Consumer Data Right (CDR) Compliance Guide

Updated February 1, 2026

The Consumer Data Right (CDR) is Australia's open banking and open data framework, enabling consumers to share their data with accredited third parties. This comprehensive guide covers everything businesses need to know about CDR compliance, accreditation, and implementation.

What is the Consumer Data Right (CDR)?

The Consumer Data Right is an Australian government initiative that gives consumers greater control over their data. Launched in 2020 for banking and expanded to energy in 2022, CDR enables consumers to direct businesses to share their data with accredited third parties. This creates opportunities for innovation, competition, and better consumer outcomes across designated sectors.

CDR Accreditation Requirements

To access CDR data, businesses must obtain accreditation from the Australian Competition and Consumer Commission (ACCC). There are three tiers of accreditation: Unrestricted (full read and write access), Restricted (read-only access), and Trusted Adviser (limited scope for specific use cases). Each tier has different requirements for governance, security, privacy, and technical capabilities.

Unrestricted Accreditation

Unrestricted accreditation allows businesses to collect, use, and disclose CDR data for any purpose permitted under the CDR Rules. Requirements include an information security program, a privacy framework, external dispute resolution membership, insurance coverage, and comprehensive technical capabilities, including conformance with the FAPI 2.0 security standards.

Restricted Accreditation

Restricted accreditation is suitable for businesses that only need read access to CDR data. This tier has lower compliance requirements while still maintaining strong security and privacy standards. Many fintech startups and data analytics companies pursue restricted accreditation initially.

Technical Standards and Security

CDR technical standards are based on the international Financial-grade API (FAPI) 2.0 security profile. Data holders (banks and energy retailers) must provide APIs that comply with the Consumer Data Standards published by the Data Standards Body. Key technical requirements include OAuth 2.0 with PKCE, mutual TLS authentication, JWT-secured authorization, and 128-bit AES encryption for data at rest.

CDR Data Cluster Coverage

Banking CDR covers accounts, transactions, balances, direct debits, scheduled payments, payees, and product information from all Australian Authorised Deposit-taking Institutions (ADIs). Energy CDR includes account details, billing history, usage data, meter information, and plan details from electricity and gas retailers. Additional sectors including telecommunications are planned for future rollout.

Consent Management Requirements

CDR consent must be explicit, informed, and time-limited. Consumers must authorize specific data clusters for specific purposes with defined expiry periods (maximum 12 months). Businesses must implement dashboards showing active consents, provide easy revocation mechanisms, and respect withdrawal of consent immediately. Consent cannot be bundled with terms and conditions for other services.
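The consent rules above, enforced at the point where a data recipient decides a single data request, as an added example that is not Fiskil's code: the Consent record, the scope strings in the bank:...:read style used by the Consumer Data Standards, and the 365-day approximation of the 12-month maximum are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_CONSENT_DURATION = timedelta(days=365)  # CDR's 12-month cap, approximated as 365 days

@dataclass
class Consent:
    consumer_id: str
    purpose: str               # the one purpose the consumer agreed to
    data_clusters: frozenset   # CDR scopes the consumer authorised
    granted_at: datetime
    expires_at: datetime
    revoked_at: "datetime | None" = None

def consent_is_valid(consent: Consent) -> bool:
    """Creation-time check: expiry must be in the future and within 12 months."""
    duration = consent.expires_at - consent.granted_at
    return timedelta(0) < duration <= MAX_CONSENT_DURATION

def authorize_access(consent: Consent, cluster: str, purpose: str, now: datetime):
    """Decide one data request against the consent; revocation is checked first."""
    if consent.revoked_at is not None and now >= consent.revoked_at:
        return False, "consent revoked"
    if now >= consent.expires_at:
        return False, "consent expired"
    if purpose != consent.purpose:
        return False, "purpose not covered by consent"
    if cluster not in consent.data_clusters:
        return False, "data cluster not authorised"
    return True, "authorised"

def demo() -> dict:
    """Constructed scenario (not real data): a 90-day budgeting consent."""
    t0 = datetime(2026, 2, 1, tzinfo=timezone.utc)
    clusters = frozenset({"bank:accounts.basic:read", "bank:transactions:read"})
    consent = Consent("consumer-123", "budgeting", clusters, t0, t0 + timedelta(days=90))
    day1 = t0 + timedelta(days=1)
    results = {
        "valid_record": consent_is_valid(consent),
        "in_scope": authorize_access(consent, "bank:transactions:read", "budgeting", day1),
        "wrong_cluster": authorize_access(consent, "bank:payees:read", "budgeting", day1),
        "wrong_purpose": authorize_access(consent, "bank:transactions:read", "marketing", day1),
        "after_expiry": authorize_access(consent, "bank:transactions:read", "budgeting", t0 + timedelta(days=90)),
        # a 13-month consent must be rejected before it is ever stored
        "over_limit_record": consent_is_valid(Consent("consumer-123", "budgeting", clusters, t0, t0 + timedelta(days=400))),
    }
    consent.revoked_at = day1  # consumer withdraws on day 1; a same-instant request must fail
    results["after_revocation"] = authorize_access(consent, "bank:transactions:read", "budgeting", day1)
    return results
```

Note that the purpose check runs before the cluster check, so a marketing request is refused even for a cluster the consumer did authorise for budgeting.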

CDR Compliance Checklist

Achieve CDR compliance by following these steps:

1) Determine the appropriate accreditation tier for your business model.
2) Engage legal counsel familiar with the CDR Rules and the Privacy Act.
3) Implement an information security program meeting ISO 27001 or equivalent.
4) Develop a CDR privacy policy and consent management systems.
5) Build or integrate technical infrastructure meeting the Consumer Data Standards.
6) Establish complaint and dispute resolution processes.
7) Obtain the required insurance coverage.
8) Submit the accreditation application with supporting evidence.
9) Undergo the ACCC assessment process (typically 3-6 months).
10) Maintain ongoing compliance reporting and audits.

Frequently Asked Questions

The CDR accreditation process typically takes 3-6 months from application submission to approval, depending on the completeness of your application and the accreditation tier sought. Restricted accreditation is generally faster than Unrestricted.

Ongoing CDR compliance costs include annual ACCC accreditation fees ($10,000-50,000 depending on tier), information security program maintenance, privacy compliance staff, external dispute resolution membership, insurance premiums, and technical infrastructure costs. Budget $100,000-500,000 annually for full compliance.

Yes, foreign companies can obtain CDR accreditation if they establish an Australian business entity, appoint Australian officers, and meet all compliance requirements including data sovereignty requirements for storing Australian consumer data.

Yes, CDR is mandatory for designated data holders including major banks (designated in 2020) and large energy retailers (designated in 2022). Smaller institutions may be designated over time as the regime expands.

CDR breaches can result in significant penalties. The ACCC can impose infringement notices, enforceable undertakings, or court action seeking pecuniary penalties up to $2.5 million for corporations. Serious or repeated breaches may result in accreditation suspension or revocation.

CDR is sector-specific and focuses on data portability and consumer empowerment, while GDPR is economy-wide privacy regulation. CDR includes mandatory participation for designated data holders, prescriptive technical standards, and accreditation requirements that go beyond typical privacy laws.

CDR data can only be used for purposes explicitly consented to by the consumer. Marketing use requires specific consent and must be clearly disclosed during the consent process. Businesses cannot use CDR data for marketing to third parties or for purposes beyond the original consent scope.

Ready to Get Started?

Explore our APIs and start building secure, compliant financial data integrations today.

© Fiskil 2026. All rights reserved.