Challenges & Opportunities as CDR legislation nears enactment

Herbert Smith Freehills’ briefing on the progress of the Consumer Data Right (CDR) regime in Australia following the CDR Bill’s introduction into Parliament last Wednesday.

Our briefing identifies key potential industry impacts, practical CDR issues and cross-sector CDR implications that businesses can expect when the CDR Bill is passed.

Challenges & Opportunities as CDR legislation nears enactment

Enactment of the Treasury Laws Amendment (Consumer Data Right) 2018 Bill (Bill) will mark an important regulatory step for the data economy and implementation of the consumer data right (CDR) regime in Australia. The CDR aims to empower consumers, improve competition, enable greater consumer portability and boost innovation. In a media release last week the Australian Treasurer, the Hon Josh Frydenberg MP expressed confidence that implementation of the CDR reforms will progress as planned.

Potential Industry Impacts

Once the Bill is passed, we expect that the ongoing implementation of the CDR regime in the financial sector will prompt sector participants to consider their businesses in a new light, in the world of increased access to data facilitated by the CDR regime. Considerations may include questions such as:

• what changes will there be to customers’ expectations about how their financial services providers deal with them;
• will a participant’s competitors become early adopters and create innovative ways of commercialising greater data accessibility; and
• will consumers accept sharing and portability, or remain reserved due to privacy concerns?

Responses based on initial client discussions have been mixed. Some have raised the significant cost of adoption, and some more established and less agile businesses who rely on dated technology may encounter challenges of existing system limitations delaying adoption.

Highly innovative, or smaller and more agile businesses from a range of industries may become early adopters, and test innovative ways of realising the opportunities presented by increased access to consumer data.  Businesses operating in the financial services, software as a service (SAAS), technology, data or analytics sectors may become data aggregators. Platforms may emerge offering commoditised products to both other industry players and end consumers.

Key Practical CDR Issues

Financial industry businesses are continuing to seek a deeper understanding of how the CDR may operate, and are engaging with us on key practical issues including:

• what is required to become an accredited data recipient;
• the impact of a cyber-attack or data breach on an accredited data recipient’s accreditation status; and
• the cost and timing of an internal regulatory and technology uplift to meet the necessary standards to become an accredited data recipient. 

While on a practical level technology and system redevelopment is costly and slow, there is also a non-technical aspect to CDR implementation. This relates to consumers’ trust, privacy, and confidence in using data sharing services. An Accenture survey in May 2018 reported that nearly two thirds of respondents were concerned about privacy security and almost one half didn’t see the value of sharing their financial data with non-bank participants in the financial sector.¹ It appears that in addition to businesses improving their understanding, a consumer education and awareness raising process may be required for open banking to be successful in practice.

Cross-sector CDR implications

Last week’s media release did not expressly address the CDR’s implementation in other sectors. However, the expected rollout of the CDR to the energy and telecommunications sectors is anticipated to provide opportunities for innovative synergies driven by consumer data access to disrupt aspects of traditional industry verticals, with the potential for new industry participants to emerge. Developments of this kind may facilitate technology and data driven convergence that is currently occurring across a range of sectors. Clients in these sectors are encouraged to continue engaging with CDR developments and to consider carefully what lessons they can draw from CDR implementation in the financial sector, particularly given the Government’s apparent commitment to rapid implementation of the CDR regime.

Timings for CDR implementation

The Bill was reintroduced to the House of Representatives on 24 July, having lapsed when Parliament was dissolved in April for the federal election, and is expected to pass Parliament as early as this week.

The final version of the rules governing the CDR regime in the financial sector is scheduled for release in August, and an ‘implementation’ draft of the technical Consumer Data Standards was issued earlier this month. In preparation for stage 1 of the CDR, three major banks have made available their initial product reference data sets, and the expected ‘official launch’ of the CDR in the financial sector remains proposed for February 2020 (at which time the major banks will make available consumer, account and transaction data).

Opportunities & Challenges

Now is the time for businesses to invest in their future and make strategic decisions about whether they will become early adopters of CDR, or wait until others have taken the first step. Participants in the impacted sectors should consider whether their technology and security capabilities are adequately robust or need to be improved and whether current product offerings can, or should, be redesigned to take advantage of an enriched data environment. Boards and decision makers will need to consider and understand the cyber security risk profile presented by the CDR to ensure that all decisions relating to increased consumer data use and access is informed and considered through a lens that balances risk and opportunity.

If you are interested to learn more, or would like to meet with any of our CDR specialists, please reach out to any of the HSF team members mentioned in the briefing.