CDR ACCESS MODELS

HOW INNOVATIVE BUSINESSES PARTICIPATE IN CDR

Adatree is ready to support businesses wanting to join the CDR ecosystem through any of the access models made available in the current Consumer Data Right (version 3; released 5 October 2021) including: 

[Image: Access Model Comparison]

Principal / CDR Representative Model

Overview of CDR REPRESENTATIVE Access Model

A CDR representative arrangement is a commercial arrangement between an unrestricted Principal ADR (Adatree) and the CDR Representative. This arrangement is disclosed to the regulator but there is no official government accreditation outside of this commercial relationship. A CDR Representative can only have this arrangement with one principal. 

The CDR Representative provides services to their customers, using the principal’s access to data and their CDR policy. For example, Aussie Payments Co provides services to their clients, and Adatree provides technical connections and support for CDR data access to Aussie Payments Co. 

Where is the data stored? 

CDR data can be stored either in your own environment or in Adatree's audited environment, but there are tight controls and regulations around how the data is stored and maintained. Storing data in Adatree’s environment removes that burden for Representatives, meaning less admin and faster access.

It also outlines who will collect the consent from the consumer and where the data will be stored, and it takes reasonable steps to assure that the affiliate complies with all relevant requirements.

Who can be a CDR Representative? 

Any business can be a CDR Representative, but it needs to find a principal that agrees to take it on as a Representative, and it must meet all regulatory requirements, with the necessary controls and policies in place and assessed or attested to.

Adatree will consider security posture, reputation, business case and general business sophistication when deciding to take a Representative on. 

Why would you want to be a CDR Representative? 

Being a CDR Representative has many benefits, including: 

  • Access CDR data in as little as two weeks!
  • With a Principal like Adatree you can avoid the burden of building a technical solution and let us do the heavy lifting.
  • Receive the same data fields as an unrestricted Accredited Data Recipient (ADR).
  • No formal external audit required.
  • No regulator assessment required.
  • No external accreditation required, only a commercial relationship with a Principal like Adatree.

Key considerations:

  • If you're looking for a shortcut to CDR data without the technical and regulatory hoops, CDR Representative probably won't suit your needs.
  • Timelines to accreditation are accelerated if you already have external certifications like SOC2 or ISO27001
  • Incredibly fast timeline to access data
  • Consumers have a relationship with you, the Representative, not Adatree
  • Data is collected from the Data Holders by Adatree, then passed to the CDR representative
  • Data storage options available
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Sponsor / Affiliate Model

Overview of SPONSOR / AFFILIATE Access Model

The Sponsor/Affiliate Model enables organisations to access CDR data through a sponsor, which is an unrestricted and active ADR. Two things need to be in place: sponsored accreditation and a sponsorship arrangement.

Sponsored accreditation is a new and different type of accreditation, still issued by the ACCC (Data Recipient Accreditor). It has all of the current requirements except a formal information security audit. It has a self-assessment for Schedule 2 of the Rules and a self-attestation every two years.

A sponsorship arrangement is a commercial arrangement between an unrestricted ADR (like Adatree) and the affiliate. It also outlines who will collect the consent from the consumer and where the data will be stored, and it takes reasonable steps to assure that the affiliate complies with all relevant requirements.

Who can be a CDR Affiliate? 

Any company can be an affiliate, but the sponsor has to consider security posture, reputation, business case and general business sophistication when deciding to sponsor the affiliate. This is similar to the CDR Representative, but more liability is taken on by the affiliate.

Key points of the CDR Affiliate Model:

Being a CDR Affiliate has many benefits, including: 

  • Reduces the time, effort and cost of accreditation without a required third-party assurance report
  • Consumer aware if sponsor collects on behalf of affiliate, or if affiliate using sponsor, with disclosures in CDR Policy
  • Data collected from the data holders by the sponsor, then passed to affiliate
  • Affiliate can’t disclose data to non-affiliate or non-sponsored person
  • Data storage either with Sponsor or Affiliate (Adatree has this feature ready now)
  • Sponsor provides technical and compliance assistance and training before and after arrangement in place
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

CDR INSIGHTS

Overview of CDR INSIGHTS 

Insights have been a popular ask for CDR Rule changes. The CDR insights model would enable consumers to consent to an insight informed by CDR data being shared outside of an accredited party, for low-risk purposes.

This enables consumers to engage with non-accredited parties to receive a good or service while limiting the disclosures that can be made.

What is an example of an insight? 

Insights are low-risk outcomes that serve a specific purpose or give a yes/no answer. Examples include:

  • Verify customer income 
  • Verify customer expenses
  • Verify account ownership
  • Identify the customer (not KYC/AML)
  • Provide an actual balance at a specific point in time 
  • Provide alert to merchant if upcoming payment will fail
  • Provide average income over period of time

For example, if you wanted to verify that someone actually owned the account before a payment was made, the unrestricted ADR would state this in the purpose, ask to collect the data on behalf of a company, complete the consent authorisation process, analyse the data accordingly, and share the outcome with the intended company. No sensitive information is disclosed, and a consumer would be able to see the insight in the consent dashboard.

The insight itself isn’t subject to privacy safeguards, so the organisation receiving the insight could store it themselves. 

Who can receive an insight? 

Any company with a commercial arrangement with an unrestricted ADR that, like Adatree, provides insight analysis services.

Key points about Insights:

  • No external accreditation required, only commercial relationship between principal and CDR representative
  • Consumer aware that ADR collects and analyses CDR data with specific outcome going to a non-accredited company. 
  • The yes/no insight in the example above is currently considered CDR data, which companies are able to receive if accredited. This model enables non-accredited parties to receive the low-risk, consented and purpose-driven data.
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

TRUSTED ADVISERS ACCESSING CDR DATA

Overview of TRUSTED ADVISERS

This new access model would enable trusted advisers (examples below) to receive CDR data, based on the fact that they are regulated and trusted with consumer data now.

Currently, data can only be shared with unrestricted accredited ADRs. The trusted adviser model would enable consumers to share their data for services with their advisers, without requiring the advisers to go through accreditation themselves. Adatree also checks that the trusted adviser meets the guidelines (like being a current Chartered Accountant or a mortgage broker) before sending the data.

Who would be a trusted adviser?

Anyone in the following list:

  • qualified accountants
  • persons who are admitted to the legal profession
  • registered tax agents, BAS agents and tax (financial) advisers
  • financial counselling agencies
  • financial advisers or financial planners
  • mortgage brokers

If you wanted to share your ongoing transactional data with your BAS agent, an unrestricted ADR would make the request for you to consent to this purpose-based data being shared with a trusted adviser. This would be subject to information security standards, like data encryption in transit, but the end trusted adviser wouldn’t be subject to an external accreditation.

The consumer would be able to see what data is disclosed to the trusted adviser in the consent dashboard, with the customer experience requiring updates for this informed consent.

The insight itself isn’t subject to privacy safeguards, so the organisation receiving the insight could store it themselves. 

Key points about CDR for Trusted Advisers: 

  • No external accreditation required for trusted advisers, only commercial relationship between Adatree, the unrestricted ADR, and the trusted adviser
  • Consumer aware that ADR collects and analyses CDR data with specific outcome going to a trusted adviser (either raw data or insight)
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections
