Legal development

Consumer data right news for non-bank lenders and buy now pay later, screen scraping and energy rollout

Insight Hero Image

    A busy time for a data regime that is allegedly on "pause"

    What you need to know

    Non-bank lending and buy now pay later:

    • The Consumer Data Right (CDR) is commencing its push into Open Finance, with an expansion to non-bank lenders and Buy Now Pay Later (BNPL) products coming soon, allowing consumers to request the sharing of product and consumer data from non-bank lenders and banks that offer BNPL products.
    • Treasury consultation on exposure draft amendments to the CDR Rules is open until 6 October 2023. These updates are expected to be passed in late 2023, with non-bank lender product data sharing for initial providers and large providers expected from 1 November 2024. Expansion to BNPL products will also start from 1 November 2024.
    • Ashurst client webinar: Consumer Data Right is set to expand to non-bank lending and buy now pay later products – Join us for a deep dive into this proposed expansion of the CDR on Thursday, 28 September 2023 at 12.30pm. To register your interest, please email Australia Ashurst Events.

    Larger energy retailers:

    • The CDR rollout to larger energy retailers (any retailer that had 10,000 or more small customers on 15 November 2021) is also fast approaching, with data sharing obligations switching on from 1 November 2023.

    New consultations and screen scraping:

    • The expansion to non-bank lenders and other BNPL products comes amid a "pause" declared by the Minister on the CDR's rollout to new sectors, although it remains a busy period, with a number of open consultations on consent, operational enhancements and screen scraping.

    What you need to do

    • In-scope non-bank lenders and data holders that offer BNPL products must plan their CDR implementation projects carefully, taking into account the applicable 'go-live' dates. In our experience, ensuring compliance with these rules requires forward planning, and an integrated regulatory, legal and technical engagement across the organisation.
    • Larger energy retailers (with greater than 10,000 small customers) will also be required to comply with general obligations under the CDR from this November, and must ensure they are in a position to disclose consumer data and provide a compliant consumer dashboard.
    • For challenger brands and intermediaries, consider what risks and opportunities access to consumer data can pose to your business. Becoming an accredited data recipient (ADR) under the CDR regime could allow you to offer expanded functionality, more competitive service offerings and the opportunity to market to less 'sticky' customers, but it's a still a long and complex road to accreditation.

    Next steps:

    • For larger retailers in the energy sector, get up to speed on what the energy CDR means for you, and get ready for launch in November.



    This article summarises some of the key changes that have happened in the CDR space in late 2023, including the rollout to non-bank lenders and buy now pay later, expansion to larger energy retailers, and new consultations being undertaken by Treasury – all in the wake of a "pause" in activity on the CDR announced earlier this year.

    What is the CDR and what does it mean for consumers?

    The consumer data right (CDR) gives consumers more control over their data, making it easier to access their own data held by organisations and compare relevant products and services.

    It is being rolled out on a sector-by-sector basis. The CDR was first introduced in 2020 in the banking sector (Open Banking), followed by the energy sector in 2022 (Open Energy). Open Finance, which includes the non-bank lender (NBL) sector, is the next cab off the rank.

    The CDR is designed to help save consumers time and money by encouraging product switching and streamlining existing application processes.

    For example, switching lenders often requires consumers to manually enter their personal and financial information, as well as details of any account balances or loans. The CDR could allow consumers to automatically and securely share this data at the click of a button.

    The introduction of action initiation, will further realise the potential uses of the CDR regime once uptake of the CDR increases across the economy.

    Expansion to non-bank lenders and BNPL

    Non-bank lenders

    Treasury recently released an exposure draft of the CDR Rules for the NBL sector and is accepting submissions up until 6 October 2023. This will make the NBL sector the third sector to fall within the CDR.

    The proposed CDR Rules will impose obligations on certain 'tranche 1' NBLs from 1 November 2024. The following NBLs will be captured by the rules:

    • Initial providers – who have resident loans and finance leases valued at over $10 billion in the calendar month preceding the commencement date and averaged over the 11 previous calendar months; and
    • Large providers – who have resident loans and finance leases valued at over $500 million (but less than or equal to $10 billion) in the calendar month preceding the commencement date and averaged over the 11 previous calendar months, provided the NBL also has more than 500 customers.

    Relevantly, a consumer (which can include an individual or a business) will only be in-scope with respect to a NBL if they have an open account that relates to a relevant non-bank lending product and that account is set up to have online access. This reflects the same rule that applies in the banking sector, but is different from the energy sector, which does not have the same "online access" limitation.

    BNPL products

    Notably, the proposed CDR Rules introduce BNPL products into the remit of the CDR in both the banking and NBL sectors. This means that consumers will be able to share and link their data across most payment providers, potentially generating highly valuable consumer spending data and insights for both consumer and business use cases.

