# Open Banking & Consumer Data Right (CDR)

## Overview

Open Banking in Australia is implemented through the Consumer Data Right (CDR) framework, which gives consumers the legal right to share their financial data with accredited third parties. It enables a new generation of financial services built on secure, standardised data sharing, without the consumer ever handing their banking credentials to the third party.
- Legislation: Consumer Data Right Act 2019
- Regulator: ACCC (Australian Competition and Consumer Commission) + OAIC (privacy)
- Standards body: Data Standards Body (DSB), managed by Treasury
- API standard: CDR API (based on OpenID Connect / OAuth 2.0 + REST/JSON)
- Banking go-live: July 2020 (major banks); expanded to all ADIs
## CDR Participants

| Role | Description | Examples |
|---|---|---|
| Data Holder (DH) | Bank that holds the customer's data | ANZ, CBA, NAB, Westpac |
| Accredited Data Recipient (ADR) | Third party that receives data with customer consent | Fintechs, accountants, comparison sites |
| Consumer | The bank customer who owns the data | Individual or business |
| ACCC | Accreditation authority; maintains ADR register | |
| CDR Register | ACCC-maintained registry of participants | |
## CDR Data Scope: Banking

### Phase 1: Product Reference Data (no consent needed)

Publicly available product information:

```
├── Account types available
├── Interest rates
├── Fees and charges
├── Features and eligibility
└── Available at CDR Register / Data Holder endpoints
```
### Phase 2: Consumer Account Data (consent required)

With consumer consent, ADRs can access:

```
├── Account information
│   ├── Account names and types
│   ├── BSB and account number
│   └── Account status
│
├── Transaction data
│   ├── Transaction history
│   ├── Merchant details
│   ├── Transaction amounts and dates
│   └── Running balance
│
├── Direct debit authorisations
└── Scheduled payments
```
## CDR Consent Flow

```
Consumer uses Third-Party App (ADR)
          │
          ▼
App requests consent:
  "Share your CBA transaction history for 90 days?"
          │
          ▼
Consumer redirected to their bank (Data Holder)
  (OAuth 2.0 Authorization Code flow)
          │
          ▼
Consumer authenticates at bank (existing credentials)
          │
          ▼
Consumer reviews and approves consent
  ├── Which accounts to share
  ├── What data to share
  ├── Duration of access
  └── One-time or ongoing
          │
          ▼
Bank issues access token to ADR
          │
          ▼
ADR calls CDR APIs with token
  GET /cdr-au/v1/banking/accounts
  GET /cdr-au/v1/banking/accounts/{id}/transactions
          │
          ▼
Bank returns data in CDR standard format (JSON)
```
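The redirect step above is an OAuth 2.0 Authorization Code request protected by PKCE (the CDR security table below lists PKCE as mandatory). The following is an added example of the ADR-side half of that exchange, not code from the page or from any CDR participant; the Data Holder authorize URL, the ADR redirect URI and the client id are constructed placeholders, and the real values come from the CDR Register.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: the real values come from the CDR Register
DATA_HOLDER_AUTHORIZE = "https://bank.example/oauth2/authorize"
ADR_REDIRECT_URI = "https://adr.example/cdr/callback"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_consent_request(client_id: str, scopes: list[str]) -> dict:
    """Build the redirect to the Data Holder; verifier, state and nonce stay server-side."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, never leaves the ADR
    state = secrets.token_urlsafe(16)           # ties the callback to this session
    nonce = secrets.token_urlsafe(16)           # ties the ID token to this request
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": ADR_REDIRECT_URI,
        "scope": " ".join(["openid"] + scopes),  # e.g. bank:transactions:read
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return {"redirect_url": f"{DATA_HOLDER_AUTHORIZE}?{urlencode(params)}",
            "code_verifier": verifier, "state": state, "nonce": nonce}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the callback's state matches the session."""
    query = parse_qs(urlparse(callback_url).query)
    got_state = query.get("state", [""])[0]
    if not (got_state.isascii() and secrets.compare_digest(got_state, expected_state)):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"data holder returned error: {query['error'][0]}")
    return query["code"][0]
```

The ADR then exchanges the returned code plus the stored `code_verifier` at the Data Holder's token endpoint; a verifier that never reached the browser is what makes an intercepted code useless.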
## CDR API Endpoints (Banking)

| Endpoint | Description |
|---|---|
| GET /banking/accounts | List consumer's accounts |
| GET /banking/accounts/balances | Account balances |
| GET /banking/accounts/{id}/transactions | Transaction history |
| GET /banking/accounts/{id}/direct-debits | Direct debit authorities |
| GET /banking/payees | Saved payees |
| GET /banking/payments/scheduled | Scheduled payments |
| GET /common/customer | Consumer identity details |
## CDR Data Standards: Transaction Object (JSON)

```json
{
  "accountId": "12345",
  "transactions": [
    {
      "transactionId": "TX-ABC-001",
      "isDetailAvailable": true,
      "type": "PAYMENT",
      "status": "POSTED",
      "description": "NPP Payment to Jane Smith",
      "postingDateTime": "2024-06-15T14:30:00+10:00",
      "valueDateTime": "2024-06-15T14:30:00+10:00",
      "amount": "-150.00",
      "currency": "AUD",
      "reference": "Invoice 12345",
      "merchantName": null,
      "merchantCategoryCode": null,
      "billerCode": null,
      "billerName": null,
      "crn": null
    }
  ]
}
```
## Consent Management

### Consent Lifecycle

- PENDING: Consumer redirected to bank for approval
- ACTIVE: Consumer approved; data can be accessed
- EXPIRED: Consent duration elapsed (e.g., 90 days max)
- REVOKED: Consumer revoked consent (via bank or ADR)
- WITHDRAWN: ADR withdrew (stopped using the data)
### Consumer Rights

- View all active consents in their banking app
- Revoke consent at any time (takes effect within 5 minutes)
- Consent expires automatically and must be renewed by the consumer
- Right to request deletion of the shared data
## CDR vs Open Banking (UK/EU)

| Feature | AU CDR | UK Open Banking | EU PSD2 |
|---|---|---|---|
| Scope | Read + write (future) | Read + payment initiation | Read + payment initiation |
| Regulator | ACCC + OAIC | FCA + CMA | EBA + national regulators |
| Standard | CDR API (FAPI) | Open Banking Standard | Berlin Group / NextGenPSD2 |
| Payment initiation | Planned (Action Initiation) | Live | Live |
| Liability regime | CDR Rules | Open Banking Rules | PSD2 |
## Action Initiation (CDR Phase 3: Future)

Australia is expanding CDR to include payment initiation (write actions).

Planned capabilities:

```
├── Initiate NPP payments via CDR API
├── Create/cancel direct debit authorities (PayTo)
├── Schedule payments
└── Account-to-account transfers
```

This would allow fintechs to initiate payments without the customer needing to use their bank's app.
## CDR Security Requirements
| Requirement | Standard |
|---|---|
| Authentication | FAPI 1.0 Advanced (OIDC + OAuth 2.0) |
| Token binding | PKCE (Proof Key for Code Exchange) |
| Transport | TLS 1.2+ |
| Certificate management | CDR Certificate Authority |
| Token lifetime | Access token: short-lived (minutes) |
| Refresh token | Up to 90 days |
## Java Spring Implementation (Data Holder)

```java
import static java.util.stream.Collectors.toList;
import static org.springframework.format.annotation.DateTimeFormat.ISO.DATE_TIME;

import java.time.OffsetDateTime;
import java.util.List;
import org.springframework.format.annotation.DateTimeFormat;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/cdr-au/v1/banking")
@RequiresConsent // Custom annotation: rejects calls that lack an ACTIVE CDR consent
public class CdrBankingController {

    // Application-specific collaborators, injected by Spring through the constructor
    private final AccountService accountService;
    private final TransactionService transactionService;
    private final ConsentValidator consentValidator;
    private final CdrMapper cdrMapper;

    public CdrBankingController(AccountService accountService,
                                TransactionService transactionService,
                                ConsentValidator consentValidator,
                                CdrMapper cdrMapper) {
        this.accountService = accountService;
        this.transactionService = transactionService;
        this.consentValidator = consentValidator;
        this.cdrMapper = cdrMapper;
    }

    @GetMapping("/accounts")
    public ResponseEntity<AccountListResponse> getAccounts(
            @AuthenticationPrincipal CdrConsumerPrincipal consumer,
            @RequestParam(required = false) OpenStatus openStatus) {
        // The service is expected to return only the accounts covered by this consumer's consent
        List<Account> accounts = accountService
                .getAccountsForConsumer(consumer.getCustomerId(), openStatus);
        return ResponseEntity.ok(
                AccountListResponse.builder()
                        .data(accounts.stream()
                                .map(cdrMapper::toAccountDetail)
                                .collect(toList()))
                        .links(buildLinks())   // CDR response envelope helpers (not shown here)
                        .meta(buildMeta(accounts.size()))
                        .build());
    }

    @GetMapping("/accounts/{accountId}/transactions")
    public ResponseEntity<TransactionListResponse> getTransactions(
            @PathVariable String accountId,
            @AuthenticationPrincipal CdrConsumerPrincipal consumer,
            @RequestParam @DateTimeFormat(iso = DATE_TIME) OffsetDateTime newestTime,
            @RequestParam @DateTimeFormat(iso = DATE_TIME) OffsetDateTime oldestTime) {
        // Object-level check: the token alone is not enough, the consent must name this account
        consentValidator.validateAccountAccess(consumer, accountId);
        List<Transaction> txns = transactionService
                .getTransactions(accountId, oldestTime, newestTime);
        return ResponseEntity.ok(
                TransactionListResponse.builder()
                        .data(txns.stream().map(cdrMapper::toTransactionDetail).toList())
                        .links(buildPaginatedLinks())
                        .meta(buildMeta(txns.size()))
                        .build());
    }
}
```
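The `consentValidator.validateAccountAccess` call is the check that matters most on the Data Holder side: an access token proves who the consumer is, not which accounts they agreed to share. The following is an added, stand-alone Python version of that check (not the page's Spring code) that also applies the lifecycle rules from the Consent Management section: the 90-day cap, expiry derived from the grant time rather than a stored flag, and revocation. The consent id, customer id, account ids and dates are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet

MAX_CONSENT_DURATION = timedelta(days=90)  # maximum consent duration stated above

class ConsentError(Exception):
    """Request is not backed by an ACTIVE consent that covers the account."""

@dataclass
class Consent:
    consent_id: str
    customer_id: str
    account_ids: FrozenSet[str]   # accounts the consumer chose to share
    granted_at: datetime
    duration: timedelta           # what the ADR asked for
    status: str = "ACTIVE"        # PENDING / ACTIVE / EXPIRED / REVOKED / WITHDRAWN

    def expires_at(self) -> datetime:
        return self.granted_at + min(self.duration, MAX_CONSENT_DURATION)  # hard 90-day cap

    def effective_status(self, now: datetime) -> str:
        # Derive the state at `now`; a stale stored status must not keep data flowing
        if self.status == "ACTIVE" and now >= self.expires_at():
            return "EXPIRED"
        return self.status

    def revoke(self) -> None:
        self.status = "REVOKED"   # immediate: no further data requests are honoured

def validate_account_access(consent: Consent, token_customer_id: str,
                            account_id: str, now: datetime) -> None:
    """Object-level authorisation: the bearer token alone never grants an account."""
    if consent.customer_id != token_customer_id:
        raise ConsentError("consent does not belong to the authenticated consumer")
    status = consent.effective_status(now)
    if status != "ACTIVE":
        raise ConsentError(f"consent {consent.consent_id} is {status}, not ACTIVE")
    if account_id not in consent.account_ids:
        raise ConsentError("account not covered by this consent")  # same error either way

# Constructed sample: one shared account; the ADR asked for a year, CDR caps it at 90 days
SAMPLE = Consent("consent-001", "cust-42", frozenset({"acct-1"}),
                 datetime(2024, 6, 1, tzinfo=timezone.utc), timedelta(days=365))

def at(days: int) -> datetime:
    return SAMPLE.granted_at + timedelta(days=days)  # instant `days` after the grant
```

Returning the same error for a non-consented account and for another customer's account keeps the endpoint from confirming which account ids exist.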
## Related Concepts

- account_types.md: Account types exposed via CDR
- npp.md: NPP PayTo is the CDR payment initiation mechanism
- direct_debit.md: CDR will include direct debit authority APIs
- fis.md: Data Holders are ADIs (financial institutions)
- aml_kyc.md: Data sharing must respect AML/privacy obligations