Summary and Impacts of the Upcoming CDR Rule Changes (Aug 2024)

Jill Berry

The CDR Rules team loves a Friday special – predictably releasing hundreds of pages of new draft rules on a Friday just as everyone is winding down their week. Luckily, the team at Adatree loves reading and dissecting the Rules to analyse whether they’re just right, too far or not far enough, and how the rules will impact the consumer, Data Holders, Accredited Data Recipients (ADRs) and all entities receiving data. We read it so you don’t have to.

Here is Adatree’s breakdown of the latest CDR Rules:

1. Digitising business consents for nominated Representatives

What is it: A requirement that those who can complete a consent for a business (a ‘CDR consumer that is not an individual’) must be able to be nominated online. Rule 1.13(1)(c, d), Rule 1.13(1A)

Why it matters: There are so many use cases that can be realised with CDR business data, and a key reason they’re not live yet is because banks require paper forms to nominate an individual to do a consent. Consent is always digital, but the paperwork required to facilitate the consent has been an unfortunate roadblock designed by Data Holders. The latest CDR rules will remove this manual process to streamline business consents – which is fantastic news for anyone wanting to use business data. 

Verdict: A great step, but key changes are needed to make it airtight and useful: 

  1. Service level agreements. We need SLAs that require notification of when a consent becomes effective after the request was made. This should be effective immediately. If there is an online change and it goes to a mailbox and isn’t automated or acted on immediately, then the change is as good as paper (read: not good). 
  2. Skipping nominations altogether. The new rules allow banks to avoid implementing a nomination process entirely. The Rules should explicitly say that Data Holders can skip nominations as a process by allowing all users with certain access levels (e.g. making payments) to perform consents. This avoids the implementation step and immediately opens up eligible users to consent on behalf of a business.
  3. Clarifying the ‘Simple and Straightforward’ process: CX Guidelines must be designed and implemented to define the Musts, Shoulds and Coulds of this. This would ensure a uniform and aligned experience with little room for interpretation. 
  4. Clarifying wording around non-individual vs partnership. Clauses (c) and (d) don’t differentiate between partnerships and non-individuals. If rules apply to both, their application should be clearer, especially as it relates to account and/or entity types. 

Impacts

  • Consumers? Businesses are consumers too! Assuming a business uses online banking, the removal of a paper form is excellent for simplifying their operations.
  • Data Holders? There will be an impact to Data Holders who want to introduce an automated digital nomination process. But if they want minimal (or no) impact, they could enable all directors and/or people with Action access for online banking to consent.
  • Recipients of Business Data? No action required – just the potential to build powerful services that leverage business data. 

2. Bundling consents

What is it: Data Recipients will now be able to “bundle” CDR consents, so consumers can give multiple consents with a single action. This bundles collection, use and disclosure consents and specifically excludes de-identification and direct marketing consents. [Rule 2, 3, 4.3(a) and Notes] 

Why it matters: Previously these consents were technically separate. The details of what constitutes a use, disclosure and collection are very granular – too much to expect a consumer to understand. The Data Minimisation principles still apply, so consumer safeguards remain very strong. 

Verdict: Positive – will lead to reduced consent drop-off

  • Consumers? Less information overload, better outcomes, maintain privacy safeguards
  • Data Holders? No impact
  • Accredited Data Recipients? Technically ADRs don’t have to implement bundling, but they should modify their consent UI to streamline consents.

3. Pre-selection of data

What is it: Pre-selection enables the CDR consumer to indicate (rather than actively select) the elements of an individual consent that would be reasonably necessary for the Data Recipient to provide the good or service. This extends to data clusters and duration. [Multiple instances; primarily Rule 4.11(1)]

Why it matters: The rules previously stipulated that a consumer was to ‘actively select’ (ticking boxes for) data points that were necessary for the service to be provided. Asking consumers to tick the necessary boxes for the required cluster of data introduced the risk of incorrect or incomplete data type selection. The good or service couldn’t be delivered without specific selections made by the consumer. This self-select expectation became a point of friction, increasing consumer fatigue and consent drop-off.

