Sign up: Sign Up
When: Third Thursday of the month at 3pm-3:45pm (Canberra time)
Location: Microsoft Teams (dial in details are below)

Join on your computer, mobile app or room device
Click here to join the meeting
Meeting ID: 487 742 173 354 95
Passcode: AN6KY2Lp
Dial in by phone
+61 2 9161 1229,,665346196# Australia, Sydney
Find a local number
Phone conference ID: 665 346 196#

---

1. Introductions
2. House Keeping
3. CDR Stream updates
4. General Updates
5. Presentation
6. Q&A
7. Any other business

• 5 min will be allowed for participants to join the call.
• This call is jointly facilitated by the ACCC and the DSB, and we welcome observers from APRA, OAIC and the Treasury.

We acknowledge the Traditional Custodians of the various lands on which we meet today and pay our respects to their Elders past and present.

The Consumer Data Right Implementation Calls are recorded for note taking purposes only. Recordings and transcripts are kept securely. No identifying material is provided without the participant's consent. Participants may email [email protected] with any questions or a request to have material redacted from the record.

By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.

Provides an update on the activities of CDR streams.

Organisation	Stream	Member	Minutes
All	2026 Implementation Call Welcome	Rob	Welcome to the first CDR Implementation Call of the year, it is great to get the CDR community together again for another year. These calls are an opportunity for participants to share ideas, and work through problems together. It also provides an opportunity for you to connect with the subject matter experts in the ACCC and the Data Standards Body. Our aim is to help you better understand how to interpret and implement the rules, standards and requirements and also gives us an opportunity to provide updates on the work we are doing. We have made a change to the implementation calls this year in response to the level of stability in the ecosystem. We will now hold these calls monthly but we have only scheduled these until April while we monitor the level of queries we receive between calls, especially with the non-bank lending (NBL) sector coming into the CDR in the middle of the year. So there is a possibility we increase the frequency of calls or start a separate one specifically for the NBL sector. But for the time being we will run these on the 3rd Thursday of each month.
ACCC	Update on Certificate Signing Request Profile Consultation Draft 376 (White label brand arrangements)	Peter	An update on the certificate signing request profile changes recently made to the standards. The ACCC are not planning any system changes or process changes for the time being. Please reach out to the participant engagement team or to the tech ops team ([email protected]) if you have questions or concerns.

⭐ indicates change from the last call.

Type	Updated	Links
Standards ⭐	CDR Data Standards v1.36.0 was published 4 December 2025. The release contains changes from Decision 376 (White label brand arrangements). A reminder that there are 3 Future Dated Obligations approaching on 16 March 2026: Get Products v4 Get Product Detail v6 Get Account Detail v4	Change log Future Dated Obligations
DSB Newsletter ⭐	The DSB Newsletter will now publish on the Friday following the implementation call and will include a summary of discussions from the call.	6 February 2026 Newsletter Subscribe

Guide: Participant on-boarding guide
Presenter: Anwar Tariq, ACCC
Contact: [email protected]
Download: Presentation



Questions on the presentation

Question	Answer
Do existing data holders with existing brands need to retest?	No. This is only for new brands seeking to be activated in the ecosystem now. So if you were seeking to activate a new brand, this is when it would apply for. So for any existing brands, no real impact.
When non-bank lending comes on, would we have to onboard a new brand under under our existing data holder. So that'll be against the new CTS?	Yes, if you have completed CTS already on the latest applicable test plan for one of your active brands, you can use that. Basically for all new brands.
Can we still assume that for the non bank lenders for the first milestone where it's just product reference data, there's no CTS requirements for that milestone? It's still the November and May milestones require the CTS?	Yes, there is no CTS required for PRD obligations.

Questions will be received by the community via Microsoft Teams chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.

In regards to topics for questions, we ask the participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.

To view questions and answers from previous CDR Implementation Calls, click here.

