Federal Register of Legislation - Australian Government


Designations as made
This instrument designates the non-bank lending sector as subject to the consumer data right.
Administered by: Treasury
Registered 25 Nov 2022
Tabling history:
Tabled HR: 28-Nov-2022
Tabled Senate: 29-Nov-2022

EXPLANATORY STATEMENT

Issued by authority of the Assistant Treasurer and Minister for Financial Services

Competition and Consumer Act 2010

Consumer Data Right (Non-Bank Lenders) Designation 2022

Subsection 56AC(2) of the Competition and Consumer Act 2010 (the Act) provides that the Minister may, by legislative instrument, designate a sector of the Australian economy to be subject to the consumer data right. The consumer data right (CDR) is set out in Part IVD of the Act.

Under the CDR, individuals and businesses may authorise secure access to specified data that relates to them and is held by specified data holders. There is also the capacity for individuals and businesses to access this data themselves. In addition, the CDR requires businesses in designated sectors to provide access to publicly available information on specified products that they offer.

The CDR is designed to enhance consumers’ control over their own information, maximise consumer choice and facilitate management of their finances and product services. It is intended that the CDR in the non-bank lending sector will support better comparison services by taking into account Australian consumers’ actual circumstances and promoting more convenient switching between products and providers.

The purpose of the Consumer Data Right (Non-Bank Lenders) Designation 2022 (the Designation) is to designate the non-bank lending sector as subject to the CDR. Non-bank lending is the fourth sector of the Australian economy to which the CDR will be applied, following designation of the banking, energy and telecommunications sectors.

The Designation sets out, in relation to the non-bank lending sector, the classes of information that are subject to the CDR, the persons who hold this information (or on whose behalf the information is held), and the earliest date that the information must have begun to be held to be subject to the CDR. This information will be CDR data, in accordance with section 56AI of the Act. The definition of ‘CDR data’ in that section also covers information directly or indirectly derived from information specified in a designation instrument. Data holders will be required to disclose CDR data in accordance with the Competition and Consumer (Consumer Data Right) Rules 2020 (the consumer data rules). The consumer data rules may also authorise data holders to voluntarily disclose this data, subject to appropriate controls.

The classes of information specified for the non-bank lending sector are data about the users of non-bank lending products, data about the use of non-bank lending products, and data about non‑bank lending products. Certain information is excluded from these classes; more detail is set out in Attachment A.

The Designation does not specify any information as being subject to fees for disclosure or use for the purposes of paragraph 56AC(2)(d) of the Act.

Subsection 56AD(1) of the Act requires the Minister to consider a range of factors when exercising the power to make a designation instrument. These factors include the effect of the instrument on the interests of consumers, the efficiency of the telecommunications markets, the privacy of consumer data, the promotion of competition and the public interest. In making the Designation, the Minister has considered each of the factors required by the Act.

Subsection 56AD(2) of the Act requires the Minister, before making a designation instrument, to be satisfied that the Secretary to the Treasury has arranged for analysis, consultation and a report in relation to the making of the instrument, and to wait at least 60 days after publication of that report.

The Minister has complied with these requirements. The Government released the non-bank lending sectoral assessment consultation paper for consultation from 15 March 2022, and published its final report on 19 August 2022. Starting from that date, the Government conducted a four-week consultation on the draft Designation. The submissions received did not raise any issues necessitating changes to the draft Designation.  

Subsection 56AD(3) of the Act requires the Minister to consult the Information Commissioner about the likely effect of making the instrument on the privacy or confidentiality of consumers’ information. The Minister has complied with this requirement, including by considering the Information Commissioner’s report on the draft Designation.

Details of the Designation are set out in Attachment A.

A Statement of Compatibility with Human Rights is at Attachment B.

The non-bank lending sectoral assessment consultation paper and final report have been certified as a process and analysis equivalent to a Regulation Impact Statement. These documents are at Attachment C and D. The non-bank lending sector is expected to face regulatory costs of an estimated $15.7-$18.6 million per year. The Government will explore further options to reduce regulatory burden at the rule-making stage.

The Designation is a legislative instrument for the purposes of the Legislation Act 2003.

The Designation commences on the day after registration.

ATTACHMENT A

Details of the Consumer Data Right (Non-Bank Lenders) Designation 2022

Section 1 – Name

This section provides that the title of the Designation is the Consumer Data Right (Non-Bank Lenders) Designation 2022.

Section 2 – Commencement

This section provides that the Designation will commence on the day after it is registered.

Section 3 – Authority

This section states that the Designation is made under subsection 56AC(2) of the Competition and Consumer Act 2010 (the Act).

Sections 4 and 5 – Definitions

The Designation includes a number of definitions. These are:

Act means the Competition and Consumer Act 2010.

Associate has the same meaning as in section 318 of the Income Tax Assessment Act 1936. A person’s associate includes a natural person’s relatives such as a spouse, children and siblings, and a company’s parents and subsidiaries. This definition of ‘associate’ is also embedded in the definition of ‘CDR consumer’ in section 56AI of the Act. Its adoption in the Designation means that if a non-bank lending product is supplied to a person and their associates, information about each of those persons and their use of the product is Consumer Data Right (CDR) data. For example, if a product has more than one account holder, and the non-primary account holders are the primary account holder’s associates, information relating to those other holders is CDR data.

Product means a good or service that is or has been offered or supplied to a person in connection with any of the following:

·         taking money on deposit;

·         making advances of money (for example, providing a mortgage or credit card); 

·         letting goods on hire, including on hire-purchase;

·         another financial activity prescribed by regulations for the purposes of the definition of ‘banking business’ in the Banking Act 1959.

This definition is intended to cover buy now pay later (BNPL) products. One such product involves a debt being applied to a specific item, which is provided directly to the customer at the time of entering a contractual arrangement. BNPL companies pay the merchant the advertised cost of the item (minus a merchant fee) and the customer pays the item off in a series of agreed-upon instalments with no interest incurred.

The element of the definition of ‘product’ relating to the hire of goods is intended to capture a lease of the following kinds:

·         a consumer lease;

·         an equipment operating lease;

·         a finance lease (for either a vehicle or equipment);

·         a novated lease (used for car financing: the lessor contracts the lease with an employer on behalf of an employee, who salary sacrifices to cover the lease and car running costs);

·         vehicle fleet leasing;

·         asset finance or ‘asset purchase’ (the provider buys and owns the asset, and the business customer buys it from the provider in instalments over an agreed period, with ownership transferring to the business customer upon final payment).

The intention is to capture a lease whether or not the lessee has a right or obligation to purchase the goods to which the lease relates.

A ‘product’ also includes a purchased payment facility that is or has been offered or supplied to a person.

Purchased payment facility means a facility, other than cash, which:

·         is purchased by a person from another person; and

·         is able to be used as a means of making payments up to an amount available under the conditions applying to the facility; and

·         involves the provider of the facility making payments.

These criteria mirror those in section 9 of the Payment Systems (Regulation) Act 1998. However, the Designation does not replicate the exclusion in subsection 9(3) of that Act in relation to facilities covered by a declaration made by the Reserve Bank of Australia.

Relevant non-bank lender means a corporation that is a registrable corporation under section 7 of the Financial Sector (Collection of Data) Act 2001, but without the minimum threshold in that Act applying.

The minimum threshold in the Financial Sector (Collection of Data) Act 2001 excludes a corporation from being a registrable corporation if:

·         the sum of the values of the corporation’s assets in Australia that consist of debts due to the corporation resulting from transactions entered into in the course of the provision of finance by the corporation does not exceed $50 million; and

·         the sum of the values of the principal amounts outstanding on loans or certain other financing does not exceed $50 million.

It is likely that a threshold of $50 million or higher will be imposed via the sector-specific amendments to the consumer data rules to establish the substantive rights and obligations for data sharing in this sector. This would recognise that the introduction of CDR obligations, and associated compliance burdens, may have an impact on smaller players and start-ups attempting to bring innovative products and business models to market.

The effect of omitting the threshold at the designation stage and imposing it at the rulemaking stage is that entities under the threshold could participate in the CDR voluntarily, but only those entities who exceed it will be compelled to participate.

Section 6 – Designation of sector subject to the consumer data right

This section sets out the following:

·         the classes of information that are specified and therefore subject to the CDR (see the detailed explanation for sections 7, 8 and 9);

·         that the information mentioned in sections 7, 8 and 9 is specified unless it falls within the scope of section 10;

·          that non-bank lenders are specified as the persons that hold this information, or on whose behalf the information is held;

·         that the earliest date that the classes of information can become subject to the CDR is 1 January 2020.

The Designation is intended to capture ‘white-labelled’ products. These are products typically supplied by one entity (a white-labeller) and branded and retailed to consumers by another entity (a brand owner).

For securitisation arrangements in the non-bank lending sector, the intention is that CDR data sharing obligations generally apply to loan originators (the brand owners), as the entities with whom consumers have the lending relationship, rather than the special-purpose entities providing the funding.

Setting the earliest holding day as 1 January 2020 is consistent with arrangements in the banking sector. The banking designation, made in September 2019, specified its earliest holding day as 1 January 2017. This backcapture period is intended to maximise the amount of data that can be brought into the CDR to benefit consumers without imposing excessive burdens on data holders.

The note to section 6 clarifies that the information specified in the Designation will not be ‘chargeable data’. That is, a fee cannot be charged for disclosing CDR data covered by the Designation.

Sections 7 to 9 – Classes of information

Sections 7 to 9 specify the three classes of information that are subject to the CDR.

Information about the user of the product – Section 7

The first type of information covered by the Designation is ‘customer’ information.  This is information about the person to whom the product has been or is being supplied, or about the person’s associates where the product has also been, or is also being, supplied to the associates.

The information must have been either:

·         provided directly by the person or their associates when acquiring or using a product (for example, the provision of names and addresses); or

·         otherwise obtained by or on behalf of the non-bank lender (or the entity that holds information on the non-bank lender’s behalf).

In the second case, information is obtained externally by the non-bank lender. For example, information may be received from another non-bank lender, mortgage broker or employer with the consent of the relevant customer.

Subsection 7(2) sets out a non-exhaustive list of specific information covered by subsection 7(1). The reference, in paragraph 7(2)(b), to information ‘relevant to the eligibility of the person or associate to acquire or use a product’ is intended to cover details such as a customer’s membership of a particular group or association where membership is a precondition of accessing a product or service.

Information about the use of the product – Section 8

Subsection 8(1) of the Designation specifies information about the use of a product by a person or an associate who is also supplied with the product. This includes the type of information that a customer would typically see on a financial statement, such as the occurrence of loan repayments or amounts of interest charged or fees incurred.

Information about the use of a product also includes information about the authorisations attached to a product. Authorisations may govern use or access to information about an account or permit the making of payments to third parties from the account.

The specification of product use information is subject to exclusions. Materially enhanced information, defined in subsection 8(4), is excluded by subsection 8(3). A more detailed explanation is given below in the commentary on exclusions.

Section 8 is intended to capture information about the use of BNPL products. Information relating to the profile of a customer’s future instalments is one example. However, only information relating to the customer side of the BNPL transaction is intended to be covered (and not information relating to the merchant side).

Information about a product – Section 9

The third type of information specified by the Designation is information about a product. This is information to which section 9 applies.

This would include information identifying or describing a product; the price of a product, including fees, charges or interest rates; terms and conditions; and eligibility criteria that a customer needs to meet to be supplied with the product. For example, specified information may include the type of information typically set out in a Key Facts Sheet (see, for example, Division 2 of Part 3-2A of the National Consumer Credit Protection Act 2009).

Product information is not necessarily generic information about a particular product. It could include information about a certain type of product for a particular customer or group of customers. For example, a consumer might be on a special rate that differs from the advertised rate for a product, or use a legacy product that is no longer publicly offered but continues to be provided to existing customers.

Sections 8 and 10 – Exclusions from specified classes of information

Information that is materially enhanced – Section 8

Subsection 8(3) excludes information about the use of a product that has been materially enhanced.

Materially enhanced information, defined in subsection 8(4), is information to which insight or analysis has been applied, resulting in its useability and value being significantly enhanced in comparison to the source material. The insight and analysis may be conducted by a human, a machine, or a combination of both, but must not have been undertaken in order to meet a regulatory requirement. For the purposes of the material enhancement test, source material is information to which subsection 8(1) applies. This means that while materially enhanced information may have been derived either entirely from information to which subsection 8(1) applies, or from a combination of information covered by subsection 8(1) and other information, the test only requires the enhanced information to be significantly more valuable than the subsection 8(1) inputs.

The material enhancement test is intended to exclude information whose value has been largely generated by the actions of the data holder. Materially enhanced information may include: the outcome of an income, expense or asset verification assessment; assessments of a customer’s ability to meet loan repayments (also known as loan serviceability); or inferences that a customer has recently experienced a life event such as a house purchase.

Although materially enhanced information is excluded from the class of information to which subsection 8(1) applies, it may still be CDR data due to paragraph 56AI(1)(b) of the Act, which captures information wholly or partly derived from information within a class of information specified in a designation instrument. This means that:

·         the CDR applies to materially enhanced information, and

·         while data holders are not required to disclose materially enhanced information under the CDR, customers can still authorise data holders to disclose this information, where this is authorised under the consumer data rules.

Subsection 8(5) gives examples of information that is not materially enhanced. The purpose of this list is to both avoid any doubt in relation to these items, and to set out cases where derived information would not be significantly enhanced, clarifying the use of the material enhancement test. These examples are the following:

·         a calculated balance;

·         an amount of interest earned or charged;

·         a fee charged;

·         a reference number, including a routing number, a clearing house number or a swift code;

·         information identifying a person, body, product, transaction or account;

·         information about authorisations;

·         the categorisation of source material based on a feature of the product to which it relates, including categorisation by the fees or interest rates applicable to the product;

·         information that results from filtering or sorting source material by reference to a date, period, amount or categorisation.

Information that is not information about the user of a product – Section 10

As noted above, any information to which section 7, 8 or 9 applies is not specified by the Designation if section 10 applies to the information.

Part IIIA of the Privacy Act 1988 regulates the privacy of information relating to consumer credit reporting in Australia. It does this by regulating the handling of personal information about individuals’ activities in relation to consumer credit. In particular, Part IIIA of the Privacy Act 1988 sets out:

·         the types of personal information that credit providers can disclose to a credit reporting body for the purpose of that information being included in an individual’s credit report; and

·         which entities can handle that information; and

·         the purposes for which that information may be collected, used and disclosed.

The Privacy Act 1988 excludes the CDR and associated subordinate legislation as Australian laws that would permit the use or disclosure of credit reporting information or credit eligibility information under Part IIIA.

Under the Privacy Act 1988, credit providers may also disclose credit information to other credit providers where the customer consents to the disclosure. To reduce overlap between the regulation of credit information and the consumer data right, the Designation excludes the following information relating to non-bank lending:

·         a statement that an information request under Part IIIA has been made for the individual by a credit provider, mortgage insurer or trade insurer (consistent with paragraph 6N(d) of the Privacy Act 1988);

·         new arrangement information about serious credit infringements (consistent with subsection 6S(2) of the Privacy Act 1988);

·         court proceedings information about the individual (consistent with paragraph 6N(i) of the Privacy Act 1988);

·         personal insolvency information about the individual (consistent with paragraph 6N(j) of the Privacy Act 1988); and

·         the opinion of a credit provider that the individual has committed a serious credit infringement (consistent with paragraph 6N(l) of the Privacy Act 1988).

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Consumer Data Right (Non-Bank Lenders) Designation 2022

The Consumer Data Right (Non-Bank Lenders) Designation 2022 is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Legislative Instrument

The Treasury Laws Amendment (Consumer Data Right) Act 2019 amended the Competition and Consumer Act 2010 to establish a consumer data right.

The consumer data right provides individuals and businesses with a right to authorise secure access to data relating to them by accredited third parties. There is also the capacity for individuals and businesses to access this data themselves. In addition, the consumer data right requires businesses in designated sectors to provide public access to information on specified products that they offer.

The consumer data right is designed to enhance consumers’ control over their own information, maximise consumer choice and facilitate management of their finances and product services. It is intended that the consumer data right in the non-bank lending sector will support better comparison services by taking into account Australian consumers’ actual circumstances and promoting more convenient switching between products and providers.

Subsection 56AC(2) of the Competition and Consumer Act 2010 provides that the Minister may designate a sector of the Australian economy to be subject to the consumer data right, by making a legislative instrument.

The Consumer Data Right (Non-Bank Lenders) Designation 2022 designates the non‑bank lending sector as a sector that is covered by the consumer data right. It does this by specifying the classes of information that are subject to the consumer data right, the persons who hold this information (or on whose behalf the information is held), and the earliest date that the information must have begun to be held to be subject to the consumer data right.

Human rights implications

The Consumer Data Right (Non-Bank Lenders) Designation 2022 engages the right to protection from arbitrary or unlawful interference with privacy under Article 17 of the International Covenant on Civil and Political Rights (ICCPR). It does so because it creates the potential for a person to directly access personal information about themselves or to direct another person or entity to disclose personal information about themselves to a third person or entity.[1]

In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the particular circumstances. The UN Human Rights Committee has interpreted the requirement of ‘reasonableness’ in terms of proportionality and necessity: any interference with privacy must be proportional to the end sought and necessary in the relevant circumstances.

The consumer data right is a right for consumers to authorise data sharing and use. Under the consumer data right, the disclosure of personal information is generally only permitted with the express consent of the individual. The exception to this, set out in the Competition and Consumer (Consumer Data Right) Rules 2020, relates to situations where seeking express consent from another account holder in relation to a joint account could cause physical, psychological or financial harm or abuse to a person.

The Competition and Consumer Act 2010 protects against arbitrary interference with privacy by establishing a set of consumer data right specific privacy safeguards, modelled on the existing Australian Privacy Principles but with additional obligations. The privacy safeguards included in the consumer data right are the following:

·         restrictions on the use, collection and disclosure of information received through the consumer data rules, including information derived from this information (in general, the consumer’s express consent is required);

·         requirements to have in place privacy policies that are easily accessible and clearly set out a complaints handling process;

·         obligations on data holders and accredited data recipients to correct information;

·         obligations on data holders and accredited data recipients to notify the consumer when information is disclosed;

·         requirements to destroy information that is purportedly shared under the consumer data rules but has been disclosed in error;

·         strong powers for regulators, including the Office of the Australian Information Commissioner (OAIC);

·         restrictions on direct marketing;

·         remedies for breaches, including through external dispute resolution arrangements.

