Blog Image


Consumer Data Right rules established for the Australian banking sector

Home Insights Consumer Data Right rules established for the Australian banking sector

Contributed by:

Contributed by: Liz Blythe, Guy Lethbridge, Che Ammon and Rosie Judd

Published on:

Published on: February 11, 2020


The Australian Competition and Consumer Commission has announced the finalisation of the Competition and Consumer (Consumer Data Right) Rules. The Rules sit alongside the Treasury Laws Amendment (Consumer Data Rules) Act 2019, which came into force in August 2019, and provide further detail as to how the Australian regime will operate.

Following Minister Faafoi's December announcement regarding a potential Consumer Data Right (CDR) on the horizon in New Zealand, the release of the formalised Rules provide a valuable insight into how the Australian regime will operate and what an equivalent CDR regime might look like if implemented in New Zealand.

The Rules give legislative force and colour to Australia's statutory consumer data sharing obligations in banking that will become mandatory from 1 July 2020. The Rules will be rolled out in stages, with the four major Australian banks (who are already sharing product reference data on a voluntarily basis) expected to lead the charge.

In Australia, the CDR has been designed to be an "economy-wide reform" that will first apply to the Australian banking sector, with both the energy and telecommunication industries proposed to follow. Minister Faafoi has indicated that any New Zealand CDR regime would similarly apply across multiple sectors to the extent "necessary and appropriate".

Under the Rules, a CDR consumer will have two pathways to request CDR data - either directly from the data holder or indirectly via an accredited third party.

The Australian Rules confirm which specific sets of banking data will be subject to the CDR and highlight a distinction between 'required' and 'voluntary' data, with disclosure of voluntary data being optional and potentially chargeable.  

Other notable features include detail on the data minimisation principle to prevent over-sharing, dispute resolution procedures and penalties for non-compliance (with body corporates who refuse to provide required CDR data to potentially face a A$250,000 civil fine). As expected, the Rules place significant emphasis on privacy and security safeguards.

Organisations in New Zealand will no doubt be interested in following the progress of the CDR in Australia. A prudent watch over both the successes and struggles of the regime over the coming months will help to inform affected stakeholder responses to any similar proposals for a statutory CDR regime in New Zealand.

This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.

Talk to one of our experts:
Related Expertise