Consumer Data Right access expanded to ‘trusted advisers’
Important changes have been made to the Consumer Data Right (CDR) Rules that enable ‘trusted advisers’ to access consumer data via the CDR regime, including suitably accredited financial advisers, lawyers, qualified accountants and mortgage brokers.
The CDR regime was introduced and commenced its rollout to the banking sector in July 2020 and will also be rolled out to new sectors including energy and telecommunications in coming months. The CDR is intended to give consumers greater access to and control over their data. It allows consumers to direct a business to transfer their data to certain recipients, ideally making it easier for consumers to manage their finances and access more suitable products and services.
Initially, consumers were only able to transfer their data to ‘accredited data recipients’, which are accredited by the Australian Competition and Consumer Commission (ACCC). However, in an effort to facilitate greater participation in the CDR regime, the Government has expanded the CDR regime to allow accredited data recipients to on-share consumer data with certain ‘trusted advisers’ from 1 February 2022. Additional pathways to access CDR data that have been introduced include the ‘CDR representative model’ and the ‘sponsored accreditation model’.
In this article, we explain some important CDR words and phrases, plus the key requirements relevant to ‘trusted advisers’ who want to participate in the CDR regime, including:
- Types of trusted advisers
- Confirming your trusted adviser status
- Consumer consent and warnings
- Conditions on supply of goods or services
- Record keeping and reporting
- Overlap with existing privacy and professional obligations
Key words and phrases
There are a number of key words and phrases used in the CDR regime. These are best illustrated using a hypothetical example of how the CDR regime works in practice:
Galaxy Corporation is a data intermediary, which operates an online platform that receives and discloses CDR data. Galaxy Corporation is accredited by the ACCC under the CDR regime. Bianca is a customer of ABC Bank and is looking to buy her first home. Bianca decides to use a mortgage broker to help her find a home loan. Bianca provides consent to Galaxy Corporation to collect her account information from ABC Bank for the purposes of comparing home loan products. ABC Bank gets authorisation from Bianca to share this information, then discloses the data to Galaxy Corporation. Bianca also nominates her broker as a ‘trusted adviser’ and provides consent to Galaxy Corporation to disclose her account information to her broker. The broker uses this information to better understand Bianca’s financial situation and assist Bianca to compare suitable refinancing options.
In the above scenario:
- Galaxy Corporation is an accredited data recipient
- Bianca is a CDR consumer
- Bianca’s account information is the CDR data
- ABC Bank is the data holder
- Bianca’s mortgage broker is a trusted adviser
Types of trusted advisers
Under the amended CDR Rules, consumers can consent to an accredited data recipient disclosing their CDR data to one or more nominated trusted advisers.
Trusted advisers include:
- Financial advisers
- Mortgage brokers
- Qualified accountants
- Registered tax agents and tax (financial) advisers
- Financial counsellors
Trusted advisers must belong to one of the specified professions listed in the CDR Rules.
Confirming your trusted adviser status
An accredited data recipient must take reasonable steps to confirm that a nominated trusted adviser is a member of one of the professions listed above. Reasonable steps might include searching publicly available registers (such as ASIC licencing registers) or asking the adviser to provide proof they are a registered member of the profession. The steps required are scalable, so will vary depending on the circumstances.
Consumer consent and warnings
An accredited data recipient must have the consumer’s consent before disclosing CDR data to a trusted adviser. There are strict requirements related to consent. The consent must be voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn. The process for asking the consumer for consent must also comply with the relevant consumer experience data standards, which includes warning the consumer that the trusted adviser is not regulated under the CDR laws and providing information about making complaints.
While trusted advisers are not required to obtain consumer consent or provide any particular disclosures under the CDR regime, it is important to remember that existing obligations under the Privacy Act 1988 relating to the collection, use and disclosure of personal information will still apply, as will other regulatory obligations. Coercing or applying pressure to a client to provide consent to an accredited data recipient or failing to be transparent about how you will use and disclose data, is likely to fall foul of other regulatory requirements.
Conditions on supply of goods or services
An accredited data recipient cannot tell a consumer that they will only provide goods or services if the consumer nominates a particular adviser or consents to sharing their CDR data with an adviser.
There is no corresponding prohibition on trusted advisers under the CDR regime. However, such similar conduct (e.g. only providing services where the client agrees to apply for a particular product), is likely to contravene other regulatory obligations that apply to trusted advisers. For example, the requirement for mortgage brokers and financial advisers to act in the best interests of their clients, and the general prohibitions against unconscionable and misleading or deceptive conduct in the Australian Consumer Law.
Record keeping and reporting
Accredited data recipients must keep records about disclosures made to trusted advisers. This includes who the trusted adviser is, steps taken to confirm the adviser is a member of a trusted adviser profession and disclosures of data. Accredited data recipients are also required to make regular reports to the ACCC and Office of the Australian Information Commission (OAIC), including information about the number of consents received to disclose data to trusted advisers, and the number of trusted advisers in each class they disclosed data to.
There are no specific record keeping and reporting requirements for trusted advisers under the CDR regime. However, trusted advisers will still need to comply with their existing regulatory obligations in relation to record keeping and privacy.
Overlap with existing privacy and professional obligations
Trusted advisers do not need to be accredited by the ACCC and are not subject to the CDR laws. However, as noted above, your existing regulatory obligations and relevant professional standards will continue to apply when you access CDR data.
Relevant regulatory obligations might include:
- Privacy and data breach reporting requirements – CDR data will generally be ‘personal information’, which means you need to comply with requirements under the Australian Privacy Principles relating to the collection, use and disclosure of personal information, direct marketing, and the security and integrity of personal information;
- General conduct obligations – financial services and credit licensees will still need to comply with their general conduct obligations including those related to training and competence of representatives, managing conflicts of interest, risk management, adequacy of resources, dispute resolution and compensation arrangements;
- Requirements related to providing advice – this might include responsible lending obligations, the duty to act in your client’s best interests, fiduciary obligations and record keeping; and
- General consumer law obligations – including prohibitions against unconscionable conduct, misleading and deceptive conduct and unfair contract terms.
You should review and update your existing compliance policies and procedures, and relevant client and commercial arrangements, ideally before you start accessing CDR data. For example, financial advisers and mortgage brokers should consider updating their best interests duty procedures to demonstrate how CDR data should be used when formulating and providing advice to clients. From a legal perspective, the extent to which the statutory best interests duty impacts the trusted adviser’s CDR activities will depend on the extent to which the CDR activities form part of the conduct to which the duty applies. For mortgage brokers, the conduct to which the duty applies is the provision of credit assistance and, for financial advisers, it is the provision of personal advice to retail clients.
CDR data will contain important personal information about your clients, and you should consider carefully how you will keep this data secure, and ensure that it is collected, used and disclosed appropriately. We note that recently the ACCC and the Australian Securities and Investments Commission (ASIC) have flagged consumer and fair-trading issues relating to the digital economy and cyber security as current regulatory focus areas.
Have any questions?
If you are accessing CDR data as a trusted adviser, or thinking about doing so in future, speak to our lawyers about what steps you can take to help ensure you comply with your privacy and other regulatory obligations.
Holley Nethercote Lawyers are experienced in assisting with all aspects of privacy, credit and financial services regulatory issues. Please contact us at [email protected] if you require our assistance.
Author: Katherine Temple (Senior Associate)