Consumer data right news for non-bank lenders and buy now pay later, screen scraping and energy rollout
22 September 2023
This article summarises some of the key changes that have happened in the CDR space in late 2023, including the rollout to non-bank lenders and buy now pay later, expansion to larger energy retailers, and new consultations being undertaken by Treasury – all in the wake of a "pause" in activity on the CDR announced earlier this year.
The consumer data right (CDR) gives consumers more control over their data, making it easier to access their own data held by organisations and compare relevant products and services.
It is being rolled out on a sector-by-sector basis. The CDR was first introduced in 2020 in the banking sector (Open Banking), followed by the energy sector in 2022 (Open Energy). Open Finance, which includes the non-bank lender (NBL) sector, is the next cab off the rank.
The CDR is designed to help save consumers time and money by encouraging product switching and streamlining existing application processes.
For example, switching lenders often requires consumers to manually enter their personal and financial information, as well as details of any account balances or loans. The CDR could allow consumers to automatically and securely share this data at the click of a button.
The introduction of action initiation will further realise the potential uses of the CDR regime once uptake of the CDR increases across the economy.
Treasury recently released an exposure draft of the CDR Rules for the NBL sector and is accepting submissions up until 6 October 2023. This will make the NBL sector the third sector to fall within the CDR.
The proposed CDR Rules will impose obligations on certain 'tranche 1' NBLs from 1 November 2024. The following NBLs will be captured by the rules:
Relevantly, a consumer (which can include an individual or a business) will only be in-scope with respect to an NBL if they have an open account that relates to a relevant non-bank lending product and that account is set up to have online access. This reflects the same rule that applies in the banking sector, but is different from the energy sector, which does not have the same "online access" limitation.
Notably, the proposed CDR Rules introduce BNPL products into the remit of the CDR in both the banking and NBL sectors. This means that consumers will be able to share and link their data across most payment providers, potentially generating highly valuable consumer spending data and insights for both consumer and business use cases.
Traditionally, BNPL debts do not appear on an individual's credit score. Certain banks have identified that they will be considering any BNPL debts when assessing home loan affordability. The proposed expansion of the CDR to BNPL products will make credit assessments a simpler and more transparent process.
Relevant NBLs should begin taking steps to ensure that they are ready to implement the CDR when it is introduced.
The obligations under the CDR generally require data holders to:
Participants may need to uplift systems, processes and training to ensure they are compliant. In our experience in the banking and energy sectors, rollout of the CDR has been a complex, multi-year project spanning various teams within the organisation. Ensuring compliance with these rules requires forward planning, and an integrated regulatory, legal and technical engagement across the organisation.
The stakes are high for non-compliance, as penalties of up to $10 million may be imposed for an organisation's non-compliance with certain obligations under the CDR regime.
The ACCC has already instigated enforcement action against certain data holders. For example, in 2022, a bank paid a penalty of $133,200 to the ACCC for allegedly breaching the CDR Rules by failing to provide a service enabling consumers' data to be shared for more than five months after the required go-live date.
This demonstrates the importance of ensuring that relevant businesses are able to meet all obligations by the required date, or if this is not possible, constructively and proactively engaging with the regulator. This may include seeking pre-emptive exemptions, or engaging early with the regulator on areas of concern.
The CDR provides consumers with a way to access their data in a standardised and trusted way, confident in the knowledge that their data will only be shared with third parties if the strict privacy and security requirements set out in the CDR Rules and the Consumer Data Standards are met.
This presents an opportunity for accredited data recipients to offer new and innovative data-driven products and services in a way that other competitors cannot.
Accredited data recipients (ADRs) are businesses accredited by the ACCC to receive CDR data. They must meet strict security and technical standards designed to protect consumers' privacy and security.
Non-bank lenders should be aware of the role of ADRs, and may wish to consider whether they pursue this accreditation. Becoming an ADR may provide incumbent providers, challenger brands and third party intermediaries with a competitive advantage and new service offerings. In particular:
In June 2023, the Minister for Financial Services announced that the CDR rollout to new sectors would be paused and the government would instead take the time to make improvements and build awareness of the CDR in the current sectors. This paused the previously anticipated rollouts to telecommunications and insurance sectors.
In many regards, knowledge and uptake of the CDR by consumers has been lower and slower than the Government anticipated. However, the Government's renewed push to expand digital identity could reduce friction in user interactions and help bring more customers on-board.
