ACCC & DSB | CDR Implementation Call Agenda & Minutes | 19 March 2026 - ConsumerDataStandardsAustralia/standards GitHub Wiki

imp-call_header

Agenda

Sign up: Sign Up
When: Third Thursday of the month at 3pm-3:45pm (Canberra time)
Location: Microsoft Teams (dial in details are below)

Join on your computer, mobile app or room device
Click here to join the meeting
Meeting ID: 487 742 173 354 95
Passcode: AN6KY2Lp
Dial in by phone
+61 2 9161 1229,,665346196# Australia, Sydney
Find a local number
Phone conference ID: 665 346 196#

Agenda

  1. Introductions
  2. House Keeping
  3. CDR Stream updates
  4. General Updates
  5. Presentation
  6. Q&A
  7. Any other business

Introductions

imp-call_intro

  • 5 min will be allowed for participants to join the call.
  • This call is jointly facilitated by the ACCC and the DSB, and we welcome observers from APRA, OAIC and the Treasury.

Acknowledgement of Country

We acknowledge the Traditional Custodians of the various lands on which we meet today and pay our respects to their Elders past and present.

House Keeping

imp-call_house-keeping

Recording

The Consumer Data Right Implementation Calls are recorded for note taking purposes only. Recordings and transcripts are kept securely. No identifying material is provided without the participant's consent. Participants may email [email protected] with any questions or a request to have material redacted from the record.

Community Guidelines

By participating in the Consumer Data Right Implementation Call you agree to the Community Guidelines. These guidelines intend to provide a safe and constructive space for members to discuss implementation topics with other participants and members of the ACCC and Data Standards Body.

CDR Stream Updates

imp-call_stream-updates
Provides an update on the activities of CDR streams.

Organisation Topic Member Minutes
AEMO AEMO will provide an update on upcoming changes to the CDR end point.

In response to the question on notice from the February Implementation call:
Regarding Energy Industry, we've recently been made aware of changes that AEMO have planned to make. Our reading of this is that there is no impact to the CDR. Specifically, some of their endpoints scheduled changes. Is this view shared amongst this group?
 Ian There are no changes to the actual CDR itself. The only change that we're making for CDR is the front door into AEMO. Currently you're using apis.preprod.aemo.com.au:9319 (pre-production address) and apis.prod.aemo.com.au:9319 (production address).

They will change to nem-apis.preprod.wgw.aemo.com.au (pre-production) and nem-apis.wgw.aemo.com.au (production).

These are available in the API Technical Specification on page 9 in relation to CDR and CDR common. There are no further changes.
ACCC Update on the Register and Accreditation Application Platform Christian A major release was released late last week preparing for NBL tranche 1. The participant portal is now ready for NBL Data Holders to register product reference data, put in their brands and ACCC can facilitate through self-service on the portal to meet the tranche 1 obligation dates. There is User Guides which covers PRD only data holders obligations. This release also aligns with the standards in relation to the public base URI split and whitelabelling.

General Updates

imp-call_updates

⭐ indicates change from the last call.

Type Updated Links
Standards ⭐ CDR Data Standards v1.36.0 was published 4 December 2025. The release contains changes from Decision 376 (White label brand arrangements).

There are 2 Future Dated Obligations approaching on 13 July 2026:A reminder that the below 3 specific sections of the standards came into effect on March 16
General ⭐ CDR Future Plan board
The Data Standards Body (DSB) has retired the CDR Future Plan board previously published on GitHub.

The board was introduced to provide early visibility of upcoming areas of work across the DSB. Based on recent stakeholder feedback, the DSB is reviewing how forward work information is communicated. We are also exploring more streamlined ways of sharing information about upcoming focus areas and priorities to ensure it remains clear, useful and aligned with broader program communications.

Information about upcoming consultations, Consumer Data Standards release timing, and future obligations will continue to be published through existing channels, including the DSB website and DSB newsletter.