The OAIC will advise on and enforce privacy protections, and provide complaint handling for breaches of the Privacy Safeguards. Consumers will have a range of avenues to seek remedies for breaches of their privacy or confidentiality including access to internal and external dispute resolution and direct rights of action.

The Competition and Consumer Act 2010 also creates an accreditation process that provides protection against arbitrary or unlawful interference with privacy. Only trusted and accredited third parties will be able to access data from data holders at the customer’s direction. The ACCC is responsible for accrediting entities. The requirements that need to be met, set out in the Competition and Consumer (Consumer Data Right) Rules 2020, address matters such as:

·         having systems, resources and procedures in place which enable an entity to comply with their consumer data right obligations including the security of information; and

·         having internal dispute resolution procedures in place and being a member of a recognised external dispute resolution body.

These limitations are consistent with the prohibition on arbitrary interference with privacy as they seek to achieve legitimate objectives and are reasonable, proportionate and necessary to the attainment of those objectives.

Conclusion

The Consumer Data Right (Non-Bank Lenders) Designation 2022 is compatible with human rights because, to the extent that it may limit human rights, those limitations are reasonable, proportionate and necessary.


ATTACHMENT C

Consumer data right: Non‑bank lending sectoral assessment

Final report

August 2022

© Commonwealth of Australia 2022

This publication is available for your use under a Creative Commons Attribution 3.0 Australia licence, with the exception of the Commonwealth Coat of Arms, the Treasury logo, photographs, images, signatures and where otherwise stated. The full licence terms are available from http://creativecommons.org/licenses/by/3.0/au/legalcode.


Use of Treasury material under a Creative Commons Attribution 3.0 Australia licence requires you to attribute the work (but not in any way that suggests that the Treasury endorses you or your use of the work).

Treasury material used ‘as supplied’.

Provided you have not modified or transformed Treasury material in any way including, for example, by changing the Treasury text; calculating percentage changes; graphing or charting data; or deriving new statistics from published Treasury statistics - then Treasury prefers the following attribution:

Source: The Australian Government the Treasury.

Derivative material

If you have modified or transformed Treasury material, or derived new material from those of the Treasury in any way, then Treasury prefers the following attribution:

Based on The Australian Government the Treasury data.

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are set out on the Department of the Prime Minister and Cabinet website (see http://www.pmc.gov.au/government/commonwealth-coat-arms).

Other uses

Enquiries regarding this licence and any other use of this document are welcome at:

Manager
Media and Speeches Unit
The Treasury
Langton Crescent
Parkes  ACT  2600
Email: media@treasury.gov.au


Table of Contents

1. Executive summary
2. Designating a sector under the CDR
2.1. The Consumer Data Right
2.2. The CDR sectoral designation process
2.3. Effect of designation
3. Non-bank lending sectoral assessment
3.1. Open Finance
3.2. Consultation
3.3. Overview of stakeholder views
4. Impact of designating non-bank lending data for individual and business consumers
4.1. Benefits of designation
5. Approach to designation
5.1. Recommended datasets
5.2. Data not recommended for designation
5.3. Intellectual property
5.4. Defining data holders
5.5. Application of a de minimis threshold
5.6. Securitisation models and special purpose funding entities
6. Privacy and confidentiality
6.1. Impact of non-bank lending designation on privacy and confidentiality
7. Regulatory impact assessment
7.1. Estimate of regulatory impact
7.2. Other regulatory costs
8. The public interest
9. Matters recommended for consideration relating to the CDR rules
9.1. Eligible CDR consumers
9.2. Phasing of data sharing obligations
Glossary
Attachment A – Privacy Impact Assessment

1.  Executive summary

Following the release of the Strategic Assessment Outcomes report on 24 January 2022 (which identified the non-bank lending sector, merchant-acquiring services and key datasets in the general insurance and superannuation sectors as the next priority areas to expand the consumer data right (CDR)), Treasury conducted a public consultation to inform its sectoral assessment for applying the CDR to the non-bank lending sector. Informed by stakeholder feedback, this sectoral assessment report outlines Treasury’s analysis of the costs and benefits associated with expanding the CDR to non-bank lending and serves to inform the Minister’s decision on designating the sector.

Having regard to the statutory factors and feedback received during consultations, Treasury recommends the non-bank lending sector be designated. Extending the CDR to non-bank lending is likely to result in significant benefits for individual and business consumers – namely better service and greater potential for innovation.

To maximise the benefits of data sharing and deliver the use cases identified during consultation, Treasury proposes the designation support data sharing similar to that in the banking, energy and telecommunications sectors.

Accordingly, Treasury recommends designating generic and publicly available information about non-bank lending products, information about a CDR customer (such as contact information) and information about the use of a non-bank lending product.

Combining non-bank lending datasets with other ‘Open Banking’ datasets already being shared through the CDR will support consumers to easily access and share a complete picture of their lending information and make more informed decisions about which products suit their needs. By streamlining non-bank lending application processes, the CDR may also help lenders make more accurate and efficient lending decisions, while reducing the administrative burden of receiving consumers’ financial information.

Further, a cross-sectoral data pool that combines consumers’ datasets from non-bank lending, energy, telecommunications and other proposed Open Finance areas may encourage industry to develop innovative products and services. For example, entities could use cross-sectoral data to help consumers make informed decisions during significant life events such as buying and setting up services to a house. They could also use cross-sectoral data to provide advice on sound financial management so consumers can plan for their future.

Stakeholders noted the potential regulatory impacts on non-bank lenders of implementing and complying with the CDR, particularly the cost of compliance on smaller, less resourced lenders, which could have adverse flow-on effects for innovation and competition in the sector. Treasury is also aware there may be enhanced privacy risks for vulnerable consumers sharing their financial information through the CDR, given the non‑banking sector serves different demographics, functions and purposes to the banking sector.[2] However, Treasury notes the CDR is a safer alternative to other data sharing mechanisms currently being used outside of the CDR, such as email and screen scraping, because of its increased privacy protections and data security requirements.

Treasury considers the privacy and adverse regulatory impacts raised during consultations can be appropriately mitigated by the rules and standards, which are likely to closely mirror those currently in operation in the banking sector. Treasury recommends the rules:

                  apply a de minimis threshold, which would have the effect of excluding non-bank lenders below a certain threshold from mandatory data sharing obligations

                  consider whether there are additional consent protection mechanisms that could apply to high‑cost products, such as further direct marketing restrictions.

Further consultation will inform design and implementation decisions, such as the phased commencement of data sharing obligations and the prescribed list of products within scope of mandatory sharing obligations. Consultation will also occur on changes to the Banking Rules which will be required to facilitate the sharing of information relating to buy now, pay later products.

2.  Designating a sector under the CDR

2.1.            The Consumer Data Right

The Consumer Data Right is a pioneering economic reform that gives consumers the right to use the data businesses hold about them for their own benefit. It is a foundation stone of the digital economy, designed to allow Australians to safely and securely unlock the value of information held about them by businesses. It is also the first of its kind in the world.

CDR places consumers at the centre of a data sharing system that protects their privacy and gives them the ability to opt in and determine when and how they share their data with other businesses and professionals of their choosing.

CDR is an interoperable online system governed by rules, standards and protocols to protect privacy and data security and allow different IT systems to communicate seamlessly.

Businesses who want to receive and use a consumer’s information must be accredited. Accreditation is a rigorous process that ensures businesses in the CDR system can meet the strict legal, technical and compliance obligations. There are penalties that apply to any participant who does not meet the obligations set or who mishandles a consumer’s data.

Over time, we expect more and more accredited participants will begin to offer CDR-powered products and services that will help consumers extract value from their information by offering entirely new ways of doing things, solving problems, making administration more convenient or simplifying complex decisions.

2.2.            The CDR sectoral designation process

The Minister may designate a sector of the Australian economy to be subject to the CDR under section 56AC of the Competition and Consumer Act 2010 (the Act). A sector is designated by legislative instrument, which specifies the broad classes of information (or data) subject to the CDR and the class or classes of persons who hold the designated information (data holders). The Act provides that before a sector can be designated, certain matters under section 56AD(1) (collectively, the statutory factors) must be considered by the Minister. These statutory factors include:

 

                  the interests of consumers

                  promoting competition

                  the efficiency of relevant markets

                  promoting data-driven innovation

                  the privacy or confidentiality of consumers’ information

                  any intellectual property in the information

                  the public interest

                  the likely regulatory impact of designation.

Before designating a sector, the Minister must be satisfied that the Secretary of the Department (Treasury) has arranged for consultation and analysis about designation and published a report about that analysis and consultation[3] – this report meets that requirement for the proposed designation of the non-bank lending sector. As part of its consultation on the non-bank lending sector, Treasury consulted with the Australian Competition and Consumer Commission (ACCC), Office of the Australian Information Commissioner (OAIC), and the Australian Securities and Investments Commission.[4] The Minister cannot designate the non-bank lending sector until 60 days after Treasury publishes this report. Prior to designating the non-bank lending sector, the Minister must also consult the OAIC about the likely effect of the designation on the privacy and confidentiality of consumers’ information.[5]

2.3.            Effect of designation

Once a sector has been designated, CDR rules and standards for that sector can be made in accordance with statutory processes and consultation requirements.

The designation instrument specifies broad ‘classes of information’ or data that may be subject to CDR data sharing obligations. The designation of a sector does not itself impose substantive obligations. The requirement to share data sits in the CDR rules, which establish within the broad ‘classes of data’ what is ‘required’ CDR data that must be shared in response to a valid request, as well as what information data holders may share on a voluntary basis. In turn, the sector-specific data standards specify the technical fields and formats for data sharing.

The CDR rules have been developed to apply universally across sectors to the extent possible, with sector-specific provisions and modifications catered for within sector-specific schedules. Once designation of a sector occurs, sector-specific issues (for example, external dispute resolution arrangements specific to that sector) are considered, as well as the development of sector-specific data standards.

3.         Non-bank lending sectoral assessment

3.1.            Open Finance

On 24 January 2022, Treasury released the CDR Strategic Assessment Outcomes report, identifying ‘Open Finance’ as the next priority area to expand the CDR.[6] Open Finance will build upon banking data that is already available, and energy and telecommunications data which is being brought into the CDR ecosystem.

Open Finance includes the phased assessment and designation of sub-sectors including non-bank lending, merchant acquiring services, and key datasets in the general insurance and superannuation sectors. Taking a phased approach to Open Finance sub-sectors will enable Government to designate key datasets in a more rapid and targeted manner.

This sectoral assessment covers the proposal to expand CDR to non-bank lending, while considering the possibility of cross-sector use cases that may flow from the sharing of non-bank lending data. Treasury will progressively assess the other sub-sectors of Open Finance over the coming year, commencing with superannuation.

3.2.            Consultation

On 15 March 2022, Treasury published a consultation paper as part of the Open Finance non-bank lending sectoral assessment.[7] The paper requested feedback and comments on the proposed designation of non-bank lenders, including the potential regulatory impacts.

Consultation closed on 15 April 2022 and Treasury received 29 submissions. The consultation process included a roundtable and bilateral meetings with industry stakeholders, consumer groups and government departments.

3.3.            Overview of stakeholder views

Stakeholders’ submissions contained different perspectives on the potential designation of non-bank lending and its role within the broader Open Finance sector. Most stakeholders recognised the benefits that would come from designating the non-bank lending sector, namely that it would:

         complement Open Banking data already shared in the system

         result in non-bank lending data being pooled with soon-to-be-added energy and telecommunications data

         provide valuable use cases for both consumers and industry.

Feedback supported taking a broad approach to designating non-bank lenders to ensure it captures all entities providing lending products to consumers.

Numerous stakeholders noted that the non-bank lending sector includes many small businesses, which play a useful role in bringing innovation and competition to the lending market. These small businesses may not have the capacity to absorb CDR compliance costs. As such, stakeholders noted the importance of ensuring mandatory obligations target entities only to the extent to which they are capable of complying.

Stakeholders that self-identified as a potential ‘data holder’ generally supported the datasets proposed by the consultation for designation – essentially those already being shared through Open Banking. However, they noted that the CDR would need to be adaptable via bespoke or tailored arrangements, particularly in the small business space.

Regulators and consumer groups noted the non-bank lending sector typically has a higher proportion of vulnerable consumers (people who are unable to access credit through banks). As such, they stated it was important for the CDR to meet vulnerable consumers’ needs.

Submissions consistently mentioned:

         the importance of giving industry sufficient time to comply with the new obligations

         the need to balance the overall speed of rolling out the sub-sectors within Open Finance against other potential enhancements to the framework that were recommended by stakeholders

         the need to ensure the quality of data being shared. 

4.         Impact of designating non-bank lending data for individual and business consumers

This section analyses the benefits of designating non-bank lending datasets, informed by submissions received to the non-bank lending consultation. It combines the assessment of 4 separate but interrelated statutory factors:

         the interests of consumers

         the efficiency of relevant markets

         promoting data-driven innovation

         promoting competition.

Treasury considers that the designation of non-bank lenders to the CDR will result in significant benefits for individual and business customers. The extension of the CDR to non‑bank lending has the potential to improve outcomes for individual and business consumers by unlocking consumer-centric innovation, encouraging competition between lenders and giving consumers greater control over their financial lives. Extending the CDR to non-bank lending would complement the CDR banking rollout and allow consumers to easily access and share a complete picture of their lending information.

4.1.            Benefits of designation

Empowering individual and business consumers to make more informed decisions about non-bank lending products

By providing access to consumer data held by non-bank lenders, as well as digitalised and standardised data about products offered by non-bank lenders, the CDR can reduce information asymmetries.[8] It can also facilitate more informed consumer participation in the lending sector, leading to better outcomes for individuals and businesses.

Merging non-bank lending data with banking data already being shared through the CDR can improve product comparison by enabling consumers to compare a broader range of lending products and obtain personalised product recommendations from accredited lenders and third parties. For example, an accredited lender could use a consumer’s data to assess whether they could provide a prospective borrower with a better product suited to their needs and/or for a lower cost.[9] Comparator websites expressed a desire during consultation to use CDR non-bank lending data to power lending product recommendations and noted this data could support a use case where an accredited data recipient (ADR) alerts the consumer to any suitable lower cost products on the market via its website or app.[10] Better product comparison can encourage the development of more innovative and competitive lending products across both the bank and non-bank sectors.[11] 

The CDR can improve the utility of existing comparison websites in the market by eliminating the need for consumers to manually input their own data, potentially risking errors, and by promoting greater standardisation and transparency around lenders’ product pricing. As product and consumer data from more sectors is added into the CDR, ADRs providing comparison tools will be able to recommend personalised bundles which bring together products and services that span multiple sectors. This may be particularly beneficial for business consumers that typically have more complex needs than individual consumers and can find it difficult to find products and services tailored to their specific business needs and circumstances.

Reducing barriers to switching and improving lending decisions

Extending the CDR to non-bank lending could reduce the friction for consumers associated with switching between lenders or applying for new lending products. Stakeholders emphasised the potential for the CDR to streamline and improve the lending application process.[12]

To obtain a new lending product or refinance a loan, customers are typically required to provide past transaction and savings account information and loan repayment data to a prospective lender. These documents are often manually provided by the consumer to the lender via unsecure methods such as screen-scraping or email.

Designating Open Finance datasets to the CDR, including non-bank lending, would provide consumers with access to a broader range of financial data. It would enable consumers to share their financial information safely and quickly with a chosen accredited lender, which may result in more efficient and accurate credit assessments.[13] Extending the CDR to the non-bank lending sector can help consumers to overcome the time and effort associated with manually transferring copies of documents, as well as limiting security concerns that can result from screen scraping.[14]

Smaller businesses typically also have less evidence and shorter financial histories, which can make it harder and more costly for authorised deposit-taking institutions (ADIs) and non-bank lenders to acquire the required information to make accurate assessments of small businesses’ creditworthiness. Improved access to small business data could support lenders with more streamlined and cost-effective loan assessment processes.

Stakeholders also stated that providing lenders with a comprehensive view of a consumer’s finances, including all liabilities, would support efficient lending decisions[15] and improve the accuracy of lenders’ responsible lending decisions.[16] FinTech Australia submitted:

Non-bank lending information, combined with ADI information, enables a more comprehensive assessment of a consumer's credit profile and risk. Combining this data with CDR data from other sectors, such as telecommunications and energy data, provides further scope for building a well-rounded picture of a consumer's circumstances.[17]

Most stakeholders noted the importance of including buy now, pay later (BNPL) information in the CDR to ensure use cases requiring a comprehensive view of a consumer’s financial situation, such as this, could be fully realised. For example:

The Mortgage & Finance Association of Australia (MFAA) states that “as part of responsible lending obligations, lenders are increasingly requiring information from customers about their BNPL use and commitments to assess loan applications, and accordingly is of the view that the true value of the CDR in Open Finance will only be realised when comprehensive datasets, including BNPL, are within the system that give a whole of finance view of the customer”.[18]

The Financial Data and Technology Association (FDATA) noted “their [buy now pay later] inclusion in Open Finance will be critical to enforcing responsible lending frameworks and creating enhanced use-cases for consumers across all market segments”.[19]

Brighte sees the inclusion of BNPL consumer and product data as “instrumental from a consumer benefit perspective to both facilitate the creation of new business models, and help existing businesses strengthen their own processes and procedures”.[20]

While Afterpay owner Block noted that BNPL transaction data is largely visible in bank accounts that are already subject to the CDR,[21] that visibility is limited. The bank account record does not carry the same information that would be available if the purchase were made on a credit or debit card, such as the total amount for the purchase (and therefore the term of the arrangement) and the source of individual purchases. The additional information regarding the transaction or transactions behind the BNPL amount could be of use to ADRs, and not including this detail could create a hole in an ADR’s analysis of a consumer’s financial activity.

