
CDR Expansion: What Non-Bank Lenders in Australia Need to Know

  • Writer: Mike Booth
  • Mar 13

Updated: Mar 27

Why is the Government expanding CDR to Non-Bank Lenders (NBL)?

The Australian government has recently announced a significant expansion of the Consumer Data Right (CDR) framework to include non-bank lenders. This marks an important evolution in the country’s open banking journey.


This expansion aims to promote competition, enhance consumer data portability, and foster innovation within the broader financial services landscape. The move represents a strategic step to ensure consumers can benefit from data-driven financial services beyond the banking and energy sectors.



Regulatory Framework and Recent Amendments

The Competition and Consumer (Consumer Data Right) Amendment (2025 Measures No. 1) Rules 2025 were officially registered on March 3, 2025, as signed by Stephen Jones, Assistant Treasurer and Minister for Financial Services.


These rules formalise the extension of CDR to the non-bank lenders sector (NBL sector), which is defined as “the sector of the Australian economy that is designated by the NBL sector designation instrument”—specifically the Consumer Data Right (Non-Bank Lenders) Designation 2022.


This amendment represents a significant regulatory development, creating comprehensive provisions for the application of data-sharing obligations to financial institutions beyond traditional banks. The regulations establish a structured approach to determining which non-bank lenders will be subject to CDR obligations and under what timeframe.


Do I need to comply with CDR?

As a non-bank lender, this can be a complex area to interpret. The CDR Legislation comprises over 130 pages, and there are additional CDR Standards to consider.


In-scope NBLs and milestone delivery dates

The recent consultation increased the levels and criteria for inclusion in CDR. All providers need to publish Product Data Requests (essentially an API of product reference data in CDR format) by 13th July 2026. Following this, Initial Providers must publish Consumer Data Requests (customer, account and transactional data) by 9th November 2026. Large Providers must publish Consumer Data Requests by 10th May 2027.

| Category | Criteria for Inclusion | Classification | Timeframes | Covered Products | Customer Thresholds | Other Relevant Criteria |
|---|---|---|---|---|---|---|
| Initial Providers | NBLs with resident loans & finance leases over $10 billion | Initial Providers | Tranche 1: 13 July, 2026 (Product Data Requests); Tranche 2: 9 Nov, 2026 (Consumer Data Requests, excluding complex requests) | Loans (personal, home, investment, business), credit cards, BNPL, mortgages, overdrafts, asset finance | $10 billion+ resident loans & finance leases (aggregated for lender and its affiliates) | Must comply with external dispute resolution via AFCA |
| Large Providers | NBLs with resident loans & finance leases over $1 billion and more than 1,000 customers | Additional Providers | Tranche 1: 13 July, 2026 (Product Data Requests); Tranche 3: 10 May, 2027 (Consumer Data Requests, excluding complex requests) | Same as Initial Providers | $1 billion+ resident loans & finance leases AND 1,000+ customers | If also accredited, earlier application may apply |
| Other NBLs | NBLs that do not meet Initial or Large Provider thresholds | Voluntary Opt-In | N/A (Only applies if they elect to participate) | Same as above | No fixed threshold | Must notify the ACCC to voluntarily participate |
| Excluded NBLs | Registered religious bodies, foreign ADIs, foreign branches of Australian ADIs, and restricted ADIs | Excluded | N/A | N/A | N/A | Not required to comply with CDR obligations |


What NBL Products need to be shared?

The recent 'CDR Reset' reduced the number of specialised NBL products which must be shared through CDR. The following products must be shared, either as product reference data (as part of the Product Data Requests tranche) or as part of account transaction data (during the Consumer Data Requests tranche):

  • Personal Credit or Charge Card Accounts

  • Business Credit or Charge Card Accounts

  • Residential Home Loans

  • Home Loans for Investment Properties

  • Mortgage Offset Accounts

  • Personal Loans

  • Business Finance

  • Investment Loans

  • Lines of Credit (Personal & Business)

  • Overdrafts (Personal & Business)

  • Asset Finance (Including Standard Vehicle Financing & Leases)

  • Consumer Leases

  • Reverse Mortgages

  • Buy Now, Pay Later (BNPL) Products


Key Obligations

Complying with CDR is challenging, involving extensive legal, compliance, data, cyber, integration, technology, product, process, and vendor considerations.


As data holders, non-bank lenders must:

  1. Deliver a technical implementation: Develop or procure secure APIs compliant with CDR standards

  2. Enable data sharing: Source product, account and customer transaction data in real-time, and enable secure sharing of customer data when authorized

  3. Establish consumer consent management: Implement robust consent collection and management systems

  4. Provide consumer dashboards: Implement a digital interface for consumers to review and adjust data sharing

  5. Establish security measures: Establish strong data protection and encryption standards

  6. Enable integrated authentication: Implement multi-factor authentication for data sharing

  7. Perform adequate record keeping: Maintain comprehensive records of all data sharing activities

  8. Establish dispute resolution: Establish processes for handling customer complaints

  9. Establish privacy safeguards: Comply with CDR privacy protections beyond standard privacy laws

  10. Perform CDR regulatory reporting: Establish reporting of key information to the regulator for monitoring and assurance purposes


Optionally, NBLs can become Accredited as a Data Recipient. This allows customers to consent to share other banks' transaction data with them. Whilst this requires additional technology and compliance, it allows the NBL to use this data to offer additional high-value services to customers - and receive value from CDR.



Lessons Learned

I have worked extensively with the regulator, banks, energy companies and data recipients to successfully comply, deliver, run and operate their CDR capability. There are many lessons I've learned.


  • Start early: Organisations that began preparations well ahead of deadlines delivered quicker and more cost-effectively. Start with a discovery, design and planning phase, and be clear what you will buy, partner, or develop in-house and the phasing to integrate this ahead of the compliance date

  • Establish a program: Delivering CDR rarely takes less than 8 months, and typically longer (banks took around 18 months). Establishing a project is therefore essential to coordinate efforts, simplify governance and identify efficiencies and cost savings

  • Engage specialists: Technical expertise in CDR is specialised and valuable. There are over 130 pages of rules, 30 APIs, 300 data elements and a wide range of legal, compliance, data and technology considerations

  • Cross-functional teams: Successful implementation requires collaboration across IT, data, cyber, legal, compliance, and customer experience departments

  • Phased approach: Organisations that implemented in stages had smoother transitions

  • Leverage existing resources: Materials from Treasury, the ACCC and the Data Standards Body, along with other support materials, can accelerate decision-making

  • Vendor management: Selecting, procuring and integrating tools is essential to cost-effective compliance. Establishing clear needs and ways of working is essential for successful and timely delivery

  • Technical challenges: Prepare for complexity in meeting CDR performance targets (which include sub-second targets) when integrating across legacy and partner systems. API development and testing is typically more complex than anticipated and needs to be instrumented

  • Operational challenges: Build expertise on the CDR standards early in technology, project and customer support functions. Recognise that product and transactional data will now be visible externally and require ongoing data quality and remediation work


Want to know more?

I have worked extensively with regulators, banks, energy companies, and data recipients to successfully comply, deliver, run, and operate their CDR capabilities.


If you want to reduce the cost to comply, or identify areas to compete using CDR, contact us to find out more about our solutions and accelerators.


AegisIQ is passionate about making technology a transformation enabler, ensuring it is human-centric and seamlessly integrated into your business. Connect with us today to see how we can help you become future-fit.
