the enabling legislation for the CDR was passed in August 2019 and the lock down version of the CDR rules was published in early September 2019.
Regulators took a number of significant steps towards the practical implementation of the CDR. The ACCC opened public consultation on the technical design of the register of CDR participants, party accreditation and the participation of intermediaries. Data61, acting in their capacity as the CDR’s Data Standards Body (DSB), continued to consult on and release new versions of the consumer experience standards. And in October, the Office of the Australian Information Commissioner (OAIC) released its draft guidelines on the CDR’s privacy safeguards.
CDR in 2020: a critical year
Looking forward, the federal government has indicated that it remains committed to growing the digital economy and that the roll-out of the CDR is a critical element in facilitating such growth. Given this, continued government and stakeholder CDR activity is anticipated throughout 2020.
As alluded to above, the updated timeline for the CDR roll-out has pushed back the large banks’ obligations to share consumer data from February to June 2020. However, the CDR is still scheduled to be fully implemented across all participants (the big four banks, both mandatory and voluntarily-participating authorised deposit-taking institutions (ADIs) and accredited persons) by February 2022, as originally scheduled. Organisations will not only be implementing the initial roll-out, but will also need to prepare to deliver the CDR within a tighter timeframe than originally anticipated.
Despite the initial delay, the Commonwealth government has also re-affirmed the importance of the CDR in achieving key government policy objectives across multiple sectors (not just financial services), such as increasing competition in heavily regulated sectors with few major incumbents and empowering consumers to find the best products and services. Accordingly, there is a clear focus on ensuring that the CDR remains fit for purpose.
In January 2020, the Department of Treasury announced an inquiry into future directions for the CDR. Beyond capturing developments in technology and similar regimes in other countries since the CDR’s inception, the inquiry will examine how to potentially expand the CDR’s functionality, including by permitting ‘write’ access to individuals’ data and linking the CDR to other infrastructure, such as the New Payments Platform.
The CDR also features in submissions to the current Senate inquiry by the Select Committee on Financial Technology and Regulatory Technology, which began public hearings at the end of January 2020. Fintechs and banks have advocated in this forum for various changes to the CDR, from extending the CDR to different participants (such as the super industry) or including more kinds of data (including personal data held by the ATO), to a complete reframing of the CDR in the Australian digital regulatory landscape.
Both inquiries are slated to produce their reports in late 2020, and are anticipated as being likely to impact the scope and implementation of the CDR.
Key themes in government and regulator activity
As the CDR continues to evolve, several key themes have emerged that are likely to be a focus for government and regulatory activity in 2020.
- Intermediaries and tiering. Open Banking is centred around, but not exclusive to, banks: fintechs and other potential participants will be intermediaries for the collection and movement of data between banks and customers. The CDR may be reframed to allow changes to the types of organisations that may become intermediaries, the rules for intermediary participation in the regime and the tiering of different classes of intermediaries with different degrees of access.
- Write access and new banking entrants. The CDR is currently limited to ‘read’ access, which only permits consumers (and the intermediaries they engage) to see their data held by the banks: ‘write access’ would allow the consumers or intermediaries to modify that data. Enabling a non-banking party to, for example, initiate payments has the potential to greatly increase the scope and activity of CDR participants, and may further empower consumers. However, such access introduces a potential increased risk of fraud as bad actors gain an additional way of accessing customer information.
- Sandboxing. As regulatory activity increases around CDR, businesses have flagged that corresponding compliance obligations may stifle the innovation and competition that the CDR aims to promote in the first place, particularly outside the big four banks. In February 2020, the Commonwealth government passed legislation expanding the fintech regulatory ‘sandbox’. CDR participants and other fintechs can now test a larger scope of novel technologies with regulatory oversight, but without the fear of sudden restrictions or penalties that might otherwise be fatal, for up to 24 months (doubled from the previous 12 month limit).
- Incumbent experience. The implementation of the CDR throughout 2019 has confirmed that incumbent experience is invaluable in shaping the initial and continued roll-out of the CDR in each sector. Although the CDR enables new market entrants, incumbents have the scale and sectoral expertise assist the government and regulators in anticipating and avoiding practical challenges in implementing the CDR.
- Energy. In the latter half of 2019, the ACCC published their recommended data access model in the energy sector and the DSB formed the Energy Advisory Committee with industry stakeholders. While the energy sector can look to the Open Banking roll-out for guidance on general issues that may arise with the CDR, sector-specific input will be essential in formulating standards and future-proofing the CDR for emerging energy technologies.
2020 remains a vital year for businesses impacted or likely to be impacted by the CDR to continue working with the government and regulators to shape the regulatory landscape. With existing milestones shifting and new goals emerging, it is clear that both the public and private sectors are invested in the continued evolution of Open Banking and the CDR more broadly. HSF invites industry participants to bring any problems or questions about the CDR to the firm’s specialist teams, as clients continue to monitor developments and engage proactively with the CDR.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2021