Resetting Australia's Consumer Data Right

Reducing cost and driving high value use cases

What you need to know 

• At an event hosted by Ashurst and the Committee for Economic Development of Australia (CEDA) on 9 August 2024, the Assistant Treasurer Stephen Jones described the Consumer Data Right (CDR) as a "good idea, badly executed" and in need of a reset.
• The Assistant Treasurer proposed a more focused, refined future CDR – with a focus on reducing cost and complexity, driving high value use cases to drive consumer benefits and a common approach with digital identity and privacy reforms.
• The announcement included a mix of short- and long- term measures, accompanied by the release of a compliance cost review report suggesting measures to save costs, and the launch of a consultation on draft rules to simplify consent and operational aspects of the CDR.

Key developments to watch 

• CDR will expand to non-bank lending – while the sector expansion of CDR is still on pause, the intent is to extend CDR to non-bank lending in early 2025, to be operational by mid-2026.
• A plan to ban screen scraping – the Assistant Treasurer has tasked Treasury to advise on the way forward for a full and formal ban on screen scraping over the next 12 months, but when the ban will officially come into effect was not announced.
• Action initiation – a bill to bring action initiation to the CDR was passed unamended on Thursday 15 August 2024, with bipartisan support. This will be critical to assist with some of the specific use cases, but the Government has warned that further work is required to identify which actions have value. Read more about the action initiation bill.
• Unlocking high-value use cases – the Government will focus on unlocking high-value use cases. Borrowing decisions, energy switching (as a “fast follow”), and accounting services to small businesses have been flagged as the highest priority, and budget management uses should also be supported.
• A focus on reducing cost – with the release of a compliance cost review report, Treasury is also working on a strategic assessment of the way forward for the CDR, rule changes to reduce costs and focus on high value use cases in 2025, and an impact assessment of narrowing the data covered by the CDR (such as removing products never likely to be used).
• Consent and operational enhancements consultation closing 9 September 2024 – draft rule amendments focus on simplification and streamlining, with proposed changes including bundled and pre-filled consents. While we will not see a principles-based ban on dark patterns, which was also considered in a design paper in late 2023, standards and guidelines on manipulation will be considered.

A reset for the Consumer Data Right 

At an address to an event hosted by Ashurst and the Committee for Economic Development of Australia (CEDA), on 9 August 2024, Assistant Treasurer and Minister for Financial Services, the Hon. Stephen Jones MP described the CDR as a “good idea, badly executed” in need of a reset.

The Government’s proposals focus on reducing costs, streamlining processes, and targeting practical, high value use cases. The Assistant Treasurer identified key concerns with the current CDR:

• the high regulatory burden and compliance costs;
• lack of incentive for businesses to use CDR data;
• restrictions on using and holding CDR data as barriers to CDR uptake; and
• low CDR take-up amongst consumers.

Over its lifetime, the CDR has borne heavy criticism for poor cost/benefit outcomes, most recently from the Australian Banking Association in a report commissioned from Accenture.

These concerns were examined in a separate compliance costs review report, commissioned by Treasury and based on interviews with industry participants and Government in late 2023. Key drivers of cost identified in that report include the CDR's broad scope, constant changes to data standards, inadequate consideration of implementation issues and lack of alignment with international standards.

The report suggested initiatives to reduce costs, some of which have already been actioned (discussed below).

The Assistant Treasurer has also asked Treasury to assess changes that could be made in 2025 to reduce costs and support high value use cases, which will no doubt be informed by the report.

The reset of the CDR is part of a whole-of-government approach to drive greater competition and  ensure consumers realise the benefits of a digital economy while underscoring the importance of maintaining safety, security, and trust in Government and business – building on the Government’s approaches to digital identity and privacy reform.

Open finance early next year – non-bank lending and “buy-now, pay later”

The CDR will expand to include non-bank lending data early in 2024, with the aim of being operational by the middle of 2026 (providing a transition period). Treasury is finalising industry consultation.

At last year's CEDA address, the Assistant Treasurer announced that no further expansion would happen until after a strategic review to be conducted at the end of 2024. This paused the previously anticipated rollouts to telecommunications and insurance sectors (CDR had already rolled out to the banking sector in 2020, and the energy sector in 2022).

In October 2023, Treasury consulted on draft rules covering non-bank lending (NBL), including "buy now, pay later" (BNPL) products. You can read more about the rules in our earlier publication.

A plan to ban screen scraping

Over the next 12 months, Treasury will also advise the Assistant Treasurer on a way forward for a full and formal ban of screen scraping. The Assistant Treasurer’s announcement is clear about the intention, mentioning that “it is fundamentally unsafe”.

