Consumer banking data privacy

In 2024, non-bank lending comes into the Consumer Data Right

Australia’s Consumer Data Right (CDR) is advancing into open finance, with non-bank lending coming into the statutory data sharing regime next year.

This is an exciting time for CDR, which was established in open banking in 2020, before moving into open energy from 2022. 

The target launch date for the first non-bank lenders to come into CDR is November 2024. 

Here’s what non-bank lenders need to know.

What are the new CDR Rules for non-bank lending?

This latest CDR rollout will allow individual and business consumers to request data sharing from in-scope non-bank lenders. 

Treasury unveiled the exposure draft legislation back in August and the CDR Rules are expected to be amended in November alongside the new technical data standards being developed. 

If legislated, those new rules will require non-bank lenders to become data holders if they meet certain criteria and therefore fall within the scope of the CDR Rules. 

The rules will also bring buy-now pay-later (BNPL) products into CDR for banks – who are already subject to the open banking regime – and non-bank lenders. 

Which non-bank lenders are coming into CDR? And when?

There are two categories of non-bank lenders who will be coming into CDR, and the draft rules describe them as “initial providers” and “large providers” depending on the size of their loan books.

These non-bank lenders will need to become data holders registered with the ACCC. 

Both initial and large providers are expected to start sharing product data in November 2024. After that, the compliance timeframes differ: initial providers are expected to go live with consumer data sharing (excluding complex requests) in February 2025, and large providers in August 2025.

What products are in scope?

There is a very broad range of products offered within the non-bank lending sector. 

A specific set of products has been listed in the draft rules, including credit cards, home loans, personal loans, business finance, investment loans, leases, and BNPL products. 

What will a non-bank lender need to do as a data holder?

Data holder requirements include providing a consumer dashboard and authentication mechanism, making an API endpoint available for secure data sharing, having a dispute resolution process, and complying with regulatory reporting and other obligations such as privacy safeguards and technical data standards. 

As a data holder, your IT system needs to respond to API calls to share certain datasets with accredited third parties. Those API calls can come any time of the day or night and you need a robust solution to maintain the required uptime and response speeds.

How can non-bank lenders get ready?

There are essentially two ways you can prepare to be compliant: either build your own solution, or work with a vendor who has a “Data Holder as a Service” offering. (This is not something that Envestnet | Yodlee provides, although we work closely with those vendors.)

Drawing on the experience of open banking, banks who went down the vendor route generally had faster and less stressful experiences in achieving compliance and, especially for smaller banks, choosing to partner with the right vendor was a smart choice. 

An assessment of internal capabilities will be very helpful to understand the best way to choose and partner with external vendors. 

Taking a customer journey lens is a useful way to take stock of your IT systems and assess whether a technology uplift may be required. 

Your end goal should be a seamless transfer of all CDR data between systems and consistent quality across all domains. 

How to take a strategic and integrated approach to CDR implementation?

Non-bank lenders who fall within the scope of the new CDR Rules should now carefully strategise their implementation projects, considering the specific “go-live” deadlines.

CDR implementation demands proactive planning and the coordination of legal, regulatory, and technical efforts across your entire organisation because CDR is not just a technology project. 

Compliance requires changes to policies & procedures, internal controls and governance frameworks, particularly for data governance and privacy. 

Non-bank lenders unable to meet the timelines should apply to the ACCC for a deferral. 

An exciting time for Australia’s ground-breaking CDR regime

At Envestnet® | Yodlee®, we are excited by the opportunities for expansion of Australia’s CDR into open finance because it increases the availability of data and encourages fintech innovation for the benefit of consumers.

With so much opportunity in CDR, it can be hard to know where and how to start, so if you’d like more information, please reach out to our team.


The information, analysis and opinions expressed herein are for informational purposes only and do not necessarily reflect the views of Envestnet. These views reflect the judgment of the author as of the date of writing and are subject to change at any time without notice. Nothing contained in this piece is intended to constitute legal, tax, accounting, securities, or investment advice, nor an opinion regarding the appropriateness of any investment, nor a solicitation of any type.

FOR INVESTMENT PROFESSIONAL USE ONLY ©2023 Envestnet. All rights reserved.