The CDR Rules require an organisation applying to become an ADR to meet minimum requirements for protecting CDR data from two broad types of risk: (a) misuse, interference, and loss, and (b) unauthorised access, modification, or disclosure. The CDR Rules outline the controls required to manage these risks in Schedule 2 Part 1 (security governance) and Schedule 2 Part 2 (minimum control requirements).

The CDR Rules also require an applicant to document their CDR data environment (the people, processes and technology) in a comprehensive system description.

Options for reducing the scope of your CDR data environment include network segmentation, tokenisation, de-identification, anonymisation and pseudonymisation. This process can be complex, expensive and reduce the effectiveness of your business case for accreditation, so they need to be carefully considered.

To become an ADR, an organisation needs to demonstrate that they have effectively designed security controls and implemented those controls as designed. For a nonauthorised deposit-taking institution (non-ADI), this requires a “Type I” reasonable assurance report in accordance with the Standard on Assurance Engagements ASAE 3150 – Assurance Engagements on Controls, or accepted comparable standards, as identified by the ACCC in the ‘CDR - Supplementary accreditation guidelines information security’.

A Type I provides assurance on the design and implementation of controls at a date or point in time.

In Australia, these reports can only be prepared by an independent registered auditing firm (CAANZ or CPA) and only a suitably experienced, qualified and independent individual can sign the report as the lead information security assurance practitioner.