Verdict: Positive – pre-selection will reduce friction for the consumer and increase the success rate of consent approvals

Impacts: 

  • Consumers? With only the necessary data fields being requested, pre-selection will improve UX, facilitate smoother processing and reduce friction
  • Data Holders? No impact.
  • Accredited Data Recipients? Technically ADRs don’t have to implement pre-selection, but they should modify their consent UI to streamline consents. 

4. Consolidation of information and delivery of CDR notifications

What is it: Receipts can be consolidated in timing and information, to be delivered 90 days after the consumer was last notified. [Multiple instances, primarily Rules 4.18, 4.20]

Why this matters: Instead of receiving a notification for each and every consent – resulting in consent fatigue and consumer disengagement – this update will consolidate all consent notifications associated with the service into one email.

Verdict: Fewer notifications equates to a higher likelihood of a consumer engaging with a notification and taking the required actions. While it doesn’t impact initial CDR uptake numbers, it will support the ongoing engagement of consumers with their CDR consents – reducing friction for both the consumer and the good or service provider.

Impacts: 

  • Consumers? Consolidated information, fewer notifications, simplified consent management, better outcomes. 
  • Data Holders? No impact. 
  • Accredited Data Recipients? Implementation changes will be required to update the logic and content of CDR receipts. 

5. Changing defaults to redundant data

What is it: It used to be that the deletion of redundant data was something a consumer needed to elect as their preference. This is now removed and the deletion of redundant data is now the default. [Multiple instances, primarily Rules 1.14(1), 4.11(e) and 4.20AB]

Why this matters: This shift is critical for the principles that underpin the Consumer Data Right – reducing the amount of consumer data being shared when it isn’t necessary. By making deletion the default treatment for redundant data, the choice of what a consumer shares and how it’s handled becomes more explicit.

Verdict: Positive. 

  • Consumers? Positive that deletion is the default. 
  • Data Holders? No impact. 
  • Accredited Data Recipients? Should modify consent UI, data treatment and adjust their defaults for redundant data. Anyone using redundant data should ensure their processes are up to date. They’ll also need to update their CDR Policy. 

6. Increased obligations for CDR Representatives 

What is it: The CDR Representative must provide a UI that meets the standards currently set for an Accredited Data Recipient. [Multiple instances; primarily Rule 1.10AA(1)(d)]

Why this matters: Having a consistent user experience across services is important for consents and the overall success of CDR. This change will align Representatives to ADRs. 

Verdict: Okay, but the rules and enforcement need to go further. This only works if there is adequate enforcement of the CDR Principal’s UI and CX guidelines for CDR Representatives, and if the Principals do the right thing within the Representative and CDR Framework. The quality of CDR Principals ranges greatly, to the extent that some have been publicly named and shamed for poor practices, which undermines the entire framework.

The rules should add these obligations for Representatives and CDR Principals: 

  • The ACCC should have the right to directly audit CDR Representatives.
  • Consequences should be very strict for CDR Principals found to be operating outside of the Rules.
  • Third Party Management Frameworks should be mandated for the Principal and reviewed initially and regularly by the ACCC and OAIC. Frameworks should outline the risk appetite of the Principal and what and how exactly they collect and analyse information to ensure they are meeting the CDR Rules.
  • Plus (outside the Rules) the regulator having strong enforcement mandates and mechanisms for Principals and their CDR Representatives. 

Impacts

  • Consumers? More consistent experience for granting, viewing and managing consents. 
  • Data Holders? No impact. 
  • Accredited Data Recipients? Any good Principal should already have a compliant UI, but if not now would be the time to review and make adjustments. 

7. Changing treatment of CDR for Data Holders 

What is it: Introducing the ability for a Data Holder to receive data as an ADR, then ask the consumer to elect that the data be treated as Data Holder data, not ADR data. Rule 7.2. 

Why this matters: This edit grants major powers and creates inequalities in the market. This change essentially says that any bank/Authorised Deposit-taking Institution (ADI) Data Recipient has the option to access CDR data, then convert it to Data Holder (banking) data.