BNPL products represent a growing way for consumers to finance their purchases in Australia.[22] Including BNPL products under the CDR is therefore recommended, as the relevance of such data will increase over time.

Extending the CDR to Open Finance could also make it easier for certain cohorts of consumers, such as consumers without credit history and consumers with unstable incomes, to demonstrate their creditworthiness.[23] The Australian Finance Industry Association (AFIA) stated:

An up-to-date view of a potential borrower’s financial data would allow lenders the opportunity to make accurate, tailored decisions about a borrower’s suitability for a loan. It would mitigate against the negative impact of the traditional credit reporting regime on young consumers’ access to finance. It would allow them to demonstrate their financial suitability for credit despite lacking the opportunity to build credit history.[24]

Spurring innovation, improving financial planning and capability

The CDR ecosystem continues to grow, with new ADRs entering the system and existing ADRs offering innovative new services to more participants under recently introduced data access models.[25] These innovations are leveraging existing data and new datasets that are planned for rollout under the CDR framework. CDR growth is facilitating new business models, with more data holders choosing to become ADRs and some expanding into new sectors in anticipation of their inclusion in the CDR framework.

Access to non-bank lending data combined with data already being shared by banks could support ADRs to provide a more complete view of consumers’ liabilities, borrowing and spending behaviour, which can assist consumers to make more financially capable decisions and enable further innovation.[26] Block stated:

Pooling financial information from multiple sources gives consumers - and accredited third parties - an enhanced understanding of individual financial circumstances in more detail – helping provide tailored solutions to empower consumers to take control of managing their money, such as by supporting better budgeting and financial literacy.[27]

As more sectors are designated under the CDR, the availability of cross-sector data can encourage innovation in financial technology, which can help consumers plan for their future, prepare for life events and understand their finances.[28] For example, the CDR will support budgeting and personal finance tools that allow consumers to bring together information about the energy, telecommunications and financial products they hold with different providers, providing consumers with a comprehensive picture of their day‑to‑day finances and enabling them to better manage their household services.[29] As the range of CDR datasets expands, the associated CDR data standards will continue to provide flexibility so that they don’t restrict the range of products available in a particular sector, just as Open Banking data standards have not prevented new product development in the financial services sector.

Allowing new datasets to be combined with existing datasets also creates opportunities for further innovation as network effects take shape. Brighte stated that access to BNPL data would:

facilitate the innovation of use cases that give customers greater oversight over their finances, thus preventing them from overextending themselves. For instance, a BNPL account aggregation platform that allows customers to see all their BNPL accounts in one place. This will become even more beneficial once ‘write-access’ is implemented and said account aggregation apps are able to initiate payments.[30]

The CDR can also make it easier for consumers to share their financial data with trusted advisers, such as financial advisers and financial counsellors. This could reduce the administrative burden of receiving informed financial advice and assist consumers to make more financially capable decisions. The Association of Financial Advisers (AFA) stated the extension of the CDR to Open Finance, including non-bank lending, will improve the efficiency of the fact-finding process for providers of financial advice, noting:

The completion of the fact find process is typically a very challenging exercise as clients often do not have ready access to documentation on all their assets and liabilities. Often, they do not have a complete understanding of their sources of income and particularly their spending practices. Extracting information from product providers can also often be time consuming for financial advisers.[31]

The AFA added that by providing access to real-time client specific data, the CDR can reduce the time and cost to provide financial advice, for both the provider and client, and enhance the value of financial advice services.[32]

As well as making existing processes smoother, CDR data can be used to innovate. Further examples of financial data innovations that could leverage Open Banking and non‑bank lending data include:

                  Financial wellbeing or financial health check tools that independently analyse an individual’s or small business’ available financial data to determine their eligibility for further finance, providing useful information to inform decision making before consumers, including vulnerable consumers, are offered additional credit.

                  Financial advisory tools that go beyond fact‑finding to make comparisons and recommendations on available products from the financial and non-financial sectors. These advisory tools can also facilitate the transition into products offered later in the individual or business life cycle, such as retirement annuities or loans for business expansion.

                  Tools that allow lenders to bid for pricing on products, based on financial data shared with a third party that brings lenders and brokers together.

To support these innovations, entities need a comprehensive picture of a consumer’s financial situation. Stakeholders noted this will not be possible unless the full range of non-bank lending data is available for analysis from non-bank lenders with the largest customer bases. Proposed enhancements to CDR will enable “action initiation”. Action initiation will allow consumers to instruct an accredited third party to initiate actions on their behalf and with their consent. Expanding the CDR to enable action initiation will increase opportunities for consumers using the CDR and for businesses offering innovative consumer services. Use cases could include making payments and switching products. Non-bank lending consumers will only benefit from the potentially new services if their data is included in the system.

While the inclusion of lenders in CDR is intended to support innovation, it is recognised that some lenders are already innovating. Introducing CDR obligations, and associated compliance burdens, may have an impact on smaller businesses and start-ups as they attempt to bring innovative products and business models to market to disrupt the incumbents.

It is important to support innovation where possible, including through the operation of proportional or scaled regulatory arrangements, while still facilitating the objectives of the CDR. For this reason, Treasury will consider the application of de minimis thresholds at the rule making stage. Firstly, ensuring start-ups and small businesses are still able to innovate will inform consideration of a de minimis threshold to exclude smaller players from mandatory obligations.

Block also noted the possibility of applying a de minimis threshold to specific products, regardless of entity size, allowing companies to:

…experiment and innovate in established product categories and build customer momentum, without the pressures of regulatory compliance where there is little consumer benefit. Incorporating such thresholds has the potential to mirror the success of ASIC’s enhanced regulatory sandbox, which allows businesses to test certain innovative financial services or credit activities without first obtaining an Australian financial services licence or Australian credit licence.[33]

The concept of a de minimis threshold on new products, essentially allowing lenders some time to trial a new product prior to mandatory CDR obligations applying, will also be considered further at the rules-stage. For example, a threshold could apply based on the number of customers on a product.

Promoting competition

The non-bank lending sector can support economic growth by providing an alternative form of funding for individuals and businesses, thereby providing an important source of competition to the banking sector.[34] TrueLayer similarly submitted that non-bank lenders will play an important role in using the CDR to compete with banks in providing lending and credit products to consumers and doing so with innovative and differentiated offerings.[35] The ACCC noted:

Effective competition requires informed purchasing decisions by consumers. Extending the CDR to non-bank lenders would help overcome barriers to consumers’ access to information relevant to their purchasing decisions. At present, consumers can use the CDR to compare different loan products from banks. The inclusion of non-bank lenders in the CDR will improve consumers’ ability to assess whether a bank or non-bank loan would best suit their personal circumstances and broaden competition across providers.

As outlined above, the extension of the CDR to non-bank lending may make it easier for consumers to identify and ultimately switch to better value lending products. The ACCC considers borrowers in the non-bank lending market could benefit from easier switching due to the changing market dynamics that occur from having a credible threat of customers switching lenders.[36]

Several submissions noted that bringing non-bank lenders into the CDR would foster a more competitive environment, by levelling the regulatory playing field between banks and non-bank lenders that provide similar products and hold similar data.[37] However, submissions also raised concerns that the introduction of the CDR to non-bank lending could have an adverse impact on competition in the sector if small and less‑resourced lenders are required to participate as data holders.[38] As noted by TrueLayer:

Determining the scope and timetable for extension of the CDR to non-bank lending will require an appropriate balance to be found between encouraging competition through mandatory provision of data by non-bank lenders, and ensuring that the ability of non‑bank lenders to compete in the lending market is not unduly impaired by CDR compliance costs.[39]

The impact of imposing data sharing obligations on smaller providers, and the possible implications for competition in the non-bank lending sector, is discussed further in the Regulatory impacts section of the report.

Supporting vulnerable consumers’ market participation

Extending the CDR to non-bank lending has the potential to lead to the development of new financial products and services for vulnerable consumers experiencing financial hardship which are better tailored to their needs and circumstances and support these consumers to better manage their debt.[40] The ACCC noted:

The CDR could enable a consumer to consent to a third party, such as a financial counsellor, accessing their data from multiple different sectors where the CDR has been rolled out to get a more holistic picture of a consumer’s financial hardship and the support available to them. The financial counsellor could use this data to provide advice on options or liaise with providers on the consumer’s behalf to manage the debt.[41]

Not-for-profits are using CDR data to get a deeper understanding of a consumer’s financial situation to support those in financial hardship to manage their debt; they can access the CDR data under the new CDR representative model.[42]

 

Some stakeholders noted that a broad designation capturing all of a consumer’s financial commitments would help support these types of services. The Australian Banking Association (ABA) supported ‘…a broad approach to the non-bank lending designation that includes a wide source of datasets, including data from BNPL lenders and fringe credit providers (also known as payday lenders)’.[43] It asserted that a broad designation could enable industry to create additional tools that help educate and assist individuals and consumers experiencing financial hardship, further noting Government could be enabled ‘to reach out to these individuals more effectively’ to provide appropriate support.[44]

 

The CDR may also enable the lender to process hardship applications and aid customers more quickly. Data sharing may also benefit vulnerable consumers who cannot readily access documentation to support their hardship request.[45]

 

However, a few stakeholder submissions raised concerns about the potential for misuse of CDR data to contribute to harm for vulnerable consumers, because the non‑banking sector serves different demographics, functions and purposes than the ADI banking sector, and specialises in providing loans for ‘non-conforming borrowers’.[46] Non‑conforming borrowers are those with credit profiles that do not meet banking-sector standards, such as:

…those who may be self-employed, have a poor credit history or are experiencing financial hardship, and who struggle to obtain finance from the banking sector. Such consumers may also be more likely to obtain high interest, short term credit products, such as payday loans, which can trap them in difficult to escape debt cycles.[47]

Consumer groups raised concerns that including non-bank lending data was likely to lead to high and untenable rates of credit for these types of consumers:

The speed and analytical power that the CDR can bring to – and is core to mooted benefits of the regime - will concurrently play a central role in increasing risk segmentation and the targeting of financial hardship through inappropriate price discrimination and high-cost credit. The CDR has the potential to widen the gap between the credit-haves and the credit-have-nots.[48]

Lenders will seek information from borrowers for a range of reasons, including to meet regulatory requirements such as responsible lending obligations or to assess the risk of the borrower. This may happen currently, with information shared through less secure means, such as emails and screen-scraping. It may also mean lenders make decisions on less complete information, such as that contained in the credit reporting system, which makes it difficult for some borrowers to demonstrate their creditworthiness.

As such, Treasury considers there is a role for the CDR in supporting lenders to make more informed lending decisions, by providing easier and secure access to the information needed to make accurate credit assessments and ensure consumers are not accessing credit they cannot afford. As noted by AFIA, it will also allow those who have had periods of hardship to demonstrate they are back on their feet more quickly.[49]

Some stakeholders also raised concerns about the possible interactions between CDR and comprehensive credit reporting (CCR), specifically that CDR will allow the sharing of information to entities that would not otherwise have received it through the CCR. Stakeholders noted the potential for CDR data, namely transaction data, to indicate when a consumer is demonstrating signs of financial hardship.[50] However, Treasury considers there is overall benefit in this information being available in the system as consumers are in control of what data they share and for what purpose. For example, consumers experiencing financial hardship should be able to opt in to share their information to support financial counselling or budgeting services.[51]

For the reasons set out above, Treasury recommends not explicitly excluding financial hardship information in the designation instrument. This recognises that as the CDR ecosystem evolves, there may be possible use cases to support these consumers where this information is valuable. However, at this time Treasury did not find sufficient use cases and therefore recommends this information, in particular financial hardship information as defined by the CCR regime, be excluded at the rule-making stage. This is consistent with the approach taken in Energy and the approach being consulted on in Telecommunications.

While not an issue specific to the designation of the non-bank lending sector, a couple of stakeholders noted the potential for ADRs to use information in the CDR to facilitate poor lending practices and target those in financial hardship - behaviours seen by some predatory non-bank lenders.[52] For example, it was recommended Treasury give consideration at the rule-making stage to how to mitigate the risk of vulnerable consumers being exploited by data recipients obtaining access to consumer data and misusing that data for their own benefit, for example to upsell inappropriate products or set discriminatory pricing or interest rates.[53]

In addition to regulatory obligations on credit providers under the National Consumer Credit Protection Act 2010 (the Credit Act), including recently announced Government reforms,[54] there are also other existing mechanisms within the broader regulatory framework which specifically seek to address these types of issues, for example ASIC’s design and distribution obligations[55] or its product intervention power[56]. However, to the extent that any gaps remain, Treasury will consider at the rule-making stage the need for additional consumer protection measures, such as considering options for direct marketing consents on certain high-cost products.

Importantly, at a high level, the CDR is an alternative and secure means for consumers to share their personal information for the purpose they intend, such as to support a loan application. The CDR seeks to operate alongside the applicable regulatory frameworks for the relevant sectors, such as the Credit Act, but does not seek to impose additional regulatory obligations outside of those required to facilitate the CDR. Treasury considers the CDR should not be seen as a means of bringing about regulatory reform in a sector, where the sector’s regulatory framework is more appropriate to give effect to reform. Further examination and Treasury’s response to this issue is outlined below in the Privacy section of the report.

Complementary government datasets

Stakeholders noted the potential for government datasets to support CDR use cases, such as streamlined applications for consumer and small to medium-sized entity (SME) lending.

The other core financial data that would help unlock SME lending is tax data held by the Government (ATO tax debt, ATO notices of assessment, tax returns, tax statement of accounts and BAS returns). This would help streamline the application process with both bank and non-bank lenders.[57]

To inform the rollout of the CDR to government datasets, the Treasury is considering the benefits and risks of including such government datasets in consultation with relevant agencies. This process will be informed by alignment of the potential use cases for individuals and SMEs including those raised during the non-bank lending sectoral assessment consultation with the objectives of the CDR.

 

 

5. Approach to designation

5.1. Recommended datasets

Consistent with banking, energy and telecommunications, designation of the non-bank lending sector that would support data sharing is recommended with:

                  information about products that is already publicly available

                  information about the user of a product

                  information about the use of a product.

Treasury recommends that the designation instrument closely mirrors what occurred in banking, essentially a broad inclusion of datasets, given the expected similarities in data sharing between the two sectors and that consultation did not identify any unique arrangements to be supported. For example, the energy designation was required to facilitate a different model of data sharing arrangements, given a third party to the retailer holds some of the consumer information to be included in CDR. In telecommunications, while the three broad classes of information were included, the designation instrument explicitly excluded particularly sensitive datasets in the sector which were considered not suitable for CDR at the time, for example location data.

The recommended designation could support the following data sharing examples at the rule-making stage:

Table 1 – Classes of information proposed for designation

Columns: Class of information; Scope of class; Relevant data holder/s of the information; Potential required datasets in CDR rules for non-bank lending sector

Product information[58]

Class of information: Information about products

Scope of class: Information about products including information that:

                  identifies or describes such products

                  is about the price of, including a fee, charge or interest rate associated with the product

                  is about the terms and conditions of such products

                  is about the term or duration of such products

                  is about a feature or benefit of a product, e.g. a discount or bundle offered in connection with the product

Relevant data holder/s of the information: provider of finance[59]

Potential required datasets in CDR rules for non-bank lending sector: Designating this class of information would enable the CDR rules to impose mandatory obligations for data holders to share what is commonly referred to in the CDR as ‘generic product reference data’. In the non-bank lending sector, product data is likely to include the type of information typically included in a Key Facts Sheet[60].

Consumer information

Class of information: Information about the user of the product

Scope of class: Information about a customer or borrower from a non-bank lender, including information that person has provided to the supplier of the product (or another person on behalf of the supplier) in connection with the supply or use of the product.

Relevant data holder/s of the information: provider of finance

Potential required datasets in CDR rules for non-bank lending sector: Designating this class of information would enable the CDR rules to impose mandatory obligations for data holders to share what is commonly referred to in the CDR as ‘customer data’. In the banking and energy sectors, at the rule-making stage, this has included basic contact details like name, address and phone number. Under the current CDR rules, date of birth has not been included.

Class of information: Information about the use of the product

Scope of class: Information about a consumer’s use of a product including:

                  information about accounts such as account numbers and product usage relating to the account

                  information about transactions, current and previous balances, due dates, and details of how to make payments

                  information about arrangements for payments to be made (such as direct debit details, details about online payments and BPAY details)

Also, bespoke product information described above relevant to the consumer.

Relevant data holder/s of the information: provider of finance

Potential required datasets in CDR rules for non-bank lending sector: Designating this class of data would enable the CDR rules to impose mandatory obligations for data holders to share information typically available to consumers. It also allows for the sharing of what is commonly referred to in the CDR as ‘product-specific data’.

Product specific data enables product data to be shared as a type of consumer data. For example, if a consumer is on a particular rate that differs from the advertised rate for a product, or uses a product that is no longer publicly available, that specific product information that relates to the product a consumer uses could be shared as consumer data.

Most stakeholders agreed that supporting a broad designation would capture all credit products, using a broad definition of credit, offered to both individuals and small business, and that would capture new credit offerings in the future.[61] As such, Treasury recommends using a consistent definition of ‘product’ in the banking and non-banking designations, to ensure it covers the breadth of products needed. This will also help ensure consistency with data that is currently being, or may be, shared in banking.

At a high-level, Treasury proposes that the non-bank lending designation extend to the ‘making of advances of money’ and goods and services that have been supplied in connection with the letting on hire of goods (leases), including on hire-purchase. The rules-stage will consider the prescribed list of products within scope of mandatory sharing obligations, although it is expected to include the types of lending products being shared through Open Banking.

5.2. Data not recommended for designation

Treasury considers the same datasets designated for Open Banking should apply to non-bank lenders. As in Open Banking, there will be exclusions for materially enhanced data[62] (discussed below) and credit information[63] where its disclosure is regulated by the Privacy Act 1988. The exclusion of specified types of credit information will reduce regulatory overlap between the CDR and the Privacy Act.

