What is Consumer Data Right?
The Consumer Data Right (CDR) has been designed to give consumers a secure way to control which businesses have access to their data, including financial information. It allows people to consent to give access to their information to accredited entities including Accredited Data Recipients (ADRs) – like NextGen – so we can offer products and services tailored to people’s needs.
CDR is an opt-in system. For example, your clients can choose to give us access to their data and they can withdraw their consent at any time. They control what data is transferred to us and how we can use it. They can also ask us to delete their data at any time.
CDR is co-regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). The ACCC and the OAIC make sure consumer rights and protections, including requirements around consent and privacy, are enforced. More information on the role of each regulator can be found on the government's website: https://www.cdr.gov.au/about
What is a Trusted Adviser?
Consumers can nominate certain people as their 'Trusted Adviser' and provide consent for an unrestricted Accredited Data Recipient (ADR) such as NextGen to share their data with that adviser.
Trusted Advisers are persons that belong to a number of defined classes listed in CDR Rule 1.10C(2) such as mortgage brokers (as defined in the National Consumer Credit Protection Act 2009), practising solicitors, qualified accountants, financial advisers, and registered tax agents: https://www.legislation.gov.au/Details/F2022C00187
A person that belongs to any of these professions could (with consent) receive CDR data from an ADR through the CDR without the need to be an ADR themselves. This could be used to streamline consumer onboarding and fact-finding, or to provide ongoing services and deliver more value to consumers.
Trusted Advisers do not have the same regulatory obligations that apply to an ADR under the CDR, however as members of a specified professional class, Trusted Advisers are subject to existing professional and/or regulatory oversight. Further info can be found here:
Trusted advisers in the Consumer Data Right system: https://www.oaic.gov.au/consumer-data-right/guidanceand-advice/trusted-advisers-in-the-Consumer-Data-Right-system
National Consumer Credit Protection Act 2009: https://www.legislation.gov.au/Series/C2009A00134
How much time does it take to set up and retrieve my client's Financial Passport?
Your clients will receive an email invitation to set up a Frollo account and provide their consent for NextGen (an ADR and provider of this service) to retrieve their data and their consent to disclose that information to you as their Trusted Adviser.
The Frollo account set-up process takes 10 minutes; once completed the data is retrieved from each connected bank account and your client’s Financial Passport will be generated.
Your client’s Financial Passport will be made available to you as their mortgage broker to retrieve via Mercury Nexus – all within a matter of minutes.
How does my client give consent to share their data?
Informed and voluntary consent is an important part of safeguarding privacy.
NextGen can only access your client’s data if they consent to share it with us. Within their Frollo account, we will present the information they need to make a decision in a clear and concise format.
Before your client gives us consent, you should make sure they understand how their data will be used and how they can share it with you as their Trusted Adviser. Your clients will always have control over whether they give consent to share financial data, and consent will always be for a specific use and time period (no longer than 12 months).
Consent can be withdrawn at any time and we will stop sharing data.
More information on how consent works can be found on the Australian Government's CDR website: https://www.cdr.gov.au/how-it-works
How does Open Banking compare to screen scraping?
Open Banking is a fast and secure method for sharing financial information, and is generally considered more secure than bank scraping technology for several reasons:
Consent Control: With Open Banking, clients must provide explicit consent before any data sharing occurs. This consent is like giving a special key to someone they trust, allowing access to data from specific bank accounts for a designated time period.
No Need for Login Credentials: In traditional bank scraping, customers often need to share their online banking login credentials (username and password) with third-party apps or services, increasing the risk of account compromise. In Open Banking, online banking passwords are not required. Instead, the bank provides an Open Banking-specific login page and a one-time password (OTP) via their communication method (e.g. SMS or the client's Banking App). This significantly reduces the risk of unauthorised access or data breaches, ensuring their sensitive information remains protected.
Regulatory Oversight and Standards: Open Banking operates under strict Federal Government regulatory guidelines and industry standards, ensuring the highest level of data security and privacy for clients' financial information. This adherence to standards is a crucial aspect that sets Open Banking apart from bank scraping.
Secure APIs and Encryption: Open Banking relies on secure APIs and encryption to transmit and handle financial data. It's like sending data through a protected tunnel that makes it difficult for unauthorised parties to intercept or access the information. This ensures that clients' financial data is safeguarded during transmission and storage.
Data Minimisation: Open Banking follows the principle of data minimisation. It means that only the necessary data required for the assessment is accessed, reducing the exposure of sensitive information. This approach further enhances the overall security of their financial data.
Easy Consent Revocation: Open Banking allows clients to revoke consent at any time. If they decide to stop sharing their data with you, they can easily do so from the Frollo platform. This level of control offers clients peace of mind and fosters trust in your services.
