The definitive guide to CDR access

The model that works best for your business will depend on your use cases, current and future. How strategic is Open Banking and Open Data to your business, and your partners or subsidiaries?

Whilst we’ve listed the most relevant models for six business types as a starting point, none of these are a straitjacket and other options - or combinations - could potentially be better suited for your organisation.

• Banks: As an ADI you can complete a streamlined application form to become an unrestricted ADR. This gives you the flexibility to use CDR data for multiple use cases and share CDR insights outside CDR. You can also have Affiliates and Representatives. You can decide to collect CDR data yourself, or work with a partner like Frollo for collection, enrichment and use cases.
• Lenders: The unrestricted ADR model provides access to the data you need and your subsidiaries can become Representatives. unrestricted ADR An alternative is the affiliate model, which has a lower cost and compliance burden for you, some of which is carried by your Sponsor.
• Fintechs: For verification of specific insights like identity, account balance, credits to or debits from the consumer’s accounts, you might not need accreditation in the CDR insights model. Instead you can work with a partner like Frollo for collection, enrichment and obtaining the required insight. If your use case requires broader access to CDR data you could look at becoming an Affiliate or Representative, sponsored by an unrestricted ADR like Frollo to lower your compliance burden and accreditation cost.
• Trusted advisers: The Trusted adviser model is meant for financial advisors, mortgage brokers, financial counselling agencies, accountants, registered tax agents, BAS agents, tax advisers and persons who are admitted to the legal profession. If you belong to any of these professions, you  
  could get access to CDR data from an ADR like Frollo without the need for accreditation yourself. You can use this data to streamline your customer onboarding and fact finding, or to provide ongoing services and deliver more value for your customers.
• Solution providers: Collecting and using CDR data to provide services to an ADR doesn’t require you to get accredited, as you’ll be classified as a (Collecting) Outsourced Service Provider. You will still need to comply with all the Rules and your client will have to ensure you’re compliant - facing significant civil penalties if you’re not. So, in most cases your best bet is to become an unrestricted ADR.
• Others: Access to CDR data isn’t limited to financial institutions. Anyone can potentially use CDR data to deliver value for their customers. The best model for your organisation depends on your current and future use cases. You may be able to access ongoing CDR insights without accreditation, or get accredited as an Affiliate to get full access to CDR data.

Next steps

Find out your next steps for each of the CDR models below.

Unrestricted ADR

To become an unrestricted ADR you will need proven, compliant CDR technology and get fully accredited. Your best place to start is to talk to partners who can help you with both the technology and accreditation. As the most experienced CDR auditor, RSM Australia can help you with the accreditation process and provide the information security audit report.

Representative 

A Representative needs a Principal who is fully liable for them and is an unrestricted ADR like Frollo.

Trusted adviser

As a Trusted adviser you don’t need to get accredited. If you want to offer your customers the option to use Open Banking data to streamline their onboarding, you need a partner that provides access to the data and insights you need. This could be one of your existing technology providers, or an intermediary like Frollo with Personal Finance Management and lending solutions.

Affiliate

Becoming accredited at the Affiliate level requires a self assessment and attestation with all the requirements in the Rules. RSM Australia can provide you with assurance on compliance with the rules, to enable you to accurately complete the self-assessment and attestation. 

You also need a Sponsor (intermediary), who's an unrestricted ADR like Frollo.

COSP

An unrestricted ADR can include you in the scope of their accreditation and will be fully responsible for your actions and compliance.

You still need to comply with the security controls and data safeguards.

CDR insights

If your use case falls within the CDR insights model, you won’t need accreditation. You will need to partner with an ADR like Frollo, who’s able to collect the data and provide the insights.

Your partners

It’s important to pick the right model, the right technology and the right partners. Frollo and RSM Australia and can help you get started. Get in touch to discuss the possibilities.

The unrestricted ADR provides what it says, unrestricted access to CDR data aligned with your use case and the consent provided by the consumer. An unrestricted ADR can also sponsor other organisations for accreditation as affiliates, or take on representative agents.

Who's this for?

The unrestricted ADR is for anyone, however, they need to be prepared to apply for the full accreditation with the ACCC. If you want to be able to have affiliates or representative agents, then you must become an unrestricted ADR. It also opens up the options on how to collect your CDR data.

The current ADRs (as at October 2021) are all unrestricted. Intermediaries will likely all be unrestricted ADRs to enable them to have affiliates or representative agents. It also works well if there is one entity within a group that is unrestricted, as they can then take on other entities within the group as affiliates or representative agents.