5.3. Intellectual property

CDR data is ‘data outlined in the instrument designating a sector and any information that is derived (wholly or partly) from that data’.[64] The designation instrument for the banking sector excludes ‘materially enhanced information’ about the use of a banking product from the specified classes of information subject to required data sharing.[65] The concept of ‘materially enhanced information’ refers to data that is the result of the application of insight, analysis or transformation to significantly enhance its usability and value in comparison to its source material.[66] Data holders cannot be required to disclose materially enhanced data about the use or sale/supply of products under the CDR but may be authorised to disclose it through the CDR on a voluntary basis.

The consultation paper outlined examples of materially enhanced information in the banking context[67], and requested input from stakeholders on possible non-bank lending specific examples. The ACCC’s submission recognised that non-bank lenders may hold data that has been generated following a process of innovation or ‘value add’ by the lender themselves. It cited the example of detailed customer and property data generated in the process of assessing a non-conforming borrower that reveals proprietary information about the lender’s credit risk assessment process and that this type of data may be subject to legitimate intellectual property rights.[68]

With the exception of those examples already contemplated by the banking designation instrument, no additional examples of materially enhanced information were identified during consultation.

5.4. Defining data holders

Open Banking identified ADIs as data holders. There is currently no such equivalent for non‑bank lenders that neatly captures the relevant entities, therefore existing statutory definitions need to be leveraged to identify non-bank lender data holders.

Through consultation stakeholders were asked to provide views on two existing definitions that could be drawn on to define data holders or to identify a suitable alternative: ‘credit facility’ found in the Australian Securities and Investments Commission Act 2001 (ASIC Act)[69]; or the definition of a registrable corporation (RFC) in section 7 of the Financial Sector (Collection of Data) Act 2001 (Collection of Data Act).[70]

Given stakeholders supported a broad designation capturing a wide range of credit products, this also requires capturing a broad range of data holders. However, there were diverging views among stakeholders regarding the most appropriate way this could be achieved — some supported drawing on existing definitions,[71] while others considered it would be more appropriate to develop a bespoke definition for the specific purpose of the CDR.[72]

Based on the balance of consultation against the intended objective of the designation, Treasury recommends using the Collection of Data Act definition. This will ensure the definition is sufficiently broad to cover the range of credit products currently available, and future products that could develop in this space. Entities are currently aware of, and engage with, this definition through their business, removing the complexity that would come from creating a new definition. This definition is preferred to the definition of ‘credit facility’ in the ASIC Act, which stakeholders noted is too open-ended and would capture significantly more data holders than just those offering the types of products intended for CDR. However, the $50 million entity size limb will be removed to ensure the Collection of Data Act definition is sufficiently broad to cover the non-bank lenders providing credit products that are intended to be captured by the CDR.

If the Collection of Data Act definition is used as the definition of ‘data holder’ in the non-bank lending designation instrument, not every entity subject to this Act would necessarily be required to participate in the CDR and comply with mandatory data sharing obligations. Rather, the designation instrument specifies the broad class or classes of persons that hold the designated data (the data holders). It is the rules that establish what is ‘required CDR data’ that must be shared and by whom.

The CDR rules can narrow the scope of data holders required to share CDR data by applying a de minimis threshold, which would have the effect of excluding data holders below a certain threshold (e.g. using a metric such as business type, customer level or revenue) from mandatory data sharing obligations. While the $50 million entity size limb is being removed to ensure all entities are captured by the designation, that is to guarantee that entities no matter their size can participate in CDR on a voluntary basis.[73] The possible application of a de minimis threshold in the non-bank lending sector is explored in further detail later in the report.

Entities within scope

The designation is intended to be broad in order to capture all the entities that are providing finance, or ‘credit-like’ products. Specifically, the designation is intended to capture providers of products generally known as BNPL.

The current CDR rules do not mandate the sharing of data about BNPL products, meaning banks are not able to share information about these products. However, if non‑bank lender data holders were mandated to share this data, Treasury recommends the rules applying to ADIs should also be amended to include this as a mandatory dataset for sharing. This would ensure consistent treatment between banks and non-banks and ensure the full realisation of the use cases detailed above.

5.5. Application of a de minimis threshold

Encouraging start-ups and facilitating growth of smaller non-bank lenders

As noted above, when considering the CDR’s role in the sector, it is important to assess proposed obligations and compliance costs (discussed in more detail under Regulatory impact) against the potential benefits of CDR. This recognises that there are benefits to consumers, competition and innovation from small businesses or start-ups. It also recognises that the imposition of regulatory obligations at a time when they could not absorb the costs would stifle their potential to grow their business or generate these benefits.

Treasury considers the obligations should commence at a time when small businesses and start-ups are better placed to absorb the cost. For example, once they have achieved some scale. Alternatively, small businesses and start-ups may choose to engage sooner if they decide it is in their best interest to do so.

The non-bank lending sector, unlike the banking sector, has a very long tail of small players where mandatory CDR would not be appropriate. Accordingly, a de minimis threshold is recommended for the non-bank lending sector, as has been implemented in energy and is being considered in telecommunications. The rule-making stage will consider the appropriate metric and threshold for the de minimis in further detail, however the following summarises initial views from stakeholders received during consultation.

Customer-level threshold

The energy sector adopted a threshold using customer numbers reported to regulators, however no equivalent reporting exists in the non-bank lending sector. While there is scope to gauge the number of products a lender provides to customers, it may be a challenge to standardise how this is measured where multiple products are bundled.

Balance-sheet threshold

Given non-bank lenders will accumulate balances on their balance sheets[74] as their loan books grow, balance sheet size is one proxy for entity size that could be used to apply a de minimis threshold for data-holder obligations. There are existing reporting obligations that could be leveraged to achieve this, such as those applying to Registered Financial Corporations (RFCs) that must report financial data to the Australian Prudential Regulation Authority (APRA) under the Collection of Data Act and its reporting standard.

A balance-sheet threshold of between $50 million and $500 million could apply. This would give smaller entities some time to grow their business before facing data-holder obligations, while still imposing obligations on approximately 30-40 lenders (and those with a similar sized operation to banks). Given that the CDR applies to data for Australian residents, Treasury considers it would be suitable for the balance-sheet threshold to apply to resident loan balances only. This metric is already reported to APRA under current obligations applying to RFCs.

Revenue threshold

Revenue reporting is another measure that may help identify those entities more suitable for data holder obligations. There is a correlation between revenue size and the size of the balance sheet used to generate interest margin. However, the margins that apply to different types of lenders and the operating costs applying to entities at different stages of their life cycle do mean that revenue is not always an accurate indication of an entity’s ability to absorb further costs.

5.6. Securitisation models and special purpose funding entities

The non-bank lending sector uses a diverse range of sources to receive funding for its lending activities. One such model is via securitisation of loans they originate. Securitisation can come about via the conversion of receivables on the balance sheet to asset-backed or mortgage-backed securities, or by converting receivables held by a special purpose funding entity (SPFE) to securities. As noted by the Australian Securitisation Forum:

The non-bank lender who provides a product to a consumer is the primary entity that receives the consumer’s information. Therefore, the non-bank lender who sells the products to a consumer should be the designated data holder, not a corporate trustee who, although named as the lender in documentation, performs an ancillary role in the financing structure. A trustee of a securitisation SPFE is also exempt as a credit provider under the Credit Act regime.[75]

Treasury notes that the data holder should only be the originator of the loan, not any other entity established to support a securitisation model. The rules-stage will consider whether further clarifications are required.

6. Privacy and confidentiality

6.1. Impact of non-bank lending designation on privacy and confidentiality

A privacy impact assessment (PIA) that considers the privacy impacts of designating the non-bank lending sector on the privacy and confidentiality of consumers is at Attachment A.

PIAs were previously conducted on the proposed implementation of the CDR in the banking, energy and telecommunications sectors. The non-bank lending designation PIA supplements and builds upon the analysis contained in these reports and focuses on privacy issues specific to designating non-bank lenders. The PIA considers the privacy impact of designating the non-bank lending data holders and datasets proposed for designation, as well as other general privacy considerations regarding the designation of non-bank lenders that are not specific to datasets.

As required by the Privacy (Australian Government Agencies – Governance) APP Code 2017, the PIA considers the potential impact that designation of the non-bank lending sector may have on individuals’ privacy. The requirements do not apply to business data. However, where the sharing of business data could impact individual privacy, this has been considered as part of the PIA. The overall security of CDR data, including business data, is protected by the CDR’s strong privacy and security protections, including the 13 Privacy Safeguards under the Competition and Consumer Act, and the CDR rules relating to the privacy and confidentiality of CDR data.

As outlined above, the implementation of the CDR to non-bank lending can be viewed as a logical extension of Open Banking as the datasets proposed for designation are the same datasets as those currently being shared by bank data holders. The consultation paper noted that the privacy risks of sharing banking data are currently being appropriately mitigated by the banking CDR rules and standards and outlined Treasury’s view that sharing of non-bank lending data as a result of designation is likely to be appropriately managed through these existing mitigation strategies. Several stakeholders provided support for this proposition[76], with TrueLayer noting:

There are no additional privacy considerations for non-bank lending datasets that have not already been thoroughly considered in the course of implementation of Open Banking in the CDR.[77]

The ACCC noted that the non-bank lending sector would enhance the privacy protections available to consumers by ensuring that CDR privacy safeguards apply when consumers’ CDR data is shared. It added that these additional privacy protections already apply to consumers sharing CDR data in the banking sector.[78]

As outlined in the Benefits of Designation section, some stakeholders raised concerns about non-bank lenders accessing and using consumer data to facilitate poor lending practices and target consumers in financial hardship.[79]  The designation instrument specifies which data holders can be required to share data by the CDR rules. Accordingly, these concerns are relevant to non-bank lenders becoming ADRs or accessing CDR consumer data via CDR’s accreditation access models, and not necessarily to non-bank lenders being designated as data holders. However, before a non-bank lender can receive and use CDR consumer data, it must be accredited by the ACCC or become a representative of someone who has been accredited. Further, the CDR operates alongside regulatory frameworks for a particular sector and does not seek to introduce regulatory reform where a sector’s regulatory framework is more appropriate. For example, in the non-bank lending sector the Credit Act contains a range of protections to prevent lenders from targeting consumers with inappropriate lending products.

While this issue is not related specifically to the designation of the non-bank lending sector, the PIA does examine the privacy impact of accredited non-bank lenders having access to customer data and the possible implications for vulnerable consumers.

For the reasons outlined in the PIA, Treasury considers the privacy risks associated with the non-bank lending datasets and the data holders proposed for designation are not of a nature that should prevent those datasets or data holders from being designated. This PIA also identifies privacy issues that will be given further consideration at the rule-making stage.

7. Regulatory impact assessment

The benefits of designating the non-bank lending sector need to be balanced against the expected regulatory impacts of designation – essentially determining the net benefits.[80] While the benefits of designating non-bank lending are provided earlier in the report, this section contains analysis on the potential costs of designation.

To assess the potential regulatory impact for data holders of extending the CDR to non-bank lending, Treasury conducted a regulatory impact assessment.  Information was gathered through bilateral meetings with a range of stakeholders, including prospective data holders and IT service providers that help data holders comply with their CDR obligations.[81] Treasury sought information to determine the nature and extent of compliance costs. The following regulatory impact analysis was informed by information provided during these bilateral meetings as well as in stakeholder submissions to the consultation paper.

Stakeholders that participated in the regulatory impact discussions were asked to assume several variables:

                  IT upgrades will be required to meet the requirements of the CDR, including authenticating consumers, supporting the sharing of CDR data through APIs, and providing consumers with a dashboard to maintain consents.

                  There will be costs associated with ongoing compliance with the CDR, including meeting data sharing obligations and reporting requirements.

                  Sector-specific obligations, such as the scope of datasets to be shared and consumers eligible to use the system, would be broadly consistent with those applied in Open Banking.

7.1. Estimate of regulatory impact

Treasury has made quantitative estimates of the regulatory impact of the CDR on data holders, based on discussions with prospective data holders and IT service providers. The estimates were made using inputs from businesses of different size, age, digital maturity, and customer type. As such, the estimates provided are for a representative business and may not represent the experiences of a particular business. They may vary based on a range of factors, including those outlined below. The below estimates are made assuming that a de minimis threshold would be introduced in the rule-making stage, as recommended by this report. Therefore, a cost estimate for small non-bank lenders has not been included.

Table 2 – Estimated compliance costs of implementing CDR

| | Medium non-bank lender | Large non-bank lender |
| --- | --- | --- |
| Year 1: implementation | $750,000 | $3,000,000 |
| Year 2+: ongoing[82] | $300,000 | $1,000,000 |
| Average annual cost (PV) | $285,707 | $1,002,358 |

Stakeholders noted a number of factors that would have an impact on cost – both implementation and ongoing costs. While some factors can be addressed by taking decisions at the rules stage to reduce compliance costs, other factors are outside the scope of influence of the rules, for example those decisions which relate to internal decision making of entities. The types of regulatory impacts outlined below are not an exhaustive list and may not apply to each business. They represent the types of regulatory impacts businesses expect to face.

Technical infrastructure

The greatest direct cost to data holders is likely to involve the need to upgrade and transform internal systems to enable data sharing to occur. Businesses generally hold data in multiple different systems, which would be required to be centralised for the purposes of data sharing. For businesses where the functionality doesn’t already exist to centralise information, such as through business intelligence systems, stakeholders noted that substantial technological upgrades would be required to comply with CDR. Many of those engaged during consultation believed that they would need to upgrade existing functionality if they were subject to data sharing requirements. Some noted they would seek to perform other system upgrades alongside CDR-specific upgrades, while one stakeholder noted it had been preparing for the CDR under a broader digital transformation project. Complementary or simultaneous upgrades may be synergistic with CDR-specific transformations and could support broader innovation and improve services.  The extent to which CDR data sharing would require upgrades is a function of the designated datasets and the CDR rules.

Use of intermediaries

Whether to use intermediaries or in-house expertise to adapt internal IT systems to the CDR is an important decision for prospective data holders. Stakeholders provided a range of responses to this question. Consultation suggested costs may be higher by opting for in-house expertise over external parties. Internal teams may need to upskill and overcome knowledge barriers regarding the CDR that an external IT service provider specialising in CDR data compliance may be able to provide more efficiently. However, there may be benefits from completing the work in-house. In-house implementation would give the business greater control over how it interacts with CDR and provide greater control over the data, both within and outside of the CDR. In-house teams may be able to address other IT issues or complete complementary projects that enhance other processes. Internal staff will be upskilled and better able to handle ongoing maintenance and compliance issues without the need for a subscription to an external provider. There may be positive spillovers to the business of conducting the work in‑house.

On the other hand, outsourcing to a service provider may provide a faster and more cost-effective solution, by using the existing expertise of experienced CDR specialists. Ready-made solutions may be integrated into a business’s systems, providing a relatively efficient solution. While outsourcing may reduce upfront costs, it may require an ongoing subscription, which may increase costs into the future.

A high proportion of stakeholders consulted indicated they would complete the work in-house because of the additional benefits that may result. Some also noted their willingness to become an ADR, for which there may be synergies by completing the work internally. Larger businesses may have a greater willingness and ability to complete the work internally.

Industry readiness

Stakeholder consultation revealed that, in general, non-bank lenders have greater awareness of the CDR relative to other sectors. They demonstrated greater knowledge of technical aspects of the CDR, and some had commenced investigation into how they may choose to comply with CDR data holder obligations. Some had considered becoming an ADR under the CDR and would be more likely to do so if they were designated as data holders.

There is a great disparity within the non-bank lending industry with respect to readiness to undertake the digital transformation required of becoming a data holder. The sector has a range of participants, from larger businesses with sophisticated in-house teams to smaller players with limited capabilities. Some businesses have legacy systems that will require substantial upgrading, while some of the relatively new entrants are using more nimble systems. The industry is carrying out preliminary assessments of a general nature on how to adapt its systems to the CDR. Some stakeholders noted that recent or current technical advancements being made to systems driven by non-CDR considerations, such as greater agility in their IT systems and greater functionality for consumers, would assist with meeting potential future obligations. Further, more technical work can only be carried out once the scope of datasets has been determined.

Scope of datasets and customers

The non-bank lending sector consists of different businesses serving many types of customers. Some businesses cater to large corporate customers, to whom they offer complex, bespoke products. Given the nature of these arrangements, customers of this type are not expected to be heavy users of CDR. However, these products would present a high degree of complexity in terms of creating CDR rules and standards. As such, the benefit of including these types of arrangements, relative to their cost of inclusion, is not sufficient at this stage to justify mandatory data sharing arrangements. For this reason, the regulatory impact assumes that decisions will be taken at the rule-making stage to appropriately balance the benefit of including information on these types of customers with the cost of its inclusion.

AFIA noted that a targeted approach to designating the sector would ensure the CDR does not ‘capture emerging or novel products which would have the potential to stifle competition and innovation’.[83]

Timing and implementation

The timeframe for implementing the CDR in non-bank lending may affect the overall cost of complying as a data holder. The interval between designation and rollout affects the demand for skilled workers and IT service providers that are required to carry out the work. A faster rollout may increase monetary costs and result in key milestones being delayed. Staging the rollout by entity size or product type may reduce demand for workers and has been suggested by some stakeholders. However, other stakeholders have noted that this approach can be inefficient; it is more efficient for businesses to share all required datasets in one discrete project.

While timing and implementation considerations affect regulatory impact, they are best considered at the rule-making stage.

Labour market constraints

Stakeholders almost uniformly noted the lack of available skills required to transform their IT systems, which would increase the costs and timeframes of complying with data sharing requirements. It was noted that the labour market is very tight, there is strong demand for the very specific set of skills involved in adapting IT systems to the CDR, and foreign labour was not currently abundant enough to fill domestic labour shortages. It was noted that these factors have pushed up labour costs and pushed out timeframes for completion in the near term. There were suggestions to delay the implementation, or roll out the sector in phases, to manage demand for scarce labour.

