The Consumer Data Right (CDR) and Open Banking
What is Open Banking?
In 2018, the Australian Competition and Consumer Commission (ACCC) announced the introduction of the Consumer Data Right (CDR). CDR has been introduced to give consumers (both individuals and small businesses) better access to and control over their personal data.
Open Banking is the implementation of CDR in the banking sector. Within Open Banking, consumers can opt in to share their personal banking data securely with accredited service providers. Service providers may include other banks, Fintechs or third party financial providers that have completed a rigorous CDR accreditation process overseen by the ACCC.
What does Open Banking mean for me?
By giving clients the choice to share their personal financial data, Open Banking aims to give clients greater choice, control and convenience. It will enable clients to compare products and services quickly and easily, and access new products and offerings that are specifically tailored to them and their needs.
Frequently asked questions
Data Holder and data sharing
What is a Data Holder?
Data holders are data givers under the Consumer Data Right (CDR). These are the providers who currently hold consumer data. Registered Data Holders are required to share client data with a nominated accredited data recipient when a client directs them to.
What is an accredited provider?
An accredited provider is one which has successfully undergone the Australian Competition and Consumer Commission (ACCC)’s accreditation process to become an Accredited Data Recipient (ADR).
Data recipients are data receivers under the Consumer Data Right (CDR). These are the providers who receive a consumer’s data after the consumer has given their consent. The data recipient will then use this data to offer a service the consumer has requested (e.g. comparison of products).
Only accredited providers can operate within Open Banking and offer services under CDR.
Is BOQ becoming an Accredited Data Recipient?
BOQ becoming a Data Holder in late 2021 sets the foundations required for us to become an Accredited Data Recipient (ADR) in 2022. As an ADR, BOQ can realise the benefits of data sharing and analytics to obtain valuable insights, better understand our clients’ needs, and offer more tailored products and services. This supports our vision “to be a digital bank of the future with a personal touch”.
How do I know who is an accredited provider?
Consumers can confirm if a provider is accredited by looking for the logo on the right, or by viewing the list of current accredited providers on the official Consumer Data Right (CDR) website.
As CDR has just been launched in Australia, there are currently only a limited number of accredited providers. As CDR grows over time, more and more providers will become accredited.
How safe is it to share my data?
Many precautions have been factored into the Open Banking data sharing environment, such as:
- The standards, format and process for data sharing under the Consumer Data Right (CDR) have been established by the Data Standards Body (DSB)
- Only providers that have met the Australian Competition and Consumer Commission (ACCC)’s accreditation process are able to participate in Open Banking as a data recipient. Providers must demonstrate that they meet technical and system requirements to receive data and comply with data standards, and adhere to many legal requirements
- Providers are only able to collect and use data as required to provide a product or service, in line with the client consent provided
- The CDR is co-regulated by the ACCC and the Office of the Australian Information Commissioner (OAIC), who jointly monitor compliance with CDR regulations. They work together to respond to issues, including taking enforcement action if needed. More information can be found in the ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right.
Do I have to share my data?
There is no obligation for you to share your personal data. Open Banking is an opt-in service, so the choice is completely yours. When choosing to share your data, you have control over:
- Whether you want to share your information or not
- What information you wish to share
- The specific purpose for which your data will be used
- Who you share your information with
- When you want to stop sharing your information
Also, if you do decide to share your data, you are able to revoke your consent on this data sharing at any stage.
What data can I share?
Clients with individual and sole trader accounts are currently able to opt-in to share data for most savings and transactions accounts, term deposits, credit cards, home loans and mortgage offset accounts.
Other account and client types (including joint accounts and business products) will be made available progressively through 2022 according to CDR timelines.
The following products will be available to share from 7 March 2022 (excluding any transactions on the accounts prior to that date):
- Personal Loans
Any historical transaction data will be made available by the end of March 2022.
How do I share my data?
Please note that to be eligible to participate in data sharing, you must:
- Be at least 18 years of age, and
- Hold at least one open and online account with BOQ, BOQ Specialist, VMA or DDHG
The process will start on an accredited provider’s website or app. The whole process takes less than two minutes.
Data sharing will start on an Accredited Data Recipient’s (ADR) website or app, where you may be asked if you wish to share your data while browsing for a service or product. If you consent to data sharing, your identity will need to be verified by BOQ Specialist (the Data Holder) before we share any data. You will be directed to BOQ Specialist's Data Holder services platform and prompted to enter your customer ID. You will then be sent a One Time Password (OTP) to your mobile or email. When the OTP has been successfully entered and your identity verified, you will be prompted to choose the specific accounts you consent for data sharing, before being linked back to the ADR site where you may begin using your shared data.
How do I manage data sharing for my account(s)?
Once you have authorised sharing of your personal data, you will receive access to your Customer Dashboard. Through this dashboard, you are able to view each of your data sharing consents, including the accredited providers that you have consented to share your data with, the specific accounts shared with each provider, and the time period you have nominated for each data sharing consent. You are able to easily manage your consents through this dashboard.
Giving consent and the data sharing experience
I hold accounts with more than one BOQ brand. Do I need to complete a consent to share data for each brand?
Yes. You will need to provide a consent for each brand.
I want to give three banks access to my BOQ Data. Does this require three separate consents?
Yes. You will need to provide a consent for each Accredited Data Recipient (ADR).
