THE FUTURE OF OPEN BANKING ACCESS MODELS

Enabling more participants in the CDR while leveraging Adatree's unrestricted accredited and active status

New CDR Access Models

On October 5, 2021, Treasury released amendments to the Consumer Data Right Rules (Version 3), with specific amendments for:

  • Introducing a sponsored tier of accreditation and a CDR representative model
  • Allowing consumers to share their data with trusted professional advisers
  • Allowing participants to share CDR insights with consumer consent for specific purposes
  • Making the consent data sharing permissions for joint accounts more user friendly

Adatree will be supporting businesses with the CDR Representative model, Sponsor / Affiliate Model, Trusted Advisers and CDR Insights. Below is an overview of the changes, with impacts to CDR and diagrams to illustrate key changes and data flows.

QUICK ACCESS

Access Model Comparison update (1200 x 650 px)

Principal / CDR Representative Model

Overview of CDR REPRESENTATIVE Access Model

A CDR representative arrangement is a commercial arrangement with an unrestricted principal ADR (Adatree) and the CDR representative. This arrangement is disclosed to the regulator but there is no official  government accreditation outside of this commercial relationship. A CDR representative can only have this arrangement with one principal. 

The CDR representative provides services to their customers, using the principal’s access to data and their CDR policy. For example, Aussie Payments Co provides services to their clients, and Adatree provides technical connections and support for CDR data access to Aussie Payments Co. 

Where is the data stored? 

Up to you - your cloud environment or Adatree’s. The CDR representative still has to maintain tight controls and boundaries over their CDR data, which can either be in their own environment, or stored with Adatree’s audited environment. Storing it in Adatree’s environment will make it easier for the Representative to access CDR data since it has all of the necessary controls and boundaries in place, meaning you get access to CDR data faster. 

It also outlines who will be collecting the consent from the consumer, where the data will be stored and it takes reasonable steps to assure that affiliate complies with all relevant requirements. 

Who can be a CDR Representative? 

Any business can be a CDR representative! All of the regulatory requirements, controls and policies must be in place, assessed or attested to, though. Adatree will consider security posture, reputation, business case and general business sophistication when deciding to take a Representative on. 

Why would you want to be a CDR Representative? 

Being a CDR Representative has many benefits, including: 

  • Accessing CDR data in as little as two weeks!
  • Receiving the same data fields whether you’re a Representative or an unrestricted ADR
  • Full turnkey solution to access data, including a consent dashboard and journey too
  • Lower costs to your CDR journey
  • No formal external audit required
  • No regulator assessment means way faster onboarding timelines
  • Adatree, your Principal, carries all of the technical burden

If you’re looking for a shortcut and don’t want technical controls in place, being a Representative isn’t for you. It is for companies that have secure practices in place so their path to meeting regulatory requirements is much shorter. 

Key points of the CDR Representative Model:

Being a CDR Representative has many benefits, including: 

  • Accessing CDR data in as little as two weeks!
  • No external accreditation required, only commercial relationship between principal (Adatree) and CDR representative
  • Incredibly fast timeline to access data
  • Accelerated if you have external certifications, like SOC2 or ISO27001
  • Consumer has the relationship with the Representative, not Adatree
  • Data is collected from the Data Holders by Adatree, then passed to the CDR representative
  • Data storage option to be stored with Adatree (available now)
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn more about being Adatree's CDR Representative

Sponsor / Affiliate Model

Overview of SPONSOR / AFFILIATE Access Model

The Sponsor/Affiliate Model enables organisations to access CDR data through the sponsor, which is an unrestricted and active ADR. The two things needed to have in place are sponsored accreditation and a sponsorship arrangement.

Sponsored accreditation means a different and new type of accreditation still issued by the ACCC (Data Recipient Accreditor). It has all of the current requirements except a formal information security audit. It has a self-assessment for Schedule 2 of the Rules and a self-attestation every two years.

A sponsorship arrangement is a commercial arrangement with an unrestricted ADR (like Adatree) and the affiliate. It also outlines who will be collecting the consent from the consumer, where the data will be stored and it takes reasonable steps to assure that affiliate complies with all relevant requirements.

Who can be a CDR Affiliate? 

Any company can be an affiliate, but the sponsor has to consider security posture, reputation, business case and general business sophistication when deciding to sponsor the affiliate. This is similar to the CDR Representative, but more liability is taken on by the affiliate.