We will keep stakeholders informed and provide an update once a revised approach is finalised. If you have any questions, please contact us at [email protected].
General ⭐ Upcoming DSB Reforms Consultation Paper
The DSB plans to release a consultation paper for public feedback in late April (indicative timing). The paper will outline proposed changes to how we plan, prioritise and deliver standards and related work.
We'll be seeking input from participants to help ensure the proposed approach is practical, clear, and supports the needs of the broader ecosystem.
Stay tuned for further details on the consultation and how to get involved.
Guidance ⭐ CX Guidelines update: Data holder brands
Minor updates have been made to the CX Guidelines website. Guidelines have been added for data recipients and data holders on surfacing data holder brands during consent, authentication and authorisation. An additional section has been added to demonstrate how data recipients can surface brand names and brand groups for Provider selection for white labeled brands.

These updates can be referenced alongside the recently updated ACCC guidance on Brands in the CDR ecosystem and White Labelled brands in the CDR, which are available on the CDR Support Portal.

See the change log on the CX Guidelines website for more details.
DSB Newsletter ⭐ The DSB Newsletter publishes monthly on the Friday following the implementation call and will include a summary of discussions from the call.

Presentation

None this month.

Q&A

imp-call_q+a

Questions will be received by the community via Microsoft Teams chat before the questions are opened to the floor. Participants can submit questions outside of the CDR Implementation Call to the CDR Support Portal.

In regards to topics for questions, we ask the participants on the call to consider the Community Guidelines when posing questions to the subject matter experts.

To view questions and answers from previous CDR Implementation Calls, click here.

Answers provided

Ticket # Sector Question Answer
2632 Non-Bank Lenders Merchant Names: How transaction information can be managed

There is one specific scenario that is both very important to NBLs and also appears to be in a grey area. It is as follows:
  • NBL wishes to use merchant information (which is not customer specific) to categorise the transaction
  • To identify the merchant the merchantName and merchantCategoryCode are passed to an Large Language Models (LLM) to make a recommendation on the likely type of transaction that would be made with that merchant
  • The LLM can make can initiate a web search to find information on that merchant to assist in the recommendation
The concern is not with the LLM, as models are available that can be run in jurisdiction and with no opportunity for the data provided to be shared with a third party. The concern is with the web search that the LLM might perform as this will end up using external web search engines with T&Cs that are not always conducive to the handling of CDR Data as per the rules.

By the time the web search occurs, the search query is going to be exclusively data that is essentially public (MCC and Merchant Name) and is in no way personal to, or attributable to, the customer.

Would the use of an LLM with the web search capability be acceptable under the CDR rules?		 We have provided general information below which may assist.

An accredited data recipient (ADR) is required to comply with privacy safeguard 6 (PS 6) in relation to CDR data for which there are one or more CDR consumers (section 56EB of the Competition and Consumer Act 2010 (the Act) and see section 56AI(3) for the meaning of ‘CDR consumer for CDR data’).

PS 6 only permits an ADR to disclose CDR data for which there is a CDR consumer to third parties in certain cases – for example, through an outsourced service provider (OSP) arrangement (see rule 7.5(1)(f) of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) and Chapter 6 of the OAIC’s Privacy Safeguard Guidelines which provide guidance on the meaning of ‘disclose’).

An OSP arrangement is not required if no CDR data is disclosed to a third party.

An OSP arrangement is generally required when an ADR discloses CDR data to an external party (such as an external web search engine), and a person is identifiable or reasonably identifiable from the CDR data or other information held by the ADR (see section 56AI(3)(c) of the Act). For more information on the relevant considerations when making this assessment, see the Explanatory Memorandum to the bill which introduced the Consumer Data Right, particularly from paragraph 1.103 and [B.97] – [B.105] of Chapter B of the OAIC's CDR Privacy Safeguard Guidelines.

