If your organization is exploring opportunities under Australia’s Open Banking framework, the most significant hurdle (in effort and cost) is meeting the Consumer Data Right (CDR) information security requirements outlined in Schedule 2.
To gain accreditation as a CDR data recipient, your systems and processes must satisfy 24 prescribed security requirements. These include multi-factor authentication, data loss prevention, system monitoring, and user access controls. To demonstrate compliance, you’ll need an independent assurance report—typically under SOC 1, SOC 2, or ASAE 3150.
Here’s how to evaluate which report is right for you, and how to make the most of your investment.
Start With What You Have
If your organization already maintains a SOC 1 or SOC 2 report, you’re ahead of the curve. You may be working with frameworks like GS 007, ISAE/ASAE 3402, ASAE 3150 (which aligns with SOC 2 Trust Services Criteria), or AT-105 (the official SOC 2 standard). These frameworks vary slightly in structure and origin but share a common goal: validating that your controls meet specified objectives.
Notably, ISO/IEC 27001 certification—while widely recognized—does not meet CDR accreditation requirements.
Choosing the Right Path to Accreditation
If you don’t currently have a SOC report, the fastest and most cost-effective option may be a one-time ASAE 3150 report tailored to the CDR criteria. However, this type of report has limited utility beyond CDR accreditation.
If you anticipate needing assurance reports for customers or want to streamline future due diligence efforts, investing in a SOC 2 report may offer greater long-term value. Whichever option you choose, be sure the report specifically addresses CDR requirements.
If you already have a SOC report, you may need to expand its scope. For example:
- SOC 2 reports often align closely with CDR requirements and may need only minor adjustments.
- SOC 1 reports are less prescriptive and may require more extensive updates.
Either way, extending your existing SOC reporting approach is likely the most efficient path forward.
Three Key Differences With CDR Reporting
CDR compliance introduces a few nuances that differ from standard SOC reