Facilitating participation of intermediaries in the CDR regime

February 2020: This submission is in response to the ACCC consultation on facilitating participation of intermediaries in the Consumer Data Right (CDR) regime. Finder continues to be very supportive of the introduction of CDR in Australia. Visit our government submissions hub for more Finder submissions to government consultations and inquiries.

We agree with the government that the CDR will empower Australians to take control of their personal data and equip them with the information they need to make better financial decisions. We believe this will increase consumer confidence, market participation and economic growth.

As our business sits across many of the impacted verticals, we look forward to helping Australians connect the dots between their newly available datasets. In recognition of this, we have been proactively supporting the development of the CDR by working closely with the Treasury, the ACCC and Data61 on different parts of the legislation, including a bespoke report to test the product reference data released in July 2019 against the data in our product database.

Consultation questions: Intermediaries

• Do you intend to use an intermediary to only collect CDR data, or to collect and use CDR data?
• How should intermediaries be provided for in the rules?
• What obligations should apply to intermediaries?
• How should the use of intermediaries be made transparent to consumers?
• How should the rules permit the disclosure of CDR data between accredited persons?
• Should the creation of rules for intermediaries also facilitate lower tiers of accreditation?

Finder is supportive of the introduction of an accredited intermediary role into the CDR regime and recommends that accredited intermediaries should be required to meet the same standards as accredited data recipients. Finder is seeking to become an accredited data recipient (ADR) across the various iterations of the CDR regime and this means that currently we do not have the intention of becoming an accredited intermediary should this role be introduced.

When it comes to how intermediaries are addressed in the CDR Rules, our view is that a clear differentiation needs to be made between "accredited intermediaries" and "outsourced service providers". We recommend that any third party that is actively engaging with the CDR data (i.e. accessing directly, collecting or using CDR data) should be required to become an accredited intermediary.

As above we recommend that accredited intermediaries should be obliged to meet the same criteria required for the current "unrestricted" level. Specifically, we are referring to the fit and proper person test as well as meeting minimum standards when it comes to information security and insurance. We also believe that an accredited intermediary should take on liability for CDR data whilst it is in their possession.

In contrast, if the "outsourced service provider" role remains part of the rules, we recommend that this role should only be available for third parties that are not actively collecting or using the CDR data in any way. In this scenario, we recommend that the ADR should remain liable for CDR data while it is in possession of the outsourced service provider.

When it comes to transparency for consumers, we believe that in most scenarios the consumer will have a relationship with the ADR (rather than the intermediary) and, as such, consent requests should still come from the ADR. Consent requests from intermediaries that the consumer is not familiar with will create confusion and possibly slow the uptake of CDR in Australia. We are open to the concept of co-authored consent requests but we would recommend that the ADR should also have greater prominence in these requests to help avoid the confusion discussed above. We also recommend that customer-facing terms and conditions alongside associated privacy notices could and should be used to increase transparency about the use of intermediaries to CDR consumers.

Consultation questions: Non-accredited third parties

• As an accredited person who discloses CDR data to non-accredited third parties, please explain the intended goods or services you intend to provide and how they may benefit consumers?
• What types of non-accredited third parties should be permitted to receive CDR data?
• What privacy and consumer protections should apply where CDR data will be disclosed by an accredited person to a non-accredited third party?
• What degree of transparency for CDR consumers should be required where an accredited person discloses CDR data to a non-accredited third party?

Finder currently has no plans to disclose CDR data to non-accredited third parties.
However, we do note that Part 3 of the Competition and Consumer (Consumer Data Right) Rules states that consumers who have directly requested CDR data from a data holder are then able to use this "human-readable" data as they see fit. Our interpretation of this is that it will be possible for consumers to request "human-readable" CDR data directly from their bank and then share this with any third party (or individual) that they see fit – accredited or otherwise.

This scenario highlights that the decisions made as a result of this part of the consultation risk becoming redundant if this model for data-sharing were to become commonplace in the CDR regime. It is our view that CDR consumers will be better protected if data is shared between accredited parties and that introducing an accredited intermediary role will help to make this the preferred route for consumers. We hope that the above scenario is taken into consideration when making decisions on how non-accredited third parties should be treated within the CDR regime.