THE FUTURE OF OPEN BANKING ACCESS MODELS

Enabling more participants in the CDR while leveraging Adatree's unrestricted accredited and active status

New Proposed CDR Access Models

On July 1, 2021, Treasury released draft amendments to the Consumer Data Right Rules for consultation (Version 3), with specific amendments for: 

  • Introducing a sponsored tier of accreditation and a CDR representative model
  • Allowing consumers to share their data with trusted professional advisers
  • Allowing participants to share CDR insights with consumer consent for specific purposes
  • Creating a single consent data sharing model for joint accounts

If you haven’t pored through the 243 pages of released material, Adatree has prepared an overview of the proposed changes below, with impacts to CDR and diagrams to illustrate key changes and data flows. 

Adatree will be responding to the consultation with feedback, so please reach out if you’re interested in giving any feedback, or more importantly, getting on our waiting list as we bring these new models and paths to life. 

QUICK ACCESS

CDR Access Models v2

 

Sponsor / Affiliate Model

Overview of Sponsor/Affiliate Access Model

The Sponsor/Affiliate Model enables organisations to access CDR data through the sponsor, which is an unrestricted and active ADR. The two things needed to have in place are sponsored accreditation and a sponsorship arrangement

Sponsored accreditation means a different and new type of accreditation still issued by the ACCC (Data Recipient Accreditor). It has all of the current requirements except a formal information security audit. It has a self-assessment for Schedule 2 of the Rules and a self-attestation every two years. 

A sponsorship arrangement is a commercial arrangement with an unrestricted ADR (like Adatree) and the affiliate. It also outlines who will be collecting the consent from the consumer, where the data will be stored and it takes reasonable steps to assure that affiliate complies with all relevant requirements. 

Who can be an affiliate? 

Any company can be an affiliate, but the sponsor has to consider security posture, reputation, business case and general business sophistication when deciding to sponsor the affiliate. 

Key Points of Sponsor/Affiliate Model: 
  • Aiming to reduce the cost of accreditation without a required third-party assurance report
  • Consumer aware if sponsor collects on behalf of affiliate, or if affiliate using sponsor, with disclosures in CDR Policy
  • Data collected from the data holders by the sponsor, then passed to affiliate 
  • Affiliate can’t disclose data to non-affiliate or non-sponsored person
  • Data storage either with Sponsor or Affiliate (Adatree has this feature ready now)
  • Sponsor provides technical and compliance assistance and training before and after arrangement in place
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn more about Adatree's Affiliate model

Principal / CDR Representative Model

Overview of CDR REPRESENTATIVE Access Model

The Principal/CDR Representative Model enables organisations to access CDR data through the principal.

A CDR representative arrangement is a commercial arrangement with an unrestricted principal ADR (like Adatree) and the CDR representative. This arrangement is disclosed to the DRA but there is no official accreditation outside of this commercial relationship. A CDR representative can only have this arrangement with one principal. 

The CDR representative provides goods and services to the consumer, using the principal’s CDR policy. The data enclave (storage within the principal’s CDR audited environment) may apply to control data in the confines of the environment and decrease responsibilities of the CDR representative. 

It also outlines who will be collecting the consent from the consumer, where the data will be stored and it takes reasonable steps to assure that affiliate complies with all relevant requirements. 

Who can be a CDR Representative? 

Any company can be a CDR representative, but the principal will consider similar. With no external accreditation required, 

Key Points of CDR Representative Model: 
  • No external accreditation required, only commercial relationship between principal and CDR representative
  • Consumer aware if sponsor collects on behalf of the CDR representative it will be disclosed in the CDR Policy
  • Data collected from the data holders by the principal, then passed to CDR representative
  • Data storage option to be stored with principal or CDR representative in data enclave (Adatree has this feature ready now)
  • CDR representative can only disclose data to the Principal
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn more about Adatree's Access Models

CDR INSIGHTS

Overview of CDR INSIGHTS 

Insights have been a popular ask of the CDR Rule changes. The CDR insights model would enable consumers to consent to an insight informed by CDR data being shared outside of an accredited parity, for low-risk purposes. 