Major implications:

  • Banks could receive data through the CDR and hold it as normal data, without any of the CDR standards that protect that data-handling for the consumer.
  • The data controls change it to banking protections instead of CDR – which means that it could be sold, shared anywhere, marketed to, etc.
  • Consumers would lose their Privacy Safeguards and right to deletion.
  • Data Holders could create the super-app to access all banking and energy data through CDR and treat it as BAU. The advantage to being an ADI would blow other accredited non-bank recipients out of the water.

Verdict: This would be a total double standard in the market. Data Holders that are ADIs can take CDR data, make it non-CDR data and hold it as they would any Data Holder data. If a Data Holder isn’t an ADI (even APRA-regulated ones!), this concession doesn’t apply. It should apply to all Data Holders or not at all. If the ABA has emphasised security and compliance, that standard should apply equally to every Data Holder or none at all. As drafted, it disproportionately favours the banks when data treatment and ‘off-ramps’ should be consistent across the board.

Impacts

  • Consumers? It’s sending mixed messages to consumers and will likely confuse them about what a Data Holder is asking them to do, and why. Consumers should question the absence of the ADR Privacy Safeguards. 
  • Data Holders? This would introduce a new election process to make it non-CDR Data and change the data treatment. This is only applicable to ADRs, not Reps. 
  • DH software providers? The burden of this change will likely fall on core banking providers – a costly and resource-intensive adjustment. This could be avoided with a change to rule treatment instead of a new nomination. 
  • Accredited Data Recipients? This would introduce new capabilities for a new consent if they service ADI ADRs. 

8. Provide more supporting party information

What is it: Adding more information about an outsourced service provider (OSP) including country, why they need to access the data and more. 

Why this matters: This is a surprising one, given other information is being consolidated or removed. It is minimal information and unlikely to be seen by a consumer if it only appears in the Supporting Parties section of the consent, but it will help consumers who are interested in more information about an OSP. 

Verdict: Positive for transparency, but will have zero impact on uptake. 

Impacts: 

  • Consumers? More information about OSPs if they’re interested. 
  • Data Holders? No impact. 
  • Accredited Data Recipients? Will need to modify consent UI about OSPs. 

WHAT ONE SIMPLE RULE CHANGE WILL SAVE AUSSIES MILLIONS, FROM TODAY? 

If the Minister wanted to immediately increase utilisation of the CDR and accelerate use cases and benefits, he’d make this rule change… 

Remove or change derived data

What is it? This is when new data is created from or based on CDR Data. Unfortunately it is currently treated as CDR Data, but it actually creates new kryptonite, if you will.

Why this matters: Say, for example, you want to do an energy account switch. You consent and disclose the information you need to share for the service and find out you can get a better deal with Amber Electric, saving $1,096 a year. While the Recipient had your customer and electricity data (raw CDR data) to make the comparison, the data gleaned through the comparison – Amber Electric and the savings amount – now becomes CDR data and is protected as such. This means that if you want to switch to Amber, you’ll need to do that manually. The service is not able to make the switch for you. To our knowledge, this isn’t the process anywhere else in the world. This kryptonite is a major blocker, preventing some of the most simple-yet-powerful Open X use cases – switching and comparison services – from going live.

CDR is meant to improve consumer experiences, but in this case Australians are worse off. In the current rules, consumers can’t automatically switch to Provider X because the data that underpinned the suggestion for the switch can’t be shared and must be deleted. (Not without another consent, of course). 

TL;DR: this is the cancer clause of CDR and must go. This isn’t new, and everyone (DHs, ADRs, etc.) wants it gone. 

Impacts: 

  • Consumers? With switching and comparison use cases unlocked, this would have immediate benefits for consumers
  • Data Holders? No impact, no cost. 
  • Regulators? New Rule only. No new standards would be required. So it would have immediate applications and zero cost. What a “bang for buck” win!
  • Data Recipients? Able to go live with comparison cases – whether an ADR, Rep or other access model. 

Implementation options: 

  1. Remove derived data from the CDR rules. Control F – all of it gone. Simple.
  2. Introduce use cases where derived data doesn’t apply. Introduce a rule where Derived Data doesn’t apply to the priority use cases, which are budgeting, lending and energy switching. This solution isn’t as helpful, but it’s less contentious.