Requirements

• The unrestricted ADR will need to obtain an independent assurance report (ASAE 3150 or SOC 2), from an auditor like RSM Australia, on their compliance with the information security requirements in Schedule 2 Part 1 and Part 2
• The unrestricted ADR needs to comply with all other requirements of the accreditation process, CDR Policy, Fit & Proper, Insurance and Dispute Resolution
• Once accredited, the unrestricted ADR needs to be onboarded and pass the conformance test suite to become ‘active’ with live consumers. You will need proven, compliant CDR technology
• Once accredited, the unrestricted ADR needs to annually attest that they comply with the Rules and obtain an independent assurance report, from an auditor like RSM Australia, on their compliance with the information security requirements every 2 years for the preceding 12 months

The definitive guide to CDR access

We expect to continue to see a number of organisations obtain the unrestricted ADR, even with the sponsorship and representative models being available. 

To become an unrestricted ADR you will need proven, compliant CDR technology and get fully accredited. Your best place to start is to talk to partners who can help you with both the technology and accreditation. You can decide to collect CDR data yourself, or work with a partner like Frollo for collection, enrichment and use cases.

As the most experienced CDR auditor, RSM Australia can help you with the accreditation process and provide the information security assurance report.

In the Sponsorship model an unrestricted ADR sponsors an Affiliate, reducing the compliance burden and cost for the Affiliate to become accredited.

Who's this for?

The main purpose of the Sponsorship model is to lower barriers and cost to accreditation, without limiting the use of CDR data. The Sponsorship arrangement does still require the Affiliate to comply with all of the requirements 
in the Rules, so the investment can still be significant.

This model is most relevant for businesses with broader or ongoing use cases such as account aggregation, financial planning or regular financial check-ups. For example fintechs.

Requirements

• The Affiliate will need to provide a self-assessment and attestation of compliance with all the requirements in the Rules, in particular those related to information security in Schedule 2 Part 1 and Part 2. Working with an experienced advisor like RSM Australia will make this more efficient and increase your comfort that you will comply with the Rules.
• The Affiliate needs to comply with all other requirements of the accreditation process, CDR Policy, Fit & Proper, Insurance and Dispute Resolution
• The Affiliate needs both a sponsored accreditation and a sponsored arrangement to collect CDR data
• The Affiliate can apply for and get accredited prior to entering into a sponsored arrangement
• The Rules, consent, privacy safeguards etc. still apply to the Affiliate
• Before an Affiliate can use the services of their Sponsor, a contract is required that sets out the obligations of the Sponsor and the Affiliate
• The Affiliate must allow access to their operations that the sponsor needs
• Sponsors have an obligation to implement a third party management framework, which includes due diligence over the affiliate, assistance or training in technical and compliance matters, to ensure the Affiliate complies with the Rules.
• The Sponsor has to provide details of the arrangement to the ACCC and include the details of the Affiliates in their CDR Policy

Restrictions

• An Affiliate can’t enter into an Outsourced Service Provider (OSP) arrangement to collect data, but can disclose the collected data to an OSP for other services like enrichment or analysis
• An Affiliate can’t have Representatives

Our take on the Sponsorship model

Although the Sponsorship model reduces the compliance burden and cost for Affiliates by shifting most of this to the Sponsor, it remains to be seen how 
effective this model will be.

For example, security controls and data safeguards still apply for the Affiliate. And although an external audit for accreditation isn’t required, the Sponsor needs to obtain assurance that the Affiliate complies with the information security requirements. This will require some sort of assessment to be performed. All the other accreditation requirements like dispute resolution and adequate insurance also still apply to the Affiliate and need to be provided to the ACCC to become accredited.

The responsibilities shifted onto the Sponsor from both the Affiliate and the ACCC will lead to increased cost, which will be shared between the Affiliate and Sponsor based on a commercial arrangement.

The responsibility and liability for Affiliate’s use and disclosure of data they receive, lies with the Affiliate.

The Representative model allows a business to use CDR data without being accredited, as a Representative of an unrestricted ADR, also referred to as the Principal in this arrangement. The Principal collects the CDR data and discloses it to the Representative, who can use it to offer either their own or the Principal’s services. The Principal is liable for the Representative.

Who's this for?

