Financial Rights Legal Centre
Hotline: call the National Debt Helpline on 1800 007 007.
Open Banking and the Consumer Data Right: What is it and what can I do when something goes wrong?

This fact sheet is for information only. It is recommended that you get legal advice about your situation.

What is Open Banking and the Consumer Data Right?

Open Banking is the ability for consumers to access and control their financial data and share it with other banks or third party financial services who may provide a range of services using the data – from account and credit card switching to budgeting and tax advice.

The Consumer Data Right (CDR) is the broader right the government is introducing to enable people to access their data and provide it to an accredited business (an accredited CDR provider). The banking sector – via Open Banking – is the first sector to provide this access. It is expected to roll out to other sectors including telecommunications, energy, superannuation, insurance and others.

The types of financial data that you can share include:

  1. customer data such as your name and contact details
  2. account data such as your account number and name; account type; interest rates, fees and discounts; and your direct debits, scheduled payments and saved payees.
  3. transaction data such as your incoming and outgoing transactions; amounts; dates; and descriptions of your transactions.

How does Open Banking and the CDR help me?

The objective of the CDR is to provide you with the ability to efficiently and conveniently access the data banks hold about you and your finances. This can help you identify and correct any issues with that data.

The CDR also allows you to authorise the secure disclosure of this data to companies offering new financial services via websites and apps. The CDR is designed to give you more control over your data, leading, for example, to more choice in where you can take your business or a greater ability to budget or manage your finances. You could use your CDR data to:

  1. investigate whether a new banking service is appropriate for you.
    For example, you might consent to your data being used to find a savings account, mortgage or credit card.
  2. compare banking services to see which one is better for you.
    For example, you might consent to your account data being provided to an accredited CDR provider to see whether they can provide you with a better interest rate.
  3. access a new financial service that needs your data to operate.
    For example, you might consent to your transaction data being provided to an accredited CDR provider that offers a budgeting or savings app.

How do I share my CDR Data?

You can only share your CDR data with an accredited CDR provider. This means that the business has been approved to handle CDR data by the Australian Competition and Consumer Commission (ACCC) and must comply with relevant regulatory requirements. You can check whether they are accredited by going to the CDR Current Provider Portal or by calling the ACCC on 1300 302 502. As at July 2020, there are currently only a small number of accredited parties including ANZ, NAB, Westpac, Commonwealth Bank, Regional Australia Bank and Frollo.

On the accredited party’s website or app you’ll be provided with instructions about how to access your data and use their service. The steps that you will take will be:

  1. You will need to give consent for the accredited CDR provider to access your data.
  2. There will be an identity check to verify yourself with your bank using a one-time password.
  3. The website or app will then link with your bank and confirm with you what data you wish to share.
  4. The data will then be shared between your bank and the accredited CDR provider.
  5. Then you can start using the accredited CDR provider’s services.

TIPS!

  • You do not have to share your CDR data if you do not want to. Always think carefully about whether sharing your sensitive financial data is in your best interests. Get legal advice if you are unsure.
  • Only share the minimum amount of data required to use the service!
  • Be comfortable with how your data will be used. Will they use it to advertise to you? Will they recommend the best deal for you or the deal that makes them the most money?
  • Take note of how long they will have access to your data – the maximum length of time is 12 months and you can always withdraw your consent.
  • Manage your consents within the website or app and familiarise yourself with how to withdraw your consent and how to delete your data.

Do I have to provide my consent?

Your consent must be given for your data to be shared. You have the right to choose which services see and use your data, what types of data you want to transfer and how you want your data to be used. You can also stop the transfer of data at any point by removing your consent. You will be able to do this under Manage Your Consents on the website or in the app or by writing to the accredited CDR provider and explaining that you are removing your consent.

Example

Tan has signed up to Save Your Dollars, a mobile savings app which helps consumers put together a savings plan. The representative at Save Your Dollars explains to Tan that he must provide his consent for Save Your Dollars to use his transaction data. Tan receives the consent form and notices that the form states ‘I give my consent to Save Your Dollars to use my data for any purpose’. Tan ticks this box even though he only wants his data to be used for the purposes of a savings plan. Tan feels uncomfortable with this and so he gets advice. Tan discovers that he does not have to consent to his data being used for any purpose. Tan writes to Save Your Dollars and explains that he removes his general consent and provides consent for his data to be used for the purpose of a savings plan only. Save Your Dollars can now only use Tan’s transaction data for this limited purpose.

