Consumer Data Right (CDR): What Teams Must Ship

Updated 23 Mar 2026

What is the Consumer Data Right?

Consumer Data Right (CDR) is Australia’s legislated framework for secure, consumer-directed data sharing. It requires designated data holders to share product and consumer data with accredited recipients when a customer authorises the transfer. For product and engineering teams building financial, energy, or lending platforms in Australia, CDR compliance is not a policy exercise: it is an architecture decision that touches APIs, consent management, data storage, and audit logging.

CDR is established by Part IVD of the Competition and Consumer Act 2010 and enforced jointly by the ACCC and the OAIC, with the technical Consumer Data Standards published by the Data Standards Body within Treasury. Unlike voluntary open banking initiatives in other jurisdictions, CDR is mandatory, sector-specific, and backed by civil penalties.

Who it applies to in Australia

CDR is being rolled out sector by sector. Banking obligations have been live since 2020. Energy followed. Non-bank lenders join in 2026, with Buy Now, Pay Later (BNPL) products explicitly covered under the expanded rules.

| Sector | Product data sharing | Consumer data sharing | Status |
| --- | --- | --- | --- |
| Banking (major ADIs) | Live since July 2020 | Live since July 2020 | Active |
| Banking (non-major ADIs) | Live | Live (phased 2021–2022) | Active |
| Energy (major retailers) | Live since October 2022 | Live since November 2022 | Active |
| Energy (smaller retailers) | Live | Phased from May 2023 | Active |
| Non-bank lenders (initial providers, >$10B) | 13 July 2026 | 9 November 2026 | Pending |
| Non-bank lenders (large providers, >$1B, >1,000 customers) | 13 July 2026 | 10 May 2027 | Pending |

Key dates for non-bank lenders: product data sharing from 13 July 2026; consumer data sharing from 9 November 2026 (initial providers) and 10 May 2027 (large providers); full rollout through 13 September 2027.

The de minimis threshold is total resident loans and finance leases exceeding $1 billion, together with more than 1,000 customers. Entities below the threshold may opt in voluntarily. BNPL products are explicitly covered. Niche products (asset finance, consumer leases, reverse mortgages, margin loans) have been removed from mandatory scope.

CDR obligations: Data Holders vs Accredited Data Recipients

The CDR framework creates two primary roles with distinct obligations:

Data Holder obligations

| Obligation | Detail |
| --- | --- |
| Registration with ACCC | Mandatory before data sharing commences |
| Product data sharing | Publish standardised product reference data via conformant APIs |
| Consumer data sharing | Respond to authorised data requests within mandated timeframes |
| Consent management | Authenticate customers through CDR-compliant authorisation flows |
| API conformance | Implement APIs meeting the Consumer Data Standards (currently v1.36.0) |
| Data quality | Ensure shared data is accurate, complete, and current |
| Security requirements | Meet the information security obligations prescribed in the CDR Rules and Standards |
| Reporting | Notify the ACCC of metrics, incidents, and changes to data holder status |

Accredited Data Recipient (ADR) obligations

ADRs must obtain and maintain ACCC accreditation, comply with all 13 Privacy Safeguards, collect and manage consents per CDR Rules, and destroy or de-identify CDR data when no longer needed. Incident reporting to OAIC is mandatory for eligible data breaches.

Both roles require API infrastructure meeting the Consumer Data Standards: an OAuth 2.0/OpenID Connect security profile built on FAPI 1.0 Advanced (pushed authorisation requests, mutual TLS, certificate-bound access tokens), standardised endpoints, prescribed data payloads, and prescribed error handling. For teams building cloud-hosted platforms, these requirements intersect with Privacy Act obligations and, for APRA-regulated entities, with APRA CPS 234.

CDR implementation checklist

1. Regulatory scope assessment: Determine data holder/ADR classification, identify covered products, confirm provider tier (initial, large, or below threshold).

2. API infrastructure: Build conformant APIs meeting Consumer Data Standards. Integrate with the CDR Register for participant discovery and certificate management. Implement Pushed Authorisation Requests (PAR) and Holder of Key (HoK) mechanisms.

3. Consent and authorisation: Build CDR-compliant authentication flows. Implement consent collection, amendment, and withdrawal. Support bundled consents (permitted under recent rule changes) while keeping marketing and de-identification consents separate.

4. Data extraction and mapping: Map internal data models to CDR payload specs. Identify required product and consumer data for covered products. Implement quality checks before sharing.

5. Security: Implement mutual TLS for all authenticated API endpoints (the unauthenticated product reference data endpoints are served over ordinary TLS). Deploy certificate management aligned with the CDR Register PKI. Conduct penetration testing against CDR threat models.

6. Monitoring and incidents: Set up API monitoring for availability and error rates per CDR thresholds. Establish breach response plans covering OAIC notification. Implement transaction logging for ACCC reporting.

7. Testing: Execute conformance testing via ACCC’s test suite. Complete end-to-end testing with at least one counterparty. Document results for audit trail.

Data minimisation under CDR

The CDR framework enforces data minimisation at multiple levels. Engineering teams must build this into data request handling from the start.

Collection: ADRs may only request data reasonably needed for the consented service. Requesting broader data sets is a breach.

Use limitation: CDR data collected for one purpose cannot be repurposed without separate consent, including for internal analytics.

Retention: Under the CDR reset, the history that data holders must share has been cut from seven years to two: a holder only needs to hold and share the most recent two years of a customer's data for CDR purposes. This narrows what is shared; it does not shorten record-keeping periods that other laws impose on the same data.

Destruction: When CDR data is no longer needed or consent is withdrawn, the ADR must destroy or de-identify it per Privacy Safeguard 12 timelines.

Disclosure: The data minimisation principle now extends to disclosure of CDR data, not just collection and use.

Implement automated data lifecycle management: tag CDR data at ingestion, enforce retention policies programmatically, and log destruction events.

Evidence and audit trail requirements

CDR compliance is evidence-based. Regulators examine logs, not intentions.

| Record type | Required detail | Retention |
| --- | --- | --- |
| Consent events | Granted, amended, withdrawn, expired. Timestamp, scope, consumer ID. | Consent duration + 2 years |
| Data requests | Request ID, requesting ADR, data categories, response status. | 2 years minimum |
| Authentication events | Attempts, successes, failures. Method used. | 2 years minimum |
| Data disclosures | What was shared, to whom, when, under which consent. | Consent duration + 2 years |
| Security incidents | Type, detection time, response actions, notifications. | 7 years |
| System availability | Uptime, response times, error rates vs CDR benchmarks. | 2 years minimum |

Logs must be tamper-evident and producible on request. Invest in a centralised audit log system that produces compliance reports without manual extraction. Data holders must also submit periodic metrics to the ACCC covering API performance and incident reports.
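The lifecycle controls from the data minimisation section (tag CDR data with its consent at ingestion, enforce retention programmatically, log every destruction) and the tamper-evident log this section calls for are two halves of one mechanism, shown together in the added example below. It is illustrative code written for this page, not code from any CDR participant or from the Data Standards Body. The hash chain, in which each record commits to the previous record's hash so that editing or dropping a record breaks every later hash, is one common tamper-evidence technique and not a CDR-prescribed format; the two-year evidence retention is taken from the table above and approximated as 730 days; consent ids, consumer ids, dates and payloads are constructed.

```python
"""Consent-tied CDR data lifecycle writing to a hash-chained audit log.

Added example for this page; not code from any CDR participant or the DSB.
The chain format, retention arithmetic and all identifiers are assumptions.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
EVIDENCE_RETENTION = timedelta(days=730)  # approximates the "+ 2 years" in the table


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on dict ordering.
    return hashlib.sha256(json.dumps(record, sort_keys=True, default=str).encode()).hexdigest()


class AuditLog:
    """Append-only log; record N stores the hash of record N-1 and its own hash."""

    def __init__(self):
        self.records = []

    def append(self, event_type: str, at: datetime, **fields) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "type": event_type,
                  "at": at.isoformat(), "prev": prev, **fields}
        record["hash"] = _digest(record)  # hash covers everything but itself
        self.records.append(record)
        return record

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the seq of the first bad record."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return rec["seq"]
            prev = rec["hash"]
        return -1


class CdrDataStore:
    """Holds CDR data tagged with the consent it was collected under."""

    def __init__(self, log: AuditLog):
        self.log = log
        self.consents = {}  # consent_id -> consumer, scopes, expiry, status
        self.records = {}   # record_id -> consent_id, category, payload, ingested_at

    def grant_consent(self, consent_id, consumer_id, scopes, at, duration):
        self.consents[consent_id] = {"consumer_id": consumer_id, "scopes": set(scopes),
                                     "expires_at": at + duration, "status": "active"}
        self.log.append("consent_granted", at, consent_id=consent_id, consumer_id=consumer_id,
                        scope=sorted(scopes),
                        retain_until=(at + duration + EVIDENCE_RETENTION).isoformat())

    def ingest(self, record_id, consent_id, category, payload, at):
        consent = self.consents.get(consent_id)
        if consent is None or consent["status"] != "active" or at >= consent["expires_at"]:
            raise PermissionError(f"no active consent {consent_id}")
        if category not in consent["scopes"]:
            # Collection limitation: data outside the consented scope is never stored.
            raise PermissionError(f"{category} not within consent {consent_id}")
        self.records[record_id] = {"consent_id": consent_id, "category": category,
                                   "payload": payload, "ingested_at": at}
        self.log.append("data_collected", at, record_id=record_id,
                        consent_id=consent_id, category=category)

    def withdraw_consent(self, consent_id, at):
        self.consents[consent_id]["status"] = "withdrawn"
        self.log.append("consent_withdrawn", at, consent_id=consent_id,
                        retain_until=(at + EVIDENCE_RETENTION).isoformat())
        return self.enforce_lifecycle(at)

    def enforce_lifecycle(self, now):
        """Destroy data whose consent is withdrawn or expired; log each destruction.

        De-identification is the Privacy Safeguard 12 alternative; this example deletes.
        """
        destroyed = []
        for record_id, rec in list(self.records.items()):
            consent = self.consents[rec["consent_id"]]
            if consent["status"] == "withdrawn" or now >= consent["expires_at"]:
                del self.records[record_id]
                self.log.append("data_destroyed", now, record_id=record_id,
                                consent_id=rec["consent_id"], category=rec["category"],
                                method="deleted")
                destroyed.append(record_id)
        return destroyed


def run_demo():
    """Constructed scenario: one consent, two records, a withdrawal, then tampering."""
    t0 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    log = AuditLog()
    store = CdrDataStore(log)
    store.grant_consent("c-1", "consumer-42",
                        {"bank:accounts.basic:read", "bank:transactions:read"},
                        t0, timedelta(days=365))
    store.ingest("r-1", "c-1", "bank:accounts.basic:read", {"accountId": "acc-1"}, t0 + timedelta(days=1))
    store.ingest("r-2", "c-1", "bank:transactions:read", {"count": 12}, t0 + timedelta(days=2))
    try:
        store.ingest("r-3", "c-1", "bank:payees:read", {}, t0 + timedelta(days=3))
    except PermissionError:
        pass  # outside the consented scope: rejected and not stored
    destroyed = store.withdraw_consent("c-1", t0 + timedelta(days=30))
    intact = log.verify()
    log.records[1]["category"] = "bank:payees:read"  # simulate an after-the-fact edit
    return destroyed, intact, log.verify()


if __name__ == "__main__":
    print(run_demo())
```

Anchoring the chain's head hash somewhere the application cannot rewrite (a write-once bucket, a signed daily digest, or a separate account) is what turns "tamper-evident" into something a regulator can check independently; the chain alone only proves consistency within the file you hand over.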

Frequently Asked Questions

  1. What is the Consumer Data Right in plain terms?
     CDR is a government-mandated system giving Australian consumers the right to direct their bank, energy provider, or lender to share their data with an accredited third party through secure, standardised APIs.
  2. When do non-bank lenders need to comply with CDR?
     Product data sharing for all non-bank lender data holders commences 13 July 2026. Consumer data sharing follows from 9 November 2026 for initial providers (>$10 billion), and 10 May 2027 for large providers (>$1 billion, >1,000 customers). Full rollout completes 13 September 2027.
  3. Are BNPL providers covered by CDR?
     Yes. Version 8 of the CDR Rules explicitly includes Buy Now, Pay Later products. BNPL providers meeting the de minimis threshold ($1 billion in resident loans, >1,000 customers) must comply on the same timeline as other non-bank lenders.
  4. How does CDR differ from Open Banking?
     CDR is broader. Open Banking covers bank data sharing. CDR spans banking, energy, and non-bank lending. CDR also includes action initiation (passed into law in 2024), enabling consumers to instruct third parties to act on their behalf. See Open Banking for details.
  5. What are the penalties for CDR non-compliance?
     The ACCC and OAIC jointly enforce CDR with civil penalties under the Competition and Consumer Act. The ACCC can issue infringement notices, accept enforceable undertakings, and seek injunctions. Penalties for serious breaches reach millions of dollars.

Related Terms

Open Banking: the banking-specific layer of CDR, focused on deposit and lending product data sharing.

Consent Management: systems and processes for collecting, storing, and managing consumer authorisations under CDR.

Data Privacy (Australia): the broader privacy framework under the Privacy Act 1988 that intersects with CDR Privacy Safeguards.

Audit Logs: the technical infrastructure required to capture and retain CDR compliance evidence.

API Security: mTLS, OAuth 2.0, and certificate management requirements specific to CDR API communications.

FinTech: the sector context for CDR adoption, particularly non-bank lenders and BNPL providers.

Ready to assess your CDR readiness?

If your platform will be a CDR data holder or you are building an accredited data recipient service, the compliance clock is ticking. A structured readiness review identifies your technical gaps, maps your obligations, and produces a prioritised implementation plan.
