<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
     xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    >
    <channel>
        <title>AdviserVoiceConsumer Data Right - adviser consumer protection - opportunities and obligations in a post-Optus world - AdviserVoice</title>
        <atom:link href="https://www.adviservoice.com.au/2022/10/cpd-consumer-data-right-adviser-consumer-protection-opportunities-and-obligations-in-a-post-optus-world/feed/" rel="self" type="application/rss+xml" />
        <link>https://www.adviservoice.com.au/2022/10/cpd-consumer-data-right-adviser-consumer-protection-opportunities-and-obligations-in-a-post-optus-world/</link>
        <description>Financial planner information &#38; financial planner education/CPD - AdviserVoice</description>
        <lastBuildDate>Thu, 04 Jun 2026 21:30:42 +0000</lastBuildDate>
        <language>en-US</language>
        <sy:updatePeriod>hourly</sy:updatePeriod>
        <sy:updateFrequency>1</sy:updateFrequency>
        <generator>https://wordpress.org/?v=7.0</generator>
                    <item>
                <title>Consumer Data Right &#8211; adviser consumer protection &#8211; opportunities and obligations in a post-Optus world</title>
                <link>https://www.adviservoice.com.au/2022/10/cpd-consumer-data-right-adviser-consumer-protection-opportunities-and-obligations-in-a-post-optus-world/</link>
                <comments>https://www.adviservoice.com.au/2022/10/cpd-consumer-data-right-adviser-consumer-protection-opportunities-and-obligations-in-a-post-optus-world/#respond</comments>
                <pubDate>Tue, 11 Oct 2022 21:00:09 +0000</pubDate>
                <dc:creator>
                                    </dc:creator>
                		<category><![CDATA[Best Practice]]></category>
                <guid isPermaLink="false">https://www.adviservoice.com.au/?p=85264</guid>
                                    <description><![CDATA[<div id="attachment_85269" style="width: 660px" class="wp-caption alignleft"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-85269" class="size-full wp-image-85269" src="https://www.adviservoice.com.au/wp-content/uploads/2022/10/data-650.png" alt="" width="650" height="350" srcset="https://www.adviservoice.com.au/wp-content/uploads/2022/10/data-650.png 650w, https://www.adviservoice.com.au/wp-content/uploads/2022/10/data-650-300x162.png 300w" sizes="(max-width: 650px) 100vw, 650px" /><p id="caption-attachment-85269" class="wp-caption-text">The Consumer Data Right framework promises to be a gamechanger for financial services.</p></div>
<h3>Once described as “the first new human right for the digital age”<sup>[1]</sup>, the Consumer Data Right (CDR) is an economy-wide reform, officially launched in July 2020 and intended to give consumers more control over their data, enabling them to access and share their data with accredited third parties in order to:</h3>
<ul>
<li>compare products and services</li>
<li>access better value and improved services</li>
<li>assist financial and cashflow management.</li>
</ul>
<p>As well as giving consumers more power in the use of their data, the CDR has been hailed as a potential game changer, capable of driving significant efficiencies and innovation.</p>
<p>Financial services was the first sector to roll out the CDR (with energy companies and telcos to follow), and there was certainly a great sense of anticipation amongst many participants – including financial advice providers – about the opportunities that the CDR presented.</p>
<p>However, according to some sources, adoption by financial advisers has, to date, been lower than expected, perhaps driven by low awareness amongst both consumers and financial advisers.</p>
<p>And now, following the Optus data breach, that inertia may be compounded by reluctance, as both consumers and businesses re-assess their behaviours and practices with regards to the provision and protection of their valuable data.</p>
<p>In this article, we will look at the CDR through the lens of recent cyber incidents, with the intent to provide advisers an overview of CDR opportunities and practicalities, as well as a timely reminder of obligations with regards to data collection, retention, and protection.</p>
<h2>Background to the Consumer Data Right</h2>
<p>The Consumer Data Right (CDR) was introduced in response to several government reviews.</p>
<p>The Murray, Harper, Coleman and Finkel inquiries all recommended that Australia develop a right and standards for consumers to access and transfer their information in a usable format. This was given a formal focus following a 2017 report by the Productivity Commission, which recommended the creation of an economy-wide ‘comprehensive data right’<sup>[2]</sup>.</p>
<p>After several delays, legislation brought the CDR into effect as part of the Open Banking regime in February 2020, kicking off a phased implementation that started with major banks and will eventually extend to other sectors including energy (gas and electricity) in November 2022, followed by telecommunications<sup>[3]</sup>.</p>
<p>In early 2022 the then Federal Government announced the broader finance sector (including insurance, superannuation and non-bank lenders) would be the ‘fourth cab off the rank’ for CDR<sup>[4]</sup>. Other sectors are yet to be announced.</p>
<h2>How does CDR work?</h2>
<p>The CDR is an opt-in system, under which consumers can authorise their service provider in a particular sector to share their data with other authorised parties.</p>
<p>Initially constructed as a data sharing framework, the CDR was expanded in early 2022 through the addition of an ‘action initiation’ power<sup>[5]</sup>, allowing accredited data recipients to both read and act on data, with their customer’s consent.</p>
<p>This effectively empowers consumers and small businesses to take their data‑sharing rights one step further by initiating actions like opening and closing accounts, making payments, and applying for services. The convenience and efficiency benefits are obvious, especially in the context of products like mortgages, with lengthy and complex application processes.</p>
