On 3 March 2025, Treasury published the long anticipated amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) that expand the reach of the Consumer Data Right (CDR) to non-bank lenders (NBLs), and in doing so impose data sharing obligations on 'Buy-Now-Pay-Later' (BNPL) product providers. This article provides an update on the new CDR obligations and timelines which relevant NBLs must now consider, and how these NBLs can prepare to become compliant.

Who is included in this roll out of the CDR regime?

The updated CDR Rules contemplate two categories of NBLs – being either 'initial' or 'large' providers. Importantly, the definitions of 'initial' and 'large' providers contained in the March 2025 amendments are different to those in the previously released draft exposure amendments – specifically in relation to the applicable monetary thresholds.

An 'initial provider' is a data holder of NBL sector data that has:

• over $10 billion in resident loans and finance leases reported to APRA in relation to the most recent calendar month for which a report was given to APRA before 4 March 2025 (being the commencement date of the amendments to the CDR Rules (Commencement Date)); and
• averaged over $10 billion in resident loans and finance leases reported to APRA in the 12 preceding calendar months.

A 'large provider' is a data holder of NBL sector data that is not an 'initial provider' but has, on either the Commencement Date or on the 1 July after that date (the relevant day):

• over $1 billion in resident loans and finance leases reported to APRA in relation to the most recent calendar month for which a report was given to APRA before the relevant day;
• averaged over $1 billion in resident loans and finance leases reported to APRA in the 12 calendar months preceding the relevant day; and
• more than 1,000 customers.

The concept of a 'large provider' also includes an NBL that is not an 'initial provider' but is a data holder of NBL sector data as well as an accredited person on either the Commencement Date or any subsequent day.

NBLs that do not qualify as initial providers or larger providers can still elect to participate in the CDR on a voluntary basis – but, if they elect to do so, then they must comply with all relevant CDR obligations.

Key dates for the CDR regime

The roll-out of the CDR regime to NBLs will commence, in tranches, from 13 July 2026. The date on which certain data holders in the banking sector, who offer BNPL products, will be subject to the CDR regime in respect of those BNPL products will be determined based on the date on which the relevant product started being offered.

As part of the first tranche of the roll-out, both initial and large providers (as well as banking data holders providing BNPL products on or before 13 July 2026) will be required to comply with Part 2 of the CDR Rules in relation to product data requests. Banking data holders that provide BNPL products for the first time between 14 July 2026 and 10 May 2027 will be required to comply with Part 2 of the CDR Rules in respect of CDR data relating to a BNPL product on and after the day that is 12 months after the date on which they first offered that BNPL product.

Generally speaking, in the context of the CDR, 'product data' is information about the products that are provided by a data holder. This information does not include consumer data, which relates to consumers and the use of products by consumers (eg in the banking sector, consumer data would include transaction data and account balances). In the context of the upcoming changes, 'product data requests' will cover requests for both:

'required product data', which is essentially data that is:

(i) banking sector data or NBL sector data (as applicable);

(ii) product specific data about a covered product (other than certain covered products such as foreign currency accounts, consumer leases, reverse mortgages, margin loans and asset finance that is non-standard vehicle finance); and

(iii) held in a digital format,
or;

'voluntary product data', which is essentially data that is:

(i) banking sector data or NBL sector data (as applicable);

(ii) product specific data about a covered product; and

(iii) not 'required product data'.

The second tranche of the roll-out is proposed to commence on 9 November 2026, when initial providers and banking data holders providing BNPL products on or before 13 July 2026 will be required to comply with Part 4 of the CDR Rules relating to consumer data requests (with the exclusion of complex requests, being those requests made on behalf of a secondary user, relating to a joint / partnership account, or made by nominated representatives on behalf of a non-individual CDR consumer). Banking data holders that provide BNPL products for the first time between 14 July 2026 and 10 May 2027 will be required to comply with Part 4 of the CDR Rules in respect of CDR data relating to a BNPL product (with the exclusion of complex requests) on and after the day that is 15 months after the date on which they first offered that BNPL product.

Correspondingly, large providers will be required to comply with Part 4 of the CDR Rules relating to consumer data requests (excluding complex requests) from the commencement of tranche 3, on 10 May 2027.

Planning for compliance

The amendments impose obligations to NBLs in respect of:

(a) eligibility requirements for consumers seeking to make requests for CDR data;

(b) in-scope products for which data must be disclosed on request (or may be disclosed voluntarily); and

(c) certain requirements around dispute resolution.

NBLs should familiarise themselves with their CDR obligations, and the dates from which they begin, to ensure they are compliant. Many of the requirements can be seen as fairly onerous. Some of these obligations are detailed below.

Both initial and large providers must be prepared to meet their new obligations under Part 2 of the CDR Rules by 13 July 2026. These providers will need to be in a position to disclose required and voluntary product data when a request is made in accordance with the CDR Rules, in a machine-readable form and in accordance with the consumer data standards. Among other things, this will require the consideration of what further infrastructure, internal policies, procedures and staff training may be required to ensure the business manages its new obligations. It is also worth noting that concerns with the quality of product data contributed to the 'pause' on the CDR roll-out announced in June 2023. Accordingly, we anticipate product data quality will be an area of focus for CDR regulators as the roll-out resumes.

Initial providers should also plan ahead for the steps they need to take to prepare for the second tranche of the roll-out due to commence on 9 November 2026 in respect of consumer data requests. For instance, providers should consider what IT builds (and other steps) they need to implement to facilitate seeking consent from CDR consumers to disclose consumer data when requested by accredited persons, as well as the actual disclosure of the data in a form that meets the applicable standards. Large providers should also consider this in order to meet their equivalent obligations from 10 May 2027.

Now is the time for all NBLs to review their existing internal dispute resolution policies, and whether these comply with their new obligations under the CDR Rules. Concurrently, this is a good opportunity for participants to consider their compliance with the external dispute resolution scheme (of which it is expected they would already be a member) operated by the Australian Financial Complaints Authority.

NBLs should also be aware of the requirement that data holders must have and maintain an up-to-date CDR policy in respect of their management of CDR data. This CDR policy must be in a form that is approved by the Information Commissioner and distinct from the NBL's privacy policies. There are a number of other requirements that must be met under the CDR Rules and the Competition and Consumer Act 2010, which NBLs should carefully consider when drafting a CDR policy.

With new obligations under the amended CDR Rules set to commence on 13 July 2026, NBLs and BNPL product providers should take this time to consider how best to prepare their business for the changes brought by the CDR roll-out to their industry sector, and consider their capacity to comply with the CDR Rules.

We will continue to publish industry updates as the CDR regime progresses. Please contact us if you would like to understand and prepare for the expansion of the CDR regime or to obtain further information on CDR compliance.