The National Open Banking Scheme has kicked off, but are you CDR ready?

15 September 2020

Tim Aman, Global Leader, Fintech
National Leader, Financial Services
Mark Griffiths, Partner, Risk Advisory |

The Australian National Open Banking Scheme opens the door to new opportunities for alternative banking institutions and Fintechs. However, to effectively capitalise on these changes, businesses will need to obtain the appropriate accreditation and ensure they have the right data management practices in place in line with the Consumer Data Right (CDR) Scheme.

Tim Aman, BDO Global Fintech Leader, Mark Griffiths, Partner in our Risk Advisory team and Ryan Kris, Associate Director in our Technology Advisory team discuss what the Open Banking Scheme and Consumer Data Right means for Fintechs and businesses within Australia’s financial services industry. For businesses and Fintechs looking to accept consumer data, they also outline the steps for obtaining accreditation as well as key considerations for accredited data recipients. 

Have you registered for our 2020 Fintech Friday webinar series?

In this series, BDO Fintech experts and industry leaders will be deep-diving into the diverse subsectors of the Fintech space, including blockchain/crypto, lending, insurance, regtech, personal finance, capital markets, wealth management, payments/billing, mortgage real estate, and money transfer/remittances.


A refresher of the National Open Banking Scheme 

Originally announced by the Government in 2017, but only recently going live in the banking sector on 1 July 2020, the National Open Banking Scheme intends to give consumers access and more control over what information banks hold about consumers. It aims to increase transparency, competition and create new opportunities within Australia’s financial services industry - creating ease in accessing alternative banking providers by allowing your information to be shared more freely.

According to the Australian Competition & Consumer Commission (ACCC), the Open Banking Scheme will promote competition within Australia’s banking sector, leading to greater product and service innovation and quality. It will also help consumers to compare financial solutions across different institutions and businesses more transparently and allow them to share their transaction history with a new party to obtain financial products at better prices.

To ensure that sharing financial data is safe, only Accredited Data Recipients (ADRs) will be able to access the data. Becoming an ADR is under strict rules around accessing and storing data and will be subject to the Privacy Act. This means that an organisation’s systems, processes, people and governance controls must be robust and documented.

While this process is viewed as cumbersome, especially for smaller Fintechs - only one financial provider is currently accredited, one month into the scheme - it will bring boundless opportunities for fintechs.

It’s important you seek out experienced advisors – including risk advisors, forensic accountants, auditors and technology advisors. This group of specialists can ensure your risks –including third party assurance, legal compliance and enterprise-wide risk frameworks - are managed and that the technology infrastructure you have in place supports data collection and security.

How will ‘Open Banking’ be achieved?

For the goals of open banking to be achieved, a new set of rules is needed to permit this data sharing – this is where the Consumer Data Right comes in.

The Consumer Data Right (CDR) is designed to give consumers greater control over their data and how it is used. Traditionally, the institution or business ‘owns’ their consumers’ data with consumers having limited access to this information, as well as being unable to share it with other competitors and institutions. As such, the CDR is seen by many as putting the power of data in the hands of consumers.

Under the CDR rules, certain institutions will be required to provide consumers with easy access to their data as well as the ability to safely transfer it to an accredited third party or provider. However, for third parties or providers to accept this consumer data, they will need to obtain accreditation from the ACCC, who is responsible for implementing, administering and enforcing the CDR.

To put these two together, the National Open Banking scheme refers to the implementation of the CDR to Australia’s financial services industry. The CDR rules, however, will not be limited to financial services but are expected to apply to more industries in the future including Australia’s energy and telecommunications sectors.

What are the current ‘rules’ in place and what do they mean for financial institutions?

Currently - as of 1 July 2020 - customers of the major four banks can request their financial institution to share their data relating to credit cards, debit cards, transaction accounts and deposit accounts with an alternative financial services party or provider.

This data sharing will be extended from 1 November 2020, to include consumer data relating to personal loans and mortgages, and more financial institutions will be required to comply with these rules over time.

Fintech Australia is working on lobbying the Government to allow third-party intermediaries to have access to data too.

For Fintechs and smaller financial services providers, the new CDR rules provide a significant opportunity for growth and innovation. As consumers can now opt for their current financial institution to share their data with third parties, such as a Fintech or money management app, these businesses will be able to attract and onboard new customers more easily. Furthermore, access to data such as transaction history will also allow them to develop better products and services that can be customised for the user. 

But, for these alternative financial institutions to effectively capitalise on this opportunity, they will need to need to become an Accredited Data Recipient and apply for accreditation using the ACCC’s Consumer Data Right Register and Accreditation Application Platform (RAAP) accessible here.

For the major banks and incumbents, the CDR brings both opportunity and challenge. Similar to smaller institutions and Fintechs, financial services providers who can quickly innovate, develop quality products and deliver good customer experiences will benefit from being able to obtain new customers more easily. However, providers that are slow to innovate and respond to changing consumer needs are at risk of losing existing customers more easily and will have to give up valuable consumer data.