We understand that some ADRs have implemented use cases that involve use of LLMs. You can refer to the Find a Provider page which provides a list of ADRs and their websites. The page also provides a link to each ADR’s CDR policy which may detail any OSPs the ADR uses to help implement such use cases. For guidance on OSP arrangements more generally, see the fact sheet on CDR outsourcing arrangements
2662 General (DH) Unexpected success response when updating jti via PUT /register

We registering a client using the POST /register API. While updating the registration using PUT /register, we deliberately modified the jti value with a random string. In this case, the PUT /register request returns a successful response instead of an error, even though jti is an unmodifiable parameter, as it does not have a green tick mark in the CDS.

As you know, jti is a "Unique identifier for the JWT, used to prevent reuse of the SSA."		 The jti value is expected to be a unique identifier for every JWT (see here), so the fact that you changed it, and it was accepted, would appear to be correct.

Your reference to the field being 'modifiable' appears to refer to the table in the Client Registration section.

As some of those fields are not part of the SSA itself, they are not really meant to be subject to the 'modifiable' statement - in particular for jti as the upstream standard requires it to change on every use. I understand that this can be confusing.

There is a standards maintenance issue to address this inconsistency, as outlined in statements -
2664 Non-Bank Lenders Amending consent

As a designated NBL data holder, our existing systems currently support a revoke-and-recreate capability (i.e. within the standard amend CX journey, the consumer creates a new consent reflecting the amended details, and separately manually revokes the prior consent).

If the revoked and new consents are appropriately linked (e.g. via a common arrangement ID), would this approach satisfy the CDR requirements for consent amendment? Or is there a clear expectation that amendment must occur without requiring the consumer to revoke the original consent?		 We can't provide specific implementation advice, but the following details are relevant to the amendment process -
  • Dashboard Standards
  • Specifying an existing arrangement (extract below)
    If a Data Recipient Software Product provides the cdr_arrangement_id claim in the request object to the Data Holder's PAR endpoint, the Data Holder MUST revoke any existing tokens related to the arrangement once the new consent is successfully established and a new set of tokens has been provided to the Data Recipient Software Product.
  • Revocations initiated by the consumer would normally require the DH to notify the ADR of the revoked arrangement ID. As the amended authorisation would be given the same arrangement ID as the original authorisation, a typical manual revocation notification to the ADR would cause them to revoke amended consent in the scenario you described.
  • As an amendment is not expected to involve manual revocation, your scenario may also impact Metrics reporting, in particular -
    • revokedAuthorisationCount: The number of revoked authorisations.
  • Most importantly and directly related to the scenario you propose, the rules state:
    4.24 Restrictions when asking CDR consumer to authorise disclosure of CDR data
    When asking a CDR consumer to authorise the disclosure of CDR data or to amend a current authorisation, the data holder must not do any of the following:
    (a) add any requirements to the authorisation process beyond those specified in the data standards and these rules;
    (b) provide or request additional information during the authorisation process beyond that specified in the data standards and these rules;
    (c) offer additional or alternative services as part of the authorisation process;
    (d) include or refer to other documents.
The standards do not support an experience where the consumer would be informed of a need to revoke an authorisation as part of an amendment.
Verbal Question 1 Banking Is there any update on the Treasury proposal to introduce a de minimis threshold in the banking sector? The Treasury provided the below update post-call:

The introduction of a possible de minimis threshold for the banking sector is still under consideration by the Government. As noted previously, this work is only examining arrangements for the banking sector. Changes to other sectors are not being looked at.
Verbal Question 2 Banking (DH) I would like to know if FDOs will be published for the Data Holders to start using the new versions of the following Register endpoints.
If not, is there a page where I can find information about when the existing versions will get retired?
  1. Get Software Product Statuses (V3)
  2. Get Data Recipients Statuses (V3)
  3. Get Data Recipients (V4)
 Register Implementation Schedule

