Envestnet | Yodlee Security Office

A Checklist Based on the Envestnet | Yodlee Experience

Envestnet | Yodlee’s checklist boils down the most important steps we took throughout the accreditation process. To make these easier for you, we have included links to quickly direct you to the correct resources and forms for further information.

The Accredited Data Recipient Journey

Links to Forms and Resources for Australian ADR Accreditation

Australia is embracing its own form of the global open banking revolution, termed the Consumer Data Right (CDR). At Envestnet® | Yodlee®, we want to help you prepare for the steps involved in becoming an Accredited Data Recipient (ADR), because we have been there, we have done it, and we have learned from it. Not only is Envestnet | Yodlee registered and accredited in Australia as an ADR, but we have achieved AISP licensure in the UK and are leading the open banking initiative in the U.S., Canada, and South Africa.

The Nine-step Checklist for Accreditation

It’s important to engage your own legal counsel or consulting advice on your journey to becoming an accredited data recipient, and to refer back to the regulators: the Australian Competition and Consumer Commission (ACCC), which assesses applications and grants accreditation, and the Treasury, which is responsible for CDR policy and the CDR Rules. Now is a great time to start the process with our convenient nine-step checklist.

1. Account Creation:

Create an account on the CDR Participant Portal. The portal is also the place where you can update and manage your information, as well as view the CDR Register of Accredited Persons. Creating an account will require:

  • Your primary business contact information. It must be listed on your Australian Securities and Investments Commission business record, or the equivalent foreign business record if you are a foreign entity.
  • Verification of your identity.

2. Start an Application:

Once your account has been created, you can start a new application and proceed with one of two forms:

  • Standard form: Use the standard form if you are not an authorized deposit-taking institution.
  • Streamlined form: If you are an unrestricted authorized deposit-taking institution, you are eligible to use the streamlined form.

3. Prepare to Meet Accreditation Criteria:

To complete the accreditation form and meet its strict requirements, the following information and supporting documentation is necessary:

  • Products and services: Provide a description of products and services you will offer if accredited. Currently, the first and only industry to be brought into the CDR is banking, along with its associated products and services.
  • Organizational charts: Illustrate your corporate structure, identifying your company and any subsidiaries and related bodies corporate. You will also need to identify the people within your organization who will make decisions about the management of CDR data and provide a chart of them. The chart should include full names and position titles.

Envestnet | Yodlee Documentation for Your Application Process

As you document your products and services, you can leverage Envestnet | Yodlee’s business and technical documentation to help you demonstrate compliance for the aspects of your CDR solution outsourced to Envestnet | Yodlee.

  • Fit and proper person: You must demonstrate that you and your relevant associates are fit and proper to manage CDR data, provide date(s) of birth, and disclose whether any of the following apply:
    • Serious criminal convictions within the past ten years, including those abroad
    • Violations relating to the management of CDR data, including any foreign violations
    • Determinations relating to interfering with the privacy of an individual under the Privacy Act 1988, or similar findings in another country
    • Insolvency or bankruptcy
    • Determinations made by an external dispute resolution scheme recognized under the Privacy Act 1988, or by any other recognized external dispute resolution scheme, that required financial compensation or any other related remedy
    • Disqualification or banning of any of your directors from managing a company
  • Privacy safeguards: Part 7 of the CDR Rules sets out the requirements for the privacy safeguards, including how they are presented in a CDR Policy. The CDR requires that all ADRs are clear and transparent about the governance of CDR data through its full lifecycle: acquisition, transmission, processing, storage, and disposal. The ACCC will look to see that this Policy reflects your business-as-usual operations rather than a document written only for the application.
  • Information security: This is one of the most important requirements. You must show that your systems protect privacy and secure the transfer, storage, and management of CDR data. Schedule 2 of the CDR Rules sets out the steps and control requirements you must meet. In practice this may mean redesigning parts of your environment so that CDR data is held within a clearly defined boundary that is segregated and segmented from the rest of your systems. Completing this step also requires an information security assurance report prepared by an independent, qualified auditor.

Our Experience with Information Security:

Envestnet | Yodlee presented our global SOC 2 controls report rather than commissioning a CDR-only engagement. We did this for a few reasons, but most importantly to obtain accreditation on the basis of our global risk posture and business-as-usual operations. If you intend to do the same, we recommend providing a mapping document between the information security control requirements in Schedule 2, Part 2 of the CDR Rules and your controls matrix, so the regulator can quickly locate the controls of interest. If you are conducting a CDR-focused engagement, using Schedule 2, Part 2 of the CDR Rules as your guide will suffice.

  • Internal dispute resolution: You’ll need to outline how you intend to handle and resolve internal complaints relating to the management of CDR data. The outline should include:
    • When, where, and how a consumer can lodge a complaint
    • The information a consumer must provide in a complaint
    • When a consumer can expect their complaint to be acknowledged
    • Your process for handling consumer complaints
    • Time periods associated with various stages in the CDR consumer complaint process
    • Options for redress
    • Options for review, both internally and externally
  • External dispute resolution: You must satisfy this requirement by being a member of the Australian Financial Complaints Authority (AFCA) and providing proof of that membership. If you are not already a member, you can apply for membership. If you are not a financial services provider, you can still apply, but your membership will be contingent upon confirmation of your accreditation.
  • Insurance: Obtain insurance that appropriately covers the nature and extent of your CDR data management. You will also need to provide proof in the form of:
    • Your insurance policy documents
    • A written statement signed by an authorized representative explaining how your policy meets the ACCC requirements by covering associated risks and protecting CDR consumers
    • A certificate of currency

4. Submit Application and Check for Completeness:

Once you have submitted your application, the ACCC will determine whether or not the application is complete. If incomplete, you will have the opportunity to add any missing information and resubmit your application.

5. Application Assessment:

Assessment timing is decided case by case and depends in part on how many applications were submitted ahead of yours, although the ACCC continues to reduce its assessment times. During this period, the ACCC may request more information from you or consult with local or foreign authorities. Current estimates are that the ACCC may take anywhere from three to twelve weeks to assess a completed application.

6. Your Accreditation and Inclusion in the Register:

You will be notified in writing of the ACCC’s decision. If accreditation is granted, the CDR Registrar will be notified and your accreditation takes effect once you have been entered on the CDR Register. If accreditation is refused, you have the right to appeal the decision.

7. Onboarding:

Once you have become an accredited data recipient, the ACCC will contact you to initiate the onboarding process. Onboarding will introduce you to the CDR ecosystem and help you prepare to participate within it.

8. Testing:

To confirm your compliance with the Consumer Data Standards and CDR Register design and receive an “active” status, you must pass the Conformance Test Suite. This testing takes place in a secure environment without exposing consumer data or interfering with live software products and brands.

9. Active with Live Customers:

After passing the test, you become active with live customers. Congratulations! The current estimate for completing the whole accreditation process ranges from three to six months. While the timeline for each stage is unique to each applicant, the process is accelerating as all participants gain experience and efficiencies. As an Accredited Data Recipient, Envestnet | Yodlee can provide our business and technical documentation to help you demonstrate compliance with the CDR. While we hope these steps provide a helpful overview to get you started, we recommend engaging your own legal counsel or consulting firm and confirming your actions with the ACCC.

Secure, Open Banking-Compliant Data

At Envestnet | Yodlee, we look forward to partnering with you before, during, and after accreditation. We offer secure and open access to the most comprehensive data available, along with enhanced governance to keep sensitive data secure. Our open banking-compliant workflows adhere to leading industry practices for data security, regulatory compliance, and privacy, so partnering with Envestnet | Yodlee lets you focus on delivering excellent consumer experiences.