What is the Consumer Data Right (CDR)?
In 2017, then-Treasurer Scott Morrison initiated the Consumer Data Right, Australia’s effort to give consumers control over the data that commercial organisations hold on their behalf. Following the worldwide shift to Open Banking, as seen in the UK and Europe, financial services was the first industry to be mandated under this initiative. Future Australian industries to receive their own CDR specifications will include Energy and Telecommunications.
Since then, Data61 and the Australian Competition and Consumer Commission (ACCC), in conjunction with industry participants such as Ping Identity, have developed a set of open standards that enable data holders (generally, the banks who hold customer transaction data) and data recipients (banks, fintechs and other certified parties) to share user data via standard RESTful APIs, based on informed and granular customer consents. The underlying specifications for the CDR include:
The data sharing APIs, which detail the standard requests and responses to enable data to flow
The information security (InfoSec) specification, which details the cryptographic standards to be used for communications, as well as the required authentication flow, the user consent requirements and other security elements
The ACCC registry API specification, allowing certified participants to register their organisations and applications and receive cryptographic material to be used to trust and secure the API communications between each other
Non-functional specifications, detailing availability requirements and other environmental concerns
The specifications have been in constant flux since the start of development, with a number of major changes to the design occurring through industry consultation. With the release of version 1.2 in February 2020, participants now have a finalised specification to implement for their respective production release dates mandated by the ACCC: July 2020 for the Big 4 banks and July 2021 for other data holders.
It’s important to note that participants must apply to be certified to use the open APIs of the CDR. While the details of the APIs are open to all, use of them will be highly regulated by the ACCC.