Australia Consumer Data Right - Banking (CDR)
The Australian Consumer Data Right (CDR) for banking, mandated under the Competition and Consumer Act 2010 (amended by the Treasury Laws Amendment), gives consumers the right to share their banking data with accredited third parties. It is administered by the ACCC (accreditation), the OAIC (privacy), and the Data Standards Body (technical standards). It took effect in July 2020, covering transaction accounts, credit cards, and lending products, and is expanding to the energy and telecommunications sectors.
Get the official standard — this page is an AI-assisted companion tool, not a replacement for the authoritative text.
Visit legislation.gov.au
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (3)
CDR Rules Obligations
Accreditation, consent, transparency, deletion, records and reporting obligations under the CDR Rules.
| Code | Title |
|---|---|
| AUCDR-OB-1 | Accreditation as an accredited data recipient |
| AUCDR-OB-2 | Consent requirements |
| AUCDR-OB-3 | Data minimisation |
| AUCDR-OB-4 | CDR policy publication |
| AUCDR-OB-5 | Deletion or de-identification of redundant data |
| AUCDR-OB-6 | Records of CDR data |
| AUCDR-OB-7 | Reporting to ACCC and OAIC |
| AUCDR-OB-8 | Complaints handling |
| AUCDR-OB-9 | Outsourced service provider and representative arrangements |
Information Security (Schedule 2)
The minimum information security controls for accredited data recipients (CDR Rules Schedule 2).
| Code | Title |
|---|---|
| AUCDR-IS-1 | Limit risk of unauthorised access to the CDR data environment |
| AUCDR-IS-2 | Secure the network and systems within the data environment |
| AUCDR-IS-3 | Securely manage information assets over their lifecycle |
| AUCDR-IS-4 | Formal vulnerability management program |
| AUCDR-IS-5 | Limit, prevent, detect and remove malware |
| AUCDR-IS-6 | Information security training and awareness program |
Privacy Safeguards
The 13 CDR Privacy Safeguards (Part IVD, Competition and Consumer Act 2010).
| Code | Title |
|---|---|
| AUCDR-PS-1 | Privacy Safeguard 1 - Open and transparent management of CDR data |
| AUCDR-PS-2 | Privacy Safeguard 2 - Anonymity and pseudonymity |
| AUCDR-PS-3 | Privacy Safeguard 3 - Seeking to collect CDR data from CDR participants |
| AUCDR-PS-4 | Privacy Safeguard 4 - Dealing with unsolicited CDR data |
| AUCDR-PS-5 | Privacy Safeguard 5 - Notifying of the collection of CDR data |
| AUCDR-PS-6 | Privacy Safeguard 6 - Use or disclosure of CDR data |
| AUCDR-PS-7 | Privacy Safeguard 7 - Use or disclosure of CDR data for direct marketing |
| AUCDR-PS-8 | Privacy Safeguard 8 - Overseas disclosure of CDR data |
| AUCDR-PS-9 | Privacy Safeguard 9 - Adoption or disclosure of government related identifiers |
| AUCDR-PS-10 | Privacy Safeguard 10 - Notifying of the disclosure of CDR data |
| AUCDR-PS-11 | Privacy Safeguard 11 - Quality of CDR data |
| AUCDR-PS-12 | Privacy Safeguard 12 - Security of CDR data and destruction or de-identification of redundant CDR data |
| AUCDR-PS-13 | Privacy Safeguard 13 - Correction of CDR data |
Your Compliance Coverage
If you comply with Australia Consumer Data Right - Banking (CDR), you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| Australian Privacy Principles (APPs) | 64% | 18 |
| APRA CPS 234 | 25% | 7 |
| GDPR | 25% | 7 |
Plus 4 more, including NIST SP 800-53 Rev 5 (21%) and NIST Cybersecurity Framework 2.0 (21%).
Maps to 7 other frameworks.
Frequently Asked Questions
What is Australia Consumer Data Right - Banking (CDR)?
Australia Consumer Data Right - Banking (CDR) is a compliance framework from Australia with 3 domains and 28 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Australia Consumer Data Right - Banking (CDR) have?
Australia Consumer Data Right - Banking (CDR) has 28 controls organised across 3 domains. From largest to smallest, the domains are Privacy Safeguards (13 controls), CDR Rules Obligations (9 controls), and Information Security (Schedule 2) (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Australia Consumer Data Right - Banking (CDR) map to?
Australia Consumer Data Right - Banking (CDR) maps to 7 other compliance frameworks. The top mapping partners are Australian Privacy Principles (APPs) (64% coverage), APRA CPS 234 (25% coverage), and GDPR (25% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Australia Consumer Data Right - Banking (CDR) compliance?
Start your Australia Consumer Data Right - Banking (CDR) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Australia Consumer Data Right - Banking (CDR) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 28 controls and track your progress.