<h2>Protecting consumers – through accredited recipients and ‘trusted advisers’</h2>
<p>In order to protect consumers, these other parties must satisfy certain criteria, being either an ‘accredited data recipient’ or a ‘trusted adviser’.</p>
<p>An &#8216;Accredited Data Recipient&#8217; (ADR) must meet rigorous privacy and data security requirements specified under the CDR rules. A common example of an ADR is an online accounting software provider.</p>
<p>Financial Advisers can apply to become ADRs via the process set out at the CDR website<sup>[6]</sup>.</p>
<p>Initially, ADRs were the only bodies to whom consumers could authorise data transfer. However, in an effort to facilitate greater participation in the CDR regime, the scheme was extended<sup>[7]</sup> to allow accredited data recipients to on-share consumer data with certain ‘<em>trusted advisers</em>’ from 1 February 2022.</p>
<h2>Trusted advisers</h2>
<p>Trusted advisers under CDR rules must belong to a specified profession. These currently include:</p>
<ul>
<li>financial advisers</li>
<li>mortgage brokers</li>
<li>qualified accountants</li>
<li>lawyers</li>
<li>registered tax agents and tax (financial) advisers</li>
<li>financial counsellors.</li>
</ul>
<h2>Obligations on ADRs and trusted advisers</h2>
<p>An accredited data recipient must take reasonable steps to confirm that a nominated trusted adviser is a member of one of the professions listed above. Such steps could include searching publicly available registers (such as the Financial Adviser Register) or asking an adviser to provide proof they are a registered member of the profession.</p>
<p>Whilst ADRs are subject to strict guidelines and reporting requirements in relation to the receipt, holding and transfer of consumer data, trusted advisers do not need to be accredited by the ACCC and are not subject to the CDR laws<sup>[8]</sup>. However, your existing regulatory obligations and relevant professional standards as a financial adviser will continue to apply when you access CDR data.</p>
<p>These include:</p>
<ul>
<li><strong>Privacy and data breach reporting requirements:</strong> as CDR data will generally be ‘personal information’, advisers must comply with requirements under the Australian Privacy Principles relating to the collection, use, disclosure, and security of that personal information</li>
<li><strong>Requirements related to providing advice and record keeping:</strong> including the duty to act in your client’s best interests, record keeping (FASEA Standard 8) and professional association guidelines (e.g., the FPA requirements around document administration and confidentiality)</li>
<li><strong>General conduct obligations:</strong> financial services licensees will still need to comply with their general conduct obligations including those related to training and competence of representatives, conflicts of interest, risk management, and dispute resolution</li>
<li><strong>General consumer law obligations:</strong> including those governing misleading and deceptive conduct and unfair contract terms.</li>
</ul>
<h2>Benefits to advisers</h2>
<p>Although banking is the only sector that is currently ‘open’, it is one of the most important from a financial advice perspective, with information about cashflow, spending and saving being fundamental inputs into the advice process. Information gathering processes that are currently manual, whether at onboarding or on an ongoing basis, can now be automated.</p>
<p>A small number of advisers were quick to seek ADR status, citing benefits in both the client engagement process, “being able to have deeper and more valuable conversations about cash flow and goals”<sup>[9]</sup>, and in the richness of the data and the insights it could provide.</p>
<p>A more recent example can be seen in the partnership between Lumiant and Envestnet|Yodlee, in which Lumiant will become the first company to leverage Envestnet|Yodlee&#8217;s Consumer Data Right (CDR) accreditation to power their Your Wealth module.</p>
<p>The new integration will power Lumiant&#8217;s financial data collection and aggregation, allowing clients and financial professionals to see the overall net worth of a household in one place.</p>
<p>Rather than clients having to provide their financial details and balances using manual data entry forms, advisers can now collect this information directly from their client&#8217;s financial institutions, reducing the time spent meeting Know Your Customer requirements.</p>
<p>According to the media release announcing the partnership, &#8220;clients simply connect their financial institutions to their financial plan and seamlessly share their information with their adviser”<sup>[10]</sup>.</p>
<p>Recognising that the cost and value proposition of advice are common pain points for non-advised consumers, the FPA included a section on CDR in its submission<sup>[11]</sup> to the Quality of Advice Review (QAR). But, notwithstanding these benefits, overall take up by advisers has been slow.</p>
<h2>Slow take-up by financial advisers</h2>
<p>More than 2 years after the CDR was first launched, some industry observers, including EY Oceania Partner Andrew Parton, believe advisers as a whole are not leveraging the benefits of the data sharing framework.</p>
<p>Telling Professional Planner magazine there was absolutely no reason financial planners shouldn’t be thinking about becoming an ADR, Parton said: “are advisers taking advantage of it? Not that I’ve seen in the market at the moment. Should they be? I think so.”<sup>[12]</sup></p>
<p>“Having a look at the breadth of [financial advisers] could access from their customers and the potential that would give them, there’s a whole bunch of benefits – there’s quite a lot of discovery and data required in financial planning.”</p>
<h2>Will the Optus incident see inertia be compounded by reluctance?</h2>
<p>The Optus data breach of September 2022, which saw the personal data of nearly half the Australian population compromised by a hacker, is clearly a watershed moment for Australian individuals, businesses, and governments alike.</p>
