Open Banking is here with the legislation creating the Consumer Data Right receiving Royal Assent
20 August 2019
The Treasury Laws Amendment (Consumer Data Right) Act 2019 (Act) received Royal Assent on 12 August 2019, creating the new Consumer Data Right (CDR) regime. Broadly, the regime:
- provides consumers (including SMEs) in certain sectors of the Australian economy with a right to access specified data relating to themselves, products and services
- allows those consumers to compel that data to be disclosed for their own use or to certain third parties, and
- applies first to the banking sector, where it is more commonly known as “Open Banking”, with the energy and communications sectors (and potentially others) soon to follow.
Open Banking gives customers a right to direct that the information they already share with their bank be safely shared with others they choose to trust. It is designed to give customers more control over their information, with a view to providing consumers with more choice in their banking and more convenience in managing their money. The Australian Government suggests that this will result in more confidence in the use and value of an asset mostly undiscovered by customers, namely their data, and will drive competition in the marketplace.
The regulatory framework
The Act sets out the overarching framework of the regime. Consumer Data Rules and Standards (currently in draft form) will also apply, and will govern how data is to be shared and the technical standards for sharing CDR data.
The Rules are being developed by the Australian Competition and Consumer Commission (ACCC), as lead regulator of the CDR. A legislative instrument will designate sectors of the Australian economy that must comply with the CDR regime. The draft instrument applicable to banks contains descriptions of the types of data to which Open Banking can apply, and to whom Open Banking is to apply.
How does it work?
Once a sector is designated under the CDR, certain data must be disclosed on the request of the consumer. This includes:
- product data: generic product information of the supplier, such as terms and conditions or the availability of a product. Information about specific consumers does not fall within this category.
- consumer data: CDR data that is specific to the consumer, such as name and contact details, account details and transaction details.
Under the regime:
- any third party recipients of the data need to be accredited
- clear customer consent is required before disclosure, and
- designated sectors will be regulated by the ACCC and Office of the Australian Information Commissioner (OAIC) with a new Data Standards Body (hosted by Data61, the data arm of the CSIRO), and new safeguards and liability frameworks are to be put in place.
In Open Banking, the type of data that must be shared at a customer’s request includes information about:
- banking products (product data)
- the user of banking products (consumer data), and
- the use of banking products (transaction data).
Who does it impact and when?
CDR hits the banking sector first, with energy and telecommunications sectors soon to follow. However, CDR has the potential to affect all sectors across the Australian economy.
Under Open Banking, all Australian Authorised Deposit-taking Institutions (ADIs) must comply with the regime. This includes banks, credit unions and building societies.
The big four banks are up first and will have to provide access to data across their products and services as follows:
- from July 2019: generic product data available on all credit and debit cards, deposit and transaction accounts
- from 1 February 2020: make CDR data available on mortgages and all credit and debit cards, deposit and transaction accounts, and
- from 1 July 2020: make CDR data available on all of their products.
Other ADIs will then face a similar timeline to make CDR available across products, but starting from 1 July 2020.
Other entities can opt in to access the regime—for example by being accredited, the requirements for which are to be set out in the Data Rules and the Standards. If an entity becomes accredited under the CDR, it must also respond to customers’ requests to share their data.
ACCC, its role and enforcement
The primary regulator under the regime is the ACCC, to be supported by the OAIC.
The OAIC has primary responsibility for complaint handling under the CDR framework, with particular attention to privacy of individuals and the confidentiality of small businesses.
In addition to its role in developing the CDR regime and in the designation of industry sectors as subject to the regime, the ACCC oversees the CDR from a consumer and competition perspective with particular focus on systemic enforcement.
Heavy penalties apply for certain breaches of the Act. Offences for misleading and deceptive conduct in relation to the transfer of CDR data, for example, can attract penalties of the higher of:
- $10 million,
- three times the value of the benefit gained by the misleading conduct, or
- 10% of the annual turnover of the body corporate.
What do you need to do now?
Businesses in the banking sector that are now subject to the CDR regime should already be well prepared, and those in the energy and telecommunications sector (and other significant consumer-facing sectors that create, share and use consumer data) will be keenly watching the implementation of the regime.
The finalisation of the Act is a good opportunity to consider how the CDR will impact your business, including reviewing consumer data holdings, rights, and obligations and developing a strategy for managing consumer data going forward.