This enables consumer to engage with non-accredited parties to receive a good or service while limiting the disclosures that can be made. 

What is an example of an insight? 

Insight examples are low-risk outcomes that are a specific purpose or a yes/no, including: 

  • Verify customer income 
  • Verify customer expenses
  • Verify account ownership
  • Identify the customer (not KYC/AML)
  • Provide an actual balance at a specific point in time 
  • Provide alert to merchant if upcoming payment will fail
  • Provide average income over period of time

For example, if you wanted to verify that someone actually owned the account before a payment was made, the unrestricted ADR would ask state this in the purpose, ask to collect the data on behalf of a company, complete the consent authorisation process, analyse the data accordingly, and share the outcome to the intended company. No sensitive information is disclosed, and a consumer would be able to see the insight in the consent dashboard. 

The insight itself isn’t subject to privacy safeguards, so the organisation receiving the insight could store it themselves. 

It also outlines who will be collecting the consent from the consumer, where the data will be stored and it takes reasonable steps to assure that affiliate complies with all relevant requirements. 

Who can receive an insight? 

Any company with a commercial arrangement with an unrestricted ADR, like Adatree, provide insight analysis services. 

Key POINTS about Insights: 
  • No external accreditation required, only commercial relationship between principal and CDR representative
  • Consumer aware that ADR collects and analyses CDR data with specific outcome going to a non-accredited company. 
  • This insight of a yes/no of example above is currently considered CDR data with companies able to receive that if accredited. This enables non-accredited parties to receive the low-risk, consented and purpose-driven data. 
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn About Adatree's Insights as a Service

TRUSTED ADVISORS ACCESSING CDR DATA

Overview of trusted advisor access 

This new proposed access model would enable trusted advisors (examples below) to receive CDR data, based on the fact that they are regulated and trusted with consumer data now. Currently only data can be shared with unrestricted accredited ADRs. The trusted advisor model would enable consumers to share their data for goods and services with their advisors, without requiring them to go through accreditation themselves. The ADR that the trusted advisor works with would check for the relevant class and confirm too. 

Who would be a Trusted Advisor? 

Any in the following list:

  • qualified accountants
  • persons who are admitted to the legal profession
  • registered tax agents, BAS agents and tax (financial) advisers
  • financial counselling agencies
  • financial advisers or financial planners
  • mortgage brokers

If you wanted to share your ongoing transactional data with your BAS agent, the request would be made by an unrestricted ADR to consent this purpose-based data would be shared with a trusted advisor. This would be subject to information security standards, like data encrypted in transit, but the end trusted advisor wouldn’t be subject to an external accreditation. 

The consumer would be able to see what data disclosed to eh trusted advisor in the consent dashboard with the customer experience requiring updates for this informed consent. 

Key Changes about Trusted Advisor Model: 
  • No external accreditation required for trusted advisors, only commercial relationship between unrestricted ADR and trusted advisor
  • Consumer aware that ADR collects and analyses CDR data with specific outcome going to a trusted advisor
  • Consumer only consenting to share data based on purpose, with clear disclosures of parties involved and their protections

Learn About CDR for Trusted Advisors

 

moving forward & feedback

CONTRIBUTING  TO ADATREE'S CONSULTATION RESPONSE

If you have any questions, concerns or proposed changes to the above proposal, we'd love to hear from you. 

Adatree will be responding to the the consultation paper on what we support in the above access models and suggested changes. If you would like to contribute feedback, please get in touch at hello@adatree.com.au

ADATREE ROADMAP AND ONGOING CHANGES

Regardless of the final legislation, Adatree's service offerings will adapt to the CDR with access models, insights and other future changes. We future-proof your CDR data access so you can focus on your customer value propositions and use cases instead of the changing technical and regulatory landscape. 

REGISTER YOUR INTEREST: join our waitlist

 

Interested in more ways that Open Banking can be applied to different industries? 

Check out our report on 25 Ways That The Consumer Data Right Can Create Smoother and Smarter Customer Experiences


Learn More