This follows a consultation in October 2023 on policy and regulatory implications of screen scraping, which sought views on the recommendation of the 2022 Statutory Review of the CDR to ban screen scraping where the CDR is a viable alternative.

Screen scraping (also referred to as data aggregation) is a commonly used alternative to CDR data sharing. The practice involves prompting a consumer to log into their account via a third-party service, with the service extracting the data displayed "on screen", and sharing that with another provider or service. Critics highlight that it involves unsafe data practices that increase fraud and cyber security risks.

Action initiation laws imminent, but perhaps no actions initiated yet

A bill to bring action initiation to the CDR was passed unamended on Thursday 15 August 2024, with bipartisan support. You can read more about action initiation in our earlier publication.

Action initiation (also known as "write access") allows accredited third parties to take actions on the consumer's behalf – such as opening accounts, authorising payments or switching. One example is account switching in the energy sector, which the Government has highlighted as a priority.

However, the bill sets out the framework for action initiation – not the specific actions that will be introduced. Treasury will consult on which actions are introduced when, and for what sectors.

Given the significant complexity of introducing new actions, we can expect that the Government will focus on simplifying existing obligations, bringing down existing compliance costs, and targeting high value use cases within the existing framework before expanding action initiation.

Action on high priority use cases

The Assistant Treasurer has already set the reset into action with a letter to the Data Standards Chair, identifying as high priority use cases:

• those relating to borrowing decisions;
• energy switching; and
• accounting services to small businesses.

In a nod to cost of living pressures, uses that help consumers manage their budgets should also continue to be supported. The Government also supports continued use of experiments, primarily focused on these high value-use cases – drawing attention to existing work on energy switching and real estate applications, which test future directions for both action initiation and integration with Digital ID.

The current CDR framework is "read only" – allowing the sharing of data, but not the taking of actions. Taking actions like switching accounts will require new "write-access" action initiation functionality. While legislation to support action initiation has now been passed, delivering these use cases will take more work – including consulting on which actions should apply for what sectors, designing supporting rules, developing standards, and driving technical implementation, operationalisation, and adoption.   

The Data Standards Body is already conducting experiments, establishing a GitHub repository of experimental standards to test concepts and facilitate consultation – which include action initiation and Digital ID use cases.

New approach to standards changes

The Assistant Treasurer's letter to the Data Standards Chair sets out the Government's expectation that future changes to data standards focus on:

• critical changes where required to operationalise the high value use cases above, or to manage costs;
• consent drop-offs – why users start CDR transactions, but stop during consent processes;
• giving effect to rules changes (for example, expansion to non-bank lending, and consent and operational enhancement rules under consultation); and
• information security – in particular authentication standards (we expect this will involve Digital ID options).

Other standards changes will be considered by the CDR Steering Committee to ensure they align with the overall Government direction and other CDR agencies. This may mean "nice to have" or non-strategic changes are minimised.

Consistent with suggestions from the compliance costs review report, the Government expects standards changes to be prioritised, consulted on and scheduled in a more transparent and orderly manner, and to take into account costs and benefits. This approach is supported by a new Standards Assessment Framework finalised by the Data Standards Chair on 8 August.

Alignment with Digital ID

Private sector Digital ID solutions are already available in the market and in use by banks in particular, allowing users safer and simpler access to digital services.

Integrating private sector Digital ID solutions with the CDR should reduce some of the current user friction. Australia's new Digital ID laws are expected to commence in December 2024. The Government has indicated that there should be common elements and consistency between Digital ID and CDR, suggesting that standards should be aligned and interoperable.

How to reduce costs? Outcomes of the Compliance Costs Review Report

The compliance costs review report suggested initiatives that could reduce costs – acknowledging that some of these initiatives may slow the growth, or pace of change, in the CDR.

Some of the initiatives include:

• managing changes to the data standards, with a fixed number of scheduled data standards releases per year;
• ensuring cost impacts are considered as part of a standardised review approach to proposed changes;
• narrowing the focus of changes and ensuring they align with the strategy to focus on key use cases;
• streamlining obligations by reducing performance standard requirements, adding permanent exemption pathways and removing low-value obligations; and
• further industry collaboration on changes, including use of the Data Standards Advisory Committee, exploration of voluntary data sets and engagement with industry to understand implementation barriers.

These new initiatives will start to be implemented across the CDR regulatory ecosystem, although the Government has not expressly committed to follow all of them.

Re-thinking CDR governance 

The compliance costs review report noted feedback from industry participants that CDR decision-making frameworks could be changed to better align policy with technical industry implementation.

Two models explored (without limiting the potential options) were a streamlined regulator-led model with an emphasis on regulatory impact assessment and a smaller number of targeted change proposals per year, and an industry-led model with a regulatory “backstop” and decision making on key issues.

