The path to becoming an Accredited Data Recipient

Technology Insights

As a potential Accredited Data Recipient (ADR) for Open Banking and Open Energy, the path to achieving Consumer Data Right accreditation may appear complex and time consuming to navigate.  

The Treasury’s Consumer Data Right newsletter spoke to Darren Booth, National Head of Cyber Security and Privacy Risk Services at RSM, to break down the information security requirements.

The Treasury’s Consumer Data Right newsletter spoke to Darren Booth, National Head of Cyber Security and Privacy Risk Services at RSM, to break down the information security requirements.

Tell us about RSM Australia – what is your role in the CDR accreditation process? 

RSM Australia is a leading provider of audit, tax and consulting services to entrepreneurial growth-focused organisations.

Our main role in CDR is to provide the information security independent audit report (ASAE 3150 or SOC 2) for an unrestricted ADR application.

We have completed CDR information security assurance reports for over 50% of the current FinTech ADRs, including Frollo, Intuit, Adatree, Finder, Basiq, Zepto and TrueLayer. With Rules v3, we will also now be providing assurance that affiliates or representative agents comply with the CDR information security requirements.

We have heard industry feedback that accreditation to become a data recipient can be daunting – can you talk us through your thoughts on this?

I like to split accreditation into two components - compliance with the Rules and then the actual accreditation submission.

Regardless of the participation model, any organisation interacting with CDR data needs to comply with the Rules. This is the main pain point that we have seen for ADRs and doesn’t change under Rules v3. The information security requirements are aligned to many of the other frameworks in existence (CPS 234, Australian Government Essential Eight, ISO 27001, PCI DSS and SOC 2). Whilst they may be new for a FinTech to comply with, they are standard information security controls.

The difficulty comes in determining the scope of the people, processes and technologies that the controls need to apply to. There is very little guidance in CDR materials for this, which is why the ADR applicant needs to engage experienced auditors and advisors.

We usually find that the first few discussions we have with an applicant are eye-opening for them. They realise which systems are in scope for their use case because they interact with derived data or don’t meet the deidentification threshold. 

The accreditation submission itself is quite straightforward, although it would be great if the submission assessment was faster. The other thing to remember is that getting accredited isn’t the end goal, that is to become ‘active’.Consumer Data Right & Accredited Data Recipients

What are some of the most common use cases you see offered by applicants? 

Due to the restrictions around derived data, prior to Rules v3 the only viable use cases were around presenting CDR data to the consumer.

It was difficult for the ADR to build any system logic or actions using CDR data as it resulted in derived data.

For example, a lot of applicants wanted to validate bank accounts and account balances to facilitate valid payments. But once CDR data was used to validate the account/balance it was derived data and was going to require all downstream participants in the payment process, including the banks, to be accredited. The exciting thing about Rules v3 is the ability to share CDR data with Trusted Advisors and share some insights with any person, which opens up quite a few use cases. 

What sets CDR apart from alternative data portability frameworks, both within Australia (e.g., screen-scraping) and in an international context (e.g., PSD2)?

I love the economy-wide approach to CDR. It’s the key thing that sets CDR apart from other data portability frameworks and will open up so many new use cases when data from multiple sectors can be combined.

Once Action Initiation is realised that will be the real game changer. Some of those use cases can’t even be considered today. But the restrictions around derived data may hold back innovation and competition, so it will be interesting to see how they evolve. Consent exists in different formats in different frameworks but few, if any, have the framework applying to all derived data.

How can RSM help?

If you’d like to discuss the options available for becoming an Accredited Data Recipient, please contact Darren Booth.


Darren Booth
National Head of Cyber Security and Privacy Risk Services

Subscribe to Risk Insider to stay up to date with the latest in Technology, Fraud and Security.