Consumer Data Right (CDR) was introduced in response to several government reviews, all with the common need to develop standards for consumers to access and transfer their information in a usable format.

The Australian Government designed and oversees the Consumer Data Right system, to ensure it is safe and secure for consumers, and the Australian Competition and Consumer Commission (ACCC) manages the process.

CDR enables consumers the ability to easily:

• compare products and services;
• access better value and improved services; and
• assist financial and cashflow management.

To date, CDR has been introduced into the banking and energy sectors, where providers of these services must adhere to the rigorous requirements set by the ACCC to become an accredited provider. Accreditation is a complex process, and providers are required to meet certain information security requirements to demonstrate their ability to protect consumer data. 

RSM Australia’s CDR information security accreditation assurance and advisory experience is second to none. We have completed CDR information security audit reports for over 50% of the current Accredited Data Recipients (ADRs), including Frollo, Intuit, Adatree, Finder, Basiq, Zepto and TrueLayer, just to name a few. 

Our CDR services for ADR applicants include:

• Access to our free CDR Information Security Accreditation Toolkit with examples from successful accreditations
• ADR application advisory support based on seeing what has been accepted and not accepted by the ACCC
• CDR Security by Design & Gap Assessment, to ensure the scope of the CDR data environment boundary is correct and you understand the information security requirements
• CDR Pre-audit/Readiness Assessment to determine whether you are ready for accreditation
• Independent reasonable assurance audit report (ASAE 3150 or SOC 2) for the unrestricted ADR application
• Assurance to a sponsor or principal that an affiliate or representative agent complies with the CDR information security requirements
• CREST accredited Penetration Testing as per CDR Schedule 2 Part 2 - Vulnerability Management (optional)
• CDR Control Assessment Program or ISO 27001 Lead Auditor internal audit (where we are not the independent assurance provider)

We have extensive experience in PCI DSS, ISO 27001, AWS, GCP and Azure, with team members holding PCI, ISO 27001, AWS Security Specialty and Azure Security Associate certifications, Certified Information Systems Auditor (CISA) and Certified Data Privacy Solutions Engineer (CDPSE). 

We have already provided assurance over all the complex areas in the CDR Rules, including: 

• Derived data
• De-identification
• Third party providers
• Outsourced service providers
• Intermediaries
• Managed service providers
• Multi-cloud environments
• Complex group structures with multiple legal entities
• Overseas based applicants; and 
• Leveraging of other security frameworks/certifications.

We are confident that our engagement will result in a cheaper total cost for your accreditation due to our knowledge of the Rules, our experience with different technologies and processes that can effectively demonstrate compliance, and our more efficient end-to-end accreditation process.

Are you interested in learning more about CDR? Or perhaps looking for a successful, flexible, and experienced partner to take you on your CDR journey? Reach out to RSM. 
 

KEY CONTACTS