Note: once a client's financial data is downloaded from the Open Banking tab, it does not get deleted if a client revokes access. The retention and usage of their data will be governed by the privacy disclosure agreement they have signed. This agreement outlines how their data will be treated, stored, and used in strict accordance with data protection laws and regulations.
Can data from joint accounts be included?
Yes, Frollo account holders can select joint accounts to share data for.
However, before getting started they may need to enable data sharing through their bank's online banking portal. They should contact their bank directly for more information.
It is important to highlight that the client's Financial Passport is created at an individual consumer Frollo account holder level. Where the user has indicated that the account linked is joint, Frollo will present the account type and use 100% of that account’s transaction data in the income and expense categories summary for that client (i.e. Frollo does not divide the transaction data by two to use 50%).
What information does CDR provide?
‘CDR data’ is made up of the following classes of bank data, which can be obtained and held by NextGen with your clients’ consent, and used to inform and enhance lending application services:
Account information
• Name of account
• Type of account
• Account balance
• Account numbers
• Interest rates
• Fees
• Discounts
• Account terms
• Account postal address.
Transaction details
• Incoming and outgoing transactions
• Amounts
• Dates
• Descriptions of transactions
• Who you have sent money to and received money from (Name, BSB, Account number).
Contact details
• Name
• Occupation
• Phone
• Email address
• Postal address
• Residential address
Will I know if my client has not linked all their bank accounts?
Yes, if transactions from an account which is not linked are identified, a message will appear at the top of the ‘Accounts Linked’ section in the Financial Passport.
Will my client be required to share their online banking password?
No, your clients will never be asked to provide their online banking password to us.
How do I resend the Open Banking invite?
Click the three-dot menu at the top right of the Open Banking contact card and click Re-send invite.
Will I receive a notification once the financial passport has been received in an opportunity?
Not at this stage. This will come during the second phase.
How long does Frollo hold my client’s data and what else can it be used for?
The data is deleted after 14 days. It is a one-time consent. It can be used for assisting the finance conversation to inform a loan application. It is not approved for any other use case.
What lenders and financial institutions are linked to Frollo?
You can find the list of Frollo financial institutions here.
Who is Frollo?
Frollo is a FinTech business that is an accredited data recipient. NextGen purchased Frollo in July 2020. For this solution, Frollo is the service provider and allows NextGen to provide the Open Banking service.
What happens if it’s been a while and I need an updated Financial Passport?
Generate another Open Banking request. Your client will now have an account, so they will just need to consent to information access again. Access is only granted once per request to ensure the client has the ability to consent to share further data.
How is the data in the Excel spreadsheet categorised?
Based on ApplyOnline categories. The statements can be used as relevant support documents when submitting an application to the lender.
How many months' worth of data is collated?
It’s defaulted by the product type and employment type, as the data consent is consumer driven. NextGen are working on whether a broker can nominate how many months' worth of data is shared.
Can I access company account information?
Not at this stage. This solution is suitable for PAYG clients.
Can Open Banking access decentralised banking providers such as cryptocurrency and AMEX?
These providers aren’t currently mandated to participate in CDR. There are 114 data holders that are participating in CDR. The CDR.gov.au website provides a list of those.
Can I request a six-month statement via Open Banking?
Yes, you can request transaction history for a 3, 6 or 12 month period.
Will an Open Banking request notify lenders and potentially trigger a ‘retention’ strategy?
No, lenders are not alerted when a client uses their Consumer Data Right (CDR) to share bank data. The data can be retrieved for various purposes, such as personal finance management tools, and is not exclusively tied to pre-loan assessments. This makes Open Banking valuable for other scenarios, like FASTRefi, without triggering lender retention actions.
Will brokers be notified if a client refuses the request?
Yes, brokers can receive notifications based on their settings, including when:
• The invite is sent (pending).
• The request expires after 15 days.
• The process is in progress.
• The request is completed or encounters an error.
Additionally, notifications are sent for consent status changes, such as 7 days before expiration, when it expires, or if it’s withdrawn by the client.
Will refreshing Open Banking data send a new notification to clients?
No, clients will not receive any notifications when their broker refreshes Open Banking data within the consent period. They do not need to take any further action during this time.
What happens to statements if I don’t download them before consent expires?
Even if consent expires, the Open Banking insights PDF, transaction spreadsheets, and account statements will remain accessible via the ‘View’ option in Mercury. However, you will need to re-establish client consent to refresh the data.
Why do I get an error trying to access Open Banking in an Opportunity?
If you are a user operating from a Virtual Branch at your Partner Group and the listed Broker in the Opportunity is from the Main Branch, you will not have permission to access the Open Banking requests linked to the Contacts.