<p>Amongst the potential responses immediately flagged by the Federal Government were a significant increase in fines for this type of data breach, changes to privacy measures, and a requirement for banks and other institutions to be informed earlier of the occurrence of data breaches in order to prevent compromised personal data being used to access bank accounts<sup>[13]</sup>.</p>
<p>But whilst the sheer magnitude of the breach guarantees a sense of notoriety, cyber incidents involving personal data are nothing new and should not come as a surprise. There have been plenty of other wake-up calls, many in the last year alone, and some particularly close to home for financial advisers.</p>
<p>The RI Advice case, known to most advisers, was commenced by ASIC in 2020 and concluded in May 2022. Following numerous cyber incidents &#8211; including one in which a cybercriminal gained unauthorised access to the servers of an RI practice and remained logged on to those servers for close to a week &#8211; a settlement was reached, under which RI Advice was ordered to conduct a cybersecurity audit and contribute $750,000 towards ASIC’s costs<sup>[14]</sup> (a fraction of the penalty that could have been imposed).</p>
<h2>For advisers, personal and sensitive data is essential to doing business</h2>
<p>The whole topic of cybercrime is complex and challenging, and for some, even overwhelming. Cyber incidents continue to rise in number (67,500 incidents were reported in Australia in FY 21, a 13% annual increase<sup>[15]</sup>) and sophistication (as a recent ABC News report into overseas based SMSF scammers reinforces<sup>[16]</sup>). But for financial advisers, the collection, storage, and transfer of personal and sensitive client data is an essential part of doing business and can’t be avoided.</p>
<p>In terms of data retention, one of the most widely debated issues in the whole Optus case, financial advisers are subject to strict and lengthy data retention requirements (many of which are to satisfy Anti Money Laundering legislation).</p>
<p>ASIC Class Order (CO 14/923)<sup>[17]</sup> requires that specified records are</p>
<ul>
<li>kept for 7 years after the day the personal advice was provided to the client, and</li>
<li>accessible by the licensee at all times during that period in a way that enables the licensee to produce the records.</li>
</ul>
<p>This obligation continues to apply even if the financial services licensee ceases to be a financial services licensee during the period that the records are required to be kept and accessible. From an adviser perspective, this applies even if advisers change licensees, or leave the industry altogether.</p>
<p>Furthermore, the digitalisation of most aspects of our lives is irreversible. Relying on paper files and a locked filing cabinet as a defence against cybercrime is not a realistic or viable strategy.</p>
<h2>Advisers have no options but to strengthen their cybersecurity game</h2>
<p>Australian financial services businesses are key targets for data breaches, as the client, staff and commercial records held (including account details, tax and payroll data, passwords, and other sensitive personal information) can be used to commit a variety of crimes, including tax fraud, identity theft and superannuation related frauds.</p>
<p>Small to medium businesses, many of which lack sophisticated cyber protection resources, are especially frequent targets. One survey<sup>[18]</sup> of businesses by the Australian Cyber Security Centre found that half of sole traders/microbusinesses &#8211; and a staggering three quarters of small to medium sized businesses &#8211; had suffered a cyber incident at some point.</p>
<p>The good news is that there are practical steps even small advice firms can take to protect client data and build the cyber resilience of their business. These include:</p>
<h3>1. Back up your data</h3>
<p>It’s essential that you back up your most important data and information regularly. Fortunately, backing up doesn’t generally cost much and is easy to do.</p>
<p>It’s a good idea to use multiple back-up methods to help ensure the safety of your important files.</p>
<h3>2. Secure your devices and network</h3>
<p>Set up firewalls, use anti-virus software and spam filters. Consider vulnerability points with any external systems and vendors you are connected to, including platforms. Keep these protections up to date.</p>
<h3>3. Encrypt important information</h3>
<p>You can turn on network encryption through your router settings. Avoid using public networks. If you or your staff work from home, ensure home routers are password protected, and not with the default ‘admin’ password most come with out of the box.</p>
<h3>4. Ensure you use multi-factor authentication (MFA)</h3>
<p>Multi-factor authentication (MFA) is a security verification process that requires you to provide two or more proofs of your identity before you can access your account. For example, a system will require a password and a code sent to your mobile device before access is granted. Multi-factor authentication adds an additional layer of security to make it harder for attackers to gain access to your device or online accounts.</p>
<p>Multi factor authentication can be added to most of the hardware commonly used by advisers, including phones, laptops, Microsoft services and social media.</p>
<p>The Australian Cyber Security Centre<sup>[19]</sup> has step by step instructions on how to use MFA across the following:</p>
<ul>
<li>Apple ID</li>
<li>Gmail and Google</li>
<li>Microsoft accounts</li>
<li>Facebook and Facebook Messenger</li>
<li>LinkedIn</li>
<li>WhatsApp</li>
<li>Instagram.</li>
</ul>
<h3>5. Manage passphrases</h3>
<p>At a recent industry event, cybersecurity specialist Michael Connory showed how most advice practices could be hacked in half an hour. One of his key points was that many employees still have weak passwords.</p>
