CDR Access Methods FAQ

What are CDR access models?

As the Consumer Data Right is a regulated data sharing ecosystem, companies can access data through a variety of means, called access models. Initially, a company had to be accredited as an ADR with the ACCC. Now, there are streamlined ways to access CDR Data, depending on their own accreditations and licenses, use cases, customer data types received, and industry datasets. This changes regularly with regulatory updates.

What access models exist?

The current access models include:
– Accredited Data Recipient (ADR)
– CDR Representative
– Trusted Adviser
– Business Consumer Disclosure Consents
– CDR Insights

What is an ADR?

The Unrestricted Accredited Data Recipient (UADR) model is the original and the most comprehensive CDR access model. Under this model you are brought into the CDR system through your own accreditation and gain full, independent access to any and all CDR data sets. As you have your own licence, you are free to provide any kind of CDR service you’d like, provided they are in line with the CDR’s regulations.

Though you are accredited in your own right under this model, you can still enlist the assistance of other industry participants – such as Adatree or one of its exchange partners – to bring your use case to life more simply and easily.
Becoming a UADR is also the primary way for you to help others join the CDR system, including through many of the other access models outlined below.

Who can be an Accredited Data Recipient?

To become a UADR, you must be willing and able to comply with the CDR’s regulatory and technical control requirements. This includes direct reporting obligations to the ACCC, bi-yearly audits, and a need to understand the CDR’s unique regulatory framework. This access model therefore comes with the largest overheads, both from a regulatory and financial point of view. 
As such, it is likely to be most appropriate for those who either have a use case they are certain will fit with the CDR, or who want the increased flexibility and autonomy provided by the model compared to other access models.

What are the benefits and limitations of being an ADR?

Benefits
– Access to all CDR data sets.
– Ability to self direct new CDR  services 
– Ability to sponsor others into the CDR system

Limitations
– Direct regulatory relations with and accountability to the ACCC and OAIC
– Mandatory bi-yearly external audits requirements and self-attestations
– Direct civil and corporate liability
– Need to comply with the CDR’s bespoke technical and regulatory requirements

What is a CDR Representative?

A ‘CDR Representative’ is an organisation brought into the CDR ecosystem by an unrestricted ADR who acts as their ‘Principal’. This accredited Principal then facilitates CDR access for the unaccredited CDR Representative. This is similar to other regulated frameworks, like those used in the payments or the financial services sectors where one organisation exists under the regulatory wing of another. Under this model, the CDR Representative can access all the same CDR data as an ADR.

Even though they are not accredited by the ACCC, a CDR Representative is still required to abide by the majority of the CDR’s accreditation requirements through reference to its Principal. This includes needing to have appropriate technical controls in place, as well as needing consumer consent to access data and provide services.

Becoming a CDR Representative is not a way to avoid requirements of being an Accredited Data Recipient, but the assistance of your Principal can certainly simplify the process. 

What are Adatree’s requirements of companies that want to be its CDR Representative?

Adatree looks at a variety of factors when considering whether a prospective partner would be an appropriate CDR Representative, including existing security posture and certifications, reputation, business case and general business sophistication. Adatree also partners with providers who specialise in building CDR compliant environments, making it quicker and easier to become a CDR Representative.

The requirements are:
– Must have or willing to get an IT certification or audit (e.g. ISO27001, SOC-2 Type 2, ASAE3150),
– Clearly documented security policies and controls.

Adatree also accepts Representatives that are licensed by APRA (ADI) and companies with compliant, managed environments.

Adatree must abide by the regulations that govern CDR Representatives, as a CDR Principal. Updated guidance issued by the CDR regulators is found here, which both Adatree as a Principal and the CDR Representatives must comply.

There are no shortcuts to CDR access, and Representatives need to have the maturity and processes that are similar to an ADR. The regulators are frequently assessing and governing this.

What are the benefits and limitations of being a CDR Representative?

Benefits
– Access to all CDR data sets.
– Can go-live in as little as two weeks!
– Ability to rely on your Principal for the heavy lifting of building a technical solution
– Reporting obligations handled largely by your Principal
– No external accreditation required

Limitations
– Lower ability to self direct, with changes to your systems and use cases needing to be approved by your Principal
– Need to comply with the CDR’s bespoke technical and regulatory requirements
– The Principal, as the accredited entity, is required to feature in the user experience

What are CDR Insights?

The CDR Insights access model allows consumers to consent to information that verifies their identity, income, expenses or account balance being disclosed to anyone. 
This enables non-accredited parties to benefit from the CDR by securely receiving information from a reliable and regulated source, while protecting consumers by limiting the amount of information unnecessarily shared about them. 
A consumer must consent to the disclosure of a CDR Insight, specifying who they are consenting to the CDR Insight being shared with. Data may be disclosed multiple times under a single CDR Insight disclosure consent.
CDR Insights need to be for the purpose of verifying a consumer’s identity, credits and debits, or account balance.

What are some examples of CDR Insights?

Examples of CDR Insights could include: 
– Details about the owner of an account;
– Information about a customer’s account balance across all accounts;
– A summary of a customer’s monthly expenses;
– An alert to a merchant if an upcoming payment will fail; or
– A customer’s average income over a period of time

As CDR Insights are intended to verify factual information, they cannot include information which the consumer could not themselves confirm – like a score, ranking or recommendation.

Who can receive a CDR Insight?

Anyone (that isn’t an ADR) can receive a CDR Insight, however a recipient must partner with a CDR Insight provider who operates within the CDR system to collect the CDR data from the Data Holders and generate the CDR Insight. 

What are the benefits and limitations of CDR Insights?

Benefits
– No accreditation required 
– Set up in days
– Generally not required to comply with the CDR’s bespoke technical and regulatory requirements
– Able to benefit from the work of others operating within the CDR system
– Flexibility and customisation available by Adatree to enable the delivery of your specific required Insight

Limitations
– What is considered an Insight is regulated by law
– Need to partner with a CDR Insight provider operating within the CDR (like Adatree!)
– Adatree (CDR Insight provider) required to feature in the user experience

What is a Trusted Adviser?

The Trusted Adviser access model enables members of specific professional classes – known as trusted advisers (examples below) – to receive CDR data without needing to be accredited, based on the fact that they are already regulated and trusted with consumer data.

A consumer must consent to the disclosure of their CDR data to a Trusted Adviser, specifying who they are consenting to the CDR data being shared with. Data may be disclosed to a Trusted Adviser multiple times under a single consent. This is facilitated by an ADR.

Who is eligible as a Trusted Adviser?

Any member of the following professional classes can qualify as a Trusted Adviser:
– qualified accountants
– persons who are admitted to the legal profession
– registered tax agents, BAS agents and tax (financial) advisers
– financial counselling agencies
– financial advisers
– mortgage brokers
– and others, upon discussion

Though a Trusted Adviser can receive CDR data without accreditation, they must partner with an ADR to do so. The ADR will need to receive the consumer’s consent to collect CDR data from the Data Holders and provide it to the Trusted Adviser.
As the Trusted Adviser is not accredited under the CDR, they are subject to their existing data handling requirements, rather than those imposed through the CDR. 

What are the benefits and limitations of Trusted Advisers?

Benefits
– Leverage your existing licensing / certifications
– Access raw CDR data in days
– No accreditation required 
– Generally not required to comply with the CDR’s bespoke technical and regulatory requirements

Limitations
– Must fall within one of the listed Trusted Adviser classes
– Need to partner with an ADR operating within the CDR
– ADR partner required to feature in the user experience