Open banking: Compliance guidance for data holders

The ACCC has published Compliance Guidance for Data Holders in the Banking sector to assist data holders to understand and comply with their obligations (other than privacy) under the Competition and Consumer Act 2010, Consumer Data Right (CDR) Rules, and Standards.

Data holders need to do four main things under the CDR. They must:

  • provide the necessary CDR infrastructure to enable requests to be made for
    product and consumer data, including joint account data;
  • disclose general product data about products they offer, covering interest rates,
    fees and charges, discounts and other features;
  • securely transfer, with a consumer’s authorisation, a consumer’s data in a
    machine-readable format when they receive a valid request; and
  • manage a consumer’s authorisation to disclose CDR data and any amendment or
    withdrawal of that authorisation.

Under the CDR regime, a data holder is an Authorised Deposit-taking Institution (ADI) or an
Accredited Data Recipient (ADR) that holds CDR data about a banking product; the consumer of a banking product; or a consumer’s use of a banking product.

The four major banks (Australia and New Zealand Banking Group Limited, Commonwealth Bank of Australia, National Australia Bank Limited, and Westpac Banking Corporation) are identified in the Rules as ‘initial data holders’. Initial data holders were required to share CDR data earlier than other ADIs.

All remaining ADIs that are not an ADR, foreign ADIs, foreign branches of domestic banks, or restricted ADIs are categorised as ‘any other relevant ADI’ for the purposes of the commencement of CDR obligations.

ADRs having requested and received CDR data under the Rules will be required to share CDR data, in accordance with reciprocal data sharing obligations. ADIs that become ADRs will need to share data at an earlier stage than would otherwise have been required if they were not accredited.

An ADR is generally not a data holder if it only holds CDR consumer data that was disclosed to it by another data holder under the Rules.

Initial data holders

  • have been required to share product data since 1 February 2020;
  • have been required to share consumer data for their primary brands since 1 July 2020;
  • are required to share consumer data for their non-primary brand products from 1 July 2021.

All other ADIs

  • are currently required to share Phase 1 and 2 product data. This will extend to include
    Phase 3 products from 1 July 2021;
  • will be required to share Phase 1 consumer data from 1 July 2021. This will extend to include all listed products by 1 February 2022.

ADRs have been required to share Phase 1 consumer data since 1 March 2021 and will be required to share Phase 2 and 3 consumer data from 1 July 2021.

The CRD product phases have been summarised by the ACCC as follows:

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

David Jacobson

Author: David Jacobson
Principal, Bright Corporate Law
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

Print Friendly, PDF & Email

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.