There's not a specific FDO for calling those endpoints. They were essentially unchanged, but they adjusted some of the filters that were previously available that allowed their data recipient endpoints to be filtered by banking or energy, but those filters were never applied because all data recipients are kind of sector agnostic. Those new versions should be available now, but not sure if the ACCC has a plan for when previous versions may be deprecated.
Verbal Question 2 follow up Banking (DH) I've gone through the change and it's specific to the sector related enumerated value message, but it will be good to know if there is any plan to retire the existing version so that we can prepare for the change to start using the new versions. To be followed up with the ACCC
Verbal Question 3 Banking (DH) In the data standards there is the "Lending Adjustment rate - Penalty" field. Based on a sample of financial institutions, this does not appear to be in use. What did the Standards have in mind to be covered with this? I think the original intention was that if you have a loan and you don't make repayments, you may get a penalty (eg an extra half a percent rate) and that would be specified as a penalty adjustment for a lending rate.
Verbal Question 4 Banking (DH) Are the traffic thresholds for Customer Present and AuthZ traffic to be considered discretely from the thresholds for unattended traffic? Specifically, with regard to the 50TPS per software product NFR, during low traffic periods should DH's support a minimum of 100TPS per software product in aggregate? To be followed up with the DSB
Verbal Question 5 Energy When do AEMO anticipate they will have implementation dates for their API changes? How will these be communicated through to us? The build phase is in progress our indicative delivery dates as of today are:

Pre-production July 2026
Production August 2026

Communications channels
  • MSUG - Market Systems User Group (Every 6 weeks)
  • Implementation Forum (Held Monthly NEM Reform Changes)
  • ITF - Industry Testing Forum WEM (Targeted dates as communications come available)
  • ITDF - IT Development Forum (Gas Markets Monthly)
  • AEMO Support Hub Bulletins closer to Go-Live dates

Special note the Legacy URL's and new URLs will run in parallel until late December 2026.
Verbal Question 6 Non-Bank Lenders First Question: Products with rate ranges.
I'm just keen to understand what the schedule is for the DSB and the Chair are to address support for products with rate ranges as it is a pressing issue for the viability and usability of the data once the PRD is published.

Second Question: Campaigns for NBLs that do short-term campaigns.
There are generally two approaches that NBL's are considering:
  1. When there's a campaign, they'll do a duplicate product just for that campaign. And they'll put an effective date, start date and end date and give it a new name, etc. So it'll appear in the PRD for a period of time with effective date and start date related to the campaign with eligibility criteria indicating eligibility and how you can apply for it under the campaign.
  2. Keep the product that is the subject of the campaign and just republish it with a new discounted rate with the appropriate additional info associated with it. And then when the campaign is over, they'll republish again and remove it. So effectively, as the campaign becomes available and then ceases to be available, the core product gets updated.
I just wanted confirmation that both of these seem completely viable under the DSB standards.		 The DSB and ACCC are currently in the process to responding to all the questions from the NBL workshop and will come back ASAP.

Any Other Business

imp-call_any-other-business

Attendees are invited to raise topics related to the Consumer Data Right that would benefit from the DSB and ACCCs' consideration.

The Next CDR Implementation Call

The Next CDR Implementation Call

16 April 2026

Thursday, 3:00pm (Canberra Time)

Minutes from the previous Implementation Call (19 February 2026): https://github.com/ConsumerDataStandardsAustralia/standards/wiki/ACCC-&-DSB-%7C-CDR-Implementation-Call-Agenda-&-Minutes-%7C-19-February-2026

Useful Links

imp-call_useful-links View a number of informative and useful links in the Consumer Data Standards Guide on Information Links.

Data Standards Body Consumer Data Right Digital ID Contact & Media
Chair Standards Accreditation Standards Website
News Maintenance Iteration AGDIS Standards Email
Advisory Committee CX Guidelines Calendar
Support Portal LinkedIn
YouTube
GitHub
Newsletter
⚠️ **GitHub.com Fallback** ⚠️