For all institutions and providers, the key challenges are going to be effectively managing the risks involved with transferring and housing consumer data.

Key risks for businesses and Fintechs to be aware of

Cyber Security

One of these key risks is cyber security which according to the 2019 BDO and AusCERT Cyber Security Survey, is one of the top concerns for Australian businesses. One of the worrying findings of the survey was a 35% year-on-year increase in the number of Notifiable Data Breach (NDB) notifications made to The Office of the Australian Information Commissioner (OAIC).

Moreover, since the start of the year, with the rise in the number of people working from home due to COVID-19, there has been continued significant cyberattacks on businesses and government. As many smaller institutions and Fintechs may not have the extensive cybersecurity infrastructure and processes in place that many of the larger institutions have, Fintechs may be more vulnerable to cyberattacks.


Fintechs and smaller financial institutions will also need to ensure they have systems and risk management frameworks in place when it comes to detecting and preventing fraud and complying with Australia’s Anti-Money Laundering and Counter-Terrorism Financing legislation (AML/CTF).

BDO Forensic Partner, Adam Simms says:

“Today boards, directors and executives have greater accountability for their organisations’ actions more than ever before and in some instances face criminal prosecution. Since the Global Financial Crisis, Royal Commission into Financial Services and more recent AUSTRAC scandals, regulators are closely watching financial institutions to ensure they have good governance practices in place and are conducting themselves transparently and appropriately. In circumstances of noncompliance or a breach has occurred, regulators have handed out substantial penalties to both the organisation and senior leaders.”

He explains that one of the biggest challenges for fintechs ahead will be ensuring they have the right systems and processes in place to manage their AML/CTF and fraud risks as they grow in size and scale. Players in the digital payments sector have experienced unprecedented growth and at a rate that in some instances, make governance needs an unmet challenge.

These issues become even more pressing today, as the challenging ‘spin-offs’ of COVID-19 has created an ideal environment for financial crime to flourish. As a result, Adam recommends that Fintechs undertake some ‘serious housekeeping’ by reviewing their policies and crime risk assessments and response plans in the context of the current environment. He says, this should be a priority spend before the alternative happens, which could mean a media headline and/or significant loss. When in doubt seek expert advice which should keep you ahead of the COVID crime curve.

Data Governance

Data privacy and governance will also need to be considered especially around how data is used, stored, maintained and eventually disposed of.

In particular, if you are an outsourced provider or engaging with an outsourced provider, you may be required to undertake or obtain a Service Organisation Report (SOC Report). These reports address concerns related to the ability of the Service Organisation to accurately process transactions, protect user organisations confidential data, and maintain integrity.

Becoming an Accredited Data Recipient

As mentioned earlier, Fintechs and other financial services institutions looking to receive and hold consumer data will be required to go through the process of becoming an Accredited Data Recipient (ADR).

According to the OAIC guidelines, there are two types of participants under the CDR: data holders (those who are sharing the data) and ADA (those accredited by the ACCC to receive the data).

To become an ADA, the OAIC states that a business must demonstrate that they meet the following requirements:

  • Are a fit and proper person
  • Can take the steps required to adequately protect CDR data from misuse, interference, loss, unauthorised access, modification or disclosure
  • Have internal dispute resolution processes meeting the requirements of the CDR Rules
  • Are a member of a relevant external dispute resolution scheme
  • Have adequate insurance to compensate consumers for any loss that might occur from a breach of their CDR-related obligations, and
  • Have an Australian address
  • Are an accredited data recipient and have ongoing obligations under the CDR rules.

Non-Australian companies can also receive accreditation under the Consumer Data Right to receive and hold consumer data. As foreign entities are required to have a local agent, details of the local agent must be included in the application for accreditation.

For more information, the ACCC has released its finalised guidelines on the CDR accreditation process, including supplementary guidelines regarding the information security and insurance requirements of accreditation. Should you need assistance navigating the accreditation process or have questions, contact BDO.

BDO has a team of experts who can not only guide you through the requirements of CDR, but also undertake a review of your current systems and processes, and third party assurance to ensure it meets the regulatory body standards while providing the best customer experience for the consumer.

Download our data recipient checklist

Are you ready to become a data recipient? Make sure you have these five things ready first.

Download the checklist here

What’s next for the CDR?

While the CDR only currently applies to certain areas of the banking sector, the ACCC has announced that it expects this legislation to apply to the energy sector later this year and the telecommunications sector in the future.

Businesses within these industries should start assessing the impact these changes may have on them. For those looking to accept consumer data, they should be ensuring they have the right technologies, and security and privacy practices in place to effectively hold and utilise this information.

How we can help?

Whether you are a Fintech, online lender, credit union or other financial institution looking to become an accredited data recipient, our teams of risk, technology, forensic, audit and industry experts can help you both navigate the accreditation process as well as ensure you have the right systems and processes in place to mitigate potential risks.

For more information on the different areas we can you with see:

Should you have any questions about CDR and your business, don’t hesitate to contact your local office.