The “Consumer Data Right (CDR) as a service” for Australian Fintechs: A workable way out of a scrape

This article was published in the LexisNexis Australian Banking & Finance Law Bulletin (2021) Volume 37, No 2, pages 21 to 26.

Australia’s consumer data right regime[1](CDR Regime) as it applies in the banking sector[2] is intended to give CDR “consumers” (broadly, any individual or company having a specified type of account with a bank) “greater access to and control over their data.  It will improve consumers’ ability to compare and switch between products and services, and will encourage competition between service providers, leading not only to better prices for customers but also more innovative products and services.”[3]

This is truly exciting reform that has been consistently advanced since 2018.[4]  There have been some delays in the phased “go live” dates for the reform but in my view this is understandable given the magnitude and complexity of the reform.  Further, at every stage, policy makers need to manage the tension between promoting competition and innovation on the one hand and maximising consumer safety, confidentiality and privacy on the other.  This tension is why it is taking time to develop a workable model for start-up FinTechs[5] – and established but small FinTechs – to have the benefit of “CDR as a Service” as a relatively quick and cost-effective way to participate in the CDR Regime.  I suggest that Australia is now no more than two years away from developing this model.

In the meantime, many Australian FinTechs are unable or unwilling to take the time, and incur the expense, to become accredited data recipients under the CDR Regime.  It is estimated to cost as much as A$250,000 to complete an application to become an accredited data recipient ADR at the only level that is presently available, that is, the “unrestricted” level.[6]  Further, the Australian Competition and Consumer Commission (ACCC) estimates that it costs in the vicinity of A$50,000 to A$70,000 just to set up a data storage centre for storing CDR data. [7]

Therefore, for now, many FinTechs continue to use alternative data capture mechanisms to offer their services.  Those alternative mechanisms include “screen scraping” and – for bigger players like the providers of business and accounting platforms – direct data feeds negotiated on a bilateral basis between service providers and Australian banks. In the banking context, “screen scraping” – or the less harmful sounding “digital data capture” – refers to the practice of an organisation (like a FinTech, a bank – say bank B – or a data aggregator) using a customer’s login details to access the customer’s bank accounts with bank A in order to provide a secondary product or service. This sometime happens on an ongoing basis and at other times on a one-off basis.  This technology is widely used by banks, lenders, financial management applications, personal finance dashboards and accounting products.[8]

Accredited data recipients” under the CDR Regime

The CDR Regime, as it applies in the banking sector, permits an “accredited data recipient” (ADR) such as a FinTech to receive a CDR consumer’s CDR data from a data holder (the CDR consumer’s bank) with the consent of that CDR consumer. Broadly, “CDR data” in the banking sector includes customer data, account data and transaction data in relation to a range of bank accounts.[9]  An ADR must obtain a consumer’s consent before requesting the consumer’s CDR data from the consumer’s bank. That consent must be voluntary, express, informed, specific as  to purpose and time-limited (to a maximum period of 12 months unless withdrawn earlier).[10] Further, the bank must ask the consumer to authorise the bank to disclose the applicable CDR data to the ADR.[11]

An ADR is subject to privacy[12] rules about how it handles CDR data.[13]  Amongst other things, the ADR must establish a formal governance framework for managing information security risks relating to CDR data setting out the policies, processes, roles and responsibilities required to facilitate the oversight and management of information security. An ADR must also assess, define and document the boundaries of its “CDR data environment”,  that is, the information technology systems used for, and processes that relate to, the management of CDR data.  An applicant for accreditation as an ADR must provide evidence to demonstrate that it satisfies the detailed security requirements about the security of CDR data.  This evidence includes an IT security assurance report prepared in accordance with specified standards or evidence that the applicant has ISO 27001 certification.[14]

A working model for “CDR as a Service” 

I suggest a working model for “CDR as a Service” with the features set out below. These features combine proposals made in the Government’s CDR Rules Expansion Consultation Paper of September 2020 (CDR Expansion Consultation Paper),[15] submissions made by prospective intermediaries in October and November 2020 in response to that Consultation Paper,[16] and the CDR Future Directions Report publicly released in December 2020.[17] The features of this working model do not correspond exactly with any particular proposal.

