On 1 October 2020, the ACCC made amendments to the CDR Rules to enable accredited intermediaries to collect data for other accredited parties.
The amendments describe how a person (provider) can perform tasks on behalf of another accredited person (principal) in a CDR outsourcing arrangement. Principals are required to be Accredited Data Recipients (ADR).
Two types of CDR outsourcing arrangements
There are now two types of CDR outsourcing arrangements; the new rules create the arrangement outlined in:
- Non-ADR Provider arrangement
- Accredited Intermediary arrangement
1 Non-ADR Provider arrangement
In this case the principal is an unrestricted ADR and the provider is not an ADR.
The provider can provide goods and services to the principal using CDR data disclosed to it by the principal. In this arrangement, the provider cannot collect CDR data on behalf of the principal.
2 Accredited Intermediary arrangement
In this case the principal is an unrestricted ADR and the provider is also an unrestricted ADR.
The provider in this arrangement can provide goods and services to the principal using CDR data disclosed to it by the principal and can collect CDR data on behalf of the principal.
The difference between the CDR outsourcing arrangements
The Accredited Intermediary arrangement creates greater flexibility in the type of services that ADRs can offer other ADRs.
A practical example of how the Accredited Intermediary arrangement can be used is shown in the diagram below.
CDR data management
Any CDR data that:
- was collected from a consumer;
- was disclosed to the provider;
- directly or indirectly derives from the CDR data
under any CDR outsourcing arrangement (Service Data) must:
- be protected by the provider in accordance with Schedule 2 of the CDR Rules (i.e. Privacy Safeguard 12);
- only be disclosed in accordance with the contract between principal and provider;
- be accessible to the principal if requested;
- be returned or deleted (in accordance with the CDR data deletion process) by the principal if requested.
It’s the principal’s responsibility to ensure that the provider complies with the requirements under any CDR outsourcing arrangement.
CDR policy and disclosure
In any CDR outsourcing arrangement, the principal must provide the consumer with the following information when asking for consent:
- a statement explaining that the consumer’s CDR data will be disclosed to or collected by the provider (whatever the case may be);
- a link to the principal’s CDR policy;
- a statement explaining that further information on the policy can be provided.
Acts performed by accredited providers on behalf of accredited principals are, in all cases unless otherwise specified, considered acts of the principal in a CDR outsourcing arrangement.
This effectively places all civil liability on the principal.
New minimum controls
There are two new minimum controls, which any provider (whether or not an ADR) in a CDR outsourcing arrangement needs to comply with:
- Encryption in transit: Implement robust network security controls to help protect data in transit, including: encrypting data in transit and authenticating access to data in accordance with the data standards (if any) and industry best practice, implementing processes to audit data access and use, and implementing processes to verify the identity of communications.
- Data segregation: CDR data that is stored or hosted on behalf of an Accredited Data Recipient is segregated from other CDR data to ensure it is accessible only by the Accredited Data Recipient for whom consent was given and remains directly attributable to that Accredited Data Recipient.
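One way a provider could enforce the data segregation control, together with the audit, access-on-request and deletion obligations for Service Data, is sketched below. This is an added example, not code from Frollo or the CDR Rules; the class and method names, the ADR identifiers and the records are hypothetical, and `caller_id` is assumed to come from an already authenticated session.

```python
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Caller tried to reach another principal's partition."""


class SegregatedStore:
    """Provider-side store for Service Data, one partition per principal ADR."""

    def __init__(self):
        self._partitions = {}   # principal_id -> {record_id: record}
        self.audit_log = []     # every access attempt, allowed or not

    def _authorise(self, caller_id, principal_id, action):
        # Assumption: caller_id was established by prior authentication.
        allowed = caller_id == principal_id
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "caller": caller_id, "principal": principal_id,
            "action": action, "allowed": allowed,
        })
        if not allowed:
            raise AccessDenied(f"{caller_id} may not {action} data held for {principal_id}")

    def put(self, caller_id, principal_id, record_id, data):
        self._authorise(caller_id, principal_id, "put")
        # Tag the record with its principal so it stays attributable.
        record = {"principal": principal_id, "data": dict(data)}
        self._partitions.setdefault(principal_id, {})[record_id] = record

    def get(self, caller_id, principal_id, record_id):
        self._authorise(caller_id, principal_id, "get")
        return dict(self._partitions[principal_id][record_id])

    def export(self, caller_id, principal_id):
        """Return everything held for the principal (access on request)."""
        self._authorise(caller_id, principal_id, "export")
        held = self._partitions.get(principal_id, {})
        return {rid: dict(rec) for rid, rec in held.items()}

    def delete_all(self, caller_id, principal_id):
        """Drop the principal's partition; returns the number of records removed."""
        self._authorise(caller_id, principal_id, "delete_all")
        return len(self._partitions.pop(principal_id, {}))
```

Denied attempts are written to the audit log before the exception is raised, so cross-principal access attempts remain visible to whoever reviews data access and use.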
Frollo is leading the charge in the Consumer Data Right. As the first fintech ADR in Australia and the first to go live with CDR, we’ve built the technology to help you leverage CDR data to gain a competitive advantage.
The state of Open Banking
We’re collaborating with NextGen.Net to publish the first report on ‘The state of Open Banking in Australia’. The report will be based on an industry survey, interviews and our own experience as an ADR in market since July 2020.
We need your help though. Please take a few minutes to fill out the survey, and you’ll be first to receive the report when we launch.