A Recipe to Optimize the Technology and Costs of Complying With Your CDR Deadlines
- Anisha Yasaratne
- Associate Director & Head of BFSI Practice - WSO2
Image credits: Mike from Pexels
Which CDR Deadlines Apply to Non-Big Four Banks?
The deadlines for banks to comply with the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) published by the Australian Competition and Consumer Commission (ACCC) have been spread out over a timetable of six stages. Under these rules, banks are required to share information on (a) specified products and (b) specified types of information they possess on their consumers upon receiving requests to do so. A progressively wider range of banks and products are to come under these data sharing obligations over a two-year period leading up to February 1, 2022.
The deadlines that would apply to you depends on the following:
- Type of bank (whether your bank is a Big Four bank or not),
- Type of the request made (categorized in the rules as product data requests made by any person, consumer data requests made by consumers themselves, and consumer data requests made on behalf of consumers by third parties authorized to do so), and
- Type of the product that data is being requested on (categorized under the 3 product “phases”.)
The proposed phasing timetable applicable to non-Big Four banks is currently under consultation, with a revised version to be published in early 2020. However, It’s important to note that even with the latest proposed changes the following has remained unchanged for non-Big Four banks:
- You will be required to start sharing product data requests starting 1 July 2020.
- You will be required to reach full compliance with CDR data sharing obligations (covering all product, request and data types) by 1 February 2022.
What Technology Do You Need to Implement With Each Stage?
As you may have guessed, with your data sharing obligations becoming effective only in stages, the technology required to comply with those obligations could also be implemented in stages. This means the administrative effort and costs associated with compliance with the CDR rules and the open banking technical specifications can be phased in as well.
The key impact on the technology required to comply with the different stages is in the type of CDR data required to be shared - meaning, whether it is either product data or consumer data. For example, under the CDR Rules and the Consumer Data Standards published by Data61, the technology for sharing product data doesn’t require the higher degree of security required with the technology for sharing consumer data (e.g., FAPI R/W compliance through OAuth2 and OIDC for accredited third party disclosure, consent management). Flowing from this, the CDR Rules have identified two distinct “service” types banks are required to implement under the CDR - the Product Data Request Service and the Consumer Data Request Service. In the implementation, the technology required for the Product Data Request Service forms a base on which further technology required for the Customer Data Request Service may be added.
These two distinct service types translate into two distinct technology phases, with non-Big Four banks like you first providing the Product Data Request Service by July 1, 2020, and only subsequently, the Consumer Data Request Service from July 1, 2021 (as of the proposed timeline.) It’s important to note that if you have opted to become an accredited ADI or a voluntarily participating ADI under the CDR Rules, you are required to provide the Consumer Data Request Service from February 1, 2021.
This is why the purpose-built WSO2 Open Banking solution for Australia can be deployed either:
- In one full-stack deployment, or
- In a phased deployment matching the specific technology requirements of the Product Data Request Service phase and the Consumer Data Request Service phase.
| Full-stack deployment | Phased deployment | |
| What you get | Delivers early compliance and the ability to exploit the full potential of the broadest set of open banking use cases from day one. Here, either as an accredited ADI or by opting into the voluntarily participating ADI scheme under the CDR, you could begin to share consumer data by February 1, 2021. In terms of exploring the business use cases of open APIs for consumer data, this would provide you with a 5-month head start on your non-Big Four competition who opt to adhere to the mandated July 1, 2021 deadline. | Allows banks to spread out the implementation based on the specific technology components required to meet their incremental obligations under the two distinct technology stages of the CDR. |
| Fit | Suits banks choosing to explore the business opportunities opened up by the CDR head-on with the requisite budget, organizational buy-in, and digitization strategy. | Suits banks adopting an open banking strategy focused on compliance first, with room to explore the full benefits of the open data ecosystem as the market develops. |
| Resource allocation benefits | Reduces the overall time spent on the implementation by your team, owing to efficiencies in grouping the tasks under a single project. | Allows you to spread out the effort and cost over a longer time period. This allows you to fine tune your overall open banking architecture and digital banking architecture with each implementation to better match your evolving market and business needs. |
| Concerns | Requires full resource commitment upfront and may reduce your ability to respond to changing market and business dynamics as the CDR develops. | Could add to your resource commitment in the long run as deployment is broken into a series of non-consecutive sprints. |
How Much Would Each Deployment Type and Each Technology Phase Cost?
The technical breakdown and costs associated with each approach are set out in this table to help you choose an approach suiting your budget and business goals. We hope this gives you a clearer picture of how to comply with your CDR obligations without breaking the bank.
Get in touch with us to learn how you can comply on your terms.