
What the latest CDR update means for non-bank lenders

  • Writer: Mike Booth
  • 6 days ago

Key takeaways

  • The Consumer Data Standards remain stable at version 1.36.0, but two future-dated PRD obligations, Get Products v5 and Get Product Detail v7, take effect on 13 July 2026.

  • The ACCC has released NBL-capable Participant Tooling and an updated PDMOC register. It is the on-ramp to Tranche 2 onboarding, expected from July or August, so testing should begin now.

  • Two open questions could affect your build: consent and account selection under the 4 March 2026 rule changes, and ID permanence across lapsed and renewed consents. Both are with the DSB for guidance.

  • Lenders weighing an early go-live may be able to seek an exemption from the first six-month reporting round. The ACCC is considering it.

  • The next implementation call is on 18 June 2026.



The Update

For non-bank lenders, the date that matters most right now is 13 July 2026. That is when the first future-dated Product Reference Data obligations take effect. The latest implementation call from the Data Standards Body (DSB) and the ACCC confirmed what many of us expected: the tooling, the timelines and the open questions are all converging on that single milestone.


Here is what has changed, what has not, and what we would advise non-bank lenders to do about it.


The standards are holding steady

There are no new standards to chase. The Consumer Data Standards remain at version 1.36.0. That stability is genuinely helpful, but it only works in your favour if your implementation has caught up to it.


Two future-dated obligations take effect on 13 July 2026:

  • Get Products v5

  • Get Product Detail v7


If your PRD build still targets older endpoint versions, that is a gap worth closing now rather than in July.


The ACCC has released updated tooling

The ACCC has released an updated version of its Participant Tooling. This release matters for two reasons.


First, it is now NBL-capable. The register includes the white-labelling fields and the latest APIs, and it conforms to the current standards. Second, it is the on-ramp to Tranche 2 onboarding, which the ACCC expects to begin around July or August.


The regulator's message was straightforward: download the latest version and begin testing. In our experience, the lenders who treat a tooling release as a prompt to start work, rather than a notice to file away, are the ones who reach go-live without a scramble.


Questions handled on the call

The call worked through a substantial Q&A, covering both written tickets submitted in advance and questions raised live. The three live questions are the ones we would put in front of your team first.

  • Consent and account selection (raised live). Since the CDR rules were amended on 4 March 2026, a consumer's consent must sit within the context of a "relevant account". Participants raised a possible inconsistency: if the standards still imply data can be shared without selecting an account, which interpretation governs? The DSB has taken this on notice. It is worth watching closely, because an overly narrow reading could limit customer-data-only use cases that are becoming more valuable as digital ID comes online across banking, energy and non-bank lending.

  • ID permanence across renewals (raised live). If a consumer lets a consent lapse and then re-consents months later, should the encoded resource identifiers, such as account and transaction IDs, remain stable? The DSB's position is that ID permanence was designed to hold across consents and sessions. If those identifiers change between a lapsed consent and a renewal, data recipients face a significant reconciliation problem. Guidance is being finalised. If your build regenerates IDs for new arrangements, it is worth confirming the approach before July.

  • Early go-live and reporting (raised live). Some non-bank lenders want to go live ahead of 13 July but are concerned that doing so triggers a six-month reporting obligation, covering a window in which their authenticated APIs may have been live for only a week or two. The resulting report would carry very little, yet the obligation would still apply, which is discouraging the early readiness everyone would prefer to see. The ACCC acknowledged the issue and indicated that an exemption may be possible for that first pre-13 July reporting round. Our advice is not to let an administrative reporting quirk set your go-live strategy: if an early launch is sound for your business, the exemption pathway is worth pursuing. Worst case is you will be ready before the mandatory go-live date.


The DSB also published written responses to a batch of support tickets, most of them from non-bank lenders working through Phase 1 PRD detail:

  • Lending rate ranges (2697). Rates across multiple LVR ranges cannot be summarised as a min and max. Holders must disclose all available rate information through the structured rate tier fields.

  • Risk-based pricing and isTailored (2692, 2696). Risk-based pricing on its own does not justify setting isTailored to true. The "highly bespoke products" guidance is the test to apply.

  • One URL, multiple brands (2690). Where a single Get Products URL serves multiple white-label brands, use the brand fields to differentiate, or run a separate URL per brand to avoid filtering issues.

  • Phase 1 scope (2655). Get Metrics is deferred to Phase 2, and Dynamic Client Registration, OIDC and JWKS are not required for Phase 1. The Products endpoint must still meet the performance targets.

  • BNPL category (2693). The BUY_NOW_PAY_LATER category is only mandatory for holders that actually offer BNPL products.

  • Direct debits for lease payments (2691). These are treated as transactions in the consumer's account, not as direct debits or scheduled payments.

  • HTTP status codes (2703) and redirect to app (2701). Guidance was given on status code sequencing for malicious traffic, and on when mobile flows must redirect to an app. Both are worth a read if they touch your build.

  • Solar Sharer Offer in energy PRD (raised live). A question on how the Solar Sharer Offer should be represented from 1 July 2026 was taken on notice, as the current time-of-use rate values cannot distinctly identify it. Relevant if you operate in energy.


The full minutes and ticket responses are published on the DSB standards wiki.


What we would do this month

  • Confirm your PRD data and APIs meet Get Products v5 and Get Product Detail v7 ahead of 13 July.

  • Download and begin testing the updated ACCC Participant Tooling.

  • Review your ID permanence logic and your consent and account selection logic against the open questions above.

  • If you are considering an early go-live, explore the reporting exemption before deciding to wait.


Planning ahead

July 2026 is the first of three milestones, not the finish line. The full sequence for non-bank lenders is:

  • July 2026 — Tranche 1. Product data sharing (the PRD obligations discussed above).

  • November 2026 — Tranche 2. Consumer data sharing for non-bank lenders with more than $10 billion in assets.

  • May 2027 — Tranche 3. Consumer data sharing for non-bank lenders with more than $1 billion in assets and more than 1,000 customers.


The point worth absorbing now is the lead time. Consumer data sharing is a materially larger undertaking than product data, and in our experience a compliant build takes around twelve months to prepare for properly, allowing for design, vendor selection, testing and conformance. On that basis, an organisation in scope for Tranche 2 in November 2026 should already be underway, and one preparing for May 2027 should be scoping the work now rather than after July.



AegisIQ has worked on CDR with more than ten organisations since 2018, including regulators and major banks. If you are a non-bank lender mapping the road to July and beyond, we design the roadmap to get you compliant quickly. Get in touch.
