There are now five ways to use Consumer Data Right data; unrestricted, sponsored, operating as a representative or trusted advisor, or using CDR Insights only.

As a tech business looking to create or enhance a business model through the CDR, it's the full accreditation (unrestricted accreditation), Sponsor-Affiliate (sponsored accreditation), or CDR Representative (unaccredited operating as a representative of an accredited data recipient) that are the three access models to consider.

 

Initially the unrestricted route was the only way. When the Sponsor-Affiliate, and CDR Representative models were being drafted, there was a major problem with the cost and timeline for accreditation. The lowest cost audits were $60k+, and often much higher than that. It meant accreditation was not feasible for many businesses and limited the adoption of the consumer data right. 

 

But in the time it took to implement these new access models, the audits have become much more streamlined and competitive, leading to audits starting from $20,000. No matter which access model is chosen, the same compliance rules apply from Schedule 2. There's five governance steps and 26 security requirements. Aspiring data recipients generally need experts to help them navigate the compliance rules and security requirements. Rather than a simple checklist, these practices require interpretation and practical experience to fit the environment, scope of systems and business processes. It’s unlikely to get much lower than the $20,000 in costs to achieve and demonstrate this compliance, whichever access model is used.

 

Aside from cost, there are five benefits of going for full accreditation. 

 

 

Under the new access models, you’re tied to a sponsor or principal - eg. a data aggregator. That locks you in to fees higher than the audit costs, and makes it difficult to switch if you’re not happy with your choice of provider. It also limits what you can do with the data with use limitations and reporting obligations that apply under these models compared to the unrestricted data access model. 

 

 

The assurance reports required for the full accreditation path, are a valuable asset to prove your security practices meet good practice standards. ASAE 3150 is a well established standard, recognised globally. SOC 1/2 reports can also be issued in lieu of an ASAE 3150 that are leading global standards for proving your information security practices. These third party assurance reports, help you win large business customers, partnerships, build trust with investors and other stakeholders, satisfy global regulators, and give your own business confidence that you’re secure and doing things the “right” way.

 

 

As an unrestricted accredited data recipient, you’re listed on the official CDR Register. That creates broad awareness of your offering in the market. Treasury has also committed to spending millions in advertising for the CDR regime to educate consumers what it means for them. Instead of focusing on the regulation, that advertising will be highlighting the accredited offerings so that consumers can understand in “real terms” what the CDR offers them. This may be great publicity and free marketing for those accredited. 

 

 

The early feedback has been that full accreditation increases a companies valuation and may be preferable for startups looking to raise capital. The unrestricted accreditation reduces future risks and provides greater certainty to investors from a compliance standpoint and for future changes to the use case, data intermediary, and CDR rules.

 

 

The providers of ASAE 3150 reports, eg. AssuranceLab, are the most experienced in the CDR security compliance requirements. While compliance itself is a binary outcome - you’re either compliant or you’re not - there’s related parts you get more value out of doing it ”right”. Defining and implementing your CDR Data Environment the right way simplifies and reduces your compliance burden. There’s real benefits to be had by focusing on real security, with compliance that follows, compared to box-ticking compliance. That real security provides long term value and is best to get right from the start.