As the CDR ecosystem expands, organisations are asking what models are available to access the Consumer Data Right (CDR) Open Banking data. A summary of options available for product owners is outlined below.
Accredited Data Recipient (ADR)
Standard approach to CDR Rules and accreditation, with the ADR enabling consumers to access Open Banking Data.
Outsourced Service Provider (OSP)
The OSP information security controls will be assessed as part of the ADR’s accreditation (carve-in approach to the ASAE 3150 information security assurance report).
- Schedule 2 to the rules sets out detailed steps for privacy safeguard 12. These steps are also relevant to persons who receive CDR data under a CDR outsourcing arrangement.
- An accredited person must ensure that, if they disclose CDR data to another person under a CDR outsourcing arrangement, the recipient complies with its requirements under the arrangement.
- The Outsourced Service Provider (recipient) must take the steps in Schedule 2 to protect that CDR data, and any CDR data that it directly or indirectly derives from that CDR data, as if it were an accredited data recipient.
- The recipient must, when so directed by the discloser, do any of the following:
- Return to the discloser CDR data that the discloser disclosed to it
- Delete CDR data that it holds in accordance with the CDR data deletion process
- Provide, to the discloser, records of any deletions that are required to be made under the CDR data deletion process
- Direct any other person to which it has disclosed CDR data, to take corresponding steps.
Software-as-a-Service
Accredited persons may utilise SaaS and other software products provided by non-accredited persons, to collect Consumer Data Right data, where the accredited person controls its Secrets Manager component, and does not permit the third party to access its security artefacts. Where the accredited person does not disclose Consumer Data Right data to these unaccredited providers, a Consumer Data Right outsourcing arrangement is also not required.
Combined Accredited Person (CAP)
Draft Rules to enable this accredited intermediary model are currently being considered (potentially approved Nov/Dec 2020).
In the draft Rules currently being considered, a CAP Provider (accredited intermediary) would collect CDR data on behalf of one or more CAP Principals from the data holders. The CAP Principal is the organisation that gains consent from consumers to access their CDR data. In this model, both the CAP Provider and CAP Principal need to be ADRs, and the CAP Provider needs to ensure data segregation so that a CAP Principal can only access their consented data.
HOW CAN RSM HELP?
If you would like to discuss the options available, and the impact on your CDR application to become an Accredited Data Recipient, please contact Darren Booth.