Since 2020, the Australian Competition and Consumer Commission (ACCC) has introduced amendments to the Competition and Consumer Act 2010 which enable consumer data information to be shared, in order to facilitate the process known as open banking.
At present, Consumer Data Right legislation solely relates to information held by banks and energy companies. It is anticipated that there will be a further and more significant roll out of legislation impacting the wider financial sector, as well as other sectors within the economy, in the next several years.
Holman Webb Lawyers is currently assisting broker groups, aggregators and software providers in relation to banking Consumer Data Right requests, and is similarly advising accredited data recipients with respect to their entrance into the financial services area, to enable applications for consumer credit.
The process surrounding the release of Consumer Data Right information is developing rapidly, as new technology emerges. There are privacy concerns relating to the management of this information, with detailed legislation and systems having been introduced to enable this information management to occur.
Below is a brief analysis of the legislative process. Readers should note that there will undoubtedly be further change, as the Consumer Data Right process gains traction.
What is Consumer Data?
Consumer Data is information designated by the relevant minister, which might be held by a bank or energy company (or organisations within other industries) and which is deemed to be information which should be available to be provided on the request of a consumer.
A Consumer Data Right (CDR) consumer is a person to whom the data relates, because they have in the past been supplied with a good or a service.
A CDR Data Holder is someone who holds that data.
Requests relevant to the financial services industry
The type of requests for CDR data in financial services relate to:
- Information held by data holders (such as banks) concerning financial history of consumers; and
- Information which would be relevant to either a credit provider or broker, or some other person responsible for deciding whether further or additional credit should be provided for that consumer.
The CDR data request process will enable a CDR consumer to authorise a person seeking information on their behalf to obtain it, without the CDR consumer having to apply for the information. That is, it is an authority by the consumer to a ‘Trusted Advisor’, to allow the Trusted Advisor to request that their data be provided directly to the Trusted Advisor, by the data holder.
It avoids the necessity for the CDR consumer to obtain the credit information and then provide it to the broker or credit provider. This is intended to shortcut the process of applications and remove task duplication.
Trusted Advisor status and process
The process occurs where the CDR consumer nominates a person as their Trusted Advisor to make the application on their behalf. The release of that information to the Trusted Advisor is subject to the obtaining of appropriate authorities and consents from the CDR consumer, to enable the Data Holder to release the data.
Trusted Advisors are defined in the Competition and Consumer (Consumer Data Right) Rules 2020 and include:
- Qualified accountants;
- Lawyers;
- Tax agents;
- Financial counselling agencies;
- Mortgage brokers appointed within the meaning of the National Consumer Credit Protection Act 2009;
- Stockbrokers; and
- Financial services providers licenced under the Corporations Act 2001.
All subject to consent
The CDR consumer must provide formal, informed consent to enable the Data Holder to provide the data to an authorised recipient, and also to any Trusted Advisor. Absent an appropriate consent, the releasing of information is unlawful.
This is to ensure that the stringent requirements of the Privacy Act 1988 are complied with.
Accredited Data Recipients
The legislation creates a number of new software service roles, by which organisations and entities have established businesses as Accredited Data Recipients. These are software companies that can seek out and obtain the data from the Data Holder at the request of the Consumer, and then provide that data in a way which is meaningful to the Consumer and any Trusted Advisor.
These Accredited Data Recipients must meet minimum standards, and secure the data against both loss and other privacy breaches. They must also otherwise ensure compliance with the legislation.
CDR Representatives
It is envisaged that there will be a number of intermediaries who may assist CDR Consumers and Trusted Advisors to seek information. These entities must meet certain criteria in order to be able to receive the data, to ensure it is not compromised.
The term ‘CDR Representative’ is expressly addressed within the Competition and Consumer (Consumer Data Right) Rules 2020 which envisages a Representative taking on many of the tasks of the principal Trusted Advisor or Accredited Data Recipient.
Other agents status
It is evident that there will be a number of other persons who might be involved in the process, but who do not fall within the definitions of ‘Authorised Data Recipient’ or ‘CDR Representative’, and who are conduits of information pursuant to a software process or software provider status.
At present, these individuals are not expressly dealt with within the legislation – they have been dealt with by being described as legal agents of Data Recipients.
This area may require further and additional regulatory change.
See our recent article Financial Services Privacy Update (Part One): Credit Reporting Information for information concerning:
- The Privacy Act 1988 and the concept of credit reporting;
- The privacy legislation; and
- Credit reporting body obligations.
If you have a query relating to any of the information in this article, or you would like to speak with someone in respect of a matter of your own, please don’t hesitate to get in touch with Nick Maley, Partner within Holman Webb’s Banking & Finance Group.