Consumer Data Right


If you are starting your Open Banking or Open Energy journey, then you need to work with experienced and flexible partners.

RSM Australia’s Consumer Data Right (CDR) information security accreditation assurance and advisory experience is second to none. We have completed CDR information security audit reports for over 50% of the current Accredited Data Recipients (ADRs), including Frollo, Intuit, Adatree, Finder, Basiq, Zepto and TrueLayer.


Darren Booth

E: [email protected]
T: +61 3 9286 8158


RSM Australia assists ADR applicants with:

  • Access to our free CDR Information Security Accreditation Toolkit with examples from successful accreditations
  • ADR application advisory support based on seeing what has been accepted and not accepted by the ACCC
  • CDR Security by Design & Gap Assessment, to ensure the scope of the CDR data environment boundary is correct and you understand the information security requirements
  • CDR Pre-audit/Readiness Assessment to determine whether you are ready for accreditation
  • Independent reasonable assurance audit report (ASAE 3150 or SOC 2) for the unrestricted ADR application
  • Assurance to a sponsor or principal that an affiliate or representative agent complies with the CDR information security requirements
  • CREST-accredited Penetration Testing as per CDR Schedule 2 Part 2 - Vulnerability Management (optional)
  • CDR Control Assessment Program or ISO 27001 Lead Auditor internal audit (where we are not the independent assurance provider)

Download our guide to being an accredited data recipient

Information and Data Privacy services

We have extensive experience in PCI DSS, ISO 27001, AWS, GCP and Azure, with team members holding PCI, ISO 27001, AWS Security Specialty and Azure Security Associate certifications, Certified Information Systems Auditor (CISA) and Certified Data Privacy Solutions Engineer (CDPSE).

We have already provided assurance over all the complex areas in the CDR Rules, including: derived data, de-identification, third party providers, outsourced service providers, intermediaries, managed service providers, multi-cloud environments, complex group structures with multiple legal entities, overseas based applicants and leveraging of other security frameworks/certifications.

We are confident that our engagement will result in a lower total cost for your accreditation due to our knowledge of the Rules, our experience with different technologies and processes that can effectively demonstrate compliance, and our more efficient end-to-end accreditation process.

Our team provides an iterative and collaborative audit approach to ensure you obtain timely feedback to remediate control weaknesses and meet your project timelines.

RSM Information and Data Privacy services

Download the definitive guide to Consumer Data Right access models

This guide provides an overview of the new CDR access models and what they mean for businesses who want to use Open Banking data to compete.

Developed by Frollo and RSM Australia, this guide will help you decide which model is right, with an accreditation model cheat sheet.

Download our guide to Consumer Data Right access models


RSM offers Consumer Data Right advice

Risk Insider Newsletter - Edition #11

14 March 2022
We hope that this edition of the Risk Insider finds you well. The current circumstances that we are faced with are unprecedented and devastating. We want to take this opportunity to extend our support to any businesses that have been affected during this time.

Australia’s digital future: Evolving the Consumer Data Right | Webinar Recording

3 March 2022
Darren Booth, National Head of Cyber Security and Privacy Risk Services at RSM, presented at the Committee for Economic De

Consumer Data Right and the Australian Privacy Principles

17 February 2022
Consumer Data Right (CDR) was introduced in 2019 by the Australian Government, with the intention of giving consumers (individuals, companies, business enterprises) the ability to ‘opt in’ and share their data between service providers of their choosing.

Protect the future of your business with security certification

2 December 2021
Cybersecurity is a real risk and one that needs to be considered and managed effectively in order to protect the future of your business. 

Case study: Zepto

8 November 2021
Zepto is a rapidly growing FinTech company on a mission to deliver innovative products that empower merchants to redefine the payment experience through automation, consent, data, and open exchange of information.

The path to becoming an Accredited Data Recipient

20 October 2021
As a potential Accredited Data Recipient (ADR) for Open Banking and Open Energy, the path to achieving Consumer Data Right accreditation may appear complex and time consuming to navigate.  

Using the Office of the Australian Information Commissioner (OAIC) CDR Privacy Safeguard Guidelines as a FAQ

30 September 2021
There is a lot of reading to do if you want to receive and use Consumer Data Right (CDR) data for Open Banking or Open Energy.

Submission to Treasury on Consumer Data Right rules amendments

10 August 2021
RSM's experience in completing Consumer Data Right (CDR) information security accreditation reports and applications has informed a recent submission to Treasury on CDR rules amendmen

Consumer Data Right Options

4 September 2020
As the CDR ecosystem expands, organisations are asking what models are available to access the Consumer Data Right (CDR) Open Banking data. A summary of options available for product owners is outlined below.

RSM's Consumer Data Right (CDR) submission

30 July 2020
As the Consumer Data Right (CDR) Rules continue to evolve, RSM submitted a response to the request for submissions related to the draft ‘intermediary’ Rules, which were published in June 2020.

Consumer Data Right (CDR) information security accreditation

23 June 2020
Obtaining assurance on the security of your CDR data environment. With CDR going live on 1 July 2020, Accredited Data Recipient (ADR) applicants must demonstrate the security effectiveness of their people, processes and technology. The key is to demonstrate security, whilst minimising the cost.