Due to the civil penalties involved for the unrestricted ADR, it is likely that this model will only be relevant for larger banks that already have a liability for their agents or for related entity subsidiaries of an unrestricted ADR.

Another way this could work is through a ‘whitelabel’ or ‘data enclave’ model, where the unrestricted ADR provides access to CDR data and features within its own environment, thereby limiting the risk. End-to-end Open Banking providers like Frollo are well placed to offer services like this, for example through whitelabel PFM apps.

Requirements

• A Representative doesn’t have to be accredited
• A contract is required that sets out how the consumer data request is made and the obligations of both the Principal and the Representative
• The ACCC needs to be notified of any new or proposed arrangements within 30 days of entering an agreement
• The Principal must include details of the Representative in their CDR policy
• The Rules, consent, privacy safeguards etc. still apply to the Representative and they must adhere to the Principal’s CDR data policy
• The customer of the Representative must be given the option of using a pseudonym
• The Principal has to keep records of each CDR arrangement along with the steps taken to ensure the Representative complies
• The Principal is responsible for dispute resolution
• The Principal is fully liable for the Representative. Civil penalty is the greatest of: $10,000,000; three times the benefit derived from the contravention; or 10% of annual turnover of the Principal

Restrictions

• The Representative can’t enter into an arrangement with another Principal
• The data cannot be disclosed other than in accordance with the contract

Our take on the Representative model

The Representative model can significantly reduce the cost and compliance burden for Representatives when they’re agents of their Principal.

It does not require an external audit for accreditation, saving some costs. But security controls and data safeguards still apply.

To take on the liability for an unrelated entity, we expect representatives to require their agents to provide assurance that they comply with the Rules (although this is not a requirement in the Rules).

End-to-end Open Banking providers like Frollo could use this model with their customers as Representatives, potentially through data enclaves or whitelabelled solutions.

This model will permit an unaccredited intermediary to collect data from Data Holders on behalf of an ADR. These are called Collecting Outsourced Service Providers (COSP’s).

Hence, under these rules any OSP, whether accredited or not, can collect CDR data on behalf of an ADR and use that data to provide goods and services to the ADR.

The ADR is fully responsible for the actions and compliance of the COSP, and the COSP needs to comply with the security control, data safeguards and Data Standards.

Who's this for?

The model is most relevant for organisations who have a subsidiary that provides IT services. In this example the subsidiary could be the COSP and provide the intermediary services whilst remaining unaccredited.

For ADI’s, the COSP is not in scope for their accreditation audit when applying to become an unrestricted ADR. However, for non-ADI’s,

Our take on the COSP model

This model allows ADRs to make a choice between working with accredited or unaccredited OSPs for collecting CDR data.

Given that for non-ADIs the collecting OSP will need to be included in the audit, these ADRs would be better off using an accredited intermediary.

The Trusted adviser model allows consumers to consent to an ADR disclosing their CDR data outside the CDR system, with professionals that are sufficiently regulated to receive this data.

Who's this for?

Trusted advisers are persons that belong to a profession on the list below:

• Financial advisers
• Financial counselling agencies
• Mortgage brokers
• Registered tax agents, BAS agents and tax advisers
• Accountants
• Persons who are admitted to the legal profession

Requirements

• Disclosure of data can only occur with a consumer’s consent. Specifically a Trusted adviser disclosure consent is required to disclose CDR data to a nominated Trusted adviser
• This disclosure must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn
• Any ADR can invite a CDR consumer to nominate one or more Trusted advisers
• The ADR has to confirm the Trusted adviser is a member of an approved class, by either checking relevant registers or seeking confirmation
• When disclosing the CDR data, it must be encrypted during transit
• The ADR must show in their CDR dashboard what data is disclosed, who it’s disclosed with and when it was disclosed
• The ADR is required to maintain records explaining the disclosures of CDR data, the Trusted advisers to whom CDR data was disclosed and the steps taken to confirm that a Trusted adviser is a member of an approved class
• The ADR must report on the number of consents it received from CDR customers and for each category (class) of Trusted advisers, and the number of Trusted advisers to whom the CDR data was disclosed

Restrictions

• The ADR can’t make the nomination of a Trusted adviser or the giving of a Trusted adviser disclosure consent a condition for the supply of goods and services requested by the CDR consumer

Our take on the Trusted advisor model

Given the proposed Rules do not require the Trusted adviser to meet any of the requirements in the CDR Rules, any Trusted adviser could use CDR data freely without any additional costs to comply. This will significantly open up the use of CDR data by Trusted advisers.

