ACCC releases a consultation draft of CDR Rules

09.05.2019 Anthony Borgese, Alexander Horder, Rachel Johnston

The ACCC has released the consultation draft of its Consumer Data Right (CDR) Rules ahead of the expected 1 July 2019 rollout of the CDR regime to the banking sector.

We explain the key changes in the CDR Rules from the previous Rules Outline and Rules Framework released last year that the banking sector should be aware of as they set up their internal policies and processes to ensure compliance.

Key takeouts

  • The ACCC has released a consultation draft of its CDR Rules to accompany the legislative frameworks proposed by the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth).
  • Key changes affecting the banking sector include clarifying the definition of CDR data, extending the robust CDR data security controls and increasing the process around customer consent.
  • With the bill lapsing in parliament, it appears likely that the legislation will pass later than expected and the ACCC's previous compliance date of 1 July 2019 for the banking sector will be adjusted. Despite this, clients should ensure they have processes in place to achieve compliance.

Following our October update on the new Australian Consumer Data Right (CDR), 'A new right – the Consumer Data Right and framework unpacked', the Australian Competition and Consumer Commission (ACCC) released a consultation draft of its CDR Rules on 29 March 2019 (Rules). This accompanies the legislative framework proposed by the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth) (Draft Legislation).

The Rules set out the proposed regulatory framework for the CDR, with a particular focus on the implementation of CDR in banking. Authorised Deposit Taking Institutions (ADIs) are the 'first cab off the rank' under the CDR regime and the Rules are drafted to target the 'big four' banks and their customer data related to credit and debit cards, as well as deposit and transaction accounts.

In this article we highlight some of the key changes made to the proposed CDR regime since the ACCC released the Rules Framework in September 2018 and a Rules Outline in December 2018. These changes are especially relevant to our clients in the banking sector.

New developments in the Rules

Definition of CDR Data for the banking sector

Schedule 2 of the Rules clarifies that in respect of the banking sector, 'CDR Data' will be defined to include 'primary data' only (i.e. not data that is wholly or partly derived from other information). This is in response to stakeholder concerns that 'derived' or 'value-add' data would also be required to be disclosed. As CDR Data is still defined to include 'derived data' under the Draft Legislation, clients in other sectors, such as energy and telecommunications, may still be required to disclose such derived data.

Privacy Safeguard 12

The Rules also prescribe a set of 24 minimum information security standards (or minimum mandatory information security controls) that an accredited data recipient must have in place to protect CDR data. This is an extension of the 12 mandatory controls prescribed by the Rules Outline.

Customer consent

The most significant development to the Rules, however, may be the increased process around customer consent. The Rules now provide that an accredited entity must enter into a contract with the relevant consumer (under which the accredited entity may wish to leverage a customer's CDR Data) prior to the accredited entity being able to receive that customer's CDR Data. Previously, an accredited entity only needed to obtain the consumer's consent to access that customer's CDR Data, without the need for that customer to have actually contracted with that entity.

Reciprocity

While these developments will ensure the security of the transfer and possession of CDR Data, consultation to date has revealed that industry stakeholders are concerned about the lack of reciprocity in the sharing of data in the opposite direction – that is, from accredited data recipients (e.g. non-ADI credit providers) back to ADIs. We anticipate that this issue will be raised later in the consultation process.

Implications for the banking industry

While the ACCC is expecting the banking sector to comply with the final Rules by 1 July 2019 (Compliance Date), the Draft Legislation lapsed in Parliament due to the calling of the May 18 federal election. Accordingly, it appears likely that the Draft Legislation will pass later than expected, and the Compliance Date will be adjusted. Further, despite the Economics Legislation Committee recommending that the Draft Legislation be passed unamended, the Labor Opposition Government has raised its concerns about privacy and the treatment of derived data under the Draft Legislation and has flagged that it intends to propose a number of amendments in the Senate. It is uncertain what these proposed changes would be at this time.

The uncertainty around when the CDR Regime will come into force, and what it will look like when it does, creates difficulties for our clients in the banking sector in preparing for compliance. However, we anticipate that the costs and time to become compliant will be significant, with the Government's Explanatory Memorandum to the Draft Legislation estimating an increase of $86.6 million per year in an entity's compliance costs.

With the information that is known to date, clients should consider how they will ensure compliance, particularly in respect of:

  • the requirement to have an online consumer dashboard allowing consumers to understand where their data is going and to whom, and importantly how to revoke their consent to data transfers;
  • how to meet the accreditation requirements to become an accredited data recipient;
  • their own internal practices and processes and whether those processes need to be uplifted to ensure an entity can remain accredited and compliant. This may include: identifying consumer data within its current systems, uplifting existing information security practices and protocols, and implementing data management frameworks; and
  • their arrangements with existing suppliers. In particular, clients will need to take a critical view of these arrangements to ensure that those suppliers have the capacity and capability to assist the client in being, and remaining, compliant.

Next steps

For further information and assistance in understanding your obligations under the Rules or the Draft Legislation, or if you would like assistance in ensuring your entity's compliance, please contact us.