7.2. Other regulatory costs

Businesses, especially small businesses, spoke of the opportunity cost that CDR compliance would represent to them. Many are in a growth stage, expanding into new products, markets and geographies. They noted the opportunities that would be foregone if they were required to comply with the CDR as a data holder. Businesses are capital-constrained; investments would be postponed and expansion plans deferred in order to allocate capital to CDR compliance. Many small businesses experience high rates of growth and take many years to achieve financial stability and profitability, suggesting the opportunity costs for these types of businesses are especially high. The ABA argued that a ‘participation threshold to exclude small firms’ be considered[84], while AFIA noted that many of its members ‘have less scale to absorb new compliance hurdles’.[85]

While these costs are hard to discern, they are real and substantial, and must be considered, especially at the rules stage where any decision on de minimis thresholds is made. In addition to a de minimis threshold based on business size, a de minimis threshold is also recommended for new products, where compliance with the CDR would be required only when the number of customers exceeds a threshold.

8. The public interest

The CDR gives consumers and businesses the ability to harness information about themselves for their own benefit. For the CDR to be in the public interest by bringing maximum benefit to consumers, it should not exclude financial data from entities competing in the same lending market based on an arbitrary factor external to the CDR, such as whether an entity is an ADI or not.

The CDR’s value will continue to grow as consumers are provided with a more comprehensive view of their financial situation from which to then gain value. From a data sharing perspective, this means including new datasets relating to products that have grown in popularity since the most recent scoping of the product schedule. While expanding, the CDR should not raise barriers to entry or disproportionally impact smaller competitors and product innovators in the same market. Achieving a balance between these factors will require an approach that prioritises common datasets and use cases without imposing costs on data holders that ultimately exceed the aggregate value for consumers.

9. Matters recommended for consideration relating to the CDR rules

Stakeholders commented on a broad range of issues relating to the implementation of the CDR in the non-bank lending sector in submissions and discussions that will be appropriately addressed (and consulted on further) in the rule-making stage. This is consistent with the role of the designation instrument and CDR rules in the CDR regulatory framework and the current approaches applied in considering similar issues in the banking and energy sectors.

Treasury will hold further public consultations at the rule-making stage (which is expected to occur concurrently with development of data standards for the sector) to inform implementation design and obligations in the CDR rules.

9.1. Eligible CDR consumers

The concept of an 'eligible' CDR consumer refers to consumers who can make consumer data requests to access or transfer their data. The CDR rules contain a sector-neutral definition of ‘eligible’ CDR consumer, however this can be modified as required on a sector-specific basis. A consumer for Open Banking is ‘eligible’ if they are an account holder or a secondary user for an account that is open and accessible online. The CDR-eligible consumer can be an individual (18 years or older) or a business customer.

Given the complementary nature of the Open Banking and non-bank lending datasets proposed for designation, Treasury expects the definition of ‘eligible’ CDR consumer in the non-bank lending rules to align with the banking sector definition.

9.2. Phasing of data sharing obligations

The specific datasets required for sharing and the timeline for sharing will be set out in the CDR rules. Data holder obligations were phased in Open Banking, with major ADIs required to provide consumer data earlier than non-major ADIs, and data sharing prioritised for home and personal loans ahead of less common types of finance. Similarly, non-bank lenders of various sizes or product types could be introduced to the CDR in a staggered manner if the benefits of such an approach are apparent.

Given that the designation of non-bank lenders is (in some respects) an extension of the obligations already established under Open Banking, Treasury expects implementation to be more efficient and require less phasing. However, the resourcing constraints mentioned in the Regulatory Impact section are also a factor that may support some form of phasing, if only to ensure there are sufficient implementation resources available in the CDR ecosystem to support non-bank lenders with the rollout.

Phasing by data or product type

Some submissions favoured the prioritisation of data sharing for more common or standardised products ahead of those products that are either more recently introduced or less commonly used. This approach can help introduce data for more common use cases earlier, but it could also risk prolonging implementation for data holders that might be more efficiently handled as a single project. AFIA went further to recommend:

A phased designation of data sets within product classes would also reduce regulatory burden, by allowing firms a measured pace to develop the institutional knowledge and systems required. We suggest that product data be designated in the first instance, followed by consumer data and then transaction data as has been the case for Open Banking.[86]

The introduction of product data could be expedited due to the reduced security requirements involved. Phasing of consumer data sharing may no longer be necessary given that most datasets have already been established and standardised in Open Banking.

Phasing by entity size

Introducing data holder obligations for larger entities earlier would most likely capture the largest customer cohorts earlier. It could also have adverse competition effects if data relating to smaller entities was not available for comparison until later. However, this effect may be reduced if product data sharing obligations were imposed for all designated entities at the same time, allowing consumers to compare products across all providers.

It is important to note that the banking sector did not have a de minimis threshold, as is recommended for the non-banking sector, which meant the whole industry was subject to mandatory obligations. As such, phasing based on entity size may be less appropriate when a de minimis is operational.


Glossary

ACCC

Australian Competition and Consumer Commission

Act

Competition and Consumer Act 2010 (Cth)

ADI

Authorised deposit-taking institution, commonly referred to as a bank

ADR

An accredited data recipient is a person accredited by the ACCC to receive CDR data with a consumer’s consent

API

An application programming interface is software designed to help other software interact with an underlying system

ASIC

Australian Securities and Investments Commission

BNPL

Buy now, pay later enables consumers to delay payment when making purchases

CCR

The Comprehensive Credit Reporting Regime

CDR

The Consumer Data Right is a right for Australian consumers – individuals and businesses – to access data held about them, and the framework that facilitates such access

CDR consumer

The term ‘CDR consumer’ is defined at section 56AI(3) of the Act and includes natural persons and businesses. An eligible CDR consumer can give consent to an accredited person to collect their CDR data from a data holder

CDR rules (rules)

Competition and Consumer (Consumer Data Right) Rules 2020

Consent

Communication to an accredited person of the datasets and actions that the consumer is allowing them to access or perform, and the purposes for which the consumer agrees to their data being used and actions being initiated on their behalf

Credit Act

National Consumer Credit Protection Act 2009 (Cth)

Data holder

A party that holds and must share data upon a consumer’s request

Data / Datasets

Data is information translated into a form for efficient storage, transport or processing, and is increasingly synonymous with digital information. It includes product data (data related to the product/service advertised for example: descriptions, prices, terms, and conditions) and consumer data (data related to the consumer of the product/service for example: consumer contact details, or information relevant to their eligibility for a service)

Data sharing

The transfer of product and consumer data, usually referring to sharing under the CDR framework with consent

Designation

Designation refers to the inclusion of a dataset or data holder in a designation instrument, as defined below

Designation instrument

A legislative instrument made by the Minister under section 56AC of the Competition and Consumer Act 2010 (Cth)

De minimis

A threshold below which mandatory data sharing obligations do not apply

Materially enhanced

The concept of materially enhanced information refers to data that is the result of the application of insight, analysis or transformation to significantly enhance its usability and value in comparison to its source material

OAIC

Office of the Australian Information Commissioner

Open Banking

As the first designated sector, Open Banking was launched in July 2020 and gives consumers the ability to share banking data with third parties that have been accredited by the ACCC through APIs

Open Finance

The next priority area for expansion of the CDR which encompasses general insurance, superannuation, merchant acquiring and non-bank lending service providers

Standard/s

The technical data standards made by the Data Standards Chair for the purpose of the Consumer Data Right

 

 


Attachment A to the Consumer data right: Non bank lending sectoral assessment Final report

Privacy Impact Assessment

Context

The non-bank lending PIA supplements and builds upon the analysis contained in the energy, telecommunications and, in particular, the banking PIAs, and focusses on privacy risks specific to non-bank lenders.

Treasury released a consultation paper which sought stakeholder views on a range of factors associated with designating the non-bank lending sector, including the privacy risks associated with this sector (noting that the type of information to be shared is consistent with that already being shared through Open Banking). The privacy risks examined in the PIA were identified through consultation with stakeholders, as well as engagement with the OAIC and specialist privacy consultants. The PIA also examines privacy risks that were raised by stakeholders to related CDR consultations, such as the telecommunications sectoral assessment consultation, where it was considered they would also be applicable to the non-bank lending sector. The PIA outlines the existing mitigation strategies contained in the CDR rules and standards, and comments on the adequacy of these strategies for reducing or eliminating any negative privacy impacts. The PIA makes several recommendations for Treasury to consider at the rule making stage, including that the rules examine certain privacy issues in further detail and consider the appropriateness of additional privacy protections which are specific to the non-bank lending sector.

Analysis of risks

Part I: Privacy impacts associated with the proposed scope of designation

No. | Item | Privacy impact | Existing mitigation strategies | Gap analysis and recommendation regarding designation with respect to privacy

Designation of information about the user of the product

1.       

Information about a user may encompass a broad class of data including information that identifies an individual, such as contact details, and other information that an individual has supplied to a data holder about themselves. 

While this information (categorised as ‘customer data’ under the CDR rules for banking and energy) is often required to be shared to identify or contact a consumer, if the information is accessed by an unauthorised person it could be misused and impact an individual’s privacy; for example, for direct marketing purposes.

The risk of customer data being used inappropriately is mitigated by the CDR accreditation process, under which third parties must meet rigorous privacy and security requirements before they can receive and use CDR data from data holders. These requirements must be maintained when a person has become accredited, and include implementing a security governance framework, maintaining a comprehensive information security capability, managing and reporting security incidents, and strict requirements around who has access to data within an ADR’s CDR data environment. There are also strict requirements around who an ADR can disclose CDR data to, including outsourced service providers and trusted advisers of consumers in particular circumstances.

 

Under the Competition and Consumer Act 2010 (the Act), ADRs must comply with the 13 privacy safeguards which relate to collection, management, disclosure and use of CDR data. The privacy safeguards prohibit ADRs from direct marketing to consumers unless they have specific consumer consent (as required by the CDR rules) to do this. A breach of the privacy and security protections in the framework can result in enforcement action being taken against the relevant ADR for non-compliance with civil penalty obligations. The ACCC and OAIC have a joint CDR Compliance and Enforcement Policy and complaints about data handling can also be lodged with the OAIC. The OAIC also has a statutory function to promote compliance with the privacy safeguards, including by making guidelines for the avoidance of acts or practices that may breach the privacy safeguards and undertaking educational programs for the purposes of promoting the protection of CDR data.[87]

 

Strong individual authentication requirements are embedded in the CDR data sharing process with strong customer authentication required for data holders to authenticate CDR consumers, before they can disclose CDR data to an ADR.

Customer data has been designated under the banking, energy and telecommunications designation instruments and is currently being shared in the banking sector (it is required data for the purpose of mandatory data sharing obligations). Treasury considers the privacy impact of including customer data in a non-bank lending designation (with a view to customer data being required data under the rules) would be appropriately mitigated by the CDR’s rigorous accreditation process and ongoing obligations on accredited persons, which ensure that ADRs have robust privacy and security measures in place to protect against the unauthorised access to or misuse of customer data.

 

 

Designation of information about the use of a product

2.       

Information about the use of a product by the person or an associate of the person who is also supplied with the product.

 

This includes the type of information that a customer would typically see on a statement or account, such as the current balance, loan repayment data and transaction data (including debits and credits on the account and when these occurred, and to whom payments were made).

 

 

Information about the use of a product could reveal sensitive insights about a consumer, including a consumer’s financial capacity, which could lead to price discrimination and/or impact the goods and services subsequently offered to them. Stakeholders consider this privacy risk may be enhanced for vulnerable consumers.

 

Submissions considered there is a risk of vulnerable consumers being exploited by data recipients obtaining access to consumer data and misusing that data for their own benefit, as non-bank lenders have a higher proportion of vulnerable consumers compared with banks.[88] The joint consumer group, ACCC and PwC submit that consideration should be given to whether the extension of the CDR to the non-bank lending sector could support and increase poor non-bank lender behaviour, by enabling non-bank lenders to use financial data, such as balance and loan repayment data, to target those in financial hardship with inappropriate and unsuitable products or set discriminatory pricing or interest rates.[89]

 

The OAIC submitted that as the consumer segment that opts for NBLs are potentially more vulnerable, there may be limitations in relying on consent-based frameworks. Where vulnerable consumers feel reliant on services or payment, they may be unable to make meaningful choices about the collection and disclosure of their data.[90] The OAIC recommends consideration be given to whether particular NBL products such as those provided by non-bank lenders with poor businesses practices should be excluded from scope and to whether more safeguards are required to support vulnerable consumers.[91] Stakeholders considered these consumers require additional resources and support in order to meaningfully understand and provide consent that is fully informed and freely given to the sharing of their consumer data in the CDR.[92]

The joint consumer group does not consider that the Privacy Safeguards (in particular PS3) and other mechanisms in the rules surrounding the collection of solicited personal information are sufficient to protect against possible abuse of the consent provisions, and considers the rules do not sufficiently prevent lenders from selling or providing this information to other related or unrelated businesses who target people in financial hardship, such as debt management firms.[93]

 

Relatedly but not relevant to the non-bank lending designation, the ACCC and the joint consumer group recommended Treasury consider whether there is a need for a fiduciary interest test, which would require CDR participants to use consumers’ CDR data in the consumer’s best interest.[94]

Before a non-bank lender can receive and use CDR consumer data, it must be accredited by the ACCC or become a representative of someone who has been accredited. The risk of customer data being used inappropriately is mitigated by this accreditation process under which third parties must meet rigorous privacy and security requirements before they can receive and use CDR data. These requirements must be maintained when a person has become accredited, and include implementing a security governance framework, maintaining a comprehensive information security capability, managing and reporting security incidents, and requirements around who has access to data within an ADR’s CDR data environment. ADRs are also bound by the 13 privacy safeguards which relate to how an ADR uses and handles CDR data. A breach of the privacy and security protections in the framework can result in enforcement action being taken against the relevant ADR.

 

The consent rules ensure that ADRs are required to obtain informed consent from CDR consumers in relation to the collection and use of their data, and this includes actively selecting which data they share and for what purposes. ADRs are restricted in how they can use CDR data and only permitted to use the data in accordance with a consumer’s consent.

 

Privacy Safeguard 7 prohibits ADRs from using or disclosing CDR data for direct marketing, unless the consumer consents and such use or disclosure is required or authorised under the CDR rules. Direct marketing in the CDR context involves the use or disclosure of CDR data to promote goods and services directly to a consumer, such as by sending an email to a consumer promoting financial products using the consumer’s data.

 

In addition, the rules include a ‘data minimisation principle’ which ensures CDR data is only collected and used if it is necessary to provide the good or service a consumer has requested. Therefore, information about a called party cannot be collected and used if it is superfluous to the good or service ultimately being delivered to the consumer.   

 

 

 

Information about the use of a product has been designated and is currently being shared in the banking sector (it is required data for the purpose of mandatory data sharing obligations). Mechanisms within the rules, such as the consent collection, use and disclosure obligations and the accreditation process, exist to mitigate the risks associated with sharing this information for both vulnerable and non-vulnerable consumers. Treasury recommends further consideration be given to whether, in addition to existing mitigation strategies in the framework, supplementary rules or particular consumer experience standards for consent are needed to mitigate against any sector-specific risks, particularly for vulnerable consumers.

 

In particular, Treasury recommends the rules examine the operation of direct marketing consents and consider whether additional restrictions are required in relation to certain high-cost products.

 

We also recommend the rules consider whether there are particular non-bank lending products that should be excluded from the CDR system for privacy reasons.

 

More generally, as outlined in the report, submissions identified a number of use cases supported by non-bank lending data which could improve outcomes for consumers experiencing vulnerability, such as tools provided by financial counsellors to help consumers manage their debt. The report also notes that to obtain a new lending product from either a bank or a non-bank lender, consumers are typically required to provide past transaction information and loan repayment data to the new lender to support their loan application. Currently, outside of the CDR, this information is shared via insecure methods such as emailing PDF statements or sharing login credentials with companies that screen scrape this data and provide it to the lender. Designating this information to the CDR will enable consumers to securely transfer this information to accredited lenders with informed consent, which represents a general uplift in privacy protections relative to other data sharing methods.[95]

 

Additionally, the National Consumer Credit Protection Act 2001, which regulates the provision of credit to individuals, contains a range of protections to ensure that consumers do not end up in products that they cannot afford. In particular, the responsible lending obligations put the onus on lenders to consider the circumstances of the borrower before providing credit.[96] The Government regularly reviews the operation of the Credit Act to ensure it remains fit for purpose. For example, the Government has announced its intention to introduce additional consumer protection measures for payday lending and to consider the regulation of buy now, pay later products.[97]

 

Accordingly, having regard to the range of statutory factors, including the benefits to consumers and vulnerable consumers outlined in the report, and the existing regulatory framework in the sector, Treasury considers the privacy impact of sharing information about the use of a product is not sufficient to necessitate the exclusion of this information from designation.

With respect to the ACCC’s and the joint consumer group’s recommendation regarding the need for a fiduciary duty, Treasury will consider this recommendation in the context of the broader CDR framework.

3.       

Consumer datasets held by government entities (for example, tax information held by the ATO).[98]

 

 

The OAIC raised concerns about the potential designation of government held datasets. The OAIC considers that privacy risks are heightened in government-held personal information, which is often collected on a compulsory basis[99] as such data is often sensitive or can become sensitive when linked with other datasets.[100]

Government held datasets are not proposed for designation as part of the proposed extension to non-bank lending. Should government datasets be proposed for designation in the future, a separate assessment examining the impact of designating those datasets on the privacy of consumers will be conducted at that time.

 

Designation of ‘registrable corporations’ as data holders

4.

‘Registrable corporations’, as defined in section 7 of the Financial Sector (Collection of Data) Act 2001,[101] are proposed for designation as data holders.

 

This definition captures entities that are engaged in the provision of finance in the course of carrying on business in Australia. 

The OAIC considers privacy risks could arise in the NBL sector due to the level of technological sophistication, privacy and data security awareness and governance maturity of certain non-bank lenders.

The OAIC notes the potential NBL data holder cohort appears to engage in a broader range of activities and practices than the data holder cohort in the banking sector and potentially interacts with consumers who are unable to access the banking sector.[102]

The OAIC also notes that the potential data holder cohort for NBL is likely to contain a higher proportion of entities that have fewer resources and less capability to comply with regulatory frameworks such as the CDR. The NBL sector may have greater variation in regulatory capability when compared to the banking sector.

