New CDR rules and ASIC notices

Background

The Consumer Data Right (CDR) is a data sharing framework overseen by the Australian government. Under the framework, the government specifies the types of entities that must share the product and consumer data it holds if requested by a consumer. These entities are the ‘designated data holders’. Under the CDR regime, with the consumer’s consent, businesses accredited by the Australian Competition and Consumer Commission (ACCC) can request a consumer’s data from a designated data holder so that they can offer products and services tailored to that consumer’s needs. The CDR regime also aims to save consumers time and money by promoting product switching and streamlining existing application processes.

The CDR regime and amendments

The CDR regime has already been rolled out in the banking and energy sectors. However, in 2023 Treasury released for consultation draft amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) that aimed to: 

• expand the CDR to Australia’s non-bank lending sector; and
•  narrow the scope of CDR data in banking.

The goal of the amendments was to further increase the availability of data about financial products, encourage innovation in financial technology, and facilitate more informed consumer engagement with financial products. Under the CDR regime, a data holder (which, due to the proposed amendments, would now include non-bank lenders) must, unless an exception applies, disclose required product and consumer CDR data to an accredited person who makes a request.

Under the CDR Rules, requests can be made in relation to two main types of CDR data: product data (information about a product) for which there are no CDR consumers, and consumer data (which is CDR data for which there is at least one CDR consumer). Complex data requests can also be made with the authorisation of the consumer. These are requests for data made on behalf of a secondary user or in relation to a joint account or a partnership account.

The new draft proposed rules

However, in response to the first consultation, Treasury updated the initially proposed amendments to the CDR Rules and released the updated version on 26 November 2024 for a second consultation. The new draft rules made several key updates, including:

• Updating the threshold that determines whether a non-bank lending data holder is required to implement CDR data sharing. The previous proposal outlined that entities with over $500 million in resident loans and finance leases, as well as over 500 customers, would be subject to these CDR obligations. However, the updated draft rules raise the monetary threshold to $1 billion and the threshold number of customers to 1000. The draft rules also specify that the CDR obligations will also apply to managers of loans that provide credit on behalf of a non-bank lender. However, under the proposed draft rules, a non-bank lending data holder that does not meet the threshold may still voluntarily elect to join the CDR scheme. 
• Narrowing the range of products for which CDR data sharing would be compulsory. This was done in response to concerns raised about the potential cost of compliance with CDR obligations. The narrowed scope avoids unnecessary costs for data holders that offer small target or niche products. The updated rules confirm that for products including consumer leases, foreign currency accounts, margin loans, reverse mortgages, asset finance (non-standard vehicle finance) and products that have not been supplied to 1000 or more eligible CDR consumers for at least one full financial year, data sharing would be voluntary. Similarly, the new proposals clarify that entities voluntarily sharing data in relation to these products will not be exposed to civil penalties.
• Reducing requirements to share historical consumer data. Under the new draft rules, entities will not be required to share consumer data for transactions that occurred more than two years before the time of the request.

The amending CDR Rules also exempt certain data holders in the banking and non-bank lenders sector from complying with the CDR Rules. Such data holders include registered religious bodies, foreign authorised deposit-taking institutions (ADIs), foreign branches of domestic ADIs, and restricted ADIs.

Timeline

The timeline for rolling out the new CDR Rules will depend on whether a non-bank lender is categorised as an ‘initial provider’ or a ‘large provider’. According to the draft CDR Rules, an initial provider is a data holder in the non-bank lending sector that has averaged over $10 billion in resident loans and finance leases over the past 12 months. However, a large provider is a lender that averages only $1 billion and has over 1000 customers.

Based on the explanatory materials released by Treasury, the proposed changes are scheduled to come into effect as follows:

• Tranche 1 of the rollout will begin on 13 July 2026. Tranche 1 relates to the product data request obligations for both initial and large providers.
• Tranche 2 of the rollout will begin on 9 November 2026. This tranche relates to the consumer data requests for only initial providers (excluding complex requests).
• Tranche 3 of the rollout will begin on 15 March 2027. Tranche 3 relates to the obligations of initial providers in relation to complex requests.
• Tranche 4 of the rollout will begin on 10 May 2027. Tranche 4 relates to the consumer data requests for large providers (excluding complex requests).
• Tranche 5 of the rollout begins on 13 September 2027. Tranche 5 relates to the obligations of large providers in relation to complex requests.

Submissions to Treasury regarding the recently updated draft CDR rules closed on 26 December 2024.

ASIC regulatory role and actions

ASIC is Australia’s corporate, markets, financial services and consumer credit conduct regulator. It regulates the conduct of entities, monitors compliance with the law, and often takes enforcement action when necessary. To enable ASIC to effectively fulfill this role, it has a range of powers under various pieces of legislation.  

Notices to produce documents

In the context of regulating the conduct and compliance of entities that offer private credit, ASIC may issue organisations with notices under section 30 of the Australian Securities and Investments Commission Act 2001 (Cth), requiring the production of books. This notice may require organisations to produce certain documents that evidence their fund’s and/or organisation’s compliance with the Corporations Act 2001 (Cth). Books that may be required to be disclosed may include the marketing material for the fund, valuation policies, related party transactions, and/or conflicts of interest policies, policies regarding on-lending arrangements and the assessment of borrower’s credit risk, as well as policies that illustrate how the assets and operations of the fund are managed.

Companies that receive such a notice are entitled to seek legal advice regarding their obligations under the notice. However, they will not be able to withhold books on the grounds that the books may incriminate the company or result in a penalty. 

Directions to disclose information

In addition to its powers to require organisations to produce certain documents, ASIC may also issue entities with a Notice of Direction under section 912(c) of the Corporations Act 2001 (Cth). This notice may direct the organisation to obtain and provide an audit report prepared by a person nominated by ASIC. However, it may also direct the entity to declare or provide certain information to ASIC through a written statement. Some of the information ASIC may direct entities to declare includes:

• Details of the fund, including the total principal amount of all outstanding loans, the number of borrowers, transactions or loans involving related parties of the licensee, details of the committees the licensee has established to oversee compliance with the Fund’s policies, particulars of how the fund determines the relevant interest rate payable to investors, as well as general information about how the origination team referenced in the fund’s PDS operates.
• Information relating to distribution, including how interests in the fund have been sold to clients during the relevant period, the channels through which interests in the fund are sold, the proportion of investments made through a financial advisor, and the assessment process entities have implemented to ensure investors are in the target market in accordance with the fund’s target market determination.
• The organisation’s due diligence and risk assessment procedures, including how the fund and underlying syndicates select borrowers and assess the borrower’s credit risk, as well as descriptions of the policies and procedures applicable to the fund about the loans to be made or securities to be invested in and the steps the licensee will take when funds do not conform to these policies.
• Details of how the licensee manages conflicts of interest, especially in regard to related party transactions.
• Information relating to credit risk and capital protections, including how the fund and underlying syndicates manage interest rate risk, whether the fund itself has entered into any borrowings, and any restrictions the fund has imposed on loans to be made.
• Particulars relating to liquidity/redemption, including how the fund will manage liquidity risks. This encompasses details on how limitations on withdrawals are determined and by whom, as well as the period required for withdrawals to be paid.

To avoid penalty and other potential enforcement action, licensees must ensure they remain compliant with all their obligations under the relevant laws and maintain appropriate records of their systems, policies, and procedures as evidence of their compliance with these obligations.  

This article was prepared with the assistance of Roger Miyumo, Law Graduate.