Ticket #	Sector	Question	Answer
2609	Non-Bank Lenders	DH hosting the status and outage endpoints if only sharing PRD URI For PRD only participants, they will only have PRD related endpoints (products and product details), is there any additional benefit in maintaining the status and outage endpoints if they are only sharing PRD versus just keeping two "static" pages so that they are "compliant"?	Previous guidance and comments are here: Definition of 'status' and how health check status can be determined? The "status" is the state of the CDR implementation including all APIs and Information Security components. #367 - Consultation Draft 367 - March 2025 Rules - Draft Standards As suggested in another comment, Status and Outages detail may remain relevant for Data Holders that only provide product data. It should be noted that Get Status and Get Outages are included in the 'High Priority' performance tier for the purposes of Get Metrics reporting, and the Get Metrics endpoint itself is in the 'Unattended' tier.
2629	Banking (ADR)	Testing with Data Holders - Production How can a Data Recipient test each Data Holder brand connection to ensure it is working as expected without requiring a live test with a real bank account? What is the recommended approach for validating connections across multiple banks before moving into production?	We are not be able to provide specific guidance as to a recommended approach but general approaches are: For issues with bank connections, try contacting the banks for support, (Contact details are available on Current providers) Check whether banks have outstanding items on the rectification schedule that may explain any inconsistency in their implementations (See Rectification schedule - active data holders with implementation gaps) There is more detail on testing in the following sources: Information for accredited data recipients (in particular, see items 3-6 and 17-21, here) Testing tools DSB development tools and demos You may also find further insight into this situation on the following Standards Maintenance issue, where you can add comments to continue the discussion if you wish: #558 - The Data Holder PVT Problem
2631	General (ADR)	Consumer sharing their CDR data with a third party After collecting a consumer’s CDR data, it is disclosed to the consumer by showing it to them on screen. Our interpretation of this article is that, as a next step, we can ask the consumer to give us their consent (a non-CDR consent) to provide their data (being no longer CDR data because it has been disclosed to the consumer) to a third party. When asking for that consent we would make it clear to the consumer that in the hands of the third party their data will not be governed by the CDR Privacy Safeguards, but will instead be subject to the Privacy Act. Does this interpretation align with the Third party data sharing use cases article?	The example you provided appears similar to scenario 1(c) in the Third-party data sharing use cases article, whereby: the accredited data recipient (ADR) first discloses the CDR data to the consumer as is permitted by rules 7.5(1)(a) and (d) of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules)), such as by presenting the CDR data to the consumer in the ADR’s app/tool the consumer then decides to share their CDR data with a third party. It is important that it is the consumer and not the ADR, who initiates this process and on-shares their CDR data with the third party. As the consumer is not regulated by CDR, they can decide to share their data to whoever they wish. While CDR consents are not relevant to the consumer’s sharing of their data, the article notes the following: Where a consumer shares CDR data outside of the ADR’s app/tool, it is critical that this be a result of an informed consumer choice. It is important that consumers understand the implications of this, and freely and voluntarily elect to that data being shared. ADRs should clearly explain to consumers that shared CDR data that leaves the ADR’s app/tool will be handled in accordance with any applicable privacy legislation such as the Privacy Act 1988, and that consumers should check the third party’s data handling policies such as their Privacy Policy. In addition to or as an alternative to this, an ADR can seek a CDR consent in accordance with the CDR Rules (noting rule 4.12 restricts the seeking of CDR consents in certain circumstances). If an ADR wishes to disclose a consumer’s CDR data based on a CDR consent, it would be limited to the permitted uses and disclosures set out in rule 7.5 of the CDR Rules, such as those made under a disclosure consent. Privacy In your example, we understand the consumer would be sharing the data in a way in which it is taken outside of the ADR’s app/tool and is sent to the third party. Generally, the CDR privacy safeguards would not apply to the data that is in the third party’s hands however, other privacy laws such as the Privacy Act may apply depending on the third party’s circumstances.
2634	General (DH)	Changing Data Holder Endpoint name When using the CDR portal to edit Production Details the only options are to "add" new endpoints, we cannot edit the existing endpoints. Does adding new endpoints replace the old endpoints?	The update will be visible to the user after it undergoes review and approval. Please add the new Authentication details using the "add" button on the endpoints configuration screen and then create a service request on the Management Portal (https://cdrservicemanagement.atlassian.net/servicedesk) or reach out to [email protected] for review and approval. Once the new Authentication details is approved, the old one will get deleted.
