Obtaining assurance on the security of your CDR data environment

With CDR going live on 1 July 2020, Accredited Data Recipient (ADR) applicants must demonstrate the security effectiveness of their people, processes and technology. The key is to demonstrate security, whilst minimising the cost.

Does your organisation know:

  • The scope of the CDR data environment?
  • What security controls are needed?
  • What’s involved in obtaining an independent assurance report?
  • How long will the process take?
  • What are the ongoing requirements?
  • If there is more to CDR assurance than just compliance?
Your practical guide to being an accredited data recipient

The seven stages to being accredited and active in the CDR

ADR Practical Guide

RSM Australia, Adatree, Trend Micro, DNX Solutions & Fintech Australia present a detailed guide to being an ADR efficiently, from use case to active status.

Accelerating your journey to receiving CDR data and bringing Open Banking to life in your business is outlined in seven key stages.

Download our comprehensive information guide to navigate the Data Recipient path.

Download our eBook based on hands-on experience through the journey from use case to active status


Consumer Data Right (CDR) information security accreditation

What security controls are needed?

The CDR Rules require an organisation applying to become an ADR to meet minimum requirements for protecting CDR data from two broad types of risk: (a) misuse, interference, and loss, and (b) unauthorised access, modification, or disclosure. The CDR Rules outline the controls required to manage these risks in Schedule 2 Part 1 (security governance) and Schedule 2 Part 2 (minimum control requirements).

The CDR Rules also require an applicant to document their CDR data environment (the people, processes and technology) in a comprehensive system description.

Options for reducing the scope of your CDR data environment include network segmentation, tokenisation, de-identification, anonymisation and pseudonymisation. This process can be complex, expensive and reduce the effectiveness of your business case for accreditation, so they need to be carefully considered.

What is required when applying for accreditation?

To become an ADR, an organisation needs to demonstrate that they have effectively designed security controls and implemented those controls as designed. For a nonauthorised deposit-taking institution (non-ADI), this requires a “Type I” reasonable assurance report in accordance with the Standard on Assurance Engagements ASAE 3150 – Assurance Engagements on Controls, or accepted comparable standards, as identified by the ACCC in the ‘CDR - Supplementary accreditation guidelines information security’.


A Type I provides assurance on the design and implementation of controls at a date or point in time.

In Australia, these reports can only be prepared by an independent registered auditing firm (CAANZ or CPA) and only a suitably experienced, qualified and independent individual can sign the report as the lead information security assurance practitioner.

RSM has already completed the CDR information security assurance reports for two FinTech companies applying to become ADRs in Australia.

Key contact

Darren Booth - National Head of Cyber Security and Privacy Risk Services in Melbourne

Darren Booth

National Head of Cyber Security and Privacy Risk Services

T: +61 3 9286 8158

E: [email protected]

View profile

Darren has delivered security and privacy assessments across multiple countries for large multinational corporations, and locally for Australian based organisations in both the public and private sectors across all industries.

Contact our CDR specialists

The CDR information security accreditation process is complex.

If you want to discuss your accreditation with one of our experienced team members, please get in touch.

Lead Generation - CDR data environment