In August 2023, Treasury introduced for consultation exposure draft amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) that would expand the reach of the Consumer Data Right (CDR) to non-bank lenders (NBL) and banking data holders offering 'Buy-Now-Pay-Later' (BNPL) products. The exposure draft materials set the timeline for the staged implementation of this roll-out to commence on 1 November 2024. With this in mind, this article provides an update on the CDR regime and how entities can prepare to become compliant now.
Who will be included in the CDR regime?
The amendments contemplate two categories of NBLs – being either 'initial' or 'large' providers.
An 'initial provider' is a data holder of NBL sector data that has:
- over $10 billion in resident loans and finance leases in the calendar month immediately before the commencement day of the amendment rules (Commencement Day); and
- averaged over $10 billion in resident loans and finance leases in the 11 preceding calendar months.
A 'large provider' is a data holder of NBL sector data that is not an initial provider but has, on either the Commencement Day or any subsequent day:
- between $500 million and $10 billion in resident loans and finance leases in the calendar month immediately before that day;
- averaged between $500 million and $10 billion in resident loans and finance leases in the preceding 11 calendar months; and
- more than 500 customers.
In addition, a 'large provider' also includes an NBL that is not an initial provider but is a data holder of NBL sector data as well as an accredited person on either the Commencement Day or any subsequent day.
NBLs that do not qualify as initial providers or larger providers can still elect to participate in the CDR on a voluntary basis – but, if they elect to do so, then they must comply with all relevant CDR obligations.
Key dates for the CDR regime
If legislated as drafted, the roll-out of the CDR regime to NBLs will commence, in tranches, from 1 November 2024. The date on which the CDR regime will start applying to certain BNPL product providers will be determined based on the date on which the relevant product provider started offering BNPL products. As part of the first tranche of the roll-out, both initial and large providers will be required to comply with Part 2 and Schedule 3 of the CDR Rules in connection with product data requests.
Generally speaking, in the context of the CDR, 'product data' is information about products that are provided by a data holder. This information does not include consumer data, which relates to consumers and the use of products by consumers (e.g. in the banking sector, consumer data would include transaction data and account balances). In the context of the upcoming changes, 'product data requests' will cover requests for 'required product data' which is essentially data that is:
- banking sector data or NBL sector data (as applicable);
- about the eligibility criteria, terms and conditions, price, availability or performance of a covered product;
- publicly available (if in respect of availability or performance data);
- product specific data about a covered product; and
- held in a digital format.
The second tranche of the roll-out is proposed to commence on 1 February 2025, when initial providers will be required to comply with Part 4 of the CDR Rules relating to consumer data requests (with the exclusion of complex requests, being those requests made on behalf of a secondary user, relating to a joint/partnership account, or made by nominated representatives on behalf of a non-individual CDR consumer). Complex requests will need to be satisfied by initial providers as part of tranche 3, which is projected to commence on 1 May 2025.
Correspondingly, unless the current timing changes, large providers will be required to comply with Part 4 of the CDR Rules relating to consumer data requests (excluding complex requests) from the commencement of tranche 4, planned for 1 August 2025, and relating to complex requests when tranche 5 commences as planned from 1 November 2025.
This timeline may be subject to modification in respect of certain entities, depending on factors that relate to the timing of their classification as large providers.
Planning for compliance
The draft amendments apply obligations to NBLs in respect of:
- eligibility requirements for consumers seeking to make requests for CDR data;
- in-scope products for which data must be disclosed on request (or may be disclosed voluntarily); and
- certain requirements around dispute resolution.
NBLs should familiarise themselves with their CDR obligations, and the dates from which they begin, to ensure they are compliant. Many of the requirements can be seen as fairly onerous. Some of these obligations are detailed below.
If the draft amendments are legislated to align with the 1 November 2024 timeline, both initial and large providers must be prepared to meet their new obligations under Part 2 and Schedule 3 of the CDR Rules. These providers will need to be in a position to disclose required product data (and voluntary product data if the provider so chooses) when a request is made in accordance with the CDR Rules, in a machine-readable form and in accordance with the consumer data standards. Among other things, this will necessitate a consideration of what further infrastructure, internal policies or procedures, and staff training may be required to ensure the business manages its new obligations. It is also worth noting that concerns with the quality of product data contributed to the 'pause' on the CDR roll-out announced in June 2023. Accordingly, we anticipate product data quality will be an area of focus for CDR regulators as the roll-out resumes.
Initial providers should also plan ahead for the steps they need to take to prepare for the second tranche of the roll-out due to commence on 1 February 2025 in respect of consumer data requests (followed by complex requests from 1 May 2025). For instance, providers should consider what IT builds (and other steps) they need to implement to facilitate seeking authorisation from CDR consumers to disclose consumer data when requested by accredited persons, as well as the actual disclosure of the data in the correct form that meets the applicable standards. Large providers should also consider this in order to meet their equivalent obligations from 1 August 2025 (and from 1 November 2025 in respect of complex requests).
Now is the time for all NBLs to review their existing internal dispute resolution policies, and whether these comply with their new obligations under the CDR Rules. Concurrently, this is a good opportunity for participants to consider their compliance with the external dispute resolution scheme (of which it is expected they would already be a member) operated by the Australian Financial Complaints Authority Limited.
NBL entities should also be aware of the requirement that data holders must have and maintain an up-to-date CDR policy in respect of their management of CDR data. This CDR policy must be in a form that is approved by the Information Commissioner and distinct from the NBL's privacy policies. There are a number of other requirements that must be met under the CDR Rules and the Competition and Consumer Act 2010, which NBLs should carefully consider when drafting a CDR policy.
While consultation on the exposure draft amendments closed on 6 October 2023, they have not yet been registered on the Federal Register of Legislation. The amendments may still be enacted in time to meet the 1 November 2024 timeline, so NBLs and BNPL product providers should take this time to consider how best to prepare their business for the changes brought by the upcoming CDR roll-out.
Even if the anticipated amendments are legislated at a later date, it is prudent for NBLs and BNPL product providers to consider their capacity to comply with the proposed rules, as this is the expected next step in the expansion of the CDR regime.
We will continue to publish industry updates as the CDR regime progresses. Please contact us if you would like to understand and prepare for the potential consequences of the expansion of the CDR regime or to obtain further information on CDR compliance.