Introduction
I would like to acknowledge the Gadigal people of the Eora Nation as the traditional custodians of the land on which we gather today.
I pay my respects to their Elders past and present, and I acknowledge any First Nations Australians in attendance.
Thank you to Diane, Melinda and the team at CEDA for the opportunity to share some remarks.
The digitisation of the economy has fundamentally changed our world.
It has brought with it tremendous benefits.
We can make retail purchases from a broad selection of goods in a global marketplace.
Financial transactions are done almost exclusively online at a time and place of convenience.
And we transmit information and communication across the world in an instant.
While the productivity and trade benefits have lifted standards of living, the digital economy also brings with it new risks.
Data is the indispensable commodity of the digital economy.
But consumers need to be able to trust that government and business will protect their data and keep it secure.
There is a whole‑of‑government effort to ensure that consumers get the benefits that come from the digital economy – while ensuring that the rails of modern commerce are safe and secure.
Privacy concerns are front of mind for Australians given episodes of cybercrime, data breaches, frauds and scams.
Which is why we are looking at the way businesses store data.
What data they collect –
Why they collect it –
And how/how long they store it.
The review of the Privacy Act seeks to bring it into the digital age.
It will bring higher standards on business to ensure they are keeping customers’ data safe.
Our Digital ID System establishes a safe, simple and secure means for how consumers verify their identity.
It will also reduce the quantity of data that businesses and government need to hold on Australians.
Our National Cyber Security Strategy is helping to strengthen our whole‑of‑economy cyber resilience, and improving our defences against cybercriminals.
We are modernising the regulation payments system.
So that it is safe and trusted.
And drives innovation and productivity.
We are building stronger defences against the criminals scamming Australians billions of dollars.
All of these initiatives are designed to ensure that there is trust in our digital infrastructure.
And that Australians earn more and keep more of what they earn.
The value of consumer data
Protecting the privacy of consumers’ data is core economic policy.
But it is only half the job.
The other half is ensuring consumers benefit.
Unlocking the value of consumers’ data for their benefit.
There are 3 clear benefits:
- It can drive competition
- Foster innovation to deliver better goods and services for consumers, and
- Streamline time‑consuming processes.
Businesses have been quick to recognise the value of consumer data.
As they tailor their offerings and market strategies based on the information they receive.
But consumers haven’t realised the same value yet.
Even though they are the ones creating the data source.
This hinders competition and protects the status quo.
It restricts the ability for innovative businesses to create competitive choice for consumers.
And it leads to worse outcomes for consumers.
The state of play in the consumer data right
I want to say from the outset that the Albanese government believes in the right of consumers to access and unlock the value of their data.
The CDR was supposed to deliver this. It hasn’t.
CDR Products in use and under development
It is pleasing that there are already promising industry‑led products and use cases under development that are drawing on the CDR which are benefiting consumers.
Financial counsellors are piloting using the CDR to pull together a complete picture of their clients’ financial positions quickly and easily.
WeMoney is helping Australians pay down their debts faster by offering a holistic view of their finances.
It’s encouraging to see early strides in lending, particularly around home loans.
Some banks are integrating the CDR into their digital home loans, making the loan application or refinancing process quicker and easier.
This is reducing unnecessary friction and helping Australians find better deals to support home ownership.
With the CDR now implemented in the energy sector, there is an untapped potential to deliver better outcomes for consumers.
Shopping around currently requires an investment of time and research.
Innovative companies are starting to leverage a consumer’s data through the CDR to make it quick and easy to switch to a better deal.
This will be particularly valuable in areas of non‑discretionary spending to ease cost‑of‑living pressures.
As good and beneficial to consumers that these products and use cases are – we need to do much more to justify the substantial public and private investment in the CDR.
The CDR has the potential to be a transformational piece of economic reform and drive better outcomes for consumers.
However, the design of the CDR established by the previous government is not delivering.
It’s a good idea, badly executed.
Four things are obvious:
- The regulatory burden and compliance costs are too high.