Despite the pause, a range of other developments continue to roll out for existing sectors, including recent operational enhancements to allow new categories of CDR representatives, and a range of proposed changes and consultations underway.
Businesses should remain alert to new CDR developments, particularly if they are in the three sectors not affected by the pause (banking, energy and the NBL sector). It remains a busy period for CDR developments and will likely remain so over the coming years.
The next big step for the CDR is action initiation (also known as "write access"), which would allow accredited third parties to take actions on the consumer's behalf – such as opening accounts, authorising payments or switching.
The Government has introduced a bill to expand the CDR to action initiation (with the Senate, at the date of publication of this article), and no doubt action initiation will be the subject of much industry comment and consultation prior to its implementation.
The broadening of the CDR to larger energy retailers is fast approaching. From 1 November 2023, larger energy retailers (any retailer that had 10,000 or more small customers on 15 November 2021) will be required to comply with the CDR's data-sharing requirements.
In particular, larger energy retailers must comply with the general obligations under the CDR, such as disclosing consumer data, offering consumers a dashboard to manage their data sharing, complying with privacy safeguards, maintaining appropriate dispute resolution services, and keeping records and reporting to the ACCC.
For those that are, the timeframe for launch is very soon and testing is underway. If delays to your launch are expected, carefully consider seeking a formal exemption from the ACCC or reporting items on the ACCC's rectification register.
Concurrently, Treasury is seeking feedback on consultation papers for consent and operational enhancements (closing 6 October 2023) and screen scraping (closing 25 October 2023).
Treasury is considering areas of friction when it comes to providing consumers with 'intuitive, informed and trustworthy consent experiences' under the CDR. The main proposals for feedback in the paper include consent bundling, pre-selection of essential datasets, prescribed information for CDR receipts, 'deletion by default' options and, most interestingly, potential prohibitions on 'dark patterns'.
The term "dark patterns" refers to user interfaces designed or intended to confuse users, making it difficult for consumers to express their preferences, or manipulating consumers into taking certain actions. The consent design paper summarises a range of 'dark patterns' that would potentially be prohibited, such as nagging, obstruction, interface interference, sneaking, forced action and scarcity cues that undermine user autonomy in decision making.
The ACCC has dark patterns in its sights already, with its September 2023 Digital Platform Services Inquiry report, as well as its potential prohibition on unfair practices (see "Consultation begins on whether Australia needs a prohibition on unfair practices").
Treasury has proposed a raft of operational enhancements across three categories, with the intent of ensuring the CDR Rules are fit for purpose and support the policy aims of the CDR. These operational enhancements include:
Finally, and perhaps most importantly, the Government has also commenced consultation on proposals to prohibit screen scraping (also referred to as data aggregation).
Screen scraping is a common process used as an alternative to CDR data sharing. The practice involves prompting a consumer to log into their account via a third party service, with the service extracting the data displayed "on screen", and sharing that with another provider or service.
Treasury has expressed concern over the practice of screen scraping (and in particular the storage and use of a user's password) as it circumvents data safeguards and industry-standard data handling practices more generally.
In its published consultation paper, Treasury asks industry for insight into the use of screen scraping and whether participants use or are aware of any practices to prevent it. Although the discussion paper does not provide any concrete recommendations, it does signal that a prohibition on screen scraping is up for consideration, particularly as the CDR makes gains in maturity and adoption.
We anticipate that the CDR will continue to evolve over the next 12 months, despite the "pause" in its rollout to other sectors.
To thrive in this environment, providers in CDR sectors should rethink how they engage with customers well beyond a tick-the-box approach to compliance.
In particular, organisations should consider implementing systems and practices to:
The rollout of the CDR in an organisation is more than just a technical implementation – it is a legal, regulatory and technical challenge that requires close co-ordination of many areas of the business.
As the CDR continues to expand, an understanding of customer drivers and retention may need to be re-thought if the key decision maker is no longer the consumer, but a recommendation engine. Competing in this new world may mean rethinking pricing, investigating more dynamic pricing offers (as permitted by law), and potentially creating new brands, offerings or business units optimised for less direct customer interaction.
Engaging early and planning through their strategic offerings in detail can allow participants to leverage their CDR implementation as an asset to engage with customers and realise value, instead of just another technical change to manage.
Authors: Tim Brookes, Partner; Geoff McGrath, Partner; Sashini Walpola, Senior Associate; Jarred Gerson, Senior Associate; Jeremy Waite, Graduate.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.