Consumer Data Right Options

Technology Insights

As the CDR ecosystem expands, organisations are asking what models are available to access the Consumer Data Right (CDR) Open Banking data. A summary of options available for product owners is outlined below.

Accredited Data Recipient (ADR)

Standard approach to CDR Rules and accreditation, with the ADR enabling consumers to access Open Banking Data.

Outsourced Service Provider (OSP)

The OSP information security controls will be assessed as part of the ADR’s accreditation (carve-in approach to the ASAE 3150 information security assurance report).

  • consumer data rightSchedule 2 to the rules sets out detailed steps for privacy safeguard 12. These steps are also relevant to persons who receive CDR data under a CDR outsourcing arrangement.
  • An accredited person must ensure that, if they disclose CDR data to another person under a CDR outsourcing arrangement, the recipient complies with its requirements under the arrangement.
  • The Outsourced Service Provider (recipient) must take the steps in Schedule 2 to protect that CDR data, and any CDR data that it directly or indirectly derives from that CDR data, as if it were an accredited data recipient.
  • The recipient must, when so directed by the discloser, do any of the following:
  1. Return to the discloser CDR data that the discloser disclosed to it
  2. Delete CDR data that it holds in accordance with the CDR data deletion process
  3. Provide, to the discloser, records of any deletions that are required to be made under the CDR data deletion process
  4. Direct any other person to which it has disclosed CDR data, to take corresponding steps.


consumer data rightAccredited persons may utilise SaaS and other software products provided by non-accredited persons, to collect Consumer Data Right data, where the accredited person controls its Secrets Manager component, and does not permit the third party to access its security artefacts. Where the accredited person does not disclose Consumer Data Right data to these unaccredited providers, a Consumer Data Right outsourcing arrangement is also not required.

Combined Accredited Person (CAP)

Draft Rules to enable this accredited intermediary model are currently being considered (potentially approved Nov/Dec 2020).

In the draft Rules currently being considered, a CAP Provider (accredited intermediary) would collect CDR data on behalf of one or more CAP Principals from the data holders. The CAP Principal is the organisation that gains consent from consumers to access their CDR data. In this model, both the CAP Provider and CAP Principal need to be ADRs, and the CAP Provider needs to ensure data segregation so that a CAP Principal can only access their consented data.


If you would like to discuss the options available, and the impact on your CDR application to become an Accredited Data Recipient, please contact Darren Booth.


Want to read more about your Consumer Data Right (CDR) information security accreditation at RSM?

Click here to


Darren Booth
National Head of Cyber Security and Privacy Risk Services

Subscribe to Risk Insider to stay up to date with the latest in Technology, Fraud and Security.