• An organisation (“A”) which has the highest level of accreditation as an ADR (“unrestricted”) may “sponsor” an affiliate/authorised representative (“B”).
• That sponsorship may involve the enrolment of B as an ADR at a lower level of “affiliate accreditation” from the regulator[18] or B will be enrolled as an authorised representative of A. It will be relatively less costly and quicker for B to be sponsored in this way, amongst other things reflecting that B will not need to obtain an IT assurance report and satisfy the other costly and time consuming IT-related conditions that are required for an “unrestricted” ADR accreditation. The enrolment of B will record that A is B’s sponsor and that B is an affiliate/authorised representative of A.
• A is responsible for policing B’s handling of CDR data, including by reviewing B’s risk, security and privacy controls. This includes an initial review to confirm the adequacy of those controls prior to A certifying that B is permitted to be A’s affiliate or authorised representative and ongoing monitoring of those controls for so long a B is an affiliate or authorised representative sponsored by A.
• A will be required to provide a regular certification to the regulator about the affiliates or authorised representatives (like B) that are sponsored by it, and A will be subject to additional liability under the CDR Regime as a result of providing that certification.[19] In support of this certification function, A must have “a demonstrably mature third-party governance [program] integrated with [its] overall risk management program….This is not simply a point-in-time assessment or attestation, but rather a comprehensive set of preventative, detective and response controls implemented in the initial due diligence, onboarding and duration of the … relationship [between A as sponsor and B as A’s affiliate or authorised representative]”.[20]
• As an ADR (although with an “affiliate accreditation” and not an “unrestricted” accreditation) or an authorised representative of A, B will be subject to the obligations imposed on affiliate ADRs or authorised representatives under the CDR Regime. These include obligations relating to seeking consent, deletion and de-identification of CDR data.[21] A will most likely provide B with the technical infrastructure to comply with these obligations, potentially by means of features that are “white-labelled”, i.e. provided by A but with B’s branding.
• A can sponsor multiple affiliates or authorised representatives, subject to the approval of the regulator of each application for affiliate accreditation or appointment of an authorised representative.
• B must disclose to CDR consumers that B is an affiliate or authorised representative of A.

I have described the above model as “CDR as a Service” because it is loosely analogous to “software as a service”: in the same way that software as a service removes the need for  organisations to install and run applications within their own IT environment, this model enables affiliates or authorised representatives like B to rely on intermediaries like A for a significant portion of the infrastructure that B needs in order to handle CDR data in accordance with the CDR Regime.  It is a loose analogy because B will have obligations in its own right under the CDR Regime, either as an ADR (although with an “affiliate” accreditation and not an “unrestricted” accreditation) or as an authorised representative of A.

Will the “CDR as a Service” Model (or a variant of it) be accepted?  

The CDR as a Service Model, or any variant of it, has not been accepted as of the end of March 2021.  The last six months has been a period of intense regulatory review and lobbying activity as various CDR intermediary models have been considered in detail by the Australian Government.  There is a lot at stake.  What follows are snapshots from publicly available materials that have been released on this topic in the six months from the end of September 2020 up to the end of March 2021.

CDR Expansion Consultation Paper: September 2020 

This Consultation Paper recognised that:[22]

For the consumer benefits of the CDR to be fully realised, it is critical for there to be a broad range of accredited data recipients participating in the system…to achieve the competition and innovation objectives of the regime, and for the CDR to support Australia’s digital economy.  [The Australian Government] wants to support participation from entities that may not be able to meet the requirements for accreditation [at the “unrestricted” level] having regard to the nature of their business or the type of data they seek to access….The three kinds of restricted accreditation in the proposed rules are the limited data restriction, the data enclave restriction and the affiliate restriction.  The proposals seek to lower barriers to entry by reducing some of the upfront and ongoing costs of accreditation as compared to the unrestricted level, while maintaining appropriate information security and consumer protections.