    Traditionally, BNPL debts do not appear on an individual's credit score. Certain banks have identified that they will be considering any BNPL debts when assessing home loan affordability. The proposed expansion of the CDR to BNPL products will make credit assessments a simpler and more transparent process.

    What do initial and large NBL providers need to do?

    Relevant NBLs should begin taking steps to ensure that they are ready to implement the CDR when it is introduced.

    The obligations under the CDR generally require data holders to:

    • disclose consumer data when they receive a valid request;
    • offer consumers a dashboard to manage their data sharing authorisations;
    • comply with the relevant privacy safeguards;
    • maintain appropriate dispute resolution services; and
    • keep records and report to the ACCC.

    Participants may need to uplift systems, processes and training to ensure they are compliant. In our experience in the banking and energy sectors, rollout of the CDR has been a complex, multi-year project spanning various teams within the organisation. Ensuring compliance with these rules requires forward planning, and an integrated regulatory, legal and technical engagement across the organisation.

    What happens if the rollout timeframes are not met?

    The stakes are high for non-compliance, as penalties of up to $10 million may be imposed for an organisation's non-compliance with certain obligations under the CDR regime.

    The ACCC has already instigated enforcement action against certain data holders. For example in 2022, a bank paid a penalty of $133,200 to the ACCC for allegedly breaching the CDR Rules by failing to provide a service enabling consumers’ data to be shared for more than five months after the required go-live date.

    This demonstrates the importance of ensuring that relevant businesses are able to meet all obligations by the required date, or if this is not possible, constructively and proactively engaging with the regulator. This may include seeking pre-emptive exemptions, or engaging early with the regulator on areas of concern.

    What does this mean for consumers?

    The CDR provides consumers with a way to access their data in a standardised and trusted way, confident in the knowledge that their data will only be shared with third parties if the strict privacy and security requirements set out in the CDR Rules and the Consumer Data Standards are met.

    This presents an opportunity for accredited data recipients to offer new and innovative data-driven products and services in a way that other competitors cannot.

    Opportunities for ADRs

    Accredited data recipients (ADRs) are businesses accredited by the ACCC to receive CDR data. They must meet strict security and technical standards designed to protect consumers' privacy and security.

    Non-bank lenders should be aware of the role of ADRs, and may wish to consider whether they pursue this accreditation. Becoming an ADR may provide incumbent providers, challenger brands and third party intermediaries with a competitive advantage and new service offerings. In particular:

    • in the banking sector, all of the big four banks pursued accreditation as an ADR in order to benefit from the wealth of available consumer data. There has also been an influx of fintechs offering their services as ADRs;
    • similarly, energy retailers or non-bank lenders can become ADRs in their own right, and potentially secure a competitive advantage through enabling product comparisons, or by creating new customer-centric offerings that combine data offerings from multiple sources; and
    • opportunities also exist for existing comparison services to use the CDR to obtain greater access to customer data to improve the ease and accuracy of comparison use cases.

    The "pause" on CDR and other developments

    In June 2023, the Minister for Financial Services announced that the CDR rollout to new sectors would be paused and the government would instead take the time to make improvements and build awareness of the CDR in the current sectors. This paused the previously anticipated rollouts to telecommunications and insurance sectors.

    In many regards, knowledge and uptake of the CDR by consumers has been lower and slower than the Government anticipated. However, the Government's renewed push to expand digital identity could reduce friction in user interactions and help bring more customers on-board.

    Despite the pause, there are a range of other developments continue to roll out for existing sectors, including recent operational enhancements to allow new categories of CDR representatives, and a range of proposed changes and consultations underway.

    Businesses should remain alert to new CDR developments, particularly if they are in the three sectors not affected by the pause (banking, energy and the NBL sector). It remains a busy period for CDR developments and will likely remain so over the coming years.

    What happened to action initiation?

    The next big step for the CDR is action initiation (also known as "write access"), which would allow accredited third parties to take actions on the consumer's behalf – such as opening accounts, authorising payments or switching.

    The Government has introduced a bill to expand the CDR to Action Initiation (with the Senate, at the date of publication of this article), and no doubt this action initiation will be the subject of much industry comment and consultation prior to its implementation.

    Impending launch of CDR for larger energy retailers

    The broadening of the CDR to larger energy retailers is fast approaching. From 1 November 2023, larger energy retailers (any retailer that had 10,000 or more small customers on 15 November 2021) will be required to comply with the CDR's data-sharing requirements.

    In particular, larger energy retailers must comply with the general obligations under the CDR, such as disclosing consumer data, offering consumers a dashboard to manage their data sharing, complying with privacy safeguards, maintaining appropriate dispute resolution services, and keeping records and reporting to the ACCC.

