
This year, Australia’s Consumer Data Right (CDR) is expanding to include the non-bank lending sector. Specific Non-Bank Lenders will be designated as ‘Data Holders’ within the CDR framework, requiring them to implement systems that let consumers transfer their data to accredited third parties.

This builds upon the designations in the Banking and Energy sectors, where Data Holders are already operational, allowing consumers to effectively transfer their data. 

November 2024 marks the first milestone for Non-Bank Lenders. So what do Non-Bank Lenders need to be aware of? 

Quick recap

The Consumer Data Right (CDR) is an economy-wide initiative designed to empower consumers with greater control over their data. It facilitates the secure sharing of data, currently housed in various organisations, with third parties when consumers take up new services. Banking was the first implementation of the CDR, commonly known as Open Banking, allowing consumers to consent to sharing their banking data with accredited third parties. For more detailed information on Open Banking, refer to Basiq’s definitive guide.

Following Banking, the Energy sector adopted the CDR, and soon Non-Bank Lenders will join this initiative. Presently there are over 90 Banks and Energy providers acting as Data Holders.

Which Non-Bank Lenders must serve as Data Holders?

Treasury has delineated two categories of providers:

Initial provider: A non-bank lender that on the commencement date has over $10 billion in loans/leases and has averaged over $10 billion for the preceding 11 months.

Large provider: A non-bank lender that on the commencement date has over $500 million but less than $10 billion in loans/leases, has averaged over $500 million for the preceding 11 months, and has more than 500 customers.

What types of Non-Bank Lenders does it apply to?

Some examples of organisations it applies to include:

  • Mortgage lenders
  • Consumer finance companies
  • Buy Now Pay Later (BNPL) providers
  • Leasing and hire purchase providers
  • Marketplace lenders
  • Payday lenders
  • Peer-to-peer lenders
  • Salary advance providers

What are Data Holders required to do?

Data Holders must be authorised by the ACCC, fulfilling specific criteria for data security, privacy, and technical capabilities. The implementation of robust security measures, such as encryption and access controls, is required to safeguard data. Privacy compliance is crucial, ensuring data use aligns with relevant privacy laws.

Data Holders are obligated to adopt technical standards to facilitate seamless data sharing across entities within the CDR ecosystem. This involves establishing a consent management framework to obtain and manage consent from consumers.

Furthermore, ongoing regulatory oversight requires Data Holders to submit regular compliance reports to the ACCC and promptly address any inquiries and issues that may arise.

What are the key dates?

What is a complex request?
A “complex request” under the draft rules is a consumer data request that:

  • Is made on behalf of a secondary user of the consumer
  • Relates to a joint account or a partnership account
  • Is made on behalf of a non-individual CDR consumer whose authorisations are handled by a nominated representative

I’ll be required to be a Data Holder, what should I do?

While providing access to consumer and product data via APIs may seem straightforward, becoming a Data Holder is a complex undertaking. Beyond initial requirements, there are continuous obligations related to regulatory changes, maintenance and reporting. Based on feedback from existing Data Holders in the banking sector, it’s prudent to consider engaging a Partner with the requisite expertise, experience and knowledge.

Given the urgency and complex requirements, Non-Bank Lenders falling under the scope of becoming a Data Holder should take proactive steps in initiating their CDR implementation projects. Here are our recommended actions. 

Step 1: Requirements and Timing
Familiarise yourself with what’s required and “go-live” deadlines

Step 2: Engage a Partner
Work with a Partner that can help you navigate the complex build and maintenance requirements

Step 3: API development
Start building the internal API layer to surface Users, Accounts and Transactions. This needs to be done regardless of whether you engage a Partner or not.

Want to know more?

Get in touch with the Basiq team and talk to the experts when it comes to Open Banking