<p>“They’ve got five different versions of the same password. Somebody you love, your partner, your football team, your favourite food, a date,” he said. “If it has to have a capital letter it’s first and if it has to have a special character it will be an exclamation point at the end. Pretty easy to be able to guess.”<sup>[20]</sup></p>
<p>Passphrases – rather than passwords &#8211; can be easier to remember but harder for criminals to crack.</p>
<h3>6. Monitor use of computer equipment and systems</h3>
<p>Keep a record of all the computer equipment and software that your business uses. Make sure they are secured to prevent unauthorised access.</p>
<h3>7. Put policies in place to guide your staff and train them how to be safe online</h3>
<p>A cyber security policy helps your staff to understand their responsibilities and what is acceptable when they use or share:</p>
<ul>
<li>data</li>
<li>computers and devices</li>
<li>emails</li>
<li>internet sites.</li>
</ul>
<h3>8. Get updates on the latest risks</h3>
<p>Keep up with the latest scams and security risks to your business. The Australian Cyber Security Centre (ACSC) provides up-to-date information on cyber security issues and how to deal with them.</p>
<h2><strong>Insurance and recovery plans</strong></h2>
<p>Businesses should have a plan which includes communication with clients, regulators, and vendors, and which works towards the timely reinstatement of systems and services impacted by a cybersecurity event. A plan should also ensure lessons are learned and applied so that overall cyber resilience can be improved.</p>
<p>The financial consequences of a cyber-attack can be devastating, including immediate and longer-term revenue loss (due to brand damage), the cost of fixing and/or replacing hardware and software, remediating customers, and even paying fines. Some of these costs can be offset by appropriate cyber risk insurance (although experts are predicting both the price, and underwriting hurdles, to increase in the wake of the Optus breach<sup>[21]</sup>).</p>
<h2>Conclusion</h2>
<p>The Consumer Data Right framework promises to be a gamechanger for financial services, giving consumers more transparency, more access, and more actionability of their own data, and acting as a catalyst for both efficiency and innovation.</p>
<p>There are benefits to financial advisers too, but to date the number of advisers leveraging these benefits has been small and recent high profile data breach cases, such as RI Advice and Optus, may make advisers even more risk averse on client data related matters.</p>
<p>But the nature of financial services and our increasingly digitalised world leave financial advisers little choice but to strengthen their cybersecurity game and embrace the opportunities for improved client engagement that the CDR regime provides.</p>
<h6>References:<br />
[1] <a href="https://www.adviservoice.com.au/2018/12/data-bill-will-usher-in-human-rights-for-the-digital-age/">https://www.adviservoice.com.au/2018/12/data-bill-will-usher-in-human-rights-for-the-digital-age/</a><br />
[2] <a href="https://www.cdr.gov.au/about">https://www.cdr.gov.au/about</a><br />
[3] <a href="https://www.cdr.gov.au/rollout">https://www.cdr.gov.au/rollout</a><br />
[4] <a href="https://www.professionalplanner.com.au/2022/01/open-finance-launch-to-give-consumers-holistic-view-treasury/">https://www.professionalplanner.com.au/2022/01/open-finance-launch-to-give-consumers-holistic-view-treasury/</a><br />
[5] <a href="https://www.afr.com/companies/financial-services/expanded-consumer-data-right-to-help-customers-switch-20211214-p59haq">https://www.afr.com/companies/financial-services/expanded-consumer-data-right-to-help-customers-switch-20211214-p59haq</a><br />
[6] <a href="https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers/">https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers/</a><br />
[7] <a href="http://www.cdr.gov.au">http://www.cdr.gov.au</a><br />
[8] <a href="https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers">https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers</a><br />
[9] <a href="https://www.professionalplanner.com.au/2020/07/race-on-for-advisers-to-reap-open-banking-benefits/">https://www.professionalplanner.com.au/2020/07/race-on-for-advisers-to-reap-open-banking-benefits/</a><br />
[10] <a href="https://www.financialstandard.com.au/news/lumiant-partners-with-envestnet-yodlee-179796907?q=cdr">https://www.financialstandard.com.au/news/lumiant-partners-with-envestnet-yodlee-179796907?q=cdr</a><br />
[11] <a href="https://fpa.com.au/news/fpa-makes-submission-to-quality-of-advice-review/">https://fpa.com.au/news/fpa-makes-submission-to-quality-of-advice-review/</a><br />
[12] <a href="https://www.professionalplanner.com.au/2022/05/advisers-not-taking-advantage-of-cdr-ey/">https://www.professionalplanner.com.au/2022/05/advisers-not-taking-advantage-of-cdr-ey/</a><br />
[13] <a href="https://www.dacbeachcroft.com/en/gb/articles/2022/september/recent-australian-cyber-and-privacy-developments-july-september-2022/">https://www.dacbeachcroft.com/en/gb/articles/2022/september/recent-australian-cyber-and-privacy-developments-july-september-2022/</a><br />
[14] <a href="https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite">https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite</a><br />
[15] <a href="https://www.insurancebusinessmag.com/au/news/cyber/which-australian-industries-are-most-targeted-by-cyberattacks-418390.aspx#:~:text=During%20the%20period%2C%20the%20agency,associated%20with%20Australia's%20critical%20infrastructure">https://www.insurancebusinessmag.com/au/news/cyber/which-australian-industries-are-most-targeted-by-cyberattacks-418390.aspx#:~:text=During%20the%20period%2C%20the%20agency,associated%20with%20Australia&#8217;s%20critical%20infrastructure</a><br />
[16] <a href="https://www.abc.net.au/news/2022-10-04/elaborate-scam-allegedly-used-leading-finance-app-trick-victims/101496000">https://www.abc.net.au/news/2022-10-04/elaborate-scam-allegedly-used-leading-finance-app-trick-victims/101496000</a><br />
[17] <a href="https://www.legislation.gov.au/Details/F2016C00928">https://www.legislation.gov.au/Details/F2016C00928</a><br />