Key points of the CDR Affiliate Model:

Being a CDR Affiliate has many benefits, including: 

  • Reduces the time, effort and cost of accreditation without a required third-party assurance report
  • Consumer aware if sponsor collects on behalf of affiliate, or if affiliate using sponsor, with disclosures in CDR Policy
  • Data collected from the data holders by the sponsor, then passed to affiliate
  • Affiliate can’t disclose data to non-affiliate or non-sponsored person
  • Data storage either with Sponsor or Affiliate (Adatree has this feature ready now)
  • Sponsor provides technical and compliance assistance and training before and after arrangement in place
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn more about Adatree's Affiliate model

CDR INSIGHTS

Overview of CDR INSIGHTS 

Insights have been a popular ask for CDR Rule changes. The CDR insights model would enable consumers to consent to an insight informed by CDR data being shared outside of an accredited parity, for low-risk purposes. 

This enables consumer to engage with non-accredited parties to receive a good or service while limiting the disclosures that can be made. 

What is an example of an insight? 

Insight examples are low-risk outcomes that are a specific purpose or a yes/no, including: 

  • Verify customer income 
  • Verify customer expenses
  • Verify account ownership
  • Identify the customer (not KYC/AML)
  • Provide an actual balance at a specific point in time 
  • Provide alert to merchant if upcoming payment will fail
  • Provide average income over period of time

For example, if you wanted to verify that someone actually owned the account before a payment was made, the unrestricted ADR would ask state this in the purpose, ask to collect the data on behalf of a company, complete the consent authorisation process, analyse the data accordingly, and share the outcome to the intended company. No sensitive information is disclosed, and a consumer would be able to see the insight in the consent dashboard. 

The insight itself isn’t subject to privacy safeguards, so the organisation receiving the insight could store it themselves. 

It also outlines who will be collecting the consent from the consumer, where the data will be stored and it takes reasonable steps to assure that affiliate complies with all relevant requirements. 

Who can receive an insight? 

Any company with a commercial arrangement with an unrestricted ADR, like Adatree, provide insight analysis services. 

Key POINTS about Insights: 
  • No external accreditation required, only commercial relationship between principal and CDR representative
  • Consumer aware that ADR collects and analyses CDR data with specific outcome going to a non-accredited company. 
  • This insight of a yes/no of example above is currently considered CDR data with companies able to receive that if accredited. This enables non-accredited parties to receive the low-risk, consented and purpose-driven data. 
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn About Adatree's Insights as a Service

TRUSTED ADVISERS ACCESSING CDR DATA

Overview of TRUSTED ADVISERS

his new access model would enable trusted advisers (examples below) to receive CDR data, based on the fact that they are regulated and trusted with consumer data now.

Currently only data can be shared with unrestricted accredited ADRs. The trusted adviser model would enable consumers to share their data for services with their advisers, without requiring them to go through accreditation themselves. Adatree also checks that the trusted adviser meets the guidelines (like being a current Chartered Accountant or a mortgage broker) before sending the data.

Who would be a trusted adviser?

Anyone in the following list:

  • qualified accountants
  • persons who are admitted to the legal profession
  • registered tax agents, BAS agents and tax (financial) advisers
  • financial counselling agencies
  • financial advisers or financial planners
  • mortgage brokers

If you wanted to share your ongoing transactional data with your BAS agent, the request would be made by an unrestricted ADR to consent this purpose-based data would be shared with a trusted adviser. This would be subject to information security standards, like data encryption in transit, but the end trusted adviser wouldn’t be subject to an external accreditation.

The consumer would be able to see what data disclosed to the trusted adviser in the consent dashboard with the customer experience requiring updates for this informed consent.

The insight itself isn’t subject to privacy safeguards, so the organisation receiving the insight could store it themselves. 

Key points about CDR for Trusted Advisers: 

  • No external accreditation required for trusted advisers, only commercial relationship between Adatree, the unrestricted ADR, and the trusted adviser
  • Consumer aware that ADR collects and analyses CDR data with specific outcome going to a trusted adviser (either raw data or insight)
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn About CDR for Trusted Advisors

REGISTER to access cdr now

 

Interested in more ways that Open Banking can be applied to different industries? 

Check out our report on 25 Ways That The Consumer Data Right Can Create Smoother and Smarter Customer Experiences


Learn More