How to become accredited to use open banking in Australia
If your business wants to engage with Australia's open banking data scheme, you need to become accredited or work with intermediaries who are. This means all participants are working to the same guidelines, rules and regulations when it comes to handling consumer data. There are several accreditation pathways open to businesses interested in engaging with open banking data in Australia.
The basics of accreditation
Under the Consumer Data Right (CDR) rules, all businesses requesting access to consumer banking data must be accredited or have access to a party that has been accredited by the Australian Competition and Consumer Commission (ACCC). These companies are called Accredited Data Recipients (ADRs), all of which are listed in the ACCC's public registry of current open banking providers. Banks and other Authorised Depository Institutions (ADIs) such as credit unions are called Data Holders. ADRs access consumer data by connecting their APIs (application programming interfaces – the software that connects your system to others) to those owned by Data Holders.There are five ways to access open banking data, not all of which require accreditation.
- Your business can become an ADR itself.
- You can be sponsored by an ADR, which collects data and handles consent management on your behalf, and helps you with compliance.
- You can be named as an ADR's representative. The ADR collects data, handles consent management, and helps you with compliance. You can only be a representative of one ADR.
- You could be a trusted advisor, such as an accountant or lawyer, who has been nominated /allowed by a consumer to view certain open banking data.
- Or you can access CDR insights, which are limited datasets about a customer, but don't require you to have any open banking accreditation.
How can I become accredited as an open banking ADR?
Obtaining ADR accreditation is lengthy and can take as long as 4-6 months. It costs about $50,000 for legal and assurance reports alone. You may also be required to improve some internal processes, prior to obtaining your Australian Competition and Consumer Commission (ACCC) approval. We recommend considering the ADR requirements and starting your accreditation process as early as possible. You can also refer to the ACCC CDR Page together with the ACCC Guidelines, and read our guide below on the steps you need to take.Please reach out to us should you wish to discuss your accreditation and how we might be able to assist you in your accreditation process.ReadinessTo get ready to launch an accreditation application, the ACCC has collated a series of documents to help you understand whether you're ready. Before launching your application, you should review the Accredited data recipient support package, Accreditation checklist and the sample application forms below and read the Consumer Data Right Participant Portal user guide.ApplicationThe application to the ACCC outlines the specific purpose for which you intend to use consumers' financial data, identifies the key people involved, and shows you have the right processes in place to participate as an Accredited Data Recipient (ADR). You must prove you can meet minimum security requirements. This includes demonstrating you have:You must also prove your business is prepared to take on the responsibility of handling consumer data within the open data framework. This means showing you have a:AssessmentThe ACCC will assess the application and may ask for more information or even consult with other Australian and overseas government authorities, such as the Office of the Australian Information Commissioner (OAIC), Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC).CTS / onboardingOnce accredited by the ACCC, you can commence onboarding, the process that prepares newly accredited ADRs to participate in the CDR ecosystem. This process consists of several stages:The Conformance Test Suite is an important part of the Consumer Data Right onboarding process. It allows participants to test their compliance with the Consumer Data Standards and Consumer Data Right Register design. This testing takes place in a secure environment without exposing consumer data, nor interfering with live software products and brands.Participants must pass the Conformance Test Suite before they receive an ‘active’ status on the Consumer Data Right Public Register.You are ready to begin conformance testing when you have:Active statusOnce you've received accreditation and passed the final testing, you will have 'active' status on the Consumer Data Right Public Register and be ready to offer your customers access to open banking services.
Well designed and implemented security controls- CDR-compliant digital infrastructure that ensures customer data is safe
- The right CDR information security controls in place
- Information security governance policies
- Consumer-facing CDR policy
- Fit and proper policy and ongoing attestations for the individuals involved
- Chart that shows the people and processes within the wider business that can access open banking data
- Outline of the company's organisation
- Disputes resolution policy
- Accept the PKI Certificate Subscriber Agreement and Relying Party Agreement.
- Login to the CDR Participant Portal to confirm and add missing information for participation details.
- Before beginning conformance testing, ensure that you satisfy the checklist which includes submitting your CTS enrolment form and completing the CTS test preparation tasks, following successful enrolment.
- Complete CTS conformance testing (more on this below).
- Generate a certificate signing request for your production environment in accordance with the Certificate Management guidance [R18] and add these details via the Participant Portal, as well as any other missing information. These might include authentication details, software product details, software product authentication details, or software product endpoints.
- Confirm production environment and readiness. Once the production PKI certificate is received, confirm production readiness by sending an email to CDRTechnicalOperations@accc.gov.au.
- After confirming that the onboarding steps have been completed, the ACCC activates the participant on the Consumer Data Right Register.
- Participation.
- passed accreditation as an ADR
- a production-ready ADR software product that follows the CDS and the Register design
- access to the CDR Participant Portal
- completed and submitted your CTS enrolment form
- performed the tasks outlined in the CTS test preparation section
How do I get sponsored by an open banking ADR?
Under this type of arrangement you need to be accredited as a Sponsor by the ACCC and enter a sponsorship arrangement with an unrestricted ADR, such as TrueLayer.TrueLayer, as the Sponsor ADR, is responsible for:
- connecting to Data Holder APIs
- collecting all open banking data from your customers on your behalf
- handling consent
- helping with compliance
How do I become a CDR representative of an ADR?
The CDR representative model means you do not need to be accredited at all, but limits the kinds of product or service you can offer via open banking. An unrestricted ADR like TrueLayer appoints you as their representative and acts as your intermediary, collecting all open banking data that you will use to offer your goods and services to your customers.They support you with compliance, data consent and collection, and they are fully liable for all of the actions you take with open banking data. You can only be a CDR representative of one ADR and, because they are fully liable for your actions with open banking data, you have to comply completely with their open banking policies and practices.
How do I become an open banking trusted advisor?
Trusted advisors, such as accountants and lawyers, are able to access open banking data from businesses with the consent of consumers, without needing to be accredited. To be allowed to access open banking data, the advisor must have a relationship with the consumer and have been nominated as one of their trusted advisors, and they must fall within the trusted advisor 'class', eg:
- qualified accountants
- persons who are admitted to the legal profession
- registered tax agents, BAS agents and tax (financial) advisers
- financial counselling agencies
- financial advisers or financial planners
- mortgage brokers
How can I use open banking unaccredited insights?
The insights model lets consumers consent to sending an insight created from their open banking data to an unaccredited party. These types of insights include verifying whether the person making a payment owns the account, or alerts to merchants that an upcoming payment will fail. Companies wanting to access these types of insights need to work with an accredited ADR, like TrueLayer, which can collect and analyse the data and share the Insight with the company – all with the permission of the consumer.While these insights are considered open banking data, the usual privacy safeguards don't apply, so the data can be held by the unaccredited company that made the request.
