The Albanese government has quietly applied the handbrake to the expansion of Coalition’s signature competition architecture project, the Consumer Data Right (CDR), with the expansion of the scheme into the superannuation, insurance and telecommunications sectors put on pause.
The latest CDR newsletter to stakeholders reveals that of the $88 million over two years allocated to the CDR under the May Budget, almost all will be dedicated to attempting to get existing sectors up and running, including the activation of so-called third-party “action initiation” that will allow proxies to open and shut accounts and potentially make payments.
“In line with recommendations from the independent Statutory Review that further time is needed to allow the CDR to mature, the Government has made the decision to pause expansion into superannuation, insurance and telecommunications,” Treasury said in its newsletter.
“This will allow time to focus on ensuring that the CDR in banking is working as effectively as possible, extending into the non-bank lending sector and continuing with the energy rollout as planned.”
The government and Treasury will not even consider any timelines for the side-lined industries until 2024.
Banks have invested billions in becoming CDR compliant, but privately detest the scheme because it threatens to dilute their margins, make customers less sticky and lets in fintechs that use dangerous screen scraping software that requires bank account holders to share their access credentials in direct violation of bank information security conditions.
Labor had not indicated a position on the future of the CDR during the election campaign; however, Minister for Financial Services Stephen Jones later expressed to the payments industry his support for the scheme.
Banks have wanted screen scrapers shut down for years, but the fintech sector is so reliant on the technology it would probably be decimated without a long sunset period to find alternatives that would cost a lot more to implement.
The superannuation industry has good reason to be wary of the CDR because of the huge amounts of capital at risk if user accounts are fraudulently switched and cleaned out. Remote access to super funds via action initiation is a particularly worrying scenario for providers.
Similarly, telecommunications carriers are worried about the CDR because if misused, it could be used to take control of a person’s mobile account, with account takeover hijacking now rife in executing on bank accounts, payment cards, government transactions and identity credentials.
The CDR legislation now making its way through the parliament was also drafted well before the Optus, Medibank and Latitude hacks that transformed data hoarding from a lucrative asset to a strict liability overnight, as insurers rewrote the rulebook on data risk overnight.
Banks, although saddled with billions in sunk costs, are putting the boot into CDR action initiation, recently warning the cyber risk landscape could mean costs outweighed benefits for consumers.
Treasury remains adamant action initiation is a happening thing.
“The expansion of the CDR to allow action initiation will continue to be progressed. The assessment and development of a robust framework to support the future implementation of action initiation will occur in close consultation with stakeholders,” the Treasury newsletter said.
“Funding has also been allocated to increase consumer awareness of the CDR by developing a trust brand strategy. This will help consumers identify where they can access CDR-powered providers, products and services.
“The Government also plans to undertake a strategic assessment of the CDR towards the end of 2024 to inform future expansions.”
This article was first published by The Mandarin.