The challenge is for ADRs to find an efficient way to validate that the Trusted adviser is a member of an approved class, potentially requiring a digital identity solution to be implemented to also verify that the Trusted adviser is who they say they are.

The CDR insights model allows consumers to consent to insights being shared outside the CDR ecosystem for a range of prescribed purposes that are considered low risk.

Consumers can consent to the ADR to provide insights to any person, provided it is for a purpose specified in the Rules.

These purposes are:

• To verify the consumer’s identity
• To verify the consumer's account balance
• To verify the details of credits to or debits from the consumer’s accounts

For these purposes, ‘verify’ means to confirm, deny or provide some simple information about the consumer’s identity, account balance, credits or debits based on their CDR data.

Examples of insights include Yes and No answers, account balances at a point in time, if a direct debit will fail, average income over a specified period.

Who's this for?

The CDR insights model lowers the barriers to use CDR data for businesses with a very limited use case, that often doesn’t justify significant investments in accreditation and technology.

Any business could use CDR insights to verify customer identities, account balances or income. They don’t have to be in the financial domain. For example energy companies, telco’s or other organisations that need to verify personal or financial information.

Requirements

• An insight disclosure consent is required to disclose the data to a specified person
• The ADR must explain the insight to the consumer
• The ADR is responsible for ensuring that the CDR insights they disclose align with the purpose consented to by the consumer
• The ADR must keep records of CDR insights, including a copy of each insight itself and when and to whom it was disclosed
• The insight is not required to be included on the ADRs consumer dashboard, but the dashboard must notify consumers that they are entitled to request further records and information about how to make such a request
• Insight disclosures are part of ACCC periodic reporting for ADRs

Restrictions

• ADRs are required to limit insights to only what is necessary to meet the consumers request
• ADRs are not permitted to disclose the CDR insight if it includes or reveals sensitive information within the meaning of the Privacy Act 1988

Our take on the CDR insights model

The insights model has the potential to open up many more use cases for CDR. In particular, any use case that requires insights using the three purposes will now be enabled for non-accredited organisations.

Frollo is a purpose driven fintech on a quest to help people feel good about money. We help businesses use Open Banking to deliver better customer outcomes. From reducing debt and increasing savings, to getting a better deal on their finances.

As the first Open Banking intermediary and the first to go live with CDR in July 2020, Frollo is a leader in Open Banking technology for Data Recipients. The Frollo CDR Gateway is a resilient, reliable and flexible platform, responsible for 95% of all Data Recipient activity to date (16 Million+ API calls).

Trusted by clients like ANZ, P&N Group and REA Group, the CDR Gateway enables businesses to collect and use Open Banking data within their customer experience.

Our modular Open Banking platform consists of three layers:

• Collect - Takes care of the end to end process of CDR data collection and consent management on your behalf
• Enrich - Our AI powered Data Enrichment engine categorises transactions, classifies merchants and identifies regular payments
• Experience - Integrated Personal Finance Management tools and Financial Passport help you deliver personalised and streamlined experiences to your customers

Learn how Frollo can help you get started with Open Banking on frollo.com.au or get in touch on [email protected]

RSM Australia is a leading provider of audit, tax, and consulting services for entrepreneurial growth-focused organisations, with over 1,200 staff delivering highly personalised services out of 30 offices throughout Australia.

RSM Australia provides Consumer Data Right (CDR) information security accreditation assurance and advisory services. We are the most experienced CDR auditor having provided CDR assurance reports for over 50% of the FinTech ADRs. Our CDR services include:

• Access to our free CDR Information Security Accreditation Toolkit with examples from successful accreditations
• ADR application advisory support based on seeing what has been accepted and not accepted for accreditation
• CDR Security by Design & Gap Assessment, to ensure the scope of the CDR data environment boundary is accurate and you understand the information security requirements
• CDR Pre-audit/Readiness Assessment to determine whether you are ready for accreditation
• Independent reasonable assurance audit report (ASAE 3150 or SOC 2) for the unrestricted ADR application
• Facilitated information security self assessment to enable an affiliate to make an accurate attestation for affiliate accreditation
• Assurance to a sponsor or principal that an affiliate or representative agent complies with the CDR information security requirements
• CREST accredited Penetration Testing as per CDR Schedule 2 Part 2 - Vulnerability Management
• CDR Control Assessment Program or ISO 27001 Lead Auditor internal audit