CX Guidelines | ADI or NBL to hold CDR data as a DH

[CDR-CX-Stream]

Description

Following the registration of the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024 on 12 November 2024, the DSB CX team has received requests for CX Guidelines to be developed that demonstrate how a CDR Participant can implement the functionality outlined in the updated clause 7.2 of Schedule 3 of the principal rules.

As outlined in the Explanatory Statement which accompanied the making of these rules (see items 31–40), the amending rules expand the circumstances in which an accredited authorised deposit-taking institution (ADI) can hold data as a data holder (DH) by creating a second set of conditions to allow accredited ADIs to hold CDR data they receive under the CDR Rules as a data holder.

Draft rules amendments consulted on in late 2024 also propose that clause 7.2 of Schedule 3 be amended to include non-bank lenders (NBL), allowing both ADIs and NBLs to hold CDR data as a DH, provided the conditions of the clause are met. The draft amending rules also propose to clarify that this mechanism only applies if the ADI or NBL in question is already subject to data sharing obligations in their capacity as a data holder of other CDR data. While these rules have not yet been made, the DSB is considering their impact on the request for CX Guidelines.

Intention and Value of Change

The intention of these CX Guidelines would be to demonstrate how a data recipient who is an ADI could implement requirements as stipulated in clause 7.2 of Schedule 3.

These CX Guidelines would be developed in collaboration with policy makers and regulators along with the community and would demonstrate implementations of the rules to help CDR participants in implementing this functionality.

The CX team is considering whether additional CX Guidelines on Consent Management are required to demonstrate how this type of consent would be displayed on the consumer dashboard.

Area affected

It is expected that new CX Guidelines demonstrating the consent flow would be a variant of the Collection and Use Consents on the DSB’s CX Guidelines website.

Any CX Guidelines demonstrating the consumer dashboard are expected to be variants of the Consent Management (data recipient): Collection and use consents on the CX Guidelines website.

Participant feedback on these publishing locations is welcome.

New item or change proposed

• New variant CX Guidelines of the Collection and Use Consents,
• Consider new variant CX Guidelines of the Consent Management (data recipient): Collection and use consents.

The DSB CX team will use Maintenance Iteration (MI) 22 to consult on this topic with the community.

The DSB is now seeking community input on the questions CDR participants are seeking to have answered by these CX Guidelines. Participants are invited to provide feedback directly in this thread, as part of MI calls, or via email to [email protected]. The deadline for this input is the end of the 2nd call of MI22 (i.e. 3pm AEDT, 19th February).

The DSB will then prepare draft CX Guidelines, and seek community input on these draft guidelines by the end of the final call of MI22 (i.e. 3pm AEDT, 2nd April).

Following the conclusion of the MI consultation period, the DSB CX team will determine whether to publish finalised guidelines on the CX Guidelines website, or whether to continue consultation during MI23, if questions or concerns remain outstanding.

---

⚠️ Disclaimer ⚠️
The CX Guidelines provide optional implementation examples for key rules, standards, and best practice recommendations.

They demonstrate key aspects of the consent model, but certain areas may be considered out of scope. This may include, for example, where the rules and/or standards are silent or non-prescriptive to provide CDR participants with flexibility or discretion according to their own systems or protocols.

❗The CX Guidelines span policy, rules, standards, and best practice, so requests will be considered on a case by case basis and timings may not fall within a Maintenance Iteration cycle.

Importantly, the CX Guidelines are optional to follow, but the CDR rules require CDR participants to have regard to them. The CX Standards differ in that they are binding data standards that must be followed.

[CDR-CX-Stream]

The DSB has extended input on questions CDR participants are seeking to have answered by these CX Guidelines to COB Friday February 21. Participants are invited to provide feedback directly in this thread or via email to [email protected].

[MastercardOpenBankingAustralia]

Mastercard welcomes the opportunity to comment on this proposal. Clear guidance on how ADIs/NBLs could implement the functionality in clause 7.2 of Sch 3 will be of benefit to the ecosystem.

We consider that the following issues should be explored as part of the development of CX Guidelines:

• the nature of the CDR consents required to be obtained by the ADI/NBL when relying on this clause and specifically, guidance on the CX implications that result from a situation where a collection consent is the only CDR consent type that the ADI/NBL requires;
• the nature and extent of information that should be provided by the ADI/NBL to describe its "usual data holding practices", and the positioning of this information (e.g. in the pre-consent flow vs in the consent flow itself);
• how an ADI/NBL's CDR Policy should be positioned to consumers, particularly in situations where there may be differences in an ADI/NBL's "usual data holding practices" when compared with CDR Policy requirements (e.g. deletion of redundant data); and
• the use of supporting third parties (e.g. OSPs) and the requirement to disclose details of same in the consent flow where an ADI/NBL relies on this clause.

[anzbankau]

ANZ would like to see CX guidelines reflecting the practical application of clause 7.2 of Schedule 3 - how specific use cases that may now be facilitated by the amended rules may be implemented. For example, a home loan application for joint applicants - how a DH may disclose individual applicant CDR data.