Regulatory Comparison
Updated 30 January 2026
Australia's Consumer Data Right (CDR) and the UK's Open Banking framework are two of the world's most advanced open banking implementations. While both enable consumers to share their financial data with third parties, they differ significantly in scope, governance, technical implementation, and regulatory approach. This comparison examines both frameworks across key dimensions.
Australia's economy-wide data portability framework, launched for banking in 2020 and energy in 2022.
The UK's banking-specific open data framework, launched in 2018 by the Competition and Markets Authority.
Scope: CDR is economy-wide (banking, energy, future sectors) while UK OB is banking-only
Accreditation: CDR requires rigorous ACCC accreditation; UK OB has lighter enrollment
Governance: CDR is government-led; UK OB is industry-led through OBIE
Security: CDR mandates newer FAPI 2.0; UK OB uses FAPI 1.0 Advanced
Payment Initiation: UK OB includes PISPs; CDR is read-only (write access planned)
Consent Duration: CDR allows 12-month consent; UK OB uses 90-day rolling consent
Launch Timeline: UK OB launched 2018; CDR banking 2020, energy 2022
| Criterion | CDR | UK OB |
|---|---|---|
| Launch Date | July 2020 (Banking), November 2022 (Energy) | January 2018 |
| → UK Open Banking launched earlier but CDR has broader sector scope. | | |
| Sectoral Scope | Economy-wide framework: Banking, Energy, Telecommunications (planned) | Banking sector only |
| → CDR is designed as an economy-wide right, while UK OB is banking-specific. | | |
| Mandatory Participation | Major banks and energy retailers designated by regulation | Nine largest UK banks (CMA9) mandated |
| → Both require large institutions to participate; smaller institutions can opt in. | | |
| Accreditation Requirements | Three tiers: Unrestricted, Restricted, Trusted Adviser. ACCC accreditation required. | OBIE enrollment. Lighter-touch compared to CDR. |
| → CDR accreditation is more rigorous with higher compliance requirements. | | |
| Technical Standards | Consumer Data Standards (CDS) mandated. FAPI 2.0 security profile required. | Open Banking UK Standards. FAPI 1.0 Advanced profile. |
| → CDR uses newer FAPI 2.0 providing enhanced security. Both use OAuth 2.0. | | |
| Data Included | Account data, transactions, direct debits, payees, product info (banking). Usage data, billing, metering (energy). | Account data, transactions, direct debits, standing orders, product info. |
| → Similar banking data coverage. CDR extends to energy data. | | |
| Consent Duration | Maximum 12 months, renewable | Maximum 90 days ongoing consent (renewable indefinitely) |
| → CDR allows longer initial consent periods. | | |
| Write Access | Payment initiation not yet implemented (planned) | Payment Initiation Service Providers (PISPs) supported |
| → UK OB includes payment initiation; CDR currently read-only. | | |
| Governance | Government-led: ACCC, OAIC, Data Standards Body, Treasury | Industry-led: Open Banking Implementation Entity (OBIE) |
| → CDR is government-controlled while UK OB has industry governance. | | |
| Authentication | OAuth 2.0 with PKCE, FAPI 2.0, mTLS required | OAuth 2.0, FAPI 1.0 Advanced, mTLS required |
| → Both use strong authentication; CDR implements newer FAPI version. | | |
| Data Holder Obligations | Must provide APIs, manage consents, provide dashboards, report to ACCC | Must provide APIs to CMA9 standards, manage consents |
| → CDR has more extensive reporting and governance requirements. | | |
| Consumer Protections | Privacy Act 1988, CDR Rules, strict liability for data breaches | GDPR, Data Protection Act 2018, liability through regulation |
| → Both have strong consumer protections; CDR includes specific breach liability. | | |
Both use OAuth 2.0 with FAPI security profiles for authentication
Both require mutual TLS (mTLS) for API security
Both mandate participation for large institutions
Both provide consumer consent dashboards and revocation rights
Both include account data, transactions, direct debits, and product information
Both have strong consumer protection and privacy frameworks
Both enable third-party innovation through standardized APIs
Australia's CDR and UK Open Banking represent two successful but distinct approaches to open banking. UK Open Banking launched earlier and includes payment initiation, making it more mature for transactional use cases. CDR takes a broader economy-wide approach with more rigorous accreditation and newer security standards (FAPI 2.0), positioning it for long-term expansion beyond banking. Organisations operating in both jurisdictions must understand these differences to ensure compliance and optimise their implementations.
Both frameworks are highly secure. CDR implements the newer FAPI 2.0 security profile providing enhanced protection against token theft and other attacks, while UK Open Banking uses FAPI 1.0 Advanced. Both require mutual TLS, OAuth 2.0, and strong consent management. Security differences are incremental rather than fundamental.
No, UK Open Banking accreditation does not transfer to CDR. Companies must obtain separate ACCC accreditation to operate in Australia, as the requirements, standards, and governance frameworks are different.
Not currently. CDR is read-only for banking data. Payment initiation (write access) is planned for future implementation but not yet available. UK Open Banking has supported Payment Initiation Service Providers (PISPs) since 2018.
UK Open Banking generally has lower barriers to entry with lighter accreditation requirements and more mature tooling/infrastructure. CDR's rigorous accreditation and newer technical standards create higher initial implementation costs but provide stronger long-term benefits.
Yes, for banking data. Both frameworks provide access to similar banking information (accounts, transactions, direct debits, products). CDR additionally covers energy data (electricity and gas usage, billing) which UK Open Banking does not include.
CDR allows consent for up to 12 months (renewable), while UK Open Banking uses 90-day ongoing consent that automatically renews unless revoked. CDR's approach requires explicit re-consent annually, while UK OB consent continues indefinitely with proper notifications.
Countries are adopting elements from both. Singapore and New Zealand have drawn inspiration from Australia's economy-wide CDR approach. Brazil and India have studied both models. The trend favors broader scope (like CDR) with sector-specific implementation timelines.