Consent is supposed to be ‘unbundled’, which means that you should be able to consent (or not consent) to separate uses of your data such as mortgage recommendations, savings account options and other functions. It can’t be a single tick-box where you consent to all or nothing. You should only consent to your data being used in the way you want it to be used.

Example

Sharon is interested in opening up a savings account with THE BANK. Sharon is a very private person. The manager at THE BANK explains to Sharon that she can only open up a savings account if she shares all of her CDR DATA with THE BANK. Sharon is happy to provide the manager with relevant documents but she does not want to share all of her CDR DATA. The manager is very persistent and will not take no for an answer.

Even if a business is an accredited CDR provider you do not have to share your CDR data with them. You should think carefully about whether sharing your data is a good thing. Call us for legal advice if you are unsure of your rights.

How is my privacy protected?

Any business that is accredited to deal with CDR data must comply with regulations that protect your privacy. The Australian Information Commissioner has provided a comprehensive explanation about how your data will be protected on their Protecting Your CDR Data page. You can also ask for your data to be deleted or de-identified when it is no longer needed.

Example

Audrey has a mortgage with THE BANK. Audrey wants to know whether a different bank will provide her with a better interest rate on her mortgage. Audrey discovers that Fair Compare, a mobile app, allows users to compare banking services. Audrey consents to Fair Compare using her account data for that purpose. Audrey uses the app and decides that she is happy with the interest rate provided by THE BANK. Audrey no longer needs the comparison app and wants to delete her data. 

You can choose for your data to be deleted when you withdraw your consent or once the data is redundant and no longer needed. You should be able to make this election at any time through the website or the app. The accredited CDR provider should also tell you whether they have a general policy of deleting redundant data and at what point your data will become redundant.

Warning!
Financial services that are not CDR-accredited may ask you to download your CDR data and provide it to them. Some may even deny you service unless you do so.

Example

Larry has recently been made redundant from his job as a travel agent. Larry’s partner is eight months pregnant. Larry’s sole source of income is now Centrelink. Larry has no savings and cannot afford a cot for the new baby. Larry is getting desperate and is unsure what to do. Larry approaches Quik Bucks, a PAYDAY LENDER for a loan of $400. The PAYDAY LENDER agrees to provide Larry with the loan on the condition that he gives them access to all of his CDR DATA. Larry is unsure about whether he is required to give Quik Bucks all of this information and whether this is in his best interests.

Example

Talia lives in RURAL AUSTRALIA. There is only one store in town. Tony, the store manager, tells Talia that if she wants to buy anything from the store she has to hand over all her CDR DATA. Tony tells Talia that the new CDR laws mean that she has to do this. Talia is unsure what she should do. She needs to buy things from the store, but doesn’t want to give Tony all of her information.

Do not provide your CDR data to non-accredited financial services. The strong privacy protections under the CDR system are unavailable to you if you pass on your data in this way. You place yourself at real risk of breaches of your sensitive financial data, the data being misused or sold on to other parties, or even your identity being stolen.

Check whether they are accredited by going to the CDR Current Provider Portal.

If you are unsure of your rights you should call us for legal advice.

My data is inaccurate! Can I request corrections?  

You have a right to request the correction of any inaccurate CDR data. If you do request a correction then the provider must respond to your request and either:

  • correct your CDR data,
  • provide you with a statement, or
  • explain to you why a correction and/or statement is not necessary or appropriate.

What do I do if I have a complaint?

Step 1

You should complain to the accredited CDR provider first.

You can find out how to complain through their CDR Policy. This policy should be available through the accredited provider’s website or mobile app. The accredited provider is also required to give you a copy of the policy if you ask for it.

The Office of the Australian Information Commissioner (OAIC) has a template which you can use to make a complaint plus a CDR portal with further information on the CDR.

You should give the accredited provider at least 30 days to respond to your complaint.

Step 2

If:

  1. the accredited CDR provider fails to respond in 30 days; or
  2. you are not happy with their final response,

the next step would be to escalate the dispute with either:

  1. the Australian Financial Complaints Authority (AFCA) at afca.org.au or call them on 1800 931 678. This is a free and independent consumer complaints service, and they can take complaints within 2 years of the final written decision about your complaint (you must also lodge within 6 years of the date you first realized or should have realized you had a complaint); or
  2. the OAIC, or call them on 1300 363 992. You only have 12 months from the date you became aware of the issue in relation to your CDR data to file your complaint with the OAIC.

You can ring us for advice if you have any questions.

Last updated: 12 August 2020