New consultation on consent and operational enhancements

As part of his address, the Assistant Treasurer announced a Treasury consultation on new draft consent and operational enhancement amendments – submissions can be made until 9 September 2024. This follows an earlier August 2023 design paper consultation, which captured an earlier iteration of a number of these changes.

In general, proposed changes reduce compliance burdens and simplify consent processes – such as:

• Bundled and pre-filled consents – consents can be pre-selected where “reasonably needed” to provide a good or service (a concept linked to the data minimisation principle);
• Streamlined consumer information – bundled “90-day” notifications of un-used consents, less information about withdrawing consent up front, consistent information about third parties like outsourced service providers, transparency around direct marketing activities to be undertaken, and standards to specify the information required in a CDR receipt; and
• Simplify use of CDR data by banks – banks receiving CDR data when a consumer applies for a product can hold the data as a data holder (rather than as a data recipient); and
• Trial products for energy – as proposed in the previous consultation, a new trial products exclusion will be added for the energy sector.

The draft rules changes will also tighten the responsibility (and liability) of principals for non-compliance by their CDR representatives with consumer experience data standards and required terms of representative arrangements. In May, the Australian Competition and Consumer Commission emphasised that oversight of third parties, and representative compliance in particular, was a compliance and enforcement priority area.

Dark patterns standards and guidelines being considered by DSB

Treasury will not proceed with a principles-based prohibition on “dark patterns” proposed in its August 2023 design paper consultation. Instead, the Data Standards Board is considering progression of standards and guidelines, which will no doubt be informed by and consistent with Privacy Act reforms to minimise duplication (as recommended in June 2024’s Privacy Impact Assessment).

“Dark patterns” are user interfaces designed or intended to confuse users, making it difficult for consumers to express their preferences, or manipulating consumers into taking certain actions, such as nagging, obstruction, interface interference, sneaking, forced action and scarcity cues that undermine user autonomy in decision making.

No changes to CDR enforcement regime

The Assistant Treasurer did not comment on the enforcement of CDR and its effectiveness to date. This suggests that the Government is unlikely to propose any substantive changes to the current enforcement framework for non-compliance with the CDR rules and that the Australian Competition and Consumer Commission (ACCC) will remain the regulator overseeing the CDR regime.

The broader technology reform agenda

These changes have been proposed in the midst of a very ambitious and busy digital, technology and cyber agenda for the Government, not long before the end of its term.

The Assistant Treasurer described the CDR as part of a “whole-of-government effort to ensure that consumers get the benefits that come from the digital economy – while ensuring that the rails of modern commerce are safe and secure.”

This ambitious agenda includes a range of coming reforms.

• Cyber and critical infrastructure – The Government is expected to introduce a Cyber Security Bill and critical infrastructure reforms in coming weeks, a key part of its 2023-2030 Cyber Security Strategy regulatory reform agenda.
• Scams – The Assistant Treasurer recently announced next steps on the approach to regulating scam protection.
• Digital ID – New Digital ID laws are expected to commence 1 December 2024, with work continuing on rules and standards required for launch.
• Misinformation – The Government has consulted on draft legislation to help combat misinformation and disinformation, and provide ACMA with powers to enforce a code of practice.
• Artificial intelligence – We expect significant announcements in September – an Australian Senate Select Committee will report on opportunities and impacts for Australia arising from AI by 19 September 2024, and the term of the temporary expert group advising on mandatory AI "guardrails" was recently extended to September. In addition, Australia's May 2024 budget allocated funding to review and strengthen regulation of AI in health care, consumer, and copyright law.
• Privacy and doxxing – The Attorney-General and the Prime Minister have announced that they will bring forward a long-awaited bill to implement Privacy Act reforms and regulate doxxing (the malicious disclosure of personal information) – we also expect the release of an important strategic operational review of the Office of the Australian Information Commissioner.
• Online Safety – New standards have been registered by the eSafety Commissioner, coming into effect 21 December 2024, completing the first tranche of codes and standards to manage the risks of seriously harmful online content such as child exploitation and pro-terror materials. A second tranche of new codes are being developed dealing with age-appropriate access to online content, and a statutory review of the Online Safety Act is due to report to the Minister by 31 October 2024.

Want to know more?

• The Consumer Data Right being rolled out to non-bank lenders and by now pay later products as part of Open Finance - 28 September 2023 (Webinar)
• Consumer data right news for non-bank lenders and buy now pay later, screen scraping and energy rollout - 22 September 2023 (Publication)
• Action Initiation under the Consumer Data Right is coming - 20 February 2023 (Publication)

Other authors: Kendrick Deng, Senior Associate; Anne Mo, Lawyer and Thomas Suters, Graduate.