Consumer Data Right (CDR) Insights

Technology Insights

The Consumer Data Right (CDR) insights model enables Open Banking (and in the future Open Energy, Open Telecoms, and Open Finance) consumers to consent for an accredited party to share low-risk identifiable CDR data outside of the protection of the CDR Rules.

For the purposes of this document, an accredited party means an Unrestricted ADR, an Affiliate ADR or a Representative Agent (noting that a Representative Agent is not itself accredited, but acts as an agent of an Unrestricted ADR).

This enables consumers to consent to share low-risk identifiable CDR data (or data derived from CDR data) with non-accredited parties in order to receive a good or service. The accredited party can only obtain consent to share the insights outlined in the CDR Rules. Requesting any other CDR data to be shared is a breach of the Rules.


EXAMPLES OF A CDR INSIGHT

The specified purposes for which an insight disclosure consent could be given are:

  • to verify the consumer’s identity (CDR insights could be used as supporting information about a consumer’s identity, but they would not necessarily substitute for formal proof of identity requirements such as proving someone is of age to buy alcohol, identification elements needed to set up a bank account, or instances where a particular identity proofing standard is required);
  • to verify the consumer’s account balance; or
  • to verify the details of credits to or debits from the consumer’s accounts, but where the CDR data relates to more than one transaction—does not authorise the accredited data recipient to disclose an amount or date in relation to any individual transaction.

For these purposes, ‘verify’ refers to confirming, denying or providing some simple information about the consumer’s identity, account balance, credits or debits based on their CDR data.

CDR insights allow consumers (data holders) to securely provide and confirm relevant factual information about themselves, while giving the recipient comfort in its authenticity. Insight examples are low-risk outcomes that relate to a specific purpose, including (per the Explanatory Statement released with Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021): 

  • provide average income/expenses over a period of time;
  • confirm whether a consumer’s account balance is over a certain amount;
  • disclose a consumer’s account balance at a specific point in time;
  • disclose the amount, date, counterparty and a description of a single transaction;
  • disclose the consumer’s average income over a specific period of time;
  • provide a summary of the total amount a consumer spent at a store over a month;
  • provide a summary of the total amount a consumer spent on different categories of goods over a month;
  • confirm whether a consumer has received a transfer of funds from a specific counterparty;
  • notify a merchant whether a direct debit payment will fail;
  • notify when transactions with a particular store exceed a specific amount;
  • confirm whether a consumer made a transaction at a specific store on a specific day;
  • disclose a profit and loss statement (that does not include itemised transactions); or
  • confirm the number of times over the last 6 months that a consumer paid their rent after the due date.

WHAT ARE THE LIMITATIONS WITH SHARING CDR INSIGHTS?

The following would not be permitted to be disclosed as a CDR insight because they are not consistent with the listed verification purposes:

  • disclose a recommendation to a provider about whether the consumer should be eligible for a product or service;
  • disclose a recommendation to a provider about the price a consumer should pay for a product or service; or
  • disclose a consumer ‘score’ or ‘ranking’.

The current list of Insights is focused on Open Banking. No additional Insights have been designated for Open Energy, which is due to go live in November 2022.

The act of sharing the data is subject to information security standards, such as encryption of data in transit, but the receiving organisation is not subject to external accreditation or to the CDR privacy safeguards.

The data minimisation principle in rule 1.8 of the CDR Rules applies to accredited data recipients when disclosing CDR insights. This means that an accredited data recipient must not use or collect a consumer’s data beyond what is reasonably needed to provide the goods or services.

An accredited data recipient (ADR) must not disclose a CDR insight if it includes or reveals sensitive information about a consumer, for example: data sharing payments to a doctor, psychologist or other health service provider; payments/reimbursements made to an individual’s bank account from Medicare; or payments to a political party, union or professional association.
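As an added illustration (not code from RSM, the ACCC or any CDR implementation), the following Python sketch applies the rules above to a constructed sample account: it answers only the permitted verification questions, drops sensitive-category payments before computing anything, refuses per-transaction amounts and dates when more than one transaction is involved, and rejects score or recommendation requests outright. The function name derive_insight, the ACCOUNT record and the category labels are assumptions made for this example.

```python
# Added example; not from the page or any CDR implementation. derive_insight,
# ACCOUNT and the category labels are constructed for illustration.

# Constructed sample account: a balance plus a small ledger; dates are ISO strings.
ACCOUNT = {
    "balance": 1684.50,
    "transactions": [
        {"date": "2022-03-02", "amount": -42.50, "counterparty": "Corner Grocer", "category": "groceries"},
        {"date": "2022-03-09", "amount": -18.00, "counterparty": "Corner Grocer", "category": "groceries"},
        {"date": "2022-03-15", "amount": 1900.00, "counterparty": "Acme Payroll", "category": "salary"},
        {"date": "2022-03-20", "amount": -95.00, "counterparty": "Dr Example", "category": "health"},
        {"date": "2022-03-28", "amount": -60.00, "counterparty": "Example Union", "category": "union"},
    ],
}

# Payment categories the Rules say an insight must never include or reveal.
SENSITIVE_CATEGORIES = {"health", "medicare", "political_party", "union", "professional_association"}

# Requests outside the verification purposes: recommendations and scores.
FORBIDDEN_KINDS = {"eligibility_recommendation", "price_recommendation", "score"}


def derive_insight(kind, account, **params):
    """Return the minimised answer for a permitted insight, or refuse."""
    if kind in FORBIDDEN_KINDS:
        raise PermissionError(f"'{kind}' is not a permitted CDR insight")
    # Sensitive payments are dropped before any transaction-based insight is computed.
    txns = [t for t in account["transactions"] if t["category"] not in SENSITIVE_CATEGORIES]

    if kind == "balance_over":        # confirm/deny only; the balance itself is not disclosed
        return account["balance"] >= params["threshold"]
    if kind == "received_from":       # has any credit arrived from this counterparty?
        return any(t["amount"] > 0 and t["counterparty"] == params["counterparty"] for t in txns)
    if kind == "spent_at_store":      # one monthly total; no per-transaction amounts or dates
        hits = [t for t in txns if t["counterparty"] == params["store"]
                and t["date"].startswith(params["month"]) and t["amount"] < 0]
        return {"store": params["store"], "month": params["month"],
                "total_spent": round(-sum(t["amount"] for t in hits), 2)}
    if kind == "single_transaction":  # amount/date only when exactly one transaction matches
        hits = [t for t in txns if t["counterparty"] == params["counterparty"]
                and t["date"] == params["on"]]
        if len(hits) != 1:
            raise PermissionError("individual amount/date needs exactly one matching transaction")
        return {k: hits[0][k] for k in ("date", "amount", "counterparty")}
    raise ValueError(f"unknown insight kind: {kind}")
```

Because the health payment is filtered out before matching, a request for that single transaction is refused rather than disclosed, and the monthly store total is returned without the two underlying amounts or dates.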

An insight held by an accredited organisation is CDR data and therefore needs to comply with the privacy safeguards. The accredited party generating the insight must retain a copy of the insight and continue to treat it as data derived from CDR data, with the privacy safeguards continuing to apply.

An ADR cannot share an insight with an unaccredited system it owns in order to escape the CDR requirements (and the associated costs and limitations of compliance). Likewise, if the receiving organisation is itself an accredited party, it must treat the insight as data derived from CDR data, so the privacy safeguards continue to apply to the receiving accredited party.

Further information on the limitations on the sharing of Insights with accredited parties can be found here.


CDR INSIGHT DISCLOSURE CONSENT WIREFRAMES

In March 2022, the consent wireframes for sharing CDR data via an insight were released by Data 61. They can be found here.

RSM Australia provides Consumer Data Right (CDR) information security accreditation assurance and advisory services. We are the most experienced CDR auditor and advisor, having provided CDR assurance services to over 60% of the FinTech ADRs. We also support organisations seeking access to CDR data through the Sponsor/Affiliate and Representative Agent models.

Authors

Darren Booth
National Head of Cyber Security and Privacy Risk Services