As noted above, the Consultation Paper proposed three kinds of restricted accreditation that would be easier to obtain than the “unrestricted” accreditation:

• Limited data accreditation: This accreditation is for applicants who wish to handle CDR data that has been assessed as lower risk compared to the complete range of data that is in scope and able to be handled by ADRs with an unrestricted accreditation.[23]
• Data enclave restriction: This accreditation is for applicants who will work with higher risk data sets behind the data security firewalls of higher tier accredited parties. Those higher tier accredited parties will be those who have established a “data enclave”.  The applicant who is subject to a data enclave restriction will not be able to access the relevant data outside the enclave or download local copies of the data to another environment.[24]
• Affiliate restriction: This accreditation is for applicants who have a commercial relationship with an ADR with an unrestricted accreditation. That ADR would “sponsor” the applicant into the CDR Regime by certifying that sponsor is satisfied that the applicant meets the accreditation criteria that need to be complied with by an affiliate.[25]  This model is closest to the “CDR as a Service” model outlined above.

Submissions in Response to the CDR Expansion Consultation Paper: October/November 2020

Over 50 Submissions made in response to the CDR Expansion Consultation Paper have been made publicly available by the Australian Competition and Consumer Commission.[26]  Several regulators, banks, prospective intermediaries (sponsors), FinTechs, industry associations and consumer advocates have expressed concern about the complexity of the proposals outlined in the CDR Expansion Consultation Paper.[27]  Prospective sponsors generally endorsed the affiliate restriction (thereby  favouring a form of “CDR as a Service” model).[28]  However, for reasons that are examined later in this article, one prospective sponsor strongly challenged the model under which sponsors would be responsible or liable for the acts or omissions of affiliates sponsored by it in relation to the affiliates’ handling of CDR data.[29]

Public Release of the “CDR Future Directions” Report: December 2020

The following recommendations in the CDR Future Directions Report (CDR Future Directions Report)[30] are relevant to the increase of participation in, and access to, the CDR system by means a “CDR as a Service” mechanism or a variant of it:

• Authorised representatives: “CDR data should be able to be released to a CDR-authorised representative of an accredited data recipient, with the customer’s consent.  The authorised representative should be able to hold a lower tier of accreditation, in light of the principal accredited data recipient providing data access, taking on liability for Consumer Data Right compliance and taking on responsibility for putting in place arrangements to ensure compliance.  The design of arrangements should have close regard to the role of authorised representatives under the Australian financial services licensing regime.”[31]
• Providing data outside the CDR system to regulated parties: “The Consumer Data Right should allow regulated third parties operating outside the Consumer Data Right ecosystem to receive varying levels of data with the consent of the consumer, with reference to the level of regulation of the recipient. This access should include transfers of CDR data or derived data for regulated activities or for regulatory compliance activities at the customer’s direction,”[32]  The regulated third-party receiving data from the accredited data recipient may be the consumer’s:
  • lawyer or financial adviser receiving the consumer’s financial data;
  • accountant receiving the consumer’s accounting data;
  • mortgage broker receiving data feeds to generate analyses and pre-fill forms; or
  • prospective lender (not accredited in the CDR Regime) receiving income and expense verifications.[33]
• Insights for non-accredited persons: “The Consumer Data Right should allow non-accredited third parties operating outside the Consumer Data Right ecosystem to receive, from a [bank] or an accredited data recipient, lower risk insights data derived from CDR data.”[34] This would be to fulfil a particular purpose (sole purpose) mandated by a consumer and could include outcomes of income and expense verification or information confirming cash flows and prior rental history that real estate agents require before renting a property to new tenants.[35]
• Tiering of obligations: “The accreditation criteria should not create an unnecessary barrier to entry by imposing prohibitive costs or otherwise discouraging suitable parties from participating in the Consumer Data Right. A tiered, risk-based accreditation model should be used to minimise costs for prospective participants.”[36]  “The accreditation criteria must set out any minimum level of insurance coverage required by those eligible for lower tiers of accreditation, to provide assurance that losses from data breaches can be recovered.  Allowing lower tiers of accreditation will also provide insurers greater clarity regarding the limitations of various users of the CDR, so insurers can match their coverage to the specific risks faced by an ADR.”[37]  “A detailed segregation or delineation of the roles, responsibilities and protections required for each tier will also provide a clear scope for auditors to address when providing assurance services, such as what levels of information security safeguards are applicable.”[38]
• Aligning similar data safety accreditations; recognising external data safety accreditations: where external data safety accreditations align with Consumer Data Right requirements, these could be recognised in the CDR Regime or at least enable the holders of those external accreditations to go through streamlined CDR accreditation.[39]

What happens next?