2640	Non-Bank Lenders	Voluntary Data Sharing for non-individual accounts Complex accounts are currently out of scope for Non-Bank Lenders. This includes business (non-individual) accounts. As such it is not defined who can initiate data sharing for non-individual/business accounts. Given this, is a non-bank lender able to voluntarily share consumer data for our business customers by allowing users with existing online access to initiate data sharing?	Currently non-bank lenders (‘NBL’) are not required to respond to complex requests, or to provide services needed to be able to respond to complex requests. That is, the implementation date for complex requests in the non-bank lending sector has not been set in the CDR Rules. Treasury is actively considering the timing for commencement of obligations in relation to complex requests for non-bank lenders and is expected to consult on proposed rule changes in 2026. Relevantly, we note Treasury has previously consulted with industry on proposed changes to nominated representative rules. Treasury has advised that the policy intent of carving out complex requests for now is to avoid unnecessary or duplicative compliance burden for how NBLs may be required to comply with this obligation in the future. Therefore, there could be a risk of unnecessary build for NBLs bringing in capability to respond to complex requests (including requests on behalf of non-individuals) early. Once there is a commencement date available for complex requests in non-bank lending, it would be open to you to comply with these obligations early.
Verbal Question 1	General (DH)	Gathering metrics separately for product versus consumer request implementations In the recent changes to the product API as V7, which introduced the brand name for the white labelling change. We also got new product based URI which is being split from the public based URI which allows for separate technical implementations for product versus consumer requests. But the metrics in getMetrics are still tied together (unauthenticated and authenticated), there's no separate product invocation metrics. Is the ACCC going to make any allowance for data holders that are actually having physically separate implementations or different product brands that don't align with consumer request brands?	ACCC request that this be raised in the CDR Support Portal for a response post meeting.
Verbal Question 2	Energy	Planned AEMO changes Regarding Energy Industry, we've recently been made aware of changes that AEMO have planned to make. Our reading of this is that there is no impact to the CDR. Specifically, some of their endpoints scheduled changes. Is this view shared amongst this group?	ACCC will follow this up with AEMO
Verbal Question 3	Non-Bank Lenders	Risk based pricing guidance For NBLs with personal loans that have risk based pricing the guidance we had for PRD was to emulate CBAs personal loan product where min/max/indicative rates are all included. The standards have no way to separate these rates systematically. They all simply look like optional rates making the use of the data impaired. Will there be a change to the standards considered to fix this?	ACCC and DSB have been talking about some of these issues and are looking at what the standards say at the moment and what guidance we might be able to provide that might set out some options for some of these scenarios. There is a plan to have a NBL workshop in March, so there should be some information coming out about that soon to talk through some of these issues. After the workshop we will gather more information from the industry to understand it further before hopefully putting out some guidance.
Verbal Question 4	General	Maintenance Iteration changes Maintenance Iterations 23 & 24 were no longer proceeding. Is there any more news on how change will be managed in future?	This has been looked at inside the DSB in terms of our long term cadence behind managing change. We are planning on a consultation to work out the future state of that, we are looking to reduce the frequency of standards changes just to make it a bit easier for industry to manage change. MI23/24 is no longer proceeding but the items have been added back in to the backlog for future consideration. Participants can still raise changes using the regular process via GitHub maintenance which will be considered by the DSB

Attendees are invited to raise topics related to the Consumer Data Right that would benefit from the DSB and ACCCs' consideration.

Thursday, 3:00pm (Canberra Time)

Minutes from the previous Implementation Call (4 December 2025): https://github.com/ConsumerDataStandardsAustralia/standards/wiki/ACCC-&-DSB-%7C-CDR-Implementation-Call-Agenda-&-Minutes-%7C-4-December-2025

View a number of informative and useful links in the Consumer Data Standards Guide on Information Links.

Data Standards Body	Consumer Data Right	Digital ID	Contact & Media
Chair	Standards	Accreditation Standards	Website
News	Maintenance Iteration	AGDIS Standards	Email
Advisory Committee	CX Guidelines		Calendar
	Support Portal		LinkedIn
			YouTube
			GitHub
			Newsletter