Regulatory Comparison
Updated 31 January 2026
Australia's Consumer Data Right (CDR) and the United States' Section 1033 (CFPB final rule) represent two distinct approaches to consumer financial data access. While both enable consumers to share their data with third parties, they differ significantly in regulatory philosophy, technical prescriptiveness, and implementation approach. This comparison examines both frameworks to help organisations understand compliance requirements in each jurisdiction.
Australia's comprehensive consumer data portability framework established under the Competition and Consumer Act 2010.
US consumer financial data access rights under the Dodd-Frank Act, finalized by CFPB in October 2024.
Accreditation: CDR requires ACCC accreditation; Section 1033 has no federal licensing
Technical Standards: CDR mandates CDS/FAPI 2.0; Section 1033 is market-driven
Scope: CDR economy-wide; Section 1033 financial services only
Prescriptiveness: CDR highly prescriptive; Section 1033 principles-based
Governance: CDR government-led; Section 1033 market-driven with CFPB oversight
Consent Duration: CDR 12-month max; Section 1033 no specified limit
Screen Scraping: Section 1033 explicitly phases out; CDR doesn't address
Implementation Status: CDR operational since 2020; Section 1033 phasing 2026-2029
| Criterion | CDR | Section 1033 | Summary |
|---|---|---|---|
| Legal Foundation | Competition and Consumer Act 2010, CDR Rules made by regulation | Dodd-Frank Wall Street Reform Act Section 1033, CFPB implementing regulations | Both are federal laws but implemented through different regulatory mechanisms. |
| Sectoral Scope | Economy-wide: Banking, Energy, Telecommunications (planned) | Consumer financial products and services only | CDR broader in scope; Section 1033 limited to financial services. |
| Implementation Timeline | Banking: July 2020, Energy: November 2022 | Phased: April 2026 (largest banks), April 2029 (all covered institutions) | CDR already operational; Section 1033 phasing in over 3 years. |
| Covered Institutions | Designated data holders (major banks, energy retailers) | All depository institutions, credit card issuers, other consumer financial product providers | Section 1033 has broader institutional coverage within finance sector. |
| Third-Party Accreditation | Mandatory ACCC accreditation (three tiers) | No federal licensing requirement for authorized third parties | Major difference: CDR requires accreditation; Section 1033 does not. |
| Technical Standards | Consumer Data Standards (CDS) mandated by Data Standards Body. FAPI 2.0 required. | No mandated technical standard. Market-driven API development. | CDR prescriptive; Section 1033 principles-based on technical implementation. |
| Data Coverage | Accounts, transactions, balances, direct debits, payees, products (banking). Usage, billing (energy). | Transaction data, account terms, upcoming payments, basic account information. | Similar core data coverage for financial accounts. |
| Screen Scraping | Not addressed directly; CDR APIs replace need for screen scraping | Explicit phase-out period once APIs available. Screen scraping allowed during transition. | Section 1033 directly addresses screen scraping transition; CDR doesn't. |
| Consent Management | Explicit consent required, 12-month maximum, granular data cluster consent | Explicit consent required, no maximum duration specified, purpose-limited | CDR has time limits on consent; Section 1033 allows ongoing consent. |
| Consumer Revocation | Consumers can revoke at any time through data holder or recipient dashboards | Consumers can revoke at any time; must take effect promptly | Both provide strong revocation rights with similar requirements. |
| Payment Initiation | Not currently implemented (planned for future) | Not included in Section 1033 scope | Neither currently includes payment initiation capabilities. |
| Data Format Requirements | Specific JSON schemas defined in Consumer Data Standards | Must be machine-readable and enable portability; no specific format mandated | CDR prescribes exact formats; Section 1033 allows flexibility. |
| Performance Standards | Uptime, response time, and availability standards defined in CDR Rules | APIs must meet performance standards but specific metrics not prescribed | CDR has quantitative performance requirements; Section 1033 more general. |
| Fees to Consumers | Prohibited - data access must be free to consumers | Prohibited - covered institutions cannot charge consumers or authorized third parties | Both prohibit charging consumers for data access. |
| Governance Model | Government-led: ACCC, OAIC, Treasury, Data Standards Body | CFPB oversight and enforcement; market-driven standards development | CDR centralized government control; Section 1033 more market-driven. |
Both establish consumer rights to access their own financial data
Both enable consumer-authorized third-party data sharing
Both use OAuth 2.0 for authorization
Both require explicit, informed consumer consent
Both provide consumer revocation rights
Both prohibit fees for data access
Both require secure API access
Both aim to increase competition and innovation
CDR and Section 1033 reflect fundamentally different regulatory philosophies. CDR represents a comprehensive, government-led approach with prescriptive technical standards, mandatory accreditation, and economy-wide ambitions. Section 1033 takes a more market-driven, principles-based approach without licensing requirements, relying on market forces to develop technical standards. CDR provides more regulatory certainty but higher barriers to entry. Section 1033 offers more flexibility but potentially less standardization. Organisations operating in both jurisdictions must implement different compliance approaches for each framework.
CDR accreditation does not apply in the United States. However, Section 1033 does not require third-party licensing, so companies can access consumer data in the US without formal accreditation (subject to other US financial regulations).
Section 1033 generally has lower barriers to entry because it doesn't require third-party licensing and allows market-driven technical approaches. CDR's prescriptive standards and accreditation requirements create higher initial costs but provide clearer technical guidance.
While both use OAuth 2.0, CDR's Consumer Data Standards and FAPI 2.0 requirements are specific to Australia. US institutions may use different technical approaches under Section 1033's flexibility. Separate implementations are typically required.
Different regulatory philosophies. Australia chose mandatory accreditation to ensure consumer protection and data security. The US opted for a lighter-touch approach, relying on existing financial regulations, competition, and CFPB oversight rather than creating new licensing.
Both provide strong protections through different mechanisms. CDR uses accreditation and strict liability for breaches. Section 1033 relies on CFPB enforcement, existing financial regulations (GLBA, etc.), and consumer rights under Dodd-Frank. Neither is objectively "stronger."
Unknown. The CFPB explicitly chose not to require licensing in the final rule, favoring market-driven approaches. Future rulemakings could change this, but the current framework intentionally avoids accreditation requirements.
Yes, for core financial data. Both provide access to transaction history, account information, balances, and product details. CDR additionally covers energy data (not in Section 1033 scope). The data types for banking are broadly similar.
© Fiskil 2026. All rights reserved.