The ACCC has published Compliance Guidance for Data Holders in the Banking sector to assist data holders to understand and comply with their obligations (other than privacy) under the Competition and Consumer Act 2010, Consumer Data Right (CDR) Rules, and Standards.

Data holders need to do four main things under the CDR. They must:

• provide the necessary CDR infrastructure to enable requests to be made for
  product and consumer data, including joint account data;
• disclose general product data about products they offer, covering interest rates,
  fees and charges, discounts and other features;
• securely transfer, with a consumer’s authorisation, a consumer’s data in a
  machine-readable format when they receive a valid request; and
• manage a consumer’s authorisation to disclose CDR data and any amendment or
  withdrawal of that authorisation.

Under the CDR regime, a data holder is an Authorised Deposit-taking Institution (ADI) or an
Accredited Data Recipient (ADR) that holds CDR data about a banking product; the consumer of a banking product; or a consumer’s use of a banking product.

The four major banks (Australia and New Zealand Banking Group Limited, Commonwealth Bank of Australia, National Australia Bank Limited, and Westpac Banking Corporation) are identified in the Rules as ‘initial data holders’. Initial data holders were required to share CDR data earlier than other ADIs.

All remaining ADIs that are not an ADR, foreign ADIs, foreign branches of domestic banks, or restricted ADIs are categorised as ‘any other relevant ADI’ for the purposes of the commencement of CDR obligations.

ADRs having requested and received CDR data under the Rules will be required to share CDR data, in accordance with reciprocal data sharing obligations. ADIs that become ADRs will need to share data at an earlier stage than would otherwise have been required if they were not accredited.

An ADR is generally not a data holder if it only holds CDR consumer data that was disclosed to it by another data holder under the Rules.

Initial data holders

• have been required to share product data since 1 February 2020;
• have been required to share consumer data for their primary brands since 1 July 2020;
• are required to share consumer data for their non-primary brand products from 1 July 2021.

All other ADIs

• are currently required to share Phase 1 and 2 product data. This will extend to include
  Phase 3 products from 1 July 2021;
• will be required to share Phase 1 consumer data from 1 July 2021. This will extend to include all listed products by 1 February 2022.

ADRs have been required to share Phase 1 consumer data since 1 March 2021 and will be required to share Phase 2 and 3 consumer data from 1 July 2021.

The CRD product phases have been summarised by the ACCC as follows:

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.