    For those that are, the timeframe for launch is very soon and testing is underway. If delays to your launch are expected, carefully consider seeking a formal exemption from the ACCC or reporting items on the ACCC's rectification register.

    Consent, operational enhancements and screen scraping

    Concurrently, Treasury is consulting on consultation papers for consent and operational enhancements (closing 6 October 2023) and screen scraping (closing 25 October 2023).


    Treasury is considering areas of friction when it comes to providing consumers with 'intuitive, informed and trustworthy consent experiences' under the CDR. The main proposals for feedback in the paper include consent bundling, pre-selection of essential datasets, prescribed information for CDR receipts, 'deletion by default' options and, most interestingly, potential prohibitions on 'dark patterns'.

    Dark patterns refers to user interfaces designed or intended to confuse users, making it difficult for consumers to express their preferences, or manipulating consumers into taking certain actions. The consent design paper summarises a range of 'dark patterns' that would potentially be prohibited, such as nagging, obstruction, interface interference, sneaking, forced action and scarcity cues that undermine user autonomy in decision making.

    The ACCC has dark patterns in its sights already, with its September 2023 Digital Platform Services Inquiry report , as well as its potential prohibition on unfair practices, see Consultation begins on whether Australia needs a prohibition on unfair practices

    Operational enhancements

    Treasury has proposed a raft of operational enhancements across three categories, with the intent of ensuring the CDR Rules are fit-for purpose and support the policy aims of the CDR. These operational enhancements include:

    • Proposed changes to CDR rules generally, including changes to secondary user and nominated representative rules, the expansion of 'avoidance of harm' provisions and new rules for outsourced service providers and CDR representatives;
    • Proposed changes specific to the energy sector CDR rules, including the deferral of nominated representative obligations from 1 November 2023 to 1 May 2024 and the addition of new rules regarding trial products, insight disclosures and protections for incorrect sharing of certain data; and
    • New issues for future consideration, including the rules applying to banks that are also data holders, CDR data correction processes and changes to improve multiple consent management.

    Screen scraping

    Finally, and perhaps most importantly, the Government has also commenced consultation on proposals to prohibit screen scraping (also referred to as data aggregation).

    Screen scraping is a common process used as an alternative to CDR data sharing. The practice involves prompting a consumer to log into their account via a third party service, with the service extracting the data displayed "on screen", and sharing that with another provider or service.

    Treasury has expressed concern over the practice of screen scraping (and in particular the storage and use of a user's password) as it circumvents data safeguards and industry-standard data handling practices more generally.

    In its published consultation paper, Treasury asks industry for insight into the use of screen scraping and whether participants use or are aware of any practices to prevent it. Although the discussion paper does not provide any concrete recommendations, it does signal that a prohibition on screen scraping is up for consideration, particularly as the CDR makes gains in maturity and adoption.

    Next steps

    We anticipate that the CDR will continue to evolve over the next 12 months, despite the "pause" in its rollout to other sectors.

    To thrive in this environment, providers in CDR sectors should rethink how they engage with customers well beyond a tick-the-box approach to compliance.

    In particular, organisations should consider implementing systems and practices to:

    • comply with the obligations imposed by the CDR, including mapping of the required technical and operational controls;
    • ensure they have a well-defined data strategy and a holistic approach to data management to enable them to meet the strict requirements of the CDR and associated privacy requirements;
    • use analytics to better understand their business, customers and competitors; and
    • consider the strategic plans they have in place to meet the challenges, and leverage the opportunities, of open sharing of data.

    The rollout of the CDR in an organisation is more than just a technical implementation – it is a legal, regulatory and technical challenge that requires close co-ordination of many areas of the business.

    What does the future hold?

    As the CDR continues to expand, an understanding of customer drivers and retention may need to be re-thought if the key decision maker is no longer the consumer, but a recommendation engine. Competing in this new world may mean rethinking pricing, investigating more dynamic pricing offers (as permitted by law), and potentially creating new brands, offerings or business units optimised for less direct customer interaction.

    Engaging early and planning through their strategic offerings in detail can allow participants to leverage their CDR implementation as an asset to engage with customers and realise value, instead of just another technical change to manage.

    Authors: Tim Brookes, Partner; Geoff McGrath, Partner; Sashini Walpola, Senior Associate; Jarred Gerson, Senior Associate; Jeremy Waite, Graduate.


    Ashurst client webinar: Consumer Data Right is set to expand to non-bank lending and buy now pay later products – Join us for a deep dive into this proposed expansion of the CDR on Thursday, 28 September 2023 at 12.30pm. To register your interest, please email Australia Ashurst Events.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.


    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest