The Consumer Data Standards are the technical standards for Australia’s Consumer Data Right (CDR), a multi-sector framework designed to give consumers greater control over their data by allowing them to share it securely with accredited third parties. Managed by the Data Standards Body (DSB) within Treasury, it is a world-first economy-wide data-sharing initiative.
Consumer Data Standards – CDS
The Consumer Data Standards Program, part of the Commonwealth Scientific and Industrial Research Organisation (CSIRO).
Australia
A set of principles forms the basis for the development of the standards for the Consumer Data Right. They include:
- The security of customer data
- APIs using open standards
- Simple, informed, and trustworthy data sharing
- API standards that make it easy to write code against them
- Consistency in patterns, structure, security mechanisms and user experience across sectors
- Being as simple as possible while offering as much capability as possible
The consumer experience principles put accessibility, use and comprehension of the standards at the fore.
Consent is granted at a point in time and is only as current as the consumer’s original intent.
A white paper makes a compelling case for the development and adoption of data standards and interoperability in the Australian aged care sector.
JSON
RESTful
YAML
Active API
v1.36.0
The standards are open source.
The Consumer Data Right obliges participants to comply with the standards; standards specified as binding standards apply as if under contract between a data holder and an accredited data recipient.
Data holders must meet IT requirements under the Consumer Data Right, including information security controls, consent guidelines and API standards, as well as the Consumer Data Right Register design, which defines client registration requirements.
Participants must pass the Conformance Test Suite before they receive an ‘active’ status on the Consumer Data Right Public Register.
Regulated
Mandated for Data Holders (Banks/Energy Retailers) and regulated for Accredited Data Recipients (ADRs).
Mandated
- Action Initiation: The standard has expanded beyond read-only data sharing (Read) to Action Initiation (Write). This enables Accredited Action Initiators to initiate payments, switch providers or update personal details on behalf of the consumer across the banking and energy sectors.
- Mandatory CX Standards: High-fidelity requirements for consent screens and dashboards to ensure consumer comprehension and control.
- Joint Account Support: Specialised standards for managing data sharing in joint account scenarios.
- Direct & Indirect Data Sharing: Support for both direct connections and “Sponsor/Affiliate” models for smaller participants.
Banking
Open Data
- Banking: Accounts, Balances, Transactions, Payees, and Scheduled Payments.
- Energy: Electricity and Gas data including Service Points, Usage/Metering, Distributed Energy Resources (DER), Billing, and Plan Details.
- Non-Bank Lending: (New) Extension of banking-style data sharing to non-bank lenders for mortgages and personal finance.
- Telecommunications: (Coming Soon) Plan data and usage metrics are the next priority in the implementation schedule.
Current Accounts
Energy
Lending
Savings
Utilities
Certificates
DCR
Directory
Registry
- eIDAS-like Verification: While not using eIDAS (European), it uses a centralised CDR Register managed by the ACCC for real-time validation of participants.
- Dynamic Client Registration (DCR): Mandatory for all Accredited Data Recipients (ADRs) to register with Data Holders via a standardised API.
- Digital ID Integration: Alignment with the Australian National Digital ID framework for consumer authentication.
- Utilises a ‘Sponsor-Affiliate’ model and ‘CDR Representative’ model to allow smaller fintechs to participate in the ecosystem without full ADR accreditation.
Browser Redirect
Consent requirements will be communicated between the Data Recipient Software Product and Data Holder via the authorisation request object. The primary mechanism for capturing consent will be scopes and claims under [OIDC].
Other patterns for the establishment of consent MAY be considered in the future, including the incorporation of fine-grained consent for specific use cases.
Consent – Consumer Data Standards
Data recipients must notify consumers of consent redirection prior to authentication.
FAPI1
OAuth
OIDC
As of 16 September 2022, the information security profile builds on the Financial-grade API Advanced Profile [FAPI-1.0-Advanced] and related OpenID Connect 1.0 [OIDC] standards. It uses Pushed Authorization Requests (PAR) and JWT Secured Authorization Response Mode (JARM).
For information on the specific normative references that underpin this profile, refer to the Normative References section.
From late 2025/early 2026, JARM encryption is required for ADR authorization responses to further harden the security profile.
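As an added example (not code from the Data Standards Body, the standards, or this page), the Python below models the consent-carrying authorisation request object from the Consent section and a data-holder-side check of the properties the security profile above calls for: the request arrives via PAR as a signed request object (signature verification is assumed to have already happened), it must ask for a JARM response (`response_mode` of `jwt`), and consent is expressed as scopes and claims. The scope names, the `sharing_duration` and `cdr_arrangement_id` claims and the PKCE fields are assumptions drawn from the CDS profile, not from this page, and the sample request is constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed CDR scope names (illustrative subset; the live standards are authoritative).
KNOWN_SCOPES = {
    "openid", "profile",
    "bank:accounts.basic:read", "bank:accounts.detail:read",
    "bank:transactions:read", "bank:payees:read", "bank:regular_payments:read",
    "common:customer.basic:read", "common:customer.detail:read",
}


@dataclass
class CheckResult:
    ok: bool
    problems: list = field(default_factory=list)


def check_request_object(req: dict, expected_client_id: str) -> CheckResult:
    """Validate the payload of a PAR request object whose signature was already verified."""
    problems = []
    # The client pushing the request must be the DCR-registered client it claims to be.
    if req.get("client_id") != expected_client_id or req.get("iss") != expected_client_id:
        problems.append("client_id/iss must match the registered (DCR) client")
    if req.get("response_type") != "code":
        problems.append("FAPI 1.0 Advanced with PAR requires response_type=code")
    if req.get("response_mode") != "jwt":
        problems.append("JARM requires response_mode=jwt")
    if req.get("code_challenge_method") != "S256" or not req.get("code_challenge"):
        problems.append("PKCE S256 code_challenge is required")
    # Consent is carried as OIDC scopes: reject anything outside the known set.
    scopes = set(req.get("scope", "").split())
    if "openid" not in scopes:
        problems.append("openid scope missing")
    unknown = scopes - KNOWN_SCOPES
    if unknown:
        problems.append(f"unknown scopes: {sorted(unknown)}")
    # Consent duration and arrangement identity are carried as claims (assumed names).
    claims = req.get("claims", {})
    dur = claims.get("sharing_duration")
    if dur is not None and not (isinstance(dur, int) and dur >= 0):
        problems.append("sharing_duration must be a non-negative integer of seconds")
    arr = claims.get("cdr_arrangement_id")
    if arr is not None and not (isinstance(arr, str) and re.fullmatch(r"\S{1,255}", arr)):
        problems.append("cdr_arrangement_id malformed")
    return CheckResult(not problems, problems)


SAMPLE_REQUEST = {  # constructed sample, not a real CDR request
    "iss": "adr-sp-123", "client_id": "adr-sp-123", "aud": "https://dh.example.com",
    "response_type": "code", "response_mode": "jwt", "redirect_uri": "https://adr.example.com/cb",
    "state": "st-1", "nonce": "n-1", "code_challenge_method": "S256",
    "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
    "scope": "openid profile bank:accounts.basic:read bank:transactions:read",
    "claims": {"sharing_duration": 7776000, "cdr_arrangement_id": "arr-4f1a",
               "id_token": {"acr": {"essential": True, "values": ["urn:cds.au:cdr:2"]}}},
}
```

The same check run with `response_mode` downgraded or an unrecognised scope added should report a problem, which is the point of validating the pushed request before any consent screen is shown.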
Accounts
Balances
Direct Debits
Parties Or Contacts
Statements
Transactions
API Specifications
Customer Experience Guidelines
Operational Guidelines
Mandatory adherence to CX Standards, including standardized ‘Data Language’ and ‘Consent Dashboards’ to ensure consumer comprehension.
Security Profile
Partial certification process in place
On 26 November 2017, the Australian Government introduced the Consumer Data Right (CDR) in Australia after years in the making.
The need for ‘data portability’ was contemplated in various reports as early as 2015. Draft legislation was first introduced in 2018, with the Treasury Laws Amendment (Consumer Data Right) Bill 2019 passed in August 2019.
CDR will give consumers greater access to and control over their data and will improve consumers’ ability to compare and switch between products and services.
The Consumer Data Standards are strictly regulated by the Government, with all providers accredited. The Treasurer has appointed CSIRO (the Commonwealth Scientific and Industrial Research Organisation) as the Data Standards Body (DSB) to support the delivery of the Consumer Data Right.
Government organisations involved in establishing the Open Data ecosystem and its governance include: the ACCC (Australian Competition and Consumer Commission), which is the lead regulator together with the OAIC (Office of the Australian Information Commissioner); CSIRO and its subsidiary Data61, whose Consumer Data Standards team is responsible for developing the standards for the CDR; APRA (Australian Prudential Regulation Authority); ASIC (Australian Securities & Investments Commission); the Australian Government Productivity Commission; and the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Data Recipients are expected to design their services to minimise traffic with Data Holders and to be resilient in the case of the rejection of a call by a Data Holder due to traffic threshold breaches.
The service availability requirement for data holders and secondary data holders is 99.5% per month.
Planned outages should be commensurate in length and frequency with the data holder’s other primary digital channels and published to Data Recipient Software Products with at least one week’s lead time for normal outages, but may occur without notification if the change resolves a critical service or security issue.
All providers must be accredited recipients of data. The Data Availability and Transparency Bill provides for two types of accreditation – Accredited User and Accredited Data Service Provider.
Data holders must submit reports twice a year to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Consumer Data Right (CDR)