[18] <em>Cyber Security and Australian Small Businesses, Results from the Australian Cyber Security Centre Small Business Survey</em>, July 2020, Australian Government.<br />
[19] <a href="https://www.cyber.gov.au/mfa">https://www.cyber.gov.au/mfa</a><br />
[20] <a href="https://www.professionalplanner.com.au/2022/08/advisers-a-hot-target-for-cyber-risk/">https://www.professionalplanner.com.au/2022/08/advisers-a-hot-target-for-cyber-risk/</a><br />
[21] <a href="https://www.accountantsdaily.com.au/business/17639-cyber-hack-insurance-harder-to-get-in-wake-of-optus-scam">https://www.accountantsdaily.com.au/business/17639-cyber-hack-insurance-harder-to-get-in-wake-of-optus-scam</a></h6>
]]></description>
                                            <content:encoded><![CDATA[<div id="attachment_85269" style="width: 660px" class="wp-caption alignleft"><img decoding="async" aria-describedby="caption-attachment-85269" class="size-full wp-image-85269" src="https://www.adviservoice.com.au/wp-content/uploads/2022/10/data-650.png" alt="" width="650" height="350" srcset="https://www.adviservoice.com.au/wp-content/uploads/2022/10/data-650.png 650w, https://www.adviservoice.com.au/wp-content/uploads/2022/10/data-650-300x162.png 300w" sizes="(max-width: 650px) 100vw, 650px" /><p id="caption-attachment-85269" class="wp-caption-text">The Consumer Data Right framework promises to be a gamechanger for financial services.</p></div>
<h3>Once described as “the first new human right for the digital age”<sup>[1]</sup>, the Consumer Data Right (CDR) is an economy-wide reform, officially launched in July 2020 and intended to give consumers more control over their data, enabling them to access and share their data with accredited third parties in order to:</h3>
<ul>
<li>compare products and services</li>
<li>access better value and improved services</li>
<li>assist financial and cashflow management.</li>
</ul>
<p>As well as giving consumers more power in the use of their data, the CDR has been hailed as a potential game changer, capable of driving significant efficiencies and innovation.</p>
<p>Financial services was the first sector to roll out the CDR (with energy companies and telcos to follow), and there was certainly a great sense of anticipation amongst many participants – including financial advice providers – about the opportunities that the CDR presented.</p>
<p>However, according to some sources, adoption by financial advisers has, to date, been lower than expected, perhaps driven by low awareness amongst both consumers and financial advisers.</p>
<p>And now, following the Optus data breach, that inertia may be compounded by reluctance, as both consumers and businesses re-assess their behaviours and practices with regards to the provision and protection of their valuable data.</p>
<p>In this article, we will look at the CDR through the lens of recent cyber incidents, with the intent to provide advisers an overview of CDR opportunities and practicalities, as well as a timely reminder of obligations with regards to data collection, retention, and protection.</p>
<h2>Background to the Consumer Data Right</h2>
<p>The Consumer Data Right (CDR) was introduced in response to several government reviews.</p>
<p>The Murray, Harper, Coleman and Finkel inquiries all recommended that Australia develop a right and standards for consumers to access and transfer their information in a usable format. This was given a formal focus following a 2017 report by the Productivity Commission, which recommended the creation of an economy-wide ‘comprehensive data right’<sup>[2]</sup>.</p>
<p>After several delays, legislation brought the CDR into effect as part of the Open Banking regime in February 2020, kicking off a phased implementation that started with major banks and will eventually extend to other sectors including energy (gas and electricity) in November 2022, followed by telecommunications<sup>[3]</sup>.</p>
<p>In early 2022 the then Federal Government announced the broader finance sector (including insurance, superannuation and non-bank lenders) would be the ‘fourth cab off the rank’ for CDR<sup>[4]</sup>. Other sectors are yet to be announced.</p>
<h2>How does CDR work?</h2>
<p>The CDR is an opt-in system, under which consumers can authorise their service provider in a particular sector to share their data with other authorised parties.</p>
<p>Initially constructed as a data sharing framework, the CDR was expanded in early 2022 through the addition of an ‘action initiation’ power<sup>[5]</sup>, allowing accredited data recipients to both read and act on data, with their customer’s consent.</p>
<p>This effectively empowers consumers and small businesses to take their data‑sharing rights one step further by initiating actions like opening and closing accounts, making payments, and applying for services. The convenience and efficiency benefits are obvious, especially in the context of products like mortgages, with lengthy and complex application processes.</p>
<h2>Protecting consumers – through accredited recipients and ‘trusted advisers’</h2>
<p>In order to protect consumers, these other parties must satisfy certain criteria, being either an ‘accredited data recipient’ or a ‘trusted adviser’.</p>
<p>An &#8216;Accredited Data Recipient&#8217; (ADR) must meet rigorous privacy and data security requirements specified under the CDR rules. A common example of an ADR is an online accounting software provider.</p>
<p>Financial Advisers can apply to become ADRs via the process set out at the CDR website<sup>[6]</sup>.</p>
<p>Initially, ADRs were the only bodies to whom consumers could authorise data transfer. However, in an effort to facilitate greater participation in the CDR regime, the scheme was extended<sup>[7]</sup> to allow accredited data recipients to on-share consumer data with certain ‘<em>trusted advisers</em>’ from 1 February 2022.</p>
<h2>Trusted advisers</h2>
<p>Trusted advisers under CDR rules must belong to a specified profession. These currently include:</p>
<ul>
<li>financial advisers</li>
<li>mortgage brokers</li>