The OAIC also raised a related concern about the capability of entities that are not subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles[103] to meet data handling-related CDR obligations in the event these entities are able to participate in the CDR using other pathways that allow for “lower levels of accreditation”, for example through sponsored accreditation.[104]

The designation instrument specifies the broad class or classes of persons who hold the designation data (the data holders) and the rules specify what is ‘required’ CDR data that must be shared and by whom. The rules can narrow the scope of data holders required to share CDR data by applying a de minimis threshold, which would have the effect of excluding data holders below a certain threshold (using a metric like business type, customer level or revenue for example) from mandatory data sharing obligations. A de minimis threshold has been implemented in the energy rules and is being considered in telecommunications. Entities under the de minimis threshold are not subject to mandatory data sharing obligations, however they are able to elect to share CDR data on a voluntary basis.

 

A data holder must comply with privacy obligations relating to:

Privacy Safeguards 1 (open and transparent management of CDR data), 10 (notifying of the disclosure of CDR data), 11 (quality of CDR data) and 13 (correction of CDR data). Entities that fall under the threshold who voluntarily elect to participate in the CDR as data holder would be subject to these same privacy obligations.

Regarding the OAIC’s concern about entities not subject to the Privacy Act meeting data-related CDR obligations, entities accessing CDR data through either a CDR representative or sponsorship arrangement are still required to comply with the CDR’s information security and data privacy safeguard requirements. A person with sponsored accreditation, as an accredited person, is required to fulfil the same obligations as other accredited persons, including the obligations to comply with the CDR’s information security requirements, privacy safeguards and consent rules. The CDR representative model enables unaccredited persons to provide goods and services to consumers using CDR data in circumstances where they are in a contractual arrangement with an unrestricted accredited person who is liable for them. A CDR representative’s principal ADR breaches the CDR rules (and potentially faces enforcement action) if its CDR representative does not comply with the privacy safeguards and other mandatory requirements. Treasury also notes the OAIC’s concern is not specific to non-bank lenders; a separate PIA (and agency response) considering the privacy impact of entities accessing CDR data through new accreditation pathways was conducted at the time these rule changes were being contemplated.

As outlined in the Report, feedback received during consultation supported taking a broad approach to designating non-bank lenders to ensure the designation instrument captured all entities that provided lending products to consumers. A broad approach means that entities that provide lending products to consumers but which are excluded from mandatory data sharing obligations through the application of a de minimis threshold would still be able to share their data with ADRs on a voluntary basis, should the entity see commercial value in doing so.

 

If the Collection of Data Act definition is ultimately leveraged as the definition of data holder in the non-bank lending designation instrument as is proposed, not every entity subject to this Act would necessarily be required to participate in the CDR and comply with mandatory data sharing obligations. The report recommends that the rules impose a de minimis threshold excluding smaller non-bank lenders from designation. When considering the appropriate metric and threshold for the de minimis at the rule-making stage, Treasury recommends the rules take into account the regulatory maturity, technological sophistication and privacy and data security awareness of potential NBL data holders, as well as the size.

 

Part II: general privacy impacts of designation

No. | Item | Privacy impact | Existing mitigation strategies | Gap analysis and recommendation regarding designation with respect to privacy

5.

Extension of the CDR to non-bank lending may enable non-bank lenders to circumvent the Comprehensive Credit Reporting (CCR) Regime

 

The ACCC and the joint consumer group have raised concerns about the potential for non-bank lenders to use the CDR to circumvent the limitations on sharing information about a consumer’s credit history imposed by the Comprehensive Credit Reporting (CCR) Regime, which may enable financial hardship information to be used to disadvantage consumers and impact their ability to obtain credit, and potentially discourage consumers from seeking out hardship arrangements with their lenders.[105]

The Comprehensive Credit Reporting Regime

Lenders in Australia share information about consumers’ credit accounts, including consumers’ repayment history with credit reporting bodies under the CCR regime. The regime enables lenders to have detailed and contextual information about how an individual interacts with credit, including positive financial behaviour. The scheme is mandatory for the big four lenders and voluntary for other lenders including non-bank lenders.

Only licensed credit providers can share and receive repayment history information under the CCR regime. The regime restricts the use of repayment history information and financial hardship information, and limits are in place to restrict what a lender can do with such information when they do find out. For instance, a lender cannot use the information as the sole basis for closing a credit card or reducing a limit. Additionally, financial hardship information cannot be included in the calculation of any credit scores developed by credit reporting bodies and is deleted from credit reports after 12 months.

The joint consumer group submits that the application of CDR to the non-bank lending sector, however, has the real potential to undermine these policy settings and limitations by enabling financial hardship information to be used to disadvantage consumers and circumvent these limitations. The joint consumer group stated that this can occur by CDR providing greater access to a consumer’s entire financial history, such that lenders will be able to undertake analysis that provides insights in line with or equivalent to those captured under the credit reporting system. Without the CCR-imposed restrictions, the joint consumer group suggests that consumers may be discouraged from proactively seeking out hardship arrangements due to fear of affecting their credit rating.[106]

As previously noted, the consent rules ensure that ADRs are required to obtain informed consent from CDR consumers in relation to the collection and use of their data, and this includes actively selecting which data they share and for what purposes. ADRs are restricted in how they can use CDR data and only permitted to use the data in accordance with a consumer’s consent. Data sharing arrangements are to be time-limited, with the consumer also able to choose to end data sharing arrangements at any time and to require the ADR to delete their data.

 

In addition, the rules include a ‘data minimisation principle’ which ensures CDR data is only collected and used if it is necessary to provide the good or service a consumer has requested.

 

 

 

Concerns raised by submissions relate to the sharing of transaction data and the potential insights that could be gained from looking at a consumer’s transaction data. The interaction with CCR was considered at the time of establishing CDR. The Privacy Act ensures that credit reporting bodies cannot use CDR to receive information other than that allowed in CCR. This ensured CCR continued to operate as originally intended.

 

As outlined above, consumers’ transaction information is already being shared through Open Banking. The rules contain various mechanisms to ensure consumers, including vulnerable consumers, are empowered and informed in choosing which data to record, store and share and for what purpose, and require ADRs to only use CDR data in accordance with consents received from consumers. As noted above, this information is shared via unsecure methods outside of the CDR. Designating this information to the CDR will enable consumers to securely transfer this information to accredited lenders with informed consent, which represents a general uplift in privacy protections relative to other data sharing methods.

‘Hardship information’ is a specific type of information in the CCR regime, to become available from 1 July 2022. While serving a very important function, ensuring that lenders do not pre-emptively rule out consumers from accessing credit because they have faced a period of stress, lenders are encouraged to seek further information from the consumer to ensure they can service the credit they are applying for – this is a standard part of the credit application process.[107]

Further, the existing consent framework ensures the consumer controls when to share their information and, importantly, has the power to cease sharing information. A consumer may choose to consent to share their information when they are experiencing periods of financial stress as it will support accredited third parties providing financial counselling or budget management services which would be highly valuable at such a time.

Having regard to all the statutory factors required for designation, Treasury considers this information is appropriate for designation and that no further mitigation strategies are required.

6.

Cumulative privacy and security risk associated with combining datasets from multiple sectors

While not a specific issue raised by stakeholders during the non-bank lending consultation, stakeholders have previously raised concerns about the privacy and security risks of data recipients collecting consumer data from multiple sectors. These include security risks associated with the creation of data ‘honeypots’ attractive to cyber-criminals and privacy risks associated with increasingly detailed information about individuals being brought together and analysed.[108]

 

The OAIC previously submitted that combining data from different sectors means richer and more granular insights may be derived about individual CDR consumers, meaning the sensitivity of the data and the overall privacy risks for consumers may increase.[109] Consumers may be unaware of the potential for sensitive conclusions to be drawn from combining their CDR data related to several sectors for example, banking data with telecommunications data, and these risks may be exacerbated for vulnerable consumers.[110]

These risks are mitigated by the strong privacy and consumer protections in the CDR framework. In order to become accredited under the CDR, an ADR must first meet, and maintain, robust information security requirements. ADRs must also comply with safeguards around the deletion and de-identification of CDR data, requirements that restrict an ADR’s use of data in accordance with a consumer’s informed consent (including how long it can be used for and the purposes for which it can be used) and the principle of data minimisation.

 

Privacy safeguard 12 and the CDR rules set out the minimum steps that ADRs must take to protect CDR data and ensure that data is protected to a high standard and the capability of an ADR’s security posture is regularly reviewed.

The CDR is intended to be an economy-wide reform legislative framework and as such, the CDR’s security and privacy framework was developed to ensure the safe and secure handling of data from multiple sources and sectors. As the CDR matures and considers technological developments, additional requirements in relation to information security will be managed at the rule and standards making stages as appropriate.

 

The OAIC, as the regulator of the privacy aspects of the CDR, has a range of investigative and enforcement powers under the Act which can be utilised in the event a consumer’s data is mishandled. The OAIC also has a statutory guidance function to educate CDR participants about their privacy obligations and to promote compliance.

 


ATTACHMENT D

 


 

Consumer Data Right

Open Finance Sectoral Assessment

Non-bank lending

 

March 2022

 

 


 

Table of Contents

Consultation Process
1. Introduction: Expansion to Open Finance
1.1. The process for assessing and designating sectors and datasets
1.2. The effect of designation
2. Non‑bank lending in Australia
2.1. Non‑bank lending products
2.2. Potential to improve individual and small business outcomes
2.3. What non‑bank lending data should be included in the designation?
Intellectual property
2.4. What data holders might be suitable for designation?
2.5. Privacy and regulatory burden considerations
Privacy and confidentiality
Regulatory impact
3. Examples of rules considerations
3.1. Eligible customers
3.2. Phasing of data sharing obligations
Glossary

© Commonwealth of Australia 2022

This publication is available for your use under a Creative Commons Attribution 3.0 Australia licence, with the exception of the Commonwealth Coat of Arms, the Treasury logo, photographs, images, signatures and where otherwise stated. The full licence terms are available from http://creativecommons.org/licenses/by/3.0/au/legalcode.


Use of Treasury material under a Creative Commons Attribution 3.0 Australia licence requires you to attribute the work (but not in any way that suggests that the Treasury endorses you or your use of the work).

Treasury material used ‘as supplied’.

Provided you have not modified or transformed Treasury material in any way including, for example, by changing the Treasury text; calculating percentage changes; graphing or charting data; or deriving new statistics from published Treasury statistics — then Treasury prefers the following attribution:

Source: The Australian Government the Treasury.

Derivative material

If you have modified or transformed Treasury material, or derived new material from those of the Treasury in any way, then Treasury prefers the following attribution:

Based on The Australian Government the Treasury data.

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are set out on the Department of the Prime Minister and Cabinet website (see www.pmc.gov.au/government/commonwealth-coat-arms).

Other uses

Enquiries regarding this licence and any other use of this document are welcome at:

Manager
Media and Speeches Unit
The Treasury
Langton Crescent
Parkes  ACT  2600
Email: media@treasury.gov.au


 

Consultation Process

Request for feedback and comments

Interested parties are invited to comment on the issues raised in this paper by 12 April 2022.

While submissions may be lodged electronically or by post, electronic lodgement is preferred. For accessibility reasons, please submit responses sent via email in a Word or RTF format. An additional PDF version may also be submitted.

Publication of submissions and confidentiality

All information (including name and address details) contained in formal submissions will be made available to the public on the Australian Treasury website, unless you indicate that you would like all or part of your submission to remain confidential. Automatically generated confidentiality statements in emails do not suffice for this purpose. Respondents who would like part of their submission to remain confidential should provide this information marked as such in a separate attachment.

Legal requirements, such as those imposed by the Freedom of Information Act 1982, may affect the confidentiality of your submission.

Consultation process to support the sectoral assessment

Treasury’s consultation process for the sectoral assessment will involve consulting broadly with representatives from the non-bank lending industry, industry associations, start-ups, consumer and privacy advocates and other interested parties.

Feedback received during this process will inform a final report, which will make a recommendation to the Minister on whether to extend the Consumer Data Right to non‑bank lending. The sectoral assessment consultation process will also incorporate consultation activities including a stakeholder roundtable and targeted bilateral meetings.

Closing date for submissions: 12 April 2022

Email: data@treasury.gov.au

Mail: Sectoral Assessments, Consumer Data Right Division, The Treasury, Langton Crescent, PARKES ACT 2600

Enquiries: Enquiries can be initially directed to data@treasury.gov.au

Phone: Claire McKay, Director, 02 6263 2124

Media enquiries should be directed to media@treasury.gov.au

 

The principles outlined in this paper have not received Government approval and are not yet law. As a consequence, this paper is merely a guide as to how the principles might operate.


1. Introduction: Expansion to Open Finance

Australia’s future prosperity will depend on how it adapts to changes in technology and the digital frontier. The potential benefits of the digitalisation of the Australian economy have been estimated at $315 billion over the next decade,[111] and will benefit all aspects of Australian society. The Consumer Data Right (CDR) is a key aspect of Australia’s Digital Economy Strategy 2030. The CDR is a new pillar of competition policy, aiming to enhance competition and innovation in key industries, especially service industries, which comprise a large share of the economy but may struggle with productivity growth. The CDR is also a fundamental right for Australian consumers and businesses to have power over data generated about them, to share and extract value from this data and help to access the many benefits of progress in digital infrastructure and capability.

On 24 January 2022, the Minister for Superannuation, Financial Services, the Digital Economy and Women’s Economic Security and the Treasurer announced that the next priority area for the economy-wide implementation of the CDR is expansion to ‘Open Finance’ data, building on banking data that is already available, and energy and telecommunications data which is being brought into the CDR. Expansion to Open Finance will be delivered in a phased approach to facilitate a more rapid and targeted approach to designating the key datasets across each of these subsectors that build on and complement existing designated datasets. Phase 1 expansion will also explore the extent to which there are complementary consumer datasets held by government and the benefits for consumers having access to these datasets through the CDR.

As announced, phase 1 of Open Finance will include the assessment and designation of the non‑bank lending sector, merchant acquiring services, and key datasets in the general insurance and superannuation sectors. This consultation paper invites feedback on the proposal to expand CDR to non-bank lending for the purpose of informing Treasury’s sectoral assessment report.

Separate consultation processes will specifically explore the scope and merits of expansion to merchant acquiring services, general insurance and superannuation datasets. These consultation processes have been designed to work together to facilitate feedback on the combined effect of datasets across the four subsectors to deliver phase 1 of Open Finance, with particular regard to unlocking consumer-centric innovation while balancing the cost of implementation and supporting accelerated ecosystem growth.

In providing feedback, stakeholders are encouraged to consider how datasets across all four areas along with data already in the CDR system could together support product innovation, streamline business processes and improve consumer outcomes. The assessment and designation of phase 1 of Open Finance will be completed in 2022. The timing and focus of any future phases will depend on the implementation of phase 1 and will likely consider a broader range of datasets from the merchant acquiring services, superannuation and insurance subsectors.

Why Open Finance?
Open Finance has been identified as the next priority area for expansion based on a strategic assessment conducted by Treasury in 2021 that explored how to best prioritise and sequence economy-wide implementation. The findings of the assessment were informed by extensive consultation and published by Treasury on 24 January 2022. The report concludes that:
•	Future expansion should be based on identifying key datasets that either alone or combined with other datasets contribute to concrete consumer outcomes and benefits.
•	To support rapid growth of the innovation ecosystem the immediate focus should be on datasets that build on and complement existing datasets to support a broader range of use cases.
•	Expansion of the CDR should be data holder agnostic and consider both consumer data held by businesses and government as appropriate.
Application of the CDR to Open Finance, including non-bank lending, can enhance the economic wellbeing of Australians by assisting individuals and businesses to switch to better-value deals that match their needs in products that fall within some of the most fundamental areas of one’s life – banking, insurance and superannuation. Providing more information about financial products reduces information asymmetries and can help consumers search for and compare a full set of financial products, and have greater confidence when dealing with the financial sector.
Non-bank lending
Non-bank lending has clear parallels with the already designated banking sector, and could provide consumers with a more complete view of their liabilities and borrowing and facilitate comparison of the full suite of lending products on the market, spurring more competitive and personalised products and services across both the banking and non-bank lending sectors.
Merchant acquiring services
Merchant acquiring services enable merchants to process payments and are therefore critical to running a small business. Extension of the CDR to merchant acquiring services could improve transparency of product information and support product comparison, particularly for card transaction data. The Reserve Bank of Australia (RBA)’s Review of Retail Payments Regulation found that this may address market inefficiencies, and reduce merchants’ search and switching costs.

General insurance
The lack of standardised information about general insurance products and services makes it difficult for consumers to understand and assess the value and relevance for them of competing product and service offerings, which can lead to consumers either paying for products and services not well suited to their circumstances, underinsurance or actions on their part that unwittingly invalidate their insurance policy. There are many potential use cases that could support expansion of the CDR to a range of general insurance and other insurance type products and datasets. A phased approach to expansion has been proposed based on early feedback about the potential for immediate benefit from enhancing consumer access to an equivalent form of generic product data.
Superannuation
Superannuation often represents an individual’s most significant personal asset and therefore is a significant element of consumer financial wellbeing. Enhanced access to key consumer information such as superannuation account balances has been highlighted as an efficient way to increase consumer engagement with and knowledge of their superannuation. When combined with other financial datasets, access to key account information through the CDR could improve consumers’ understanding of their finances and support life-span wealth management.
Government-held consumer data
Expanding the CDR to complementary government-held datasets may also significantly enhance the user experience and utility of the CDR. Treasury is exploring the potential for the CDR to expand to government-held consumer datasets as part of Open Finance.

Combining Open Finance with banking datasets already in the CDR could support the creation of new and innovative services such as personal finance and life administration apps to take the time, cost and complexity out of everyday tasks and make big financial decisions less risky for consumers. Banking and non‑bank lending data can be used for financial planning and loan assessment purposes, and an even richer picture of someone’s financial circumstances can be revealed when banking data is combined with superannuation and insurance data.