- The innovation has not come forward – businesses are not incentivised to use CDR data for key use cases like lending and energy switching.
- Restrictions on using and holding CDR data is a barrier to uptake.
- The consumer take‑up has been low.
You can’t look at these outcomes and think that if we do more of the same, we’ll get a different outcome – we won’t.
There have been lots of claims flying around about all of this.
I wanted independent information.
Understanding the challenges of CDR
I commissioned an independent review of CDR compliance costs by Heidi Richards.
Her report – which I am releasing today – found that the compliance costs of implementing the CDR on its current track are substantial.
The costs massively exceed original estimates.
There is an acute burden for small customer-owned banks – particularly in the ongoing investment required into compliance costs for standards and rules changes.
I wanted to know what was driving the costs and whether these drivers were avoidable.
The Richards’ report found scope of products and regular changes to data standards, were huge drivers.
Ms Richards noted in her report that ‘the data standards development process lacked a commercial focus, transparency and industry collaboration’.
And ‘implementation issues are not given adequate consideration, which have led to impractical changes and unnecessary costs’.
Ms Richards also confirmed low uptake of the CDR.
Clearly CDR is not the data‑sharing platform of choice for businesses.
This means screen scraping – with all its potential consumer harms – has continued to be used.
Ms Richards also identifies concerns that the scope of the CDR is too broad and imposes costly obligations to share data of limited value. For example, I am not sure how many CDR data requests there will be for wholesale bailment loan account information.
High costs – low uptake.
In addition to commissioning Ms Richards, I directed Treasury to undertake a consultation on screen scraping practices and whether the current CDR offering was a viable alternative.
Treasury consulted with stakeholders across industry to identify improvements and areas of focus.
Through this work, I asked Treasury to provide a strategic assessment of the way forward for the CDR.
More needs to be done to refocus the CDR to deliver the greatest benefits to consumers and rein in costs.
Which means we need to prioritise high value use cases as the ecosystem matures.
From the work of Ms Richards and Treasury, we have a clear set of actions to deploy that will enable the CDR to deliver for consumers.
The future direction of CDR – reducing compliance costs
So, to achieve the benefits that the CDR offers to consumers, we need a reset.
And today I am announcing the key elements of that reset.
We will reduce the obvious problems that are driving costs and limiting take‑up of the CDR.
We will change the consent and operational rules to streamline the consent process for consumers.
This will enable consumers to provide multiple consents in a single action.
We will also improve the experience for small businesses.
The feedback we have heard is that data holders – often the banks – have made it difficult for businesses to access their own data.
Which means they cannot access the benefits of the CDR, even when they want to.
So, we will make it an obligation on these data holders to provide a simple process for businesses to be able to access their data.
And we will also make it easier for banks to use data shared via the CDR, in recognition that banks handle this type of data every day.
The draft rules and explanatory memorandum on the proposed changes is being released for consultation by Treasury this morning.
There will also be a more structured and consultative approach for making standards changes.
Changes to the standards should, as recommended in the Richards’ review –
- Be limited to a small, fixed number of scheduled releases per year.
- Include longer lead times for industry.
- Include explicit cost and regulatory impact consideration.
- And follow a clear, transparent prioritisation process.
I have written to the Data Standards Chair outlining these expectations. Standards changes must consider:
- The benefits for consumers.
- The cost and regulatory impact on participants balanced against the consumer outcome.
- And provide sufficient lead times to participants.
They also need to be changed in collaboration and consultation with other CDR agencies and stakeholders.
A good example of the changes being implemented by the Data Standards Body is the new Standards Assessment Framework which was finalised by them this week.
The new framework will formalise how changes are assessed using the 4 key criteria of consumer benefit, customer take up, cost and regulatory impact and keeping the system safe and secure.
The framework has been developed in consultation with industry and the Data Standards Advisory Committee.
The framework will be implemented in coming weeks by the Data Standards Body.
We also will reduce costs on participants by focussing the scope of the CDR.
I have asked Treasury to examine the impact of narrowing the data included in the CDR –
Such as removing products never likely to be used.