<li>qualified accountants</li>
<li>lawyers</li>
<li>registered tax agents and tax (financial) advisers</li>
<li>financial counsellors.</li>
</ul>
<h2>Obligations on ADRs and trusted advisers</h2>
<p>An accredited data recipient must take reasonable steps to confirm that a nominated trusted adviser is a member of one of the professions listed above. Such steps could include searching publicly available registers (such as the Financial Adviser Register) or asking an adviser to provide proof they are a registered member of the profession.</p>
<p>Whilst ADRs are subject to strict guidelines and reporting requirements in relation to the receipt, holding and transfer of consumer data, trusted advisers do not need to be accredited by the ACCC and are not subject to the CDR laws<sup>[8]</sup>.  However, as noted above, your existing regulatory obligations and relevant professional standards as a financial adviser will continue to apply when you access CDR data.</p>
<p>These include:</p>
<ul>
<li><strong>Privacy and data breach reporting requirements:</strong> as CDR data will generally be ‘personal information’, advisers must comply with requirements under the Australian Privacy Principles relating to the collection, use, disclosure, and security of that personal information</li>
<li><strong>Requirements related to providing advice and record keeping:</strong> including the duty to act in your client’s best interests, record keeping (FASEA Standard 8) and professional association guidelines (e.g., the FPA requirements around document administration and confidentiality)</li>
<li><strong>General conduct obligations:</strong> financial services licensees will still need to comply with their general conduct obligations including those related to training and competence of representatives, conflicts of interest, risk management, and dispute resolution</li>
<li><strong>General consumer law obligations:</strong> including those governing misleading and deceptive conduct and unfair contract terms.</li>
</ul>
<h2>Benefits to advisers</h2>
<p>Although banking is the only sector that is currently ‘open’, it is one of the most important from a financial advice perspective, with information about cashflow, spending and saving fundamental inputs into the advice process. Information gathering processes which are currently manual, either when onboarding, or ongoing, can now be automated.</p>
<p>A small number of advisers were quick to seek ADR status, citing benefits in both the client engagement process, “being able to have deeper and more valuable conversations about cash flow and goals”<sup>[9]</sup>, and in the richness of the data and the insights it could provide.</p>
<p>A more recent example can be seen in the partnership between Lumiant and Envestnet|Yodlee, in which Lumiant will become the first company to leverage Envestnet|Yodlee&#8217;s Consumer Data Right (CDR) accreditation to power their Your Wealth module.</p>
<p>The new integration will power Lumiant&#8217;s financial data collection and aggregation, allowing clients and financial professionals to see the overall net worth of a household in one place.</p>
<p>Rather than clients having to provide their financial details and balances using manual data entry forms, advisers can now collect this information directly from their client&#8217;s financial institutions, reducing the time spent meeting Know Your Customer requirements.</p>
<p>According to the media release announcing the partnership, &#8220;clients simply connect their financial institutions to their financial plan and seamlessly share their information with their adviser”<sup>[10]</sup>.</p>
<p>Recognising that the cost and value proposition of advice are common pain points for non-advised consumers, the FPA included a section on CDR in its submission<sup>[11]</sup> to the Quality of Advice Review (QAR). But, notwithstanding these benefits, overall take up by advisers has been slow.</p>
<h2>Slow take-up by financial advisers</h2>
<p>More than 2 years after the CDR was first launched, some industry observers, including EY Oceania Partner Andrew Parton, believe advisers as a whole are not leveraging the benefits of the data sharing framework.</p>
<p>Telling Professional Planner magazine there was absolutely no reason financial planners shouldn’t be thinking about becoming an ADR, Parton said: “are advisers taking advantage of it? Not that I’ve seen in the market at the moment. Should they be? I think so.”<sup>[12]</sup></p>
<p>“Having a look at the breadth of [financial advisers] could access from their customers and the potential that would give them, there’s a whole bunch of benefits – there’s quite a lot of discovery and data required in financial planning.”</p>
<h2>Will the Optus incident see inertia be compounded by reluctance?</h2>
<p>The Optus data breach of September 2022, which saw the personal data of nearly half the Australian population compromised by a hacker, is clearly a watershed moment for Australian individuals, businesses, and governments alike.</p>
<p>Amongst the potential responses immediately flagged by the Federal Government were a significant increase in fines for this type of data breach, changes to privacy measures, and a requirement for banks and other institutions to be informed earlier of the occurrence of data breaches in order to prevent compromised personal data being used to access bank accounts<sup>[13]</sup>.</p>
<p>But whilst the sheer magnitude of the breach guarantees a sense of notoriety, occurrences of cyber incidents involving personal data are nothing new and should not come as a surprise. There have been plenty of other wake up calls, many in the last year alone, and some particularly close to home for financial advisers.</p>
<p>The RI Advice case, known to most advisers, was commenced by ASIC in 2020, and concluded in May 2022. Following numerous cyber incidents &#8211; including one where a cybercriminal gained unauthorised access to the servers of an RI practice and was able to stay logged onto those servers for close to a week &#8211; a settlement was reached, under which RI Advice was ordered to conduct a cybersecurity audit and contribute $750,000 towards ASIC’s costs<sup>[14]</sup> (a fraction of the penalty that could have been imposed).</p>