More convenient data-driven services like budgeting and financial management apps can help consumers spend less time on ‘life admin’ and reduce transaction costs. Combining banking and Open Finance datasets has the potential to support consumers to plan for and better manage significant financial events, such as applying for a home loan or making longer-term decisions about retirement.

As more sectors are designated to the CDR, the possibilities from combining datasets grow, presenting greater opportunities for innovation and enhancing benefits to consumers. Accredited data recipients (ADRs) offering account aggregation services could bring together information about energy, telecommunications and financial services products their customers hold with different providers in one place, providing consumers with a holistic picture of their finances and enabling consumers to better manage their household services. This could help consumers achieve savings goals, get better deals and change their consumption behaviours to better suit their lifestyle and needs.

Ellyse manages her finances
Ellyse has accounts with multiple banks and non-bank lenders so she can get competitive interest rates on her loans and the best reward schemes from her credit card providers. The implementation of Open Finance datasets means Ellyse can use CDR enabled budgeting apps to bring the data from her different accounts into one easy-to-use dashboard. She uses the dashboard to compare loans and credit card deals across different bank and non-bank providers.
As well as finding the best loan and credit card rates, Ellyse can use data from energy and telecommunications providers to find better phone or electricity plans, which helps her to meet her loan repayment goals faster. Ellyse can also have her scheduled payments included in the app, so it notifies her when payments are due or when she should move funds between her loan and deposit accounts to reduce interest payments.

 

Account management tools are another way the data could be used, allowing a consumer to be notified by an ADR when their upcoming payments to both bank and non‑bank lenders are due, and to forecast when there may be difficulties making these payments ahead of any amounts becoming overdue.

1.1. The process for assessing and designating sectors and datasets

The process for expanding the CDR to cover new sectors and datasets involves a formal assessment and designation process that is specified in legislation. Section 56AC of the Competition and Consumer Act 2010 (the Act) empowers the relevant minister (the Minister for the Digital Economy) to make a legislative instrument designating a sector of the Australian economy to be subject to the CDR, and the specific classes of information (data) and the class or classes of persons who hold the designated information (data holders). In doing so the Minister must consider the following factors:

•	the interests of consumers;
•	promoting competition;
•	the efficiency of relevant markets;
•	promoting data-driven innovation;
•	the privacy or confidentiality of consumers’ information;
•	any intellectual property in the information;
•	the public interest; and
•	the likely regulatory impact of designation.

 

To inform the Minister’s consideration of these factors, the Secretary of the Department (the Treasury) must provide a report addressing each of these factors informed by public consultation and consultation with the Australian Competition and Consumer Commission (ACCC), Office of the Australian Information Commissioner (OAIC), and the primary regulator of the relevant sector (section 56AE(1)(c)). The Minister is also required to consult the OAIC about the likely effect of the instrument on the privacy and confidentiality of consumers’ information (section 56AD(3)).

1.2. The effect of designation

The making of a designation instrument enlivens the rule-making power in relation to the sector by specifying the parameters for the classes of information that may be required to be shared under the CDR in a particular sector, as well as who is required to share it.  Once a sector has been designated, CDR rules and standards for that sector can be made in accordance with statutory processes, including extensive consultation requirements.

Designation involves specifying ‘classes of information’ or data to be designated, but designation of a sector does not itself impose substantive obligations. Rather, the requirement to disclose particular data arises from the CDR rules, which establish what is ‘required’ CDR data that must be shared in response to a valid request, as well as what information data holders are ‘authorised’ to share on a voluntary basis. More information on the operation of the CDR regulatory framework is available at Attachment A.

2. Non‑bank lending in Australia

A non‑bank lender and financier is a business that offers consumers – both individual and business customers – loans, mortgages, personal finance, credit cards and other types of finance, but does not hold a banking license or accept deposits. Non‑bank lending in Australia continues to grow in both balance sheet size and range of products, in many cases offering specialised products to consumer segments that are not prioritised by banks.

Non‑bank lending products are an increasingly important source of credit for individual consumers and businesses. Consumers engage with a range of non‑bank lending products including credit cards, home loans, personal and business loans on a regular basis instead of, and as well as, banking products supplied by authorised deposit‑taking institutions (ADIs; commonly referred to as banks).

Non‑bank lenders are also active in the small business lending space. Approximately 40 per cent of non‑bank lenders’ loan volumes are sourced from business customers.[112] Adding non‑bank lending data into the CDR system could complement datasets already being shared in the banking sector and consumers including businesses will benefit from the ability to access and share CDR data in relation to the full range of credit and lending products available in the market.

2.1. Non‑bank lending products

Non‑bank lenders offer a range of products, including:

•	Home loans: Typically the largest item on the balance sheet of non‑bank lenders. In some cases, the loans originated by these large non‑bank lenders are securitised and sold to investors.

•	Credit cards: Credit cards remain a common form of credit for Australian individual and business consumers; 19 per cent of Australian transactions are paid using a credit card.[113],[114] Credit cards incur monthly interest charges on outstanding balances, as well as potentially other fees, such as an annual fee.

•	Personal loans: Non‑banks are prominent in the personal loan segment, sometimes offering specialised lending products to customers whose circumstances make them less suitable for banking products. These loans could be used to pay for smaller items such as cars, holidays or home renovations and can be secured or unsecured. This category includes payday lenders or cash advance providers, who can quickly provide consumers with short-term loans, but with high levels of fees attached that make them more expensive than conventional personal loans.

•	Consumer leases: A consumer lease lets consumers rent an item, often a household appliance, for a set amount of time. The customer makes regular rental payments, typically weekly or fortnightly, until the lease ends. At the end of the lease the leasing company still owns the item but may offer the customer the option to purchase it. Compared to other non‑bank finance providers, consumer leasing operators generally are smaller in size.

When the consumer is making a decision on the product, they are making a decision on both the credit product and the asset; this means there may be limited value from incorporating only the credit component into CDR.

•	Margin loans: A margin loan lets a consumer borrow money to invest in shares, exchange-traded-funds (ETFs) and managed funds. Usually these loans come with requirements to keep the loan to value ratio (LVR) below an agreed level; once it goes above the agreed level the investor must pay a margin call or sell some investments. Providers of margin loans are typically ADIs, however some non‑bank lenders offer this product.

•	Business finance: Non-banks are large providers of business financing. The market is diverse covering traditional loans, interest free products, invoice financing, and asset finance and leasing. Some non‑banks may target their products to a particular segment of the market, such as small business, or particular loan sizes.

Given the diverse range of offerings which fall within business finance, some products may be more appropriate for inclusion in CDR than others once factors such as potential use cases, standardisation of datasets across industry and costs of inclusion to lenders are considered.

2.2. Potential to improve individual and small business outcomes

Empowering consumers to make more informed decisions about non‑bank lending products

For customers, it can be a complex task to differentiate between available lending products offered by banks and non‑banks to determine which best suits their needs. The ACCC’s 2020 Home Loan Price Inquiry found that switching a home loan from one lender to another is more complex than switching between suppliers of many other products and services, due to the large number of home loan products on the market (nearly 4,000 in 2019) and the multi-stage process required to switch between lenders.[115] Faced with complexity, many customers base their decisions on ‘rules of thumb’ or shortcuts, such as choosing a well-known institution or an institution with which they have an existing banking arrangement.[116] This can place non‑banks at a competitive disadvantage, as consumers may be more likely to seek credit solutions from banks even if a better value deal is offered by a non‑bank.

Consumers who do not take advantage of more competitive offers in the market can be negatively impacted in the longer term. The RBA has shown that as borrowers’ loans get older, the gap between what they pay and what borrowers with new loans pay widens, with older loans typically having higher interest rates than new loans, even for borrowers with similar characteristics.[117]

The CDR could make it easier for consumers to identify, compare and ultimately switch to more personalised lending products.

As the CDR ecosystem develops and consumers become more aware of the services provided by ADRs, this will likely drive both non‑banks and banks to offer more personalised and competitive products and services by improving access to information. It may also reduce the prevalence of practices that hinder competition, and therefore switching, such as discretionary discounts which customers can only become aware of through discussions directly with the lender.

Spurring innovation, reducing barriers to switching and streamlining existing application processes

The time and effort required to change arrangements can deter some customers from switching. The CDR can reduce barriers to switching and further streamline lending application processes by giving consumers the ability to safely access and share data about them that is held by banks and non‑banks. For example, as part of a home loan application, prospective borrowers are typically required to provide to the lender their transaction history, credit card and personal loan statements as well as details of other accounts or loans, over a certain period of time.[118] These documents are often manually provided by the consumer to the lender via unsecure methods like screenscraping or email. Consumers could benefit from the ability to securely transfer sensitive information through the CDR to an accredited lender or third party in a fraction of the time it would take to provide this information through channels outside of the CDR.

The designation of non‑bank datasets will look to complete the information available on customers’ lending accounts through CDR – currently only accounts with banks can be shared. Authorised lenders, or trusted advisers such as mortgage brokers, would have immediate visibility of the total obligations consumers have with other banks and non‑banks (for example, whether a customer has a personal loan), which can support a lender’s assessment of a customer’s creditworthiness and in turn assist lenders with credit licences to comply with responsible lending obligations. Oversight of a customer’s complete financial position could streamline the application process for both the lender and consumer, resulting in faster assessment times. The 2020 Australian Competition and Consumer Commission (ACCC) Home Loan Price Inquiry recognised the important role the CDR has in addressing the impediments to switching between lenders of home loan products.

Businesses also typically have more complex needs than individual consumers, and it can be difficult to find lending products tailored to their specific business needs and circumstances. Smaller businesses typically also have less documentation and shorter financial histories, which can make it harder and more costly for ADIs and non‑bank lenders to acquire the required information to make accurate assessments of small businesses’ creditworthiness.[119] Improved access to small business data could support lenders with more streamlined and cost-effective loan assessment processes.

2.3.            What non‑bank lending data should be included in the designation?

As in previous CDR sectors, both ‘generic’ product data and consumer specific data are proposed for designation in non‑bank lending. Product data has tended to include the kind of information that is generally available about a product, for example, in a disclosure document (terms and conditions, fees, charges, contract length). Consumer data has tended to include information about consumers, as well as information about their use of a particular product or service.

Datasets held by non‑bank lenders cover the broad range of products they offer and the customer interactions with those products as factors such as payments, charges, rates and repayment schedules are updated. Where the same products are offered, the data is expected to be the same as that held and provided by bank data holders under the CDR (these are outlined broadly in the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019).

These datasets are defined in the banking designation as information about the user of a product, information about the use of a product and information about a product. The CDR Rules break these down into the following categories:

 

| Designation of classes of information (data) | Category of data under the rules | Broadly what it supports sharing of |
| --- | --- | --- |
| Information about products | Product data | Publicly available generic product information including name, type, price, and terms and conditions. May also include publicly available product performance data. |
| Information about customers/users | Customer data | Information about a customer, such as general contact information including a name, address, and phone number. |
| Information about customers/users | Account data | Information about an account, such as account identifying information. |
| Information about use of products | Transaction/billing data | Information about use of a service, including information about transactions and amounts due or charged. |
| Information about use of products | Product specific data | Information about a product that a particular consumer uses, including bespoke rates a customer may be subject to. |

 

The broad range of lending products offered by bank lenders is covered under schedule 3 to the Competition and Consumer (Consumer Data Right) Rules 2020 (the CDR Rules), which include:

               Personal and business credit or charge card accounts

               Home loans, residential and investment

               Personal loans

               Business finance

               Investment loans

               A line of credit, personal and business

               Asset finance

               Consumer leases

It is expected that the rules and standards applying to non‑bank lender datasets would leverage those already implemented in the CDR. If a product offered by a non‑bank lender varies significantly from the bank equivalent, the rules and/or standards applying to this data can be updated to accommodate it where necessary. Similarly, should this process consider, and identify for sharing through CDR, products that were not considered at the time of Open Banking, changes to the banking schedule in the Rules will be made to ensure there is consistent information being shared across both banks and non‑banks.

Intellectual property

CDR data is data outlined in the instrument designating a sector and any information that is derived (wholly or partly) from that data. The designation instrument for the banking sector excludes ‘materially enhanced information’ about the use of a banking product from the specified classes of information subject to required data sharing. The concept of materially enhanced information refers to data that is the result of the application of insight, analysis or transformation to significantly enhance its usability and value in comparison to its source material.

Data holders cannot be required to disclose materially enhanced data about the use or sale/supply of products under the CDR but may be authorised to disclose it through the CDR on a voluntary basis. For example, in the banking context, materially enhanced information may include: the outcome of an income, expense or asset verification assessment; or a categorisation of transactions as being related to groceries or rent; or significantly improved descriptions of transactions utilising geolocation or business name data from external sources.

A similar approach to excluding materially enhanced information is proposed if the non‑bank lending sector is designated.

2.4.            What data holders might be suitable for designation?

Generally, the entities that offer the products mentioned above are the entities that manage the relationship with the customer, and would be considered data holders for any proposed designation instrument. Where entity structures are less simple, such as for securitised loans or white labelled products, the general principle that the entity holding the legal relationship with the customer should be the data holder would still apply.[120]

The non‑bank lending sector includes a wide range of entities offering services that can sometimes complement or overlap with others. In some instances there may be more than one entity that holds a particular dataset that reveals how a product is used. Where this occurs it would be optimal for CDR data holder obligations to only be imposed on one entity to avoid duplication of effort.

The size of the non‑bank lending industry is partly demonstrated by the number of Australian Credit Licence (ACL) holders, which at approximately 1,015[121] represents only a component of the industry.[122] While some are large household names competing with banks, many ACL holders are smaller operators that offer the same lending products but are likely to have lower levels of technological sophistication or data security awareness. There are also many specialist non‑bank business lenders who aren’t required to hold an ACL, or other type of licence.

In Open Banking, ADIs were identified as data holders. There is no such equivalent for non‑banks that neatly captures the relevant entities, therefore a key issue for consideration in the assessment process is the scope of data holders that should be designated, and the potential to leverage existing statutory definitions. For example, to capture the broad scope of entities providing finance, a non‑bank lending data holder could draw on the definition of ‘credit facility’ in the Australian Securities and Investments Commission Act 2001 (ASIC Act) or be an entity that is engaged in the provision of finance in the course of carrying on business in Australia, as per the definition of a registrable corporation in section 7 of the Financial Sector (Collection of Data) Act 2001 (Collection of Data Act).[123] Once this scope has been set, exclusions could be made either in the designation instrument or at the rule-making stage based on various factors such as business type (for example, money market corporation, intra-group financier), product type or some other threshold using metrics such as balance sheet, revenue or customer level.

A key consideration will be striking the right balance between designating a broad scope of data to support product comparisons (for example), and the cost of making these datasets available across the broad spectrum of non‑bank lenders participating in the market. In energy, only a subset of designated data holders are required to share data through the application of a de minimis threshold, as for smaller retailers it was considered the cost of the CDR obligations would outweigh the benefits to consumers. Below the threshold, entities are not subject to mandatory data sharing obligations (unless they are subject to reciprocal arrangements as an ADR), but can choose to share data voluntarily.

2.5.            Privacy and regulatory burden considerations

In addition to identifying and considering the potential consumer benefits, competition and innovation outcomes that might flow from designating non‑bank lending data, the assessment will consider any associated potential risks, sensitivities and costs.

Privacy and confidentiality

An assessment of the privacy implications was initially conducted on the proposed implementation of the CDR regime in the banking sector, with further privacy assessments completed examining the impact of the proposed implementation of the CDR in the energy and telecommunications sectors.

Banking data is already shared in the regime and any risks appropriately mitigated in the rules and standards. Any sharing of non‑bank lending data (which is likely to be the same type of data as for banking loan accounts) as a result of designation is likely to be appropriately managed through these existing mitigation strategies.

Regulatory impact

Assessing regulatory impact involves considering potential compliance costs at a general and high level and using assumptions to produce estimates of those costs. The Minister can then weigh the estimated costs against the potential benefits for different datasets and data holders before making a decision on whether to designate them.

The CDR does not seek to create new sets of data for entities to collect, but instead creates a framework for existing datasets to be shared securely. Following the implementation of the CDR in the banking, energy and telecommunications sectors, non‑bank lending would be the fourth sector for which the CDR is activated. Accordingly, it is anticipated that the types of regulatory impacts would be similar to those experienced by previous participants, particularly those in the banking sector. Experience with implementation of the CDR to date may allow regulatory impacts for non-bank lenders to be reduced compared to earlier sectors. For example, third party vendors[124] with experience implementing the CDR in the banking sector will be able to draw on this for non-bank lenders.

Open Banking set the threshold for eligible consumers at the level where they are able to access their account online. While online account management is a common feature, smaller non‑bank lenders may not operate at the level required to fully meet CDR obligations in terms of data sharing, customer authentication and information security. These entities are likely to have a customer level small enough to make the marginal cost of compliance with CDR obligations prohibitive for their business. If suitable, a de minimis threshold can be applied to data holder obligations, however it would need to be able to be applied clearly and consistently across the spectrum of non‑bank lenders.

The sharing of CDR consumer and product data comes with different costs.

               Consumer data requires strict security and authentication controls that can be costly to implement.

               Product data reveals information about a product, not a consumer, and is shared through unauthenticated Application Programming Interfaces (APIs).

It may be possible to still impose product data sharing obligations on non‑bank lenders of a smaller size without the onerous responsibilities of being a consumer data holder. This would allow data recipients to compare the products of a wide range of non‑bank lenders with their competitors in both the non‑bank lending and banking segments. Extending product data sharing across the widest range of non‑bank lenders will give consumers more choice than ever before when comparing products, and can potentially provide lesser known non‑bank lenders with a low cost means of communicating the price and features of their new products.

Information on many consumer credit products is highly standardised due to obligations under the Credit Act to make available ‘key fact sheets’ and therefore is well suited for sharing through CDR. Required information for home loan fact sheets includes interest rates, applicable fees and monthly repayments. Required information for credit card fact sheets includes minimum repayment, interest rates to purchases, and any applicable fees.

