The bodies responsible for compliance and enforcement of the new Consumer Data Right have put the industry on notice that they will target organisations that frustrate the process of disclosure, operate without valid consents, make improper disclosures or have inadequate security controls.
The ACCC and the Office of the Australian Information Commissioner have jointly released their compliance and enforcement policy for CDR, which clarifies the regulatory obligations of participants.
They will work with participants to implement compliance strategies and will use administrative means and formal enforcement action to ensure compliance.
CDR is designed to give people greater choice over how their personal data is used and disclosed. It allows consumers to access particular data and transfer it to an accredited person.
Open banking is the first step, with CDR to be progressively expanded to cover other industries. The major banks have been sharing open banking product reference data (information about a bank’s rates, fees and product features) since July last year.
Smaller financial institutions will join the system in October.
The ACCC and OAIC said their aim is to build consumer confidence in the security and integrity of the system. The two organisations will work together on monitoring and enforcement.
The bodies describe their approach to compliance as a “strategic risk-based approach”, which means they will focus resources on matters that have the potential to cause significant or widespread harm.
They will also take into account the level of co-operation the participant has demonstrated during compliance processes.
Monitoring tools include stakeholder intelligence and complaints, mandatory reporting, audits and information requests.
They will target data holders that repeatedly refuse to disclose consumer data, or frustrate the process of disclosure, by intentionally circumventing the system’s rules or data standards.
They will also target improper disclosure, such as “intentional misuse or improper disclosure of CDR consumer data by an accredited data recipient, which is inconsistent with the consent provided by a CDR consumer, particularly where consent has been withdrawn.
“This would include conduct that deliberately seeks to circumvent the ‘data minimisation’ principle.”
They will be on the lookout for misleading or deceptive conduct, including “a person creating or fostering the perception that they are an accredited data recipient, when they are not”.