<h2>For advisers, personal and sensitive data is essential to doing business</h2>
<p>The whole topic of cybercrime is complex and challenging, and for some, even overwhelming. Cyber incidents continue to rise in number (67,500 incidents were reported in Australia in FY 21, a 13% annual increase<sup>[15]</sup>) and sophistication (as a recent ABC News report into overseas based SMSF scammers reinforces<sup>[16]</sup>). But for financial advisers, the collection, storage, and transfer of personal and sensitive client data is an essential part of doing business and can’t be avoided.</p>
<p>In terms of data retention, one of the most widely debated issues in the whole Optus case, financial advisers are subject to strict and lengthy data retention requirements (many of which are to satisfy Anti-Money Laundering legislation).</p>
<p>ASIC Class Order (CO 14/923)<sup>[17]</sup> requires that specified records are</p>
<ul>
<li>kept for 7 years after the day the personal advice was provided to the client, and</li>
<li>accessible by the licensee at all times during that period in a way that enables the licensee to produce the records.</li>
</ul>
<p>This obligation continues to apply even if the financial services licensee ceases to be a financial services licensee during the period that the records are required to be kept and accessible. From an adviser perspective, this applies even if advisers change licensees, or leave the industry altogether.</p>
<p>Furthermore, the digitalisation of most aspects of our lives is irreversible. Relying on paper files and a locked filing cabinet as a defence against cybercrime is not a realistic or viable strategy.</p>
<h2>Advisers have no options but to strengthen their cybersecurity game</h2>
<p>Australian financial services businesses are key targets for data breaches, as the client, staff and commercial records held (including account details, tax and payroll data, passwords, and other sensitive personal information) can be used to commit a variety of crimes, including tax fraud, identity theft and superannuation related frauds.</p>
<p>Small to medium businesses, many of whom lack sophisticated cyber protection resources, are especially frequent targets. One survey<sup>[18]</sup> of businesses by the Australian Cyber Security Centre found that half of sole trader/microbusinesses &#8211; and a staggering three quarters of small to medium sized businesses &#8211; had suffered a cyber incident at some point.</p>
<p>The good news is that there are practical steps even small advice firms can take to protect client data and build the cyber resilience of their business. These include:</p>
<h3>1. Back up your data</h3>
<p>It’s essential that you back up your most important data and information regularly. Fortunately, backing up doesn’t generally cost much and is easy to do.</p>
<p>It’s a good idea to use multiple back-up methods to help ensure the safety of your important files.</p>
<h3>2. Secure your devices and network</h3>
<p>Set up firewalls, use anti-virus software and spam filters. Consider vulnerability points with any external systems and vendors you are connected to, including platforms. Keep these protections up to date.</p>
<h3>3. Encrypt important information</h3>
<p>You can turn on network encryption through your router settings. Avoid using public networks. If you or your staff work from home, ensure home routers are password protected, and not with the default ‘admin’ password most come with out of the box.</p>
<h3>4. Ensure you use multi-factor authentication (MFA)</h3>
<p>Multi-factor authentication (MFA) is a verification security process that requires you to provide two or more proofs of your identity before you can access your account. For example, a system will require a password and a code sent to your mobile device before access is granted. Multi-factor authentication adds an additional layer of security to make it harder for attackers to gain access to your device or online accounts.</p>
<p>Multi-factor authentication can be added to most of the devices and services commonly used by advisers, including phones, laptops, Microsoft services and social media.</p>
<p>The Australian Cyber Security Centre<sup>[19]</sup> has step-by-step instructions on how to use MFA across the following:</p>
<ul>
<li>Apple ID</li>
<li>Gmail and Google</li>
<li>Microsoft accounts</li>
<li>Facebook and Facebook Messenger</li>
<li>LinkedIn</li>
<li>WhatsApp</li>
<li>Instagram.</li>
</ul>
<h3>5. Manage passphrases</h3>
<p>At a recent industry event, cybersecurity specialist Michael Connory showed how most advice practices could be hacked in half an hour. One of his key points was that many employees still have weak passwords.</p>
<p>“They’ve got five different versions of the same password. Somebody you love, your partner, your football team, your favourite food, a date,” he said. “If it has to have a capital letter it’s first and if it has to have a special character it will be an exclamation point at the end. Pretty easy to be able to guess.”<sup>[20]</sup></p>
<p>Passphrases – rather than passwords &#8211; can be easier to remember but harder for criminals to crack.</p>
<h3>6. Monitor use of computer equipment and systems</h3>
<p>Keep a record of all the computer equipment and software that your business uses. Make sure they are secured to prevent unauthorised access.</p>
<h3>7. Put policies in place to guide your staff and train them how to be safe online</h3>
<p>A cyber security policy helps your staff to understand their responsibilities and what is acceptable when they use or share:</p>
<ul>
<li>data</li>
<li>computers and devices</li>
<li>emails</li>
<li>internet sites.</li>
</ul>
<h3>8. Get updates on the latest risks</h3>
<p>Keep up with the latest scams and security risks to your business. The Australian Cyber Security Centre (ACSC) provides up-to-date information on cyber security issues and how to deal with them.</p>