I suggest that by no later than two years from now (i.e. by the end of March 2023) Australian FinTechs will have the option of participating in the CDR Regime using the “CDR as a Service” model or a variant of it.

Sponsor’s liability for breaches by its affiliates/authorised representatives

For my bold prediction to be fulfilled, one of the key issues to be addressed is the extent of a Sponsor’s liability for breaches of the rules of the CDR Regime by affiliates or authorised representatives.  Policy makers will need to work with regulators, insurers, the finance industry and consumer advocates to determine the appropriate scope and type of a sponsor’s liability in these circumstances.

In addressing the issue as to the liability of sponsors, special rules will most likely need to be made for accounting and business platforms that provide services to businesses as well as accountants and bookkeepers.  One major platform contends that once banking data is connected to the general accounting ledger in its system, the data should be considered to be “materially enhanced data” that should therefore no longer be treated as CDR data under the designation relating to the banking sector.[40]  Another major platform has expressed concern that data connected to the general accounting ledger may be derived data that is within the CDR Regime despite the fact that the Ministerial designation applies to the banking sector and not the accounting sector.[41]  It adds that it is a “digital service provider” which complies with the Australian Taxation Office Security Standard for Add-on Marketplaces (SSAM).  It contends that it is not reasonable for digital service providers like it to bear ultimate responsibility for the compliance of its affiliates in the manner that was suggested in the CDR Expansion Consultation Paper.  One reason for this is that the platform operates in an ecosystem that is subject to the SSAM.

To the extent that accounting and business platforms dispense with direct bank feeds and become ADRs under the CDR regime, it may be possible for them to be subject to different liability rules in reliance on their affiliates/authorised representatives being accredited under the SSAM. This would be consistent with the recommendation in the CDR Future Directions Report about the recognition of external data safety accreditations.[42]

The difference of approach between prospective intermediaries whose business models involve taking responsibility for their affiliates/authorised representatives[43] and the business and accounting platforms which are resisting taking on liability in this way may be explicable on account of the different contexts in which those two groups operate.  I understand that, outside the CDR Regime, the major business and accounting platforms typically obtain Australian bank data by way of direct bank feeds under bilateral arrangements with banks; i.e. screen scraping accounts for only a small proportion of the bank data that is pulled into those platforms.  Further, the platforms often provide their services in a regulated SSAM environment. In contrast, intermediaries which manage ecosystems outside the CDR Regime containing bank data collected via screen scraping may have a relatively higher incentive to police the data security of their ecosystems (including their affiliates’ data security) given that screen scraping continues to dwell in an uncertain space from a legal perspective.[44]

Screen scraping

The Australian Securities & Investments Commission’s second consultation paper on amendments to the ePayments Code is due to be released shortly.  It is not clear if that paper will recommend any changes to the risk allocation between a Code subscriber and its customers for unauthorised transactions where the customer has voluntarily disclosed their login details to a FinTech or an intermediary in a screen scraping process.  Several FinTech submissions to the Bragg Committee suggested that the ePayments Code should be amended to specifically allow for screen scraping practices; consumer advocates strongly disagreed with that suggestion.[45]  The Bragg Committee’s interim recommendation was that “an outright ban on screen scraping is not prudent at the present time, …in many cases these practices are enabling companies to innovate and provide competition in the financial services sector. This situation should continue to be monitored, however, as Open Banking is rolled out.”[46]  In the specific context of payment initiation only (as opposed to “read only” access or other types of action initiation) the CDR Future Directions Report recommended the eventual prohibition of screen scraping once CDR payment initiation is fully implemented as a viable alternative.[47]

The CDR Regime is in its infancy.  As of 6 April 2021, only nine data recipients have been accredited, and only three of those nine are active.  Over time, some participants will rely solely on the CDR Regime and others will rely solely on other data capture methods like screen scraping and direct bank feeds. Others will use the CDR and other data capture methods concurrently.  This is recognised in the ACCC’s Guidance on Screen Scraping released on 26 March 2021[48] which notes that some ADRs may obtain data through both CDR and non-CDR mechanisms.  As a result, the guidance states that ADRs need to design their consent flows carefully to ensure that they comply with the CDR Regime and do not mislead consumers.  The ACCC’s examples of ADR conduct that would be problematic include the following:

• Bundling CDR consents with screen scraping consents.
• Implying that data will be collected through the CDR when screen scraping is actually being used.
• Implying that data collected via screen scraping is subject to the same protection as CDR data.