How do I share information on a new account?
You must provide consent to share data per account, including for any newly created accounts.
Where can I find more details on any ‘terms and conditions’ for data sharing?
This responsibility largely sits with the Accredited Data Recipient (ADR), who is required to provide a clear declaration of data usage. Please contact the relevant ADR for further information on this.
Note that the BOQ Specialist Customer Dashboard has been designed to meet Data Holder obligations of Open Banking.
What is my Customer ID? Is it the same for each brand?
The Customer ID is the generic name given to the unique customer identifier you use to log into internet banking. The Customer ID is different for each brand, as follows:
- BOQ: If accessing your account(s) via BOQ Internet Banking: Customer Access Number (CAN)
- BOQS: Client number
- VMA: If accessing your account(s) via VMA Mobile App: Mobile Number
- DDHG: User Name
One Time Password (OTP)
I have been blocked due to too many failed login attempts. Can I be unblocked so that I can access the dashboard?
There is no ability to unblock a client before the 24 hour period ends. If you have failed the maximum login attempts to access your dashboard and have been blocked, you will need to wait 24 hours until the block is removed before you can try again.
Is there an autofill feature for the One Time Password (OTP) for mobile phones?
This feature is not available in our Data Holder solution.
Can the One Time Password (OTP) be emailed?
The OTP will be sent via SMS to customers who have a valid mobile number registered with BOQ. The OTP will only be sent via email in the instance that BOQ does not have a valid mobile number registered for a customer.
In what circumstances can BOQ Specialist (the Data Holder) refuse to share customer data in response to a request from an Accredited Data Recipient (ADR)?
Your bank (the Data Holder) may refuse to disclose required customer data in response to a request in the following instances:
- if BOQ Specialist (the Data Holder) considers this to be necessary to prevent physical or financial harm or abuse; or
- in relation to an account that is blocked or suspended; or
- in circumstances set out in the data standard
BOQ Specialist (the Data Holder) is required to inform any customer of such a refusal in accordance with the data standards.
Under what circumstances would BOQ Specialist (the Data Holder) manage consents on behalf of a customer?
Under the Consumer Data Right (CDR) rules:
- Customers can request that a Data Holder revoke a consent e.g. via a call centre. This may be as the customer is unable to do it themselves. A Data Holder has an obligation to revoke consents for customers who have requested the Data Holder to do so
- A Data Holder has an obligation to revoke consents for customers who are not eligible anymore e.g. no longer a customer
- An authorised staff member can suspend (i.e. temporarily block) a specific account from consent. e.g. for the prevention of harm and abuse
- In the event that a customer is deceased
- In the event that fraudulent activity has been detected
How immediately will changes to my data sharing consent(s) be reflected in the Customer Dashboard?
Updates to data sharing consents that are made via the Customer Dashboard will be reflected immediately.
How immediately will any data corrections / updates be reflected in the Customer Dashboard?
Please allow up to 24 – 48 hours for data corrections / updates to be reflected in your dashboard.
How long after revoking a consent will my data sharing stop?
Changes due to revoking consent are managed ‘real time’ and will be reflected immediately.
If I had revoked a consent but have now changed my mind, can this consent be reinstated?
No, you are unable to reinstate a revoked consent, as revoking a consent stops the sharing of data. You will need to grant a new consent via the Accredited Data Recipient (ADR).
Can I revoke a ‘pending’ consent?
Yes. You can revoke a pending consent.
Inactive and expired consents
How long can I view inactive consents under ‘Consent History’?
The Customer Dashboard will show 2 years of history; however, BOQ will retain consent information for an additional 5 years.
What happens to data that I have shared with an Accredited Data Recipient (ADR) once the consented time period is over?
The data is either de-identified or deleted according to your preferences as captured at the time of granting consent.
My Customer Dashboard
How do I access my customer dashboard?
The Customer Dashboard can be accessed in the following ways:
- BOQ (Public Website): Home page log on menu > Manage Data Sharing
- VMA (Public Website): Home page login menu > Manage Data Sharing
- BOQ Specialist (Public Website): Internet Banking login page > Manage data sharing
- DDHG (Public Website): Home > BOQ Page > Manage data sharing
How will my account name(s) appear in the customer dashboard?
Your ‘account names’ will not be visible in the customer dashboard. Instead, the ‘product category’ will be displayed (e.g. ‘savings account’).
Where can I see the data that I have consented for BOQ Specialist (the Data Holder) to provide?
Your bank’s Customer Dashboard will provide you with visibility of the account(s) that you have shared, the providers you have shared your data with (Accredited Data Recipients), and the last 4 digits of these accounts. Transaction data is not displayed.
Why can’t I see all accounts that I have with my bank (the Data Holder) in the dashboard?
Customer dashboards are consent focussed. If there is no consent associated with an account, it will not be displayed in the dashboard. Additionally, not all products and account types are currently in scope (e.g. Joint Accounts). These will become in scope at a later date.
Is there a mobile phone app available for the customer dashboard?
Currently the customer dashboard is browser based and optimised for mobile and desktop devices. At this stage, a dedicated mobile app is not planned.
Is the customer dashboard designed with accessibility in mind?
Yes. Screens within the dashboard have been designed to meet accessibility requirements in the Consumer Data Right (CDR) standards, including colours, fonts and resizeability, to make sure we are meeting the needs of as many of our customers as possible.