AU: Consumer Data Right (CDR) — Open Banking

| Field | Value |
|---|---|
| Regulator | APRA |
| Jurisdiction | AU |
| Status | live |
| Applicability | Platform |

The Consumer Data Right (CDR) is Australia's open banking framework, established under the
Competition and Consumer Act 2010 (Part IVD) and the Consumer Data Right Act 2019. It requires
accredited Data Holders (ADIs) to share customer data with Accredited Data Recipients (ADRs) on
valid consumer consent. Phase 1 covered product reference data (no consent required); Phase 2
consumer account data (with consent); Phase 3+ extensions to business accounts and payment
initiation are ongoing. The ACCC administers CDR Rules; OAIC handles privacy aspects under the
Privacy Safeguards; the Data Standards Body (DSB) maintains the Consumer Data Standards (CDS).
The CDR API must meet FAPI 1.0 Advanced security profile (OAuth 2.0 / OIDC). Data Holders must
verify ADR accreditation status before sharing data. CDR complaints are handled through AFCA.
Remedies for CDR non-compliance include enforceable undertakings, civil penalties, and ACCC
enforcement action.
Platform CDR status: CDR implementation is not yet within the current platform build scope.
All platform obligations below are marked ❌ Gap — no attributed modules exist. CDR implementation
will be a dedicated project tracked in the platform roadmap when the ACCC registration timeline
requires it. The consent management infrastructure (MOD-049) provides foundational components but
is not currently configured for CDR-compliant data sharing.
Compliance register
This register maps every material obligation under the CDR to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report —
dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |

Data sharing obligations

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| CDR Rules r.1.14 | Share product reference data (rates, fees, product terms) without requiring consumer consent | ❌ Gap | CON-007, PAY-010 | No module attributed. CDR product reference data API endpoint not yet built. | ❌ |
| CDR Rules r.1.15 | Share consumer account data with ADRs on valid, in-scope consumer consent | ❌ Gap | CON-007, PAY-010 | No module attributed. MOD-049 (open banking consent management) provides consent storage infrastructure but is not yet configured for CDR data-holder obligations. CDR data sharing API not built. | ❌ |
| CDR Rules r.4.6 | Verify ADR accreditation status via ACCC register before sharing any consumer data | ❌ Gap | CON-007 | No module attributed. ADR accreditation verification not built. | ❌ |
| CDS | CDR API must conform to Consumer Data Standards (FAPI 1.0 Advanced / OpenID Connect); 99.5% monthly availability | ❌ Gap | PAY-010 | No module attributed. CDR-compliant API endpoint not built. MOD-061 (open banking API platform) is not currently CDR-certified. | ❌ |

Consent management

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| CDR Rules r.4.1 | Obtain consumer consent before sharing account data; consent must be granular (data clusters), time-limited, and revocable at any time | ❌ Gap | CON-007, PRI-006 | No dedicated CDR consent module attributed. MOD-049 provides a consent management infrastructure; CDR-specific consent schema (data clusters, duration, purpose) is not yet configured. | ❌ |
| CDR Rules r.4.12 | Allow consumers to withdraw consent at any time; cease data sharing immediately on withdrawal | ❌ Gap | CON-007, PRI-006 | No module attributed for CDR consent withdrawal. | ❌ |
| CDR Privacy Safeguards | Comply with CDR Privacy Safeguards (aligned to Privacy Act 1988); handle CDR data only for the consented purpose | ❌ Gap | PRI-006 | No CDR-specific privacy controls attributed. See au-privacy-act for general privacy platform controls. | ❌ |

Complaints and dispute resolution

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| CDR Rules r.7.7 | Handle CDR-related consumer complaints through the IDR process; AFCA is the EDR for CDR disputes | 📊 Evidenced | CON-007 | MOD-053 (LOG) — complaint case management is available for CDR disputes when implementation occurs; CDR-specific complaint categorisation not yet configured. See au-afca-rules for AFCA obligations. | 🔨 |

The following CDR obligations are the responsibility of the institution, not the platform.

| Obligation | Owner | Platform evidence input |
|---|---|---|
| ACCC Data Holder registration and ongoing accreditation | Chief Technology Officer / General Counsel | — |
| CDR implementation timeline and project delivery | Chief Technology Officer | — |
| Consumer data request scheme participation | Chief Technology Officer | — |
| CDR policy documentation and privacy safeguard compliance | Privacy Officer | — |

Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | Gap ❌ |
|---|---|---|---|---|---|
| Data sharing | 4 | 0 | 0 | 0 | 4 |
| Consent management | 3 | 0 | 0 | 0 | 3 |
| Complaints | 1 | 0 | 1 | 0 | 0 |
| Total | 8 | 0 (0%) | 1 (12%) | 0 | 7 (88%) |

CDR platform implementation is not yet in scope. All data-sharing and consent obligations have no attributed modules. This is a deliberate platform boundary choice pending ACCC registration and CDR implementation project initiation.

| Policy | Title |
|---|---|
| CON-007 | Consumer Data Right (CDR) Policy |
| PAY-010 | Open Banking & API Access |
| PRI-006 | Customer Data Access & Correction Policy |

Official documentation
Policies referencing this standard
- CON-007 — Consumer Data Right (CDR) Policy
- PAY-010 — Open Banking & API access
- PRI-006 — Customer Data Access & Correction Policy
Compiled 2026-05-22 from source/entities/regulations/au-cdr.yaml