No reward for banks risking CDR non-compliance

James Riley

“I love deadlines. I love the whooshing noise they make as they go by,” said Douglas Adams, the iconic author of The Hitchhiker’s Guide to the Galaxy. But for executives and project teams at many of Australia’s banks, the July 1 deadline for complying with the Consumer Data Right (CDR) is likely to be invoking much less joy.

While some have obtained limited time exemptions from the date, many are still grappling with technology issues. At risk is the threat of ACCC penalties, or the FOMO factor of being non-compliant when their customers attempt to share data with a CDR accredited data recipient.

It’s debatable which of these two risks is more embarrassing. No risk and compliance officers I’ve talked to welcome adverse attention from the ACCC. And while the take-up of the CDR by consumers is embryonic right now, it’s only a matter of time before a fintech, a Neobank, or a more established bank, creates a buzz-worthy app that entices consumers to link their bank accounts using the CDR’s standardised APIs and security flows.

Mark Perry: Compliance to the CDR regime should be a competitive advantage

To give you an example of what this means, one major bugbear that could be streamlined by a CDR-accredited organisation is loan origination.

Consent-enabled, time-bound data sharing could see the end of downloading and scanning paper statements and emailing that sensitive information, where it sits in the consumer’s Sent folder forever, hopefully never to be accessed by a cyber-criminal.

The competitive advantages of CDR compliance are clear and the ACCC has said it’s not granting any new exemptions to the banks. But unsurprisingly, many have found that the road to CDR compliance is not an easy one.

Wrestling with CDR uncertainty

In many cases, the banks are not to blame for their tardiness. For sure, I’ve heard the usual tech stories of project overruns and developer hubris over the last two years once the race to CDR compliance began in earnest.

But banks and others looking to become accredited have had to battle with a constantly changing specification that has diverged from international open standards in some areas.

They’ve also faced a scenario where there’s been no reference implementation for them to test against.

Nor is the ACCC’s test regime comprehensive enough to prove full interoperability before going into production. So let’s be fair: it’s been a tough ask.

Many vendors have stepped up with CDR solutions of varying completeness, but they have also had to wrestle with the uncertainty of the CDR process. In their cases, there have been a mishmash of successes and stumbles to date.

I’ve heard a number of horror stories from customers.

There was the CDR solution provider who asked their customers to inform them when the CDR specification changes, rather than track any changes themselves.

Another failed all of the information security tests but was still promising their customers a working solution “in a couple of weeks”.

And a third vendor hadn’t implemented data exfiltration controls in their hosting environment while acknowledging that the CDR APIs were publicly available on the internet.

To buy or to build

It’s instructive that, as of June 30, more than 75 per cent of the active CDR Data Holders have implemented CDR solutions rather than developed their own.

The CDR specification is extensive and, in the case of InfoSec, requires detailed knowledge, beyond the open standards it’s designed around.

Most organisations that have made it to production before the deadline have engaged CDR experts to help them meet compliance.

As the specification changes and new capabilities, like payment and action initiation, are introduced, it will be interesting to see which vendors have designed for the future or have merely implemented their CDR solution to meet the current coarse-grained data sharing requirements.

The risk for Data Holders is a major upgrade with a potential impact on their production service.

Once they’ve crossed the first finish line, the burning questions for most banks and non-ADIs are: How do I deliver business value beyond compliance with my shiny new CDR platform?

Will it be a springboard for the business to deliver new, innovative customer services? Or will it become a silo, to be upgraded occasionally, but shaded by more established digital architecture?

Those who can create a compelling strategy as both a Data Holder and a Data Recipient and use the impost of CDR compliance as a catalyst for transformation will be the ones to watch in the coming years.

Mark Perry is the chief customer officer at and has more than 30 years’ experience in the Information Technology industry. He was a member of the Australian Government advisory committee for Consumer Data Right, Australia’s Open Banking standards body, from 2018–2020, and continues to be involved in the ongoing definition of those data sharing standards.

Do you know more? Contact James Riley via Email.

Leave a Comment