Consumer Data Right (CDR) Regulatory Update for Non-Bank Lenders: What you need to know

On 21st November CDR regulators shared important updates for non-bank lenders (NBLs). Here are the key takeaways and what they mean for your CDR programme:

1. Compliance dates are fixed

13 July 2026, 9 November 2026, and 10 May 2027 remain the regulatory milestones. Your lending volumes will determine your tier. Given the complexity of scope and technology, start your design now.

2. Version 9 of the rules – minimal impact for NBLs

The new rules mainly affect de-minimus and complex requests, which are out of scope for NBLs. Use current rules for programme design.

3. No change to NBL tiers

Banking consultations on de-minimus do not affect NBL inclusion. Continue using current standards.

4. Exemption requests take 3 months

Decisions are unlikely before February, leaving only two months before the first compliance date. Plan your exemption and a “Plan B” now.

5. Clarification on asset finance

‘Standard on-road vehicles’ are confirmed as in-scope. Review your product set and data sourcing approach.

6. Covered product data must still be shared

Even without digital customers, product reference data must be published unless exempt. Assess your products carefully.

7. CDR latency must match digital access

APIs should reflect up-to-date data like your online experience. Legacy platforms and integrations may pose challenges - plan your data architecture and flow now.

8. White-label branding consistency

Branding must be applied consistently across consent flows. If you have multiple white labels, choose your CDR vendor carefully.

9. Authentication consultation coming soon

Expected before year-end. While vendors will handle much of this, keep progressing on the remaining majority of your programme.

AegisIQ helps non-bank lenders accelerate and de-risk CDR delivery with proven expertise and tools. If you’d like to explore how we can support your programme, let’s talk.