Under the CDR regulations, banks are required to share data when an eligible consumer provides consent. The ability to provide consent varies depending on the type of consumer.
First, let's go through who are eligible consumers based under CDR:
Only Individuals over 18 are eligible consumers. Accounts owned by minors are not considered eligible, but a secondary user appointed by the account owner may be able to share data on their behalf.
The consumer must have at least one open account with the bank to be considered eligible. While closed accounts are typically not required to be shared, some banks may allow customers with closed accounts to consent to data sharing.
Eligible consumers must have enrolled or registered for online access through a digital platform, such as a website or mobile app. Consumers who have not registered for online access cannot share their data. All accounts, including closed or "offline" accounts, should be available for sharing, even if not accessible through the bank's online platform.
Here are the different types of users recognised by CDR regulations that can give consent to share bank data:
Individual: An individual account owner can share their bank data with Accredited Data Recipients (ADRs) like SISS. The ability to share data is typically enabled by default for individual account owners.
Joint: In the case of joint accounts owned by multiple individuals, any joint account owner can give consent. Banks may have functionality to configure data sharing permissions for joint accounts.
Nominated Representative: This category applies to non-individual account owners such as companies, trusts, SMSFs, and corporate partnerships. Banks may consider all "business" accounts as nominated representatives. The nominated representative is responsible for sharing data, and banks may require a nomination process to enable consent from authorised users.
Secondary Users: Some banks allow account owners to grant specific functionality to external parties, such as bookkeepers, accountants, or lawyers. CDR regulations require banks to allow account owners to authorise secondary users to give consent for data sharing with ADRs. Enabling this role for secondary users typically involves following the bank's process, such as accessing the online portal, submitting a form, or visiting a local branch.
It's important for account owners to understand their bank's specific processes and requirements for enabling data sharing consent based on their account type.