Consumer Data Right
Australia’s Consumer Data Right (CDR) gives Australian consumers greater access to and control over their data. It improves consumers’ ability to compare and switch between products and services. It encourages competition between service providers, leading to better prices for customers and more innovative products and services. CDR is rolled out sector by sector, with the banking sector taking the lead, followed by the energy sector, telecommunications sector, and more.
To build an ecosystem out of data shared from these industries, we need a standardized ecosystem of data sharing agreements. Historically, there have been data sharing agreements with selected parties, hidden in fine print and buried deep in terms and agreements. With CDR, data sharing is brought forth explicitly and consumer consent is requested before such data access is provided. The momentum that the “Open Banking” initiative is gaining worldwide is now being replicated in other industries as well. Financial institutions and other sectors are looking to use open APIs to share customer data with accredited third parties securely. Most of these are officially legislated into APIs in Europe, the UK, Australia, etc. The legislation translates into a need for the sectors to open secure application programming interfaces (APIs) through which third parties can access customer data within their industry, such as bank account transactions, energy bills, energy payments, telecom bills, telecom payments, etc., with the customer’s consent.
Financial institutions within the industry sectors that own the consumer data are also referred to as Data Holders. The Consumer Data Right (CDR) aims to provide greater choice and control for Australians over how their data is used and disclosed. CDR requires all Australian Data Holders to:
- Open up the consumer data they hold to accredited third parties
- Attain consent of the consumer before sharing their data with accredited third parties
- Apply Strong Customer Authentication (SCA)
These industries, for example, need to open secure application programming interfaces (APIs) for accredited third parties to access customer data with the customer’s consent.
Secure & Trusted Data Sharing in OpenAPI Economy
By using standardized APIs and enabling access to them, with consumer consent, through established industry-standard secure protocols including OAuth 2.0 and OIDC, banks and authorized third parties can develop innovative products and solutions for consumers and businesses. It’s a new era for Security, Privacy, and Consent in all industries that hold customer-generated data sets.
Cloudentity as CDR enabler
Cloudentity provides the capabilities required by Data Holder organizations to meet the CDR Security profile requirements and securely authenticate end users, collect required consents, onboard accredited third parties to request data, manage the consumer consent, and verify the consumer authorization before data is shared with accredited Data Recipients. Cloudentity also enables Data Holders to let their consumers manage their data sharing consent agreements securely. In a nutshell, the Cloudentity platform facilitates and accelerates the Data Holder organization’s journey to expose their data APIs securely with consumer consent as required by Consumer Data Right.
The CDR Security profile builds upon the foundations of the Financial-grade API Read Write Profile (FAPI-RW-Draft), the Financial-grade API Advanced Profile (FAPI-1.0-Advanced) and other standards relating to OpenID Connect 1.0 (OIDC). Keeping up with the evolving advanced specifications in the OIDF space can be a challenge for any organization, and Cloudentity takes on this challenge. It allows organizations to focus completely on the business data APIs for banking and energy that need to be exposed as per CDR specifications.
Adopting Cloudentity drastically accelerates the entire effort to achieve CDR compliance and allows faster time to market. The Cloudentity solution offers a highly performant, multi-tenant, advanced FAPI-compliant and certified authorization server built on open standards and compatible with advanced OAuth 2.0 & OIDC specifications. Cloudentity also provides a rich set of APIs that facilitate consent collection & management, so the Data Holder can implement the CDR-recommended safe and secure customer journey experiences using various digital channels.
With Cloudentity, your organization:
- Can achieve CDR compliance faster
- Has faster time to market for data sharing capabilities
- Offloads the security profile requirements completely
- Lowers the overall CDR implementation cost
CDR security profile
CDR security profile conformance and Financial Grade API (FAPI) compliance can be enabled in the Cloudentity platform with a single click security profile for meeting the CDR regulations. You get a FAPI grade authorization server configured to meet all CDR requirements for Financial Grade API (FAPI) compliance.
Choosing an industry allows you to tailor the authorization scopes that get added automatically to the security profile within Cloudentity. For example, the energy sector data sharing permission definition (energy:electricity.usage:read) is different from that of the banking sector (
CDR security profile provides security requirements for participants in the CDR ecosystem to expose and access the APIs securely using open standards. Cloudentity automatically configures all the security profile requirements when a CDR workspace is created. Some of the highlights in the configuration include:
- Enable Data Recipients to register with the Data Holder using OAuth 2.0 Dynamic Client Registration and software statement assertions (SSA)
Cloudentity dynamic authorization platform seamlessly integrates with other components to allow consumers to have a safe and secure data sharing journey.
- Integrates with any of your existing identity providers seamlessly
- Integrates with API gateways to enforce data sharing conformance checks
Cloudentity provides a quickstart with sample applications for developers and integrators to experience how Cloudentity accelerates and enables the CDR implementation journey.
Check out the CDR quickstart article and take it for a spin!
You can, for example, check out how consent flow works and use the project as a reference to build your consent application, consents self-service portal, or consent administrator portal.
CDR Integration guides
Feel like diving deep into all the CDR specifics and integrations? We have detailed guides to help you navigate the CDR journey with ease.
- CDR participants overview
- Consumer Data Recipient application registration
- Consumer consent for data sharing with data recipient
- Consumer consent amendments
- Consumer consent withdrawals
- Consumer consent dashboards
- Consumer data API access & protection
Jump start the CDR journey
Pick your style - SaaS vs non SaaS
Cloudentity has a SaaS region dedicated to Australia. If you want to host the solution yourself, we offer your DevOps team the same binary and tools that we use to run our SaaS infrastructure. Your team can run our high-scale solution on the infrastructure of your choice. Read about all the offered deployment models here.
Register for free to get access to a Cloudentity tenant and experience the CDR journey with us!