Disruption in Banking & Finance roundtable – CDR and GDPR

Europe has particularly stringent requirements to protect consumer data at a time when we’re seeing even more attacks and instances where data is being exposed. In Europe, they implemented GDPR a few years back to really legislate and enshrine data security requirements and some hefty fines, if not followed. Here in Australia, we’ve seen CDR, Consumer Data Right, really start to open up open banking. We’re a little bit silent on the rights of customers. The important issue here is consumer trust. Will they trust sharing their data?


Open banking for me is, I put my telco and security hat on and it’s very much like porting over a SIM from say Vodafone to Telstra. There is a point where there is a no man’s land: who is actually responsible for that piece of data? So, if I put that hat on and we have a hyper-connected data control plane that sits across and controls that and regulates that. Now, my concern with open banking is there are challenges with that. Give for instance something similar which would be crypto. It is an entity that holds funds; however, it’s very limited regulation. So, we’ve seen that trust has waned, people have withdrawn funds. So, if open banking were to succeed, it does need some stringent regulations around it to protect the data and the data sovereignty of the consumer but also to highlight who exactly is accountable when information is being transferred from one bank to the other.


On consumer trust. So, I think going back to when Scott Farrell was doing the consultation process, this is late 2017, evolved into the CDR when the ACCC was looking at ways on how they’re going to govern and control open banking, and again, taking lessons learned from the UK. I think the approach that the CDR took was really based on building consumer trust. It took very much a consumer lens, but also a principle-focused approach to this new regime. Trust is fairly complicated, but you can kind of break it down into maybe three things. There’s consumer trust that the system is secure. There’s consumer trust that the law will protect them if something was to go wrong, such as there’s a data breach. And also consumer trust that the third parties will deliver safe, fair, and high-quality products and services to those consumers as well. So, if you kind of look back at some of those points, trust that the system is secure, the CDR, they’ve built a really robust, secure network to control it with the central registry system, heart security standards that control that ecosystem as well. But it doesn’t just stop there. If you think about to become an accredited data recipient as well, they have to demonstrate that they have all controls in place to ensure that they have a safe working environment. And it’s not very easy to get those certifications as well. Looking at the next points that the law will protect them, we’ve all seen the Optus breach. And I think there’s definitely a big crackdown on the misuse of data. So, I think there’s definitely a lot of regulation that’s coming into force, serious penalties for organisations that are breaching those policies as well. So, I think there will be a lot of, there’s obviously consumers that it hasn’t worked in favour with the Optus breach, but I think what the government’s doing at the moment around penalising organisations is definitely the right step.
And yeah, I think that, as Peter was saying earlier, it’s still an evolving space. I think there’s still a lot to be done in the space. I think action initiation is going to be fairly big as well. That’s opened up to a whole new set of use cases as well. Some of that’s payment initiation in the UK. Is that going to…what are things going to look like when we have action initiation because now we’re actually instructing banks to kinda … behalf, which also could be a concern to consumers. But again, I think it’s the training that really needs to be centred around that for consumers to really build trust around the system.


Liberty IT Consulting Group
ABN: 83 614 846 098