Regulatory Comparison
Updated 28 January 2026
Australia's Consumer Data Right (CDR) and Europe's Payment Services Directive 2 (PSD2) represent two different regulatory approaches to open banking. PSD2, implemented across the European Union, focuses on payment services and competition in financial services. CDR, Australia's economy-wide framework, takes a broader data portability approach. This comparison examines both frameworks across regulatory, technical, and implementation dimensions.
Consumer Data Right (CDR): Australia's economy-wide consumer data portability framework, implemented through the Competition and Consumer Act 2010.
Payment Services Directive 2 (PSD2): European Union directive regulating payment services and opening bank APIs, implemented across EU member states from 2018.
- Scope: CDR is economy-wide data portability; PSD2 is payment services focused
- Technical Standards: CDR mandates CDS and FAPI 2.0; PSD2 is market-driven
- Geography: CDR covers Australia; PSD2 covers 27 EU countries
- Payment Initiation: PSD2 includes PISPs; CDR is read-only (planned future)
- Governance: CDR centralized in Australia; PSD2 distributed across EU
- Objectives: CDR about consumer data rights; PSD2 about payment competition
- Licensing: CDR uses accreditation; PSD2 uses payment institution licensing
- Implementation: CDR prescriptive standards; PSD2 principles-based
| Criterion | CDR | PSD2 | Key difference |
|---|---|---|---|
| Legal Framework | Australian federal law, Competition and Consumer Act 2010 | EU directive transposed into member state laws | CDR is a single Australian law; PSD2 is implemented differently across 27 EU countries. |
| Geographic Scope | Australia only | All 27 EU member states plus EEA countries (Iceland, Liechtenstein, Norway) | PSD2 covers a much larger geographic area with ~450 million consumers. |
| Sectoral Scope | Economy-wide: Banking, Energy, Telecommunications (future) | Payment services only (banking and payment institutions) | CDR has broader sector scope; PSD2 is limited to payment services. |
| Implementation Date | July 2020 (Banking), November 2022 (Energy) | January 2018 (directive effective); September 2019 (APIs mandatory) | PSD2 launched earlier, but CDR has broader scope. |
| Primary Objective | Consumer data portability and empowerment across the economy | Payment services competition and consumer protection | Different foundational goals: data rights vs payment competition. |
| Licensing Requirements | ACCC accreditation (three tiers: Unrestricted, Restricted, Trusted Adviser) | Payment Institution or Electronic Money Institution licence; TPP registration | PSD2 uses payment licensing; CDR uses specific data accreditation. |
| Read Access (AIS) | Account data, transactions, balances, direct debits, payees, products | Account information via Account Information Service Providers (AISPs) | Similar read access capabilities; both provide account data. |
| Write Access (PIS) | Not yet implemented (planned for future) | Payment initiation via Payment Initiation Service Providers (PISPs) | PSD2 includes payment initiation; CDR is currently read-only. |
| Technical Standards | Consumer Data Standards (CDS) mandated by the DSB; FAPI 2.0 security | No mandated technical standard; NextGenPSD2 framework recommended; Strong Customer Authentication (SCA) required | CDR has mandatory standards; PSD2 allows market-driven technical approaches. |
| Authentication | OAuth 2.0 with FAPI 2.0, mutual TLS mandatory | OAuth 2.0 recommended; Redirect, Decoupled, or Embedded SCA approaches | CDR prescribes specific security; PSD2 allows multiple authentication approaches. |
| Consent Management | Explicit consent required, maximum 12 months, must specify data clusters | Explicit consent required, 90-day access for AIS (renewable indefinitely) | Both require explicit consent; different duration approaches. |
| Mandatory Participation | Designated data holders (major banks and energy retailers) | All payment service providers (banks, payment institutions) in the EU | PSD2 applies to all payment providers; CDR designates specific institutions. |
| Strong Customer Authentication | Part of FAPI 2.0 requirements, prescriptive approach | SCA mandated by the PSD2 RTS, multiple implementation options | Both require strong authentication; PSD2 is more flexible on implementation. |
| Data Holder Obligations | Provide APIs, consent dashboards, security standards, ACCC reporting | Provide APIs, SCA; no blocking of screen scraping allowed (with exceptions) | CDR has more prescriptive obligations; PSD2 focuses on access rights. |
| Governance | Australian government (ACCC, OAIC, Treasury, Data Standards Body) | EU Commission sets the directive; national regulators oversee in each country | Centralized governance in Australia; distributed across EU member states. |
- Both enable consumer-authorized third-party access to financial data
- Both use OAuth 2.0 for authorization and consent
- Both require strong customer authentication
- Both mandate access for consumers to their own data
- Both aim to increase competition and innovation
- Both provide read access to account information
- Both require explicit, informed consumer consent
- Both prohibit charging consumers for data access
CDR and PSD2 represent fundamentally different regulatory philosophies. PSD2 is a payments directive enabling competition through APIs, with flexibility for market-driven technical implementation. CDR is a comprehensive consumer data right with prescriptive standards designed for economy-wide expansion. PSD2's payment initiation capabilities make it more mature for transactional use cases, while CDR's standardized approach and broader scope position it for long-term evolution across sectors. Neither is inherently "better"—they reflect different regulatory cultures and objectives in Australia versus Europe.
No, PSD2 licensing does not transfer to Australia. Companies must obtain separate ACCC accreditation to access CDR data. The licensing frameworks, requirements, and governance are completely separate.
CDR is generally more technically challenging due to prescriptive Consumer Data Standards and FAPI 2.0 requirements. PSD2's market-driven approach allows more flexibility in technical implementation, though SCA requirements add complexity.
No, PSD2 only covers payment services (banking and payment accounts). Energy data is not included. CDR uniquely covers both banking and energy sectors with plans for telecommunications.
Both have strong protections. CDR includes strict liability for data breaches and comprehensive Privacy Act protections. PSD2 provides payment security, consumer rights, and GDPR privacy protections. The frameworks protect consumers differently based on their objectives.
No, CDR requires compliance with Consumer Data Standards published by the Data Standards Body. While both use OAuth 2.0, the specific implementations, data schemas, and security requirements differ significantly.
Most countries are blending elements from both. Many adopt CDR's economy-wide data rights approach but implement sector-by-sector like PSD2. Brazil, India, and Singapore have studied both models extensively.
CDR requires specific consent for defined data clusters with maximum 12-month duration. PSD2 allows 90-day access for AIS that renews indefinitely. CDR consent is more granular and time-limited; PSD2 consent is more continuous.
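As an added illustration (not code from Fiskil or either regulator), the two consent-duration models described in the Consent Management row and in this answer, written as a small policy check a data recipient could run before calling a data holder API. Modelling "12 months" as 365 days, the ISO-date helper and the sample cluster names are assumptions.

```python
"""Consent-duration rules for CDR and PSD2 AIS as this page describes them.
Illustrative code only; 12 months is modelled as 365 days (assumption)."""
from datetime import date, timedelta

CDR_MAX_CONSENT_DAYS = 365      # CDR: consent capped at 12 months (assumed 365 days)
PSD2_AIS_RENEWAL_DAYS = 90      # PSD2: 90-day AIS access window, renewable indefinitely


def _d(s):
    """Parse an ISO-8601 date string (helper assumed for this example)."""
    return date.fromisoformat(s)


def validate_cdr_consent(granted, expires, data_clusters):
    """Check a CDR consent at grant time. Returns a list of problems; empty means valid.
    CDR consent must name the data clusters it covers and last at most 12 months."""
    problems = []
    if not data_clusters:
        problems.append("no data clusters specified")
    g, e = _d(granted), _d(expires)
    if e <= g:
        problems.append("expiry not after grant date")
    elif (e - g).days > CDR_MAX_CONSENT_DAYS:
        problems.append("duration exceeds 12-month maximum")
    return problems


def cdr_access_allowed(granted, expires, data_clusters, today):
    """CDR: data may be collected only while a valid consent is current (expiry exclusive)."""
    if validate_cdr_consent(granted, expires, data_clusters):
        return False
    return _d(granted) <= _d(today) < _d(expires)


def psd2_ais_access_allowed(granted, last_sca, today):
    """PSD2 AIS: access continues only while the customer's most recent SCA is within
    the 90-day window; each renewal (a new SCA date) restarts that window."""
    g, s, t = _d(granted), _d(last_sca), _d(today)
    return g <= s <= t <= s + timedelta(days=PSD2_AIS_RENEWAL_DAYS)


def psd2_renewal_due(last_sca):
    """Last date on which the current 90-day AIS window is still valid."""
    return (_d(last_sca) + timedelta(days=PSD2_AIS_RENEWAL_DAYS)).isoformat()
```

A CDR consent that names no clusters or runs past 12 months is rejected outright, whereas a PSD2 AIS consent never expires on its own and simply stops working until the customer completes SCA again.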
© Fiskil 2026. All rights reserved.