Conclusion

Enabling FinTechs’ cost effective access to the CDR Regime, in conjunction with the continued availability of other  data capture options, in a legal and IT environment that appropriately takes account of consumers’ safety, privacy and confidentiality, will do much to promote a vigorous and innovative FinTech industry in Australia.  I believe this will happen within the next two years.

[1] Competition and Consumer Act 2010 (Cth), Part IVD and the Competition and Consumer (Consumer Data Right) Rules 2020.

[2] Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019. 

[3] See the Australian Competition and Consumer Commission (ACCC) CDR project overview at https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0, accessed on 28 March 2021.

[4] See D Kreltszheim, “Closing the Deal on Open Banking” (2018) 34 Australian Banking & Finance Law Bulletin 28.  Also see A Flannery, “Australia’s Consumer Data Right is Now a Reality: Implementation in the Financial Sector” (2019) 35 Australian Banking & Finance Law Bulletin 123.

[5] FinTech is “the technology and innovation that aims to compete with traditional financial methods in the delivery of financial services. It is an emerging industry that uses technology to improve activities in finance… Financial technology companies consist of both startups and established financial institutions and technology companies trying to replace or enhance the usage of financial services provided by existing financial companies”: see: https://en.wikipedia.org/wiki/Financial_technology , viewed on 28 March 2021.

[6] See FinTech Australia, “Submission to the ACCC: CDR Participation of Third Party Service Providers” (January 2020) at p. 6, available at https://www.accc.gov.au/system/files/CDR%20Rules%20-%20Intermediaries%20consultation%20submission%20-%20Fintech%20Australia%20REDACT.pdf (viewed on 28 March 2021); also see Illion (formerly Dun & Bradstreet), “Submission to the ACCC Consultation of the CDR Rules Expansion Amendments” (24 October 2020) at p 2, available at https://www.accc.gov.au/system/files/illion%20%2826%20October%202020%29.pdf (viewed on 28 March 2021).

[7] See the Australian Senate, Select Committee on Financial Technology and Regulatory Technology: Interim Report (September 2020) at p. 137.

[8] Ibid, pp. 142-143.

[9] Competition and Consumer (Consumer Data Right) Rules 2020, Schedule 3.

[10] Competition and Consumer (Consumer Data Right) Rules 2020, Part 4, Division 4.3.

[11] Competition and Consumer (Consumer Data Right) Rules 2020, Part 4, Division 4.4.

[12] In this instance, “privacy” extends to the protection of CDR data that is not “personal information”, i.e. CDR data of consumers who are not natural persons, e.g. companies and other artificial legal persons.

[13] Competition and Consumer Act 2010 (Cth), Part IVD, Division 5 (privacy safeguards).

[14] See Australian Government, Consumer Data Right Supplementary Accreditation Guidelines: Information Security (Version 2.0, October 2020), available at https://www.accc.gov.au/system/files/CDR%20-%20Accreditation%20-%20Supplementary%20Accreditation%20Guidelines%20Information%20Security.pdf (viewed on 28 March 2021).

[15] See Australian Government, “Consumer Data Right Rules Expansion Amendments Consultation Paper” (September 2020), available at https://www.accc.gov.au/system/files/CDR%20rules%20expansion%20amendments%20-%20consultation%20paper%20-%2030%20September%202020.pdf (viewed on 28 March 2021).

[16] See True Layer, “Consultation on Consumer Data Right Rules Updates per September 2020” (October 2020), at p 11, available at https://www.accc.gov.au/system/files/TrueLayer%20%2829%20October%202020%29.pdf (viewed on 28 March 2021); Envestnet Yodlee, “Response to the ACCC Draft Rules that Allow for Accredited Collecting Third Parties (Intermediaries) to Participate in the Consumer Data Right” at pp 1-2, available at https://www.accc.gov.au/system/files/Envestnet%20Yodlee%20%2829%20October%202020%29.pdf (viewed on 28 March 2021).

[17] See text associated with nn 30 to 39 below.

