Consumer Data Right (CDR) was introduced in response to several government reviews, all with the common need to develop standards for consumers to access and transfer their information in a usable format.

The Australian Government designed and oversees the Consumer Data Right system to ensure it is safe and secure for consumers, and the Australian Competition and Consumer Commission (ACCC) manages the process.


CDR enables consumers to easily:

  • compare products and services;
  • access better value and improved services; and
  • assist financial and cashflow management.

To date, CDR has been introduced into the banking and energy sectors, where providers of these services must adhere to the rigorous requirements set by the ACCC to become an accredited provider. Accreditation is a complex process, and providers are required to meet certain information security requirements to demonstrate their ability to protect consumer data. 

RSM Australia’s CDR information security accreditation assurance and advisory experience is second to none. We have completed CDR information security audit reports for over 50% of the current Accredited Data Recipients (ADRs), including Frollo, Intuit, Adatree, Finder, Basiq, Zepto and TrueLayer, just to name a few.

Our CDR services for ADR applicants include:

  • Access to our free CDR Information Security Accreditation Toolkit with examples from successful accreditations
  • ADR application advisory support based on seeing what has been accepted and not accepted by the ACCC
  • CDR Security by Design & Gap Assessment, to ensure the scope of the CDR data environment boundary is correct and you understand the information security requirements
  • CDR Pre-audit/Readiness Assessment to determine whether you are ready for accreditation
  • Independent reasonable assurance audit report (ASAE 3150 or SOC 2) for the unrestricted ADR application
  • Assurance to a sponsor or principal that an affiliate or representative agent complies with the CDR information security requirements
  • CREST accredited Penetration Testing as per CDR Schedule 2 Part 2 - Vulnerability Management (optional)
  • CDR Control Assessment Program or ISO 27001 Lead Auditor internal audit (where we are not the independent assurance provider)

We have extensive experience in PCI DSS, ISO 27001, AWS, GCP and Azure, with team members holding PCI, ISO 27001, AWS Security Specialty and Azure Security Associate certifications, Certified Information Systems Auditor (CISA) and Certified Data Privacy Solutions Engineer (CDPSE). 

We have already provided assurance over all the complex areas in the CDR Rules, including: 

  • Derived data
  • De-identification
  • Third party providers
  • Outsourced service providers
  • Intermediaries
  • Managed service providers
  • Multi-cloud environments
  • Complex group structures with multiple legal entities
  • Overseas-based applicants; and
  • Leveraging of other security frameworks/certifications.

We are confident that our engagement will result in a cheaper total cost for your accreditation due to our knowledge of the Rules, our experience with different technologies and processes that can effectively demonstrate compliance, and our more efficient end-to-end accreditation process.

Are you interested in learning more about CDR? Or perhaps looking for a successful, flexible, and experienced partner to take you on your CDR journey? Reach out to RSM. 
 

Organisations within the banking and energy sectors that wish to become accredited providers will benefit from our experience and specialist CDR knowledge. Though still in its early stages, CDR will soon take off and expand to other industries.

The benefit of RSM’s wealth of experience is our ability to work closely with your organisation to understand your CDR objectives and provide you with the support you need to meet these. Our team provides an iterative and collaborative audit approach to ensure you obtain timely feedback to remediate control weaknesses and meet your project timelines. Nothing makes us happier than celebrating your accreditation with you after working together. 