<h2><strong>Insurance and recovery plans</strong></h2>
<p>Businesses should have a plan which includes communication with clients, regulators, and vendors, and which works towards the timely reinstatement of systems and services impacted by a cybersecurity event. A plan should also ensure lessons are learned and applied so that overall cyber resilience can be improved.</p>
<p>The financial consequences of a cyber-attack can be devastating, including immediate and longer-term revenue loss (due to brand damage), the cost of fixing and/or replacing hardware and software, remediating customers, and even paying fines. Some of these costs can be offset by appropriate cyber risk insurance (although experts are predicting both the price, and underwriting hurdles, to increase in the wake of the Optus breach<sup>[21]</sup>).</p>
<h2>Conclusion</h2>
<p>The Consumer Data Right framework promises to be a gamechanger for financial services, giving consumers more transparency, more access, and more actionability of their own data, and acting as a catalyst for both efficiency and innovation.</p>
<p>There are benefits to financial advisers too, but to date the number of advisers leveraging these benefits has been small and recent high profile data breach cases, such as RI Advice and Optus, may make advisers even more risk averse on client data related matters.</p>
<p>But the nature of financial services and our increasingly digitalised world leave financial advisers little choice but to strengthen their cybersecurity game and embrace the opportunities for improved client engagement that the CDR regime provides.</p>
<h6>References:<br />
[1] <a href="https://www.adviservoice.com.au/2018/12/data-bill-will-usher-in-human-rights-for-the-digital-age/">https://www.adviservoice.com.au/2018/12/data-bill-will-usher-in-human-rights-for-the-digital-age/</a><br />
[2] <a href="https://www.cdr.gov.au/about">https://www.cdr.gov.au/about</a><br />
[3] <a href="https://www.cdr.gov.au/rollout">https://www.cdr.gov.au/rollout</a><br />
[4] <a href="https://www.professionalplanner.com.au/2022/01/open-finance-launch-to-give-consumers-holistic-view-treasury/">https://www.professionalplanner.com.au/2022/01/open-finance-launch-to-give-consumers-holistic-view-treasury/</a><br />
[5] <a href="https://www.afr.com/companies/financial-services/expanded-consumer-data-right-to-help-customers-switch-20211214-p59haq">https://www.afr.com/companies/financial-services/expanded-consumer-data-right-to-help-customers-switch-20211214-p59haq</a><br />
[6] <a href="https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers/">https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers/</a><br />
[7] <a href="http://www.cdr.gov.au">http://www.cdr.gov.au</a><br />
[8] <a href="https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers">https://www.hnlaw.com.au/consumer-data-right-access-expanded-to-trusted-advisers</a><br />
[9] <a href="https://www.professionalplanner.com.au/2020/07/race-on-for-advisers-to-reap-open-banking-benefits/">https://www.professionalplanner.com.au/2020/07/race-on-for-advisers-to-reap-open-banking-benefits/</a><br />
[10] <a href="https://www.financialstandard.com.au/news/lumiant-partners-with-envestnet-yodlee-179796907?q=cdr">https://www.financialstandard.com.au/news/lumiant-partners-with-envestnet-yodlee-179796907?q=cdr</a><br />
[11] <a href="https://fpa.com.au/news/fpa-makes-submission-to-quality-of-advice-review/">https://fpa.com.au/news/fpa-makes-submission-to-quality-of-advice-review/</a><br />
[12] <a href="https://www.professionalplanner.com.au/2022/05/advisers-not-taking-advantage-of-cdr-ey/">https://www.professionalplanner.com.au/2022/05/advisers-not-taking-advantage-of-cdr-ey/</a><br />
[13] <a href="https://www.dacbeachcroft.com/en/gb/articles/2022/september/recent-australian-cyber-and-privacy-developments-july-september-2022/">https://www.dacbeachcroft.com/en/gb/articles/2022/september/recent-australian-cyber-and-privacy-developments-july-september-2022/</a><br />
[14] <a href="https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite">https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite</a><br />
[15] <a href="https://www.insurancebusinessmag.com/au/news/cyber/which-australian-industries-are-most-targeted-by-cyberattacks-418390.aspx#:~:text=During%20the%20period%2C%20the%20agency,associated%20with%20Australia's%20critical%20infrastructure">https://www.insurancebusinessmag.com/au/news/cyber/which-australian-industries-are-most-targeted-by-cyberattacks-418390.aspx#:~:text=During%20the%20period%2C%20the%20agency,associated%20with%20Australia&#8217;s%20critical%20infrastructure</a><br />
[16] <a href="https://www.abc.net.au/news/2022-10-04/elaborate-scam-allegedly-used-leading-finance-app-trick-victims/101496000">https://www.abc.net.au/news/2022-10-04/elaborate-scam-allegedly-used-leading-finance-app-trick-victims/101496000</a><br />
[17] <a href="https://www.legislation.gov.au/Details/F2016C00928">https://www.legislation.gov.au/Details/F2016C00928</a><br />
[18] <em>Cyber Security and Australian Small Businesses, Results from the Australian Cyber Security Centre Small Business Survey</em>, July 2020, Australian Government.<br />
[19] <a href="https://www.cyber.gov.au/mfa">https://www.cyber.gov.au/mfa</a><br />
[20] <a href="https://www.professionalplanner.com.au/2022/08/advisers-a-hot-target-for-cyber-risk/">https://www.professionalplanner.com.au/2022/08/advisers-a-hot-target-for-cyber-risk/</a><br />
[21] <a href="https://www.accountantsdaily.com.au/business/17639-cyber-hack-insurance-harder-to-get-in-wake-of-optus-scam">https://www.accountantsdaily.com.au/business/17639-cyber-hack-insurance-harder-to-get-in-wake-of-optus-scam</a></h6>
]]></content:encoded>
                                    <wfw:commentRss>https://www.adviservoice.com.au/2022/10/cpd-consumer-data-right-adviser-consumer-protection-opportunities-and-obligations-in-a-post-optus-world/feed/</wfw:commentRss>
                <slash:comments>0</slash:comments>                            </item>
            </channel>
</rss>