On 13 February 2019, the Australian Government officially passed Consumer Data Right (CDR) into law; it will be officially launched on 1 July 2020.

CDR aims to provide Australians with more control over how their data is used and disclosed. It will improve consumers’ ability to compare and switch between products and services, encourage competition between service providers, drive the development of more innovative products and services, and reduce prices.

CDR is intended to create market competition and drive new product innovation for consumers. At the core of the CDR and the open banking program is a more robust, secure and private way for entities to share data about consumers and their accounts. This will have an impact on all sectors – the first directly affected by CDR is Financial Services through Open Banking, with Utilities and Telecommunications likely to follow soon after.

Read more about Open banking


CONTACT Matthew Green

Partner - Grant Thornton Consulting

Contact Matthew

Benefits to impacted industry sectors

  • Decreased barriers to entry
  • More secure method of data sharing
  • Increased collaboration between incumbents and the start-up community
  • Opportunity to build trust and confidence with consumers
  • Opportunity to increase quality of products to solve consumer pain-points in the market

Benefits to consumers

  • Innovative new products
  • Increased transparency around information sharing
  • Increased control via explicit consent model
  • More confidence due to security and privacy oversight
  • Better ability to compare products
  • More competition
  • Lower costs

Becoming an Accredited Data Recipient

Entities wishing to gain access to consumer data under the CDR will need to become an Accredited Data Recipient (ADR) as detailed in the recently released Draft Accreditation Standards. This process of accreditation ensures only entities that have appropriate processes and controls in place to protect consumer data are given access. To achieve ADR status, entities will need to undergo an independent audit of processes and controls under the ASAE3150 standard as part of the accreditation application.

While the audit scope will be defined by the systems, processes and controls of the individual entity seeking accreditation, the ACCC has provided guidance that includes the following requirements of what is expected:

  • have processes in place to limit the risk of inappropriate or unauthorised access
  • take steps to secure their network and systems
  • securely manage information assets over their lifecycle
  • implement a formal vulnerability management program to identify, track and remediate vulnerabilities in a timely manner
  • take steps to limit prevent, detect and remove malware
  • Implement a formal information security training and awareness program for all personnel interacting with CDR data.

Our Technology Risk team can carry out the ASAE3150 Type 1 accreditation audit for entities wishing to become an ADR. The Type 1 audit is required within 3 months of submitting the application to become accredited, with ongoing Type 2 reviews then required every other year.  We have extensive experience conducting type I and type II controls audits under various standards such as ASAE3150, ASAE3402, SOC2 and ASRS4400.