Submission on version three of the Consumer Data Right Rules amendments

July 2022: In response to version three of the Consumer Data Right Rules amendments, Finder prepared the following submission. Visit our government submissions hub for more Finder submissions to government consultations and inquiries.

Finder.com.au​ ​("Finder", "we") is Australia's most visited comparison website and helps Australians make better decisions about a range of complex products and services. More than 2.5 million Australians use our services, decision engines and educational material each month¹. Finder compares over 1,800 brands across more than 100 product categories, including credit cards, home loans, transaction accounts, savings accounts, insurance products, superannuation, telecommunications, energy and shopping deals. From our "startup" roots to our current global success, Finder has remained an innovative and proudly independent Australian business. Our shareholders – Fred Schebesta, Frank Restuccia and Jeremy Cabral – have never lost sight of the transformative capacity of technology.

Thank you for the opportunity to provide input into this consultation on the proposed changes to the Consumer Data Right (CDR) Rules. Finder continues to be very supportive of the CDR, which we believe will empower Australians to take control of their personal data and use this information to make better financial decisions.

On the following pages we have provided feedback on specific sections, but as a summary:

• Finder is supportive of increasing pathways to participation, provided there is adequate consideration of the information security and privacy risks in the new models.
• Finder is supportive of expanding data sharing arrangements, provided there are mechanisms that allow for flexibility on the specific details of these arrangements.

Increasing pathways to participation

We continue to believe that the CDR is valuable to consumers. The greater access and control consumers have over their data, the more informed they are and the more opportunity they have to find products and services that truly meet their needs. This directly supports Finder's mission to empower Australians to make better financial decisions and we welcome the opportunity for the benefits of CDR to be accessible more widely. As such, Finder supports increasing pathways to participation to encourage greater uptake.

While expanding pathways to participation, we are conscious that information security has to remain a top priority under any new model. One data breach will undermine the entire regime for the years to come, so any changes that lower the requirements to become accredited for the regime need to be carefully balanced against privacy and information security considerations.

As an organisation that has been through the accreditation process for the CDR, Finder knows first-hand that the assurance process is a valuable tool for helping potential participants ensure that their information security approach is compliant. Thus, we would welcome additional measures to ensure compliance with the standards from unaccredited entities accessing CDR data in the new models where the assurance report is not required beyond just self-assessments and attestations. To date, the ACCC has set high standards of compliance for parties to become accredited and we believe that it should continue to remain as robust as possible, while also allowing for greater participation. One option that could be explored here is for the ACCC (or another third party) to run compliance "spot checks" on a randomised sample of unaccredited entities operating under the new models on a regular basis.

Finder would also welcome more clarity on how these proposed arrangements would be communicated to consumers. This might be fleshed out in the CX Standards rather than the Rules, but it will be important for consumer comprehension of the framework. For example, under the representative model, it would be good to get clarity on whether an unaccredited CDR representative would have to disclose who their principal is in a data sharing consent request. The consumer should be informed of which entity is taking liability for their data, particularly if it is not the entity that runs the service they are engaging with or signing up to. But it could also create confusion. This transparency around liability is helpful for consumers and the parties involved in receiving the data.

We'd also recommend absolute clarity on whether the CDR information security controls are applicable to an outsourced service provider (OSP) that is doing data collection for an accredited entity under the new version of the Rules. Our reading of the Rules suggests that this is the case, but we would suggest that this is made clear in supporting documentation.

Expanded data sharing arrangements

Finder is broadly supportive of expanding data sharing arrangements. We would, however, welcome additional consumer protections alongside formalised mechanisms to be introduced, which would create flexibility for use cases for these models that may arise in the future.

Trusted adviser

Finder is supportive of being able to share data from the CDR with trusted advisers. We acknowledge the long-standing work that many of these advisers have done to help Australians make better-informed decisions with their finances over the years. Consumers already regularly share information with these trusted advisers. Allowing this to occur via CDR strengthens information security and allows for a more seamless process.

Although the current list of advisers covers most current use cases that we can think of, we would welcome a formalised mechanism for adding or removing professionals to this list. We want to avoid a scenario where adding or removing classes of trusted advisers has to go through the full process for changing a legislative instrument like the CDR Rules.

On a separate note, while we also acknowledge that these professions are "sufficiently regulated", Finder would also welcome a Code of Conduct (or something similar in nature) specific to the expectations of trusted advisers in the CDR regime, which has to be signed before data can be accessed. This Code of Conduct could be developed with the professional organisations impacted and would outline specific expectations of how the data can be used by trusted advisers beyond their day-to-day regulations.

CDR insights

Finder is broadly supportive of the amendments to allow a consumer to consent to an ADR sharing certain limited "CDR insights" using their CDR data to any person, provided the disclosure is for one of the specified purposes in the CDR Rules. We recognise that some parties that have very specific use cases might still benefit from insights acquired by the CDR, while not necessarily needing to become accredited themselves. As such, we support the implementation of a CDR insights model as a means of expanding the CDR ecosystem and opening up a variety of use cases.

Again, Finder would welcome a formalised mechanism for adding or removing these specified purposes. In restricting these specified purposes, the Rules risk closing the CDR off to future innovation and use cases. We want to avoid a scenario where adding or removing specified purposes has to go through the full process for changing a legislative instrument like the CDR Rules.

Joint accounts

Finder is broadly supportive of the "pre-approval" option applying to a joint account by default. This is the logical approach when all users of a joint account could access the data through means other than the CDR. We anticipate that a significant majority of consumers will be happy to remain with the default setting and allow for data access to all users of a joint account.

It is also worth noting that in the banking sector, many joint accounts are used by married couples or those in de facto relationships. For many of these people, household bills such as mortgage repayments, rent, energy bills and telco bills are paid from their joint account. One key potential benefit of the data that comes from the CDR is that it can be used to help keep track of these kinds of bills. Currently, this is not available to those who use joint accounts for these purposes. We posit that joint accounts should be brought in before April 2022 to allow more consumers to experience the full benefits of the CDR.

Finder does recognise the need for consumer protections for joint accounts (particularly in relation to the risk of financial abuse). As such, we fully support the ability for data holders to treat joint accounts as individually held accounts in cases where the data holder considers it necessary to prevent physical or financial harm or abuse. These considerations will become even more prominent under an action-initiation CDR that includes things like payment initiation, and we think this conversation around joint accounts should be resurfaced at that stage.

¹ 2.5 million average unique monthly audience (Aug 2019 – Jul 2020), Nielsen Digital Panel