As such, were non‑bank lender product data designated for consumer credit products it may only be an incremental increase in regulatory cost to require the same information to be made available in a digital, machine-readable format via APIs.  

 

Questions:
Benefits and use cases
•	How could sharing non-bank lending data encourage innovation or new use cases for CDR data? Are there cross-sectoral use cases that non-bank lending data can support, in particular with Open Finance/Banking?
•	May the benefits of sharing non-bank lending data vary across particular consumer groups; for example, vulnerable consumers?
•	Would the designation of non-bank lending improve competition between lenders, including leveling the playing field with banks, or lead to greater market efficiencies?
Data holder and datasets
•	If non-bank lending is designated, which entities should be designated as data holders?
•	How should data holders be described in a designation instrument? Is there potential to leverage existing definitions (for example, the definition of ‘registrable corporation’ in the Collection of Data Act or ‘credit facility’ in the ASIC Act)?
•	Where lending is securitised or provided to a brand owner by a white labeller, does the same entity retain the legal relationship with the customer, as well as hold the data on the loan?
•	Are there differences in the data held by non-banks and banks that would require adapting the rules and standards that apply to banks so that those rules and standards would apply to non-bank lenders? If so, why?
•	Are there products offered by non-bank lenders that aren’t covered by the existing rules and standards applying to banking data in the CDR? Are there CDR rules and standards that apply to banking data that warrant exclusion for non-bank lenders?
•	Are there any government-held datasets that would be complementary to privately-held datasets and could support possible use cases in non-bank lending?
•	What is the level of standardisation across products within business finance? Are there key datasets that are common across different types of business finance products that could be usefully compared? What are the key attributes of a product that would be useful for comparison services?
Privacy considerations and intellectual property
•	Are there privacy concerns specific to non-bank lending that should be taken into account when considering the designation of the sector?
•	Do you consider the existing privacy risk mitigation requirements contained in the banking rules and standards are appropriate to manage the privacy impacts of sharing non-bank lending data?
•	Are there other examples of materially enhanced information specific to the non-bank lending industry?
Regulatory burden and cost considerations 
•	Feedback is sought on the potential costs or regulatory burden implications across the spectrum of potential data holders and scope of product types and datasets that could be captured. 
•	What datasets would cost more for a data holder to share securely, and why?
•	Which entities, defined either by size or product offering, would be less suitable for CDR data holder obligations from a cost or technological sophistication point of view, and why?
•	What would be the likely cost of implementation and ongoing compliance with CDR data sharing obligations for your entity? Please provide detail where possible.
•	What barriers to product data sharing exist for your entity or product offering? Please provide information on the types of systems you use and whether there is the potential to limit access to information, such as where data storage obligations are outsourced to third-parties.
•	Does your business have consumers that are unable to access their account and transaction information online and, if so, what proportion of your customers are ‘offline’?


3.         Examples of rules considerations

A range of issues relating to the implementation of the CDR in non-bank lending are appropriately addressed (and consulted on further) at the rule-making stage. This is consistent with the role of the designation instrument and CDR rules in the CDR regulatory framework, and approaches applied to considering similar issues in the banking, energy and telecommunications sectors.

While further public consultation will occur at the rule-making stage (which is expected to occur concurrently with development of data standards) to inform implementation design and obligations in the rules, to the extent feedback is provided on these issues as part of the sectoral assessment consultation, it will be considered in developing rules should the sector be designated.

3.1.            Eligible customers

Non-bank lenders service a broad range of customers, from individuals (or sole traders) to small to medium sized enterprises and large corporations. Data sharing obligations relating to these different customer types may be of varying utility depending on the nature of the relationship between these customers and service providers. For example, particularly large and complex businesses may acquire services in light of extensive negotiation, and may be unlikely to require the services of CDR accredited apps which are marketed to individuals or small to medium businesses. The CDR rule making stage offers an opportunity for stakeholders to comment on which types of customers should be covered by the CDR in a particular sector.

The CDR rules include the economy-wide concept of an ‘eligible’ CDR consumer, being a consumer eligible to initiate data sharing requests. The generic eligibility requirements include that a consumer is over 18 (if they are an individual) and has an open account with the relevant data holder. Sector-specific eligibility requirements are possible in addition to the economy-wide definition. For example, in the banking sector, consumers are required to have an online account to be eligible.

Relatedly, the rules deal with how data sharing requests can be initiated in the context of business partnerships, joint accounts, and companies.

3.2.            Phasing of data sharing obligations

The rules specify when mandatory data sharing obligations commence for data holders. Based on existing precedents in banking and energy, which may also be considered in telecommunications, commencement of obligations may apply in phases by reference to different data holders, different datasets or by reference to particular functionality. For example, in the banking sector, the four major banks were required to commence sharing data earlier than other authorised banks, and commencement dates for sharing datasets have been phased. This is a mechanism that enables sector participants to manage implementation and technical build programs, resources, and delivery risks.

Glossary

 

ACCC: Australian Competition and Consumer Commission

ACL: An Australian Credit Licence is required of finance companies covered by the National Consumer Credit Protection Act 2009

Act: Competition and Consumer Act 2010 (Cth)

ADI: Authorised deposit-taking institution, commonly referred to as a bank

ADR: An accredited data recipient is a person accredited by the ACCC to receive CDR data with a consumer’s consent

API: An application programming interface is software designed to help other software interact with an underlying system

ASIC: The Australian Securities and Investments Commission

CDR: The Consumer Data Right is a right for Australian consumers – individuals and businesses – to access data held about them, and the regime that facilitates such access

CDR consumer: The term ‘CDR consumer’ is defined at section 56AI(3) of the Act and includes natural persons and businesses. An eligible CDR consumer can give consent to an accredited person to collect their CDR data from a data holder

CDR rules (rules): Competition and Consumer (Consumer Data Right) Rules 2020

Consent: Communication to an accredited person of the datasets and actions that the consumer is allowing them to access or perform, and the purposes for which the consumer agrees to their data being used and actions being initiated on their behalf

Credit Act: National Consumer Credit Protection Act 2009 (Cth)

Data holder: A party that holds and must share data upon a consumer’s request

Data / Datasets: Data is information translated into a form for efficient storage, transport or processing, and is increasingly synonymous with digital information. It includes product data (data related to the product/service advertised for example: descriptions, prices, terms, and conditions) and consumer data (data related to the consumer of the product/service for example: consumer contact details, or information relevant to their eligibility for a service)

Data sharing: The transfer of product and consumer data, usually referring to sharing under the CDR framework with consent

Designation: Designation refers to the inclusion of a dataset or data holder in a designation instrument, as defined below

Designation instrument: A legislative instrument made by the Minister under section 56AC of the Competition and Consumer Act 2010 (Cth)

Materially enhanced: The concept of materially enhanced information refers to data that is the result of the application of insight, analysis or transformation to significantly enhance its usability and value in comparison to its source material

OAIC: Office of the Australian Information Commissioner

Open Banking: As the first designated sector, Open Banking was launched in July 2020 and gives consumers the ability to share banking data with third parties that have been accredited by the ACCC through APIs

Open finance: A CDR sector including general insurance, superannuation, merchant acquiring and non-bank lending service providers

Standard/s: The technical data standards made by the Data Standards Chair for the purpose of the Consumer Data Right

 

 

 



[1] Note that the Designation does not have this effect independently of the sector-specific amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 that will be made following the designation of the non-bank lending sector.

[2] For example, the non-bank lending sector includes buy now, pay later products and payday lending (or small amount credit contracts). In July 2022, the Government announced its intention to strengthen consumer protection safeguards for pay day lending and consider the overall regulation of buy now, pay later products.

[3] S56AE(1) of the Act

[4] S56AE(1)(c) of the Act.

[5] S56AD(3)

[7] The Treasury, CDR Sectoral Assessment for the Open Finance sector – Non-Bank Lending, 15 March 2022 – 15 April 2022.

[8] Customer Owned Banking Association submission (COBA), p.1.

[9] ACCC submission, p.4.

[10] Some comparator websites do not hold a credit license as they are not currently engaging in a credit activity, however it may be that they would need a credit license if they used CDR data to assist an individual consumer with a particular product.

[11] COBA, p.1; ACCC submission, p.8.

[12] CitoPlus submission, p.1; Australian Retail Credit Association (ARCA) submission, p.3; Australian Finance Industry Association (AFIA) submission, p.5; ACCC submission, p.7

[13] Cuscal submission, p.2.

[14] ACCC submission, p.7.

[15] TrueLayer submission, p.3.

[16] Joint submission by the Financial Rights Legal Centre (FRLC), Financial Counselling Australia (FCA) and Consumer Action Law Centre (CALC), p.1.

[17] FinTech Australia submission, p.5.

[18] MFAA submission, p.3.

[19] FDATA submission, p.14.

[20] Brighte submission, p.3.

[21] Block submission, p.4.

[22] Australian Competition and Consumer Commission submission, p.10.

[23] Block submission, p.7.

[24] AFIA submission, p.5.

[25] Recent amendments to the CDR rules provide new pathways for industry participation in the CDR by allowing CDR participants that are accredited to sponsor other parties to become accredited or allow them to operate as their representative. Consumers are also able to share their data with certain trusted professional advisers (such as their accountant or tax agent) and to disclose limited data insights outside the CDR for a specific purpose if they choose (such as to verify their bank account balance).

[26] PwC submission, p.3.

[27] Block submission, p.7.

[28] TrueLayer submission, p.3.

[30] Brighte submission, p.3.

[31] AFA submission, p.2.

[32] AFA submission, p.2.

[33] Block submission, p.7.

[34] Reserve Bank of Australia (RBA), Financial Stability Review – April 2019 Box D: Non-bank Lending for Property, April 2019, p. 51.

[35] TrueLayer submission, p.3.

[36] ACCC submission, p.5.

[37] COBA submission, p.1; ACCC submission, p.7.

[38] AFA submission, p.4; Joint submission by CPA Australia, Chartered Accountants Australia and New Zealand, and the Institute of Public Accountants submission, p.2.

[39] TrueLayer submission, p.3.

[40] Block submission, p.7.

[41] ACCC submission, p.5.

[42] A Sridharan, ‘Basiq announces five new customers to access Open Banking’, FinTech Australia, 2 May 2022

[43] ABA submission, p 1.

[44] ABA submission, p 1.

[45] AFIA submission, p.5.

[46] Joint submission by FRLC, FCA, and CALC, p.6; ACCC submission, p.4; OAIC submission, p.6.

[47] ACCC submission, p.4.

[48] Joint submission by FRLC, FCA, and CALC, p.6; ACCC submission, p.6.

[49] AFIA submission, p.5.

[50] Joint submission by FRLC, FCA, and CALC, p.5; OAIC submission, p.6.

[51] Refer to Attachment A - Privacy Impact Assessment for more information on the interaction between the CCR and CDR.

[52] Joint submission by FRLC, FCA, and CALC, p.5; OAIC submission, p.6.

[53] ACCC submission, p.5.

[54] In July 2022, the Government announced its intention to strengthen consumer protection safeguards for payday lending and consider the overall regulation of buy now, pay later products.

[55] Design and distribution obligations require firms to design financial products to meet the needs of consumers and to distribute their products in a more targeted manner.

[56] The product intervention power is a regulatory tool available to ASIC to improve consumer outcomes. It allows ASIC to temporarily intervene in a range of ways, including to ban financial products and credit products when there is a risk of significant consumer detriment.

[57] CitoPlus submission, p.2.

[58] Product data is subject to limitations set out in section 56BF of the Act and is data for which there are no CDR consumers.

[59] As per the definition of a registrable corporation in section 7 of the Collection of Data Act.

[60] The Credit Act requires most lenders to provide consumers with a ‘Key Facts Sheet’ on certain products when requested, including information about loan terms, rates and ongoing costs.

[61] For example, ARCA, ABA, TrueLayer, Commonwealth Bank of Australia.

[62] As per s10 of the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019.

[63] As per s9 of the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019.

[64] Section 56AI of the Act.

[65] Section 10 of the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019

[66] Explanatory statement, Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019.

[67] The examples provided were: the outcome of an income, expense or asset verification assessment; or a categorisation of transactions as being related to groceries or rent; or significantly improved descriptions of transactions utilising geolocation or business name data from external sources.

[68] ACCC submission, p.8.

[69] The definition of credit facility, as defined in Regulation 2B to the Corporations Act, is generally accepted to be broad and open-ended, including the provision of credit for any period and a facility for making non-cash payments.

[70] The Collection of Data Act definition covers those entities that are engaged in the provision of finance in the course of carrying on business in Australia.

[71] For example, COBA and ACCC.

[72] For example, AFIA and Brighte.

[73] An entity must fall within the scope of the definition of data holder in a designation instrument of the CDR to share data within the CDR.

[74] Entities that use securitisation models to fund their loans may also accumulate balances in special purpose funding entities, these balances will also need to be captured in any de minimis calculation.

[75] Australian Securitisation Forum submission, p.3.

[76] TrueLayer submission, p.6; AFIA submission, p.8; Brighte submission, p.6.

[77] TrueLayer submission, p.6.

[78] ACCC submission, p.7.

[79] Joint submission by FRLC, FCA, and CALC, p.5; ACCC submission, p.4-5.

[80] This is consistent with the Government’s Regulatory Impact Statement (RIS) framework as set out by the Office of Best Practice Regulation. A RIS (or equivalent) is required for any decision by the Government that is likely to have a more than minor impact. A report can be certified as ‘RIS-like’ if it contains analysis that is equivalent to a RIS.

[81] Outsourced service providers help entities, such as data holders and ADRs, to meet their CDR needs by providing specialised capacity or expertise in areas

[82] Ongoing estimates are made using OBPR’s present value method, using the standard discount rate of 7 per cent.

[83] AFIA submission, p. 2.

[84] ABA submission, p 2.

[85] AFIA submission, p. 2.

[86] AFIA submission, p.2.

[87] Section 56EQ of the Act.

[88] ACCC submission, p.4; OAIC submission, p.3. As noted in the report, the non-banking sector serves different demographics, functions and purposes than the ADI banking sector. Specifically, in the non-bank lending sector, a range of lenders specialise in providing loans for “non-conforming borrowers”, such as those who may be self-employed, have a poor credit history or are experiencing financial hardship.

[89] ACCC, p.5; Joint submission by FRLC, FCA, and CALC, p.2; PWC submission, p.6.

[90] OAIC submission, p.8-9.

[91] OAIC submission, p.9.

[92] OAIC submission, p.3.

[94] ACCC submission, p.5.

[95] While the CDR does not prevent screen scraping occurring, it is anticipated that as the CDR develops, entities will phase out screen scraping in favour of the CDR.

[96] Buy now, pay later products are not regulated by the Credit Act. However, BNPL is subject to the Government’s design and distribution obligations, which are intended to help consumers obtain appropriate financial products, and the majority of the BNPL market is subject to AFIA’s BNPL Code of Practice, which sets best practice standards for the sector and strengthens consumer protections.

[97] https://ministers.treasury.gov.au/ministers/stephen-jones-2022/speeches/address-responsible-lending-and-borrowing-summit-sydney

[98] Australian Retail Credit Association submission, p.5; Australian Securitisation Forum submission, p.5.

[99] For example, under the Income Tax Assessment Act 1936 (Cth) or to enable individuals to receive a statutory entitlement or government benefit.

[100] OAIC submission, p.9.

[101] However, to ensure it is sufficiently broad to cover the range of non-bank lenders that provide credit products intended to be captured by CDR, the $50 million entity size limb will be removed.

[102] OAIC submission, p.6.

[103] As they may fall within the small business exemption (which generally applies where an entity’s annual turnover is less than $3 million).

[104] OAIC submission, p.6.

[105] ACCC, p.5; Joint submission by FRLC, FCA, and CALC, p.6.

[106] Joint submission by FRLC, FCA, and CALC, p.6-7.

[107] See Explanatory Memorandum to National Consumer Credit Protection (Mandatory Comprehensive Credit Reporting and Other Related Measures) Amendment Bill 2019 which states “The Government intends that financial hardship information prompts a credit provider to make further enquiries in order to make a holistic assessment of a consumer’s financial situation”.

[108] Australian Information Security Association submission made to telecommunication sectoral assessment consultation, p.2.

[109] OAIC submission made to the telecommunication sectoral assessment consultation, p. 5.

[110] OAIC submission made to the telecommunication sectoral assessment consultation, p.5.

[111] Australian Government. Australia’s Digital Economy. 2021. Accessed June 2021 at: https://digitaleconomy.pmc.gov.au/strategy/executive-summary

[112] Reserve Bank of Australia, RBA Statistical table: B10 Finance Companies and General Financiers, RBA, n.d., accessed February 2022.

[113] RBA, How Australians Pay, accessed February 2022.

[114] These transactions also incur fees for the merchant. These merchant acquiring services are also subject to a CDR sectoral assessment.

[115] ACCC (Australian Competition and Consumer Commission), Home loan price inquiry - final report, ACCC, 2020, accessed February 2022, p 18.

[116] The Treasury, Review into Open Banking in Australia; Final Report, Treasury, 2017, accessed February 2022, p 6.

[119] The Treasury, Review into Open Banking in Australia; Final Report, Treasury, December 2017, accessed February 2022, p 8.

[120] White label products are typically created and operated by one entity (a white labeller), then branded and retailed to consumers by another entity (a brand owner). A consumer’s contract is typically with the white labeller and the white labeller is typically responsible for complying with all financial services regulatory obligations, and for operational delivery of the product to the consumer. Under existing banking rules, the bank (white labeller) has the CDR obligations as the entity that holds the contractual relationship with the customer.

[121] As of 15 February 2021. Source: ASIC.

[122] Not all finance companies are required to be ACL holders; for example, business lenders are not covered by the National Consumer Credit Protection Act 2009 and therefore do not need to hold an ACL.

[123] In general, the Collection of Data Act applies to any corporation which engages in the provision of finance in the course of carrying on business in Australia. Corporations which are not registrable corporations include corporations whose assets in Australia do not exceed $50,000,000 in aggregate value.

 

[124] Such as software providers, IT contractors, compliance specialists and advisers and intermediaries.