[18] Contra True Layer, above n 16, suggesting that the affiliate (B) should not need to be accredited in its own right.

[19] The CDR Expansion Consultation Paper, at p.16, suggests that there be an annual attestation by the sponsor A that its affiliate B continues to meet the accreditation criteria, including evidence of an annual self-assessment and attestation statement by B regarding its continued compliance with Schedule 2 of the Competition and Consumer (Consumer Data Right) Rules 2020.

[20] See Envestnet Yodlee, above n 16, at p. 4.

[21] See CDR Expansion Consultation Paper, above n 15, at p. 15.

[22] CDR Expansion Consultation Paper, above n 15, at p. 9.  Emphasis added.

[23] CDR Expansion Consultation Paper, above n 15, at pp. 11-12.

[24] CDR Expansion Consultation Paper, above n 15, at pp. 13-15.

[25] CDR Expansion Consultation Paper, above n 15, at pp. 15-17.

[26] See  https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0/consultation-on-proposed-changes-to-the-consumer-data-right-rules (Viewed on 28 March 2021).

[27] See Office of the Australian Information Commissioner, “OAIC Submission to the CDR Rules Expansion Amendment Consultation” (29 October 2020), at p 3; Office of the Victorian Information Commissioner, “Submission in Response to the Consultation Paper on CDR Rules Expansion” (29 October 2020); FinTech Australia, Submission to the ACCC; Consumer Data Right – Consultation on Proposed Changes to the CDR Rules (November 2020), at p. 5; Australian Banking Association, “ACCC Consultation on Proposed Changes to the CDR Rules” (29 October 2020) pp 1, 4.  All these submissions are available at the url specified in n 26.

[28] See the True Layer and Envestnet Yodlee submissions, above n 16.

[29] See Xero, “Consultation on Proposed Changes to the CDR Rules” (5 November 2020) pp 3-4, available at https://www.accc.gov.au/system/files/Xero%20%285%20November%202020%29.pdf (viewed on 28 March 2021).

[30] See Australian Government, Future Directions for the Consumer Data Right (October 2020, publicly released on 23 December 2020).

[31] See CDR Future Directions Report, above n 30, at p 109 (Recommendation 6.4).

[32] See CDR Future Directions Report, above n 30, Select Committee on Financial Technology and Regulatory Technology: Interim Report, above n 7,, at p 112 (Recommendation 6.6).

[33] See CDR Future Directions Report, above n 30, at pp. 110-112.

[34] See CDR Future Directions Report, above n 30, at pp. 112-113 (Recommendation 6.8).

[35] Ibid.

[36] CDR Future Directions Report, above n 30, at p 119 (Recommendation 6.12).

[37] Ibid.

[38] Ibid.

[39] CDR Future Directions Report, above n 30, at pp. 194-195 (Recommendations 8.6 and 8.7).

[40]  See MYOB, “Submission to Senate Select Committee on Financial Technology and Regulatory Technology” (December 2020), at p. 7.  The Ministerial designation is set out in the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019. Sections 5(1)(b) and 9 of that designation exclude “materially enhanced information” from the ambit of the data that is covered by that designation.

[41] See Xero, above n 29, at pp. 1-2.

[42] See n 39 above and the associated text.

[43] See the submissions referenced at n 16 above.

[44] See D Kreltszheim, above n 4 at p. 30.

[45] See Select Committee on Financial Technology and Regulatory Technology: Interim Report, above n 7, at pp. 149-150.

[46] See Select Committee on Financial Technology and Regulatory Technology: Interim Report, above n 7, at p. 220.

[47] See CDR Future Directions Report, above n 30, at p. 97.

[48] See ACCC Guidance on Screen Scraping (26 March 2021), available at https://cdr-support.zendesk.com/hc/en-us/articles/900005316646-Guidance-on-screen-scraping (viewed on 28 March 2021).

Queries

For further information please contact the author or any member of our Fintech, Privacy & Emerging Technologies team.

Disclaimer

This information and the contents of this publication, current as at the date of publication, is general in nature to offer assistance to Cornwalls’ clients, prospective clients and stakeholders, and is for reference purposes only. It does not constitute legal or financial advice. If you are concerned about any topic covered, we recommend that you seek your own specific legal and financial advice before taking any action.