This will remove unnecessary costs on businesses to hold and maintain a CDR enabled repository of shareable data that is highly unlikely to be used.
The future direction of the CDR – increasing uptake
It is also clear that we need to ensure the CDR is consumer‑focused and delivering genuine value.
There are investment costs for businesses engaging with the CDR.
So we need to avoid spending time on areas where the costs outweigh the benefits and demand of consumers.
Use cases that are the highest priority are:
- Consumer finance and borrowing.
- Energy switching.
- And accounting services to small businesses.
However, uptake overall remains low and slow.
This is why I want to focus on unlocking use cases that consumers want and find valuable.
We continue to encourage industry to bring forward specific use cases. We will assess where obstacles exist within the framework and rules.
I have asked Treasury to assess framework changes that could be made in 2025 to reduce costs and facilitate high value use cases.
Industry can support this work by identifying barriers to adoption.
Our approach moving forward will also emphasise the role of experimentation and evaluation.
The Data Standards Body will conduct experiments that explore how potential use cases can operate under the existing data sharing framework.
And identify where changes can enable uptake.
These experiments will map out the potential use cases from concept through to delivery for consumers.
This means collaborating with industry to identify pain‑points and solutions.
It will ensure we understand the costs and benefits of potential interventions before we make any changes to the system.
And help us to identify high value use cases.
We want to embed good processes now so that the expansion of the CDR builds on the lessons learnt to date.
The CDR will expand to non‑bank lending data early in the new year with the intent to be operational by the middle of 2026.
This will provide non‑bank lenders with a sufficient transition period.
This new data will play an important part in developing valuable use cases in the financial services sector.
Treasury is finalising consultation with industry now to ensure the rollout is effective.
I know there has been a lot of interest in the Action Initiation Bill currently in the Senate.
It is important to note that this Bill does not identify nor enable types of actions under the CDR.
It is simply the first step.
After passage of the Bill, further work will be required before we determine what actions have value.
I will ensure that digital modernisations that the government is implementing such as Digital ID and our payment system modernisations are utilised in conjunction with CDR – not replicated under any CDR specific action initiation.
I will also ensure that we do not undermine ANY enhancements and protections that have been put in place by the banking system to protect consumers from scams and fraud.
The experiments of the Data Standards Body will inform any potential action types under the action initiation.
Declaring any action types in the CDR requires getting the existing CDR framework on more sustainable footing.
And embedding the necessary rules and standards to support action initiation, while maintaining strong consumer protections and understanding the cost and regulatory impact on data holders.
The foundations must be right before we ask CDR participants to invest further.
The future direction of the CDR – ensuring safety for consumers
Consumers need to be able to trust that it will be safe and secure.
And we will seek to build on the common elements of our approach to the Privacy Act and the Digital ID.
To ensure a consistency of approach.
And help consumers realise the benefits safely.
I also want to make clear that industry needs to move away from screen scraping.
By backing in the CDR, the government is sending a strong signal that this should be the system of choice.
Industry can do better than screen scraping.
It is fundamentally unsafe.
I have asked Treasury to advise me over the next 12 months on a way forward for a full and formal ban of screen scraping.
If businesses continue to ask consumers to share their bank passwords, putting them in harm’s way, it is only a matter of time before it has a severe consequence.
We all have a stake in maintaining the benefits of the digital economy.
However, that requires consumers to have trust that their valuable data will be transmitted and stored safely.
I cannot stand by while consumers are being put in danger.
Conclusion
Because ultimately it is consumers that I am focused on.
I recognise that the implementation of the CDR by my predecessors was poorly executed.
Costs are high. Uptake is low.
It’s a good idea, poorly executed.
And so we need to reset.
We need to be purposeful and focus our efforts where we know there is consumer benefit.
The government believes in the CDR and the opportunities it offers to drive greater competition in our economy, protect user data, and foster innovation that benefits consumers.
Resetting requires commitment from government, which I have outlined today, providing a clear path forward for industry.