The true popularity of the open banking-enabling Consumer Data Right (CDR) will soon become clear as mortgage brokers, finance companies, banks and fintech businesses are given the green light to register for accreditation under the scheme before it goes live in July.
Managing body, the Australian Competition and Consumer Commission (ACCC), opened registrations for the CDR certification, which will allow businesses to be accredited for securely exchanging sensitive financial and demographic details between service providers.
Accreditation is being managed through the new CDR Participant Portal and CDR Register and Accreditation Application Platform (RAAP) – a portal and data encryption platform that the ACCC describes as the “IT backbone of the CDR”.
Its launch “means businesses of all sizes can take the first steps towards being part of this crucial economic reform,” ACCC commissioner Sarah Court said in a statement.
“As more businesses become accredited over time, consumers will benefit from an increasing number of innovative services and a vastly improved experience that puts them in control of their data.”
Years in development, the CDR has been heralded as a way of giving consumers access to the data that banks hold about them.
Enabling legislation was passed in mid-2019, with CDR Rules finalised in February and penalties for non-compliance published earlier in May.
Initially designed to facilitate comparison-shopping and easy switching to better rates or financial products, mooted changes such as write access are set to expand the CDR into a more comprehensive ecosystem for exchanging often sensitive data amongst industry participants.
Banks must also standardise the representation of their products and services – facilitating meaningful comparisons between products and, federal Treasurer Josh Frydenberg said in announcing the latest launch, “giving them the power to instruct businesses, such as banks and fintechs, to provide safe and secure access of their data to trusted third parties.”
Defining a secure data exchange
Applicants for CDR accreditation must meet a range of criteria spelled out in the newly finalised CDR Accreditation Guidelines, which the ACCC launched simultaneously with the RAAP.
These guidelines include a core outline of accreditation policies as well as supplementary guidance around information-security requirements and insurance processes.
Applicants must, for example, have clearly defined internal and external dispute resolution processes, assurance reports that prove their information-security controls are suitable, and insurance “adequate... to cover risks it may be exposed to in connection with the management of CDR data.”
Applying entities and associated persons must be vetted to ensure they are “fit and proper” persons, and the ACCC may liaise with financial regulators like APRA and ASIC for relevant information such as past insolvency or convictions for dishonesty offences.
Security issues have been part of the CDR discussion since its early days, with a formal Treasury white paper in late 2018 outlining minimum CDR privacy protections – and delegating privacy oversight to the Office of the Australian Information Commissioner (OAIC), which has published multi-part CDR Privacy Safeguard Guidelines.
A recent ACCC consultation on amendments to CDR rules included tweaks to further improve security in areas such as the quality and security of CDR data, and its de-identification and deletion once it has become redundant.
The RAAP’s information-security standards require applicants to demonstrate the effectiveness of their security controls with a formal assurance report that evaluates the company’s security policies and controls – and clear plans to rectify any issues found within those controls.
Companies must also regularly lodge attestations to their ongoing security compliance – which, time has shown, can be difficult in practice.
Many companies push hard to meet compliance requirements for certification, but that effort – as audits of the PCI DSS certification required of all merchants have found – often fades once accreditation is granted; the latest Verizon Payment Security Report found that just 36.7 per cent of companies were fully compliant with PCI DSS.
Ensuring that accredited CDR bodies maintain their security will therefore be a core goal for the ACCC and OAIC, to ensure that CDR doesn’t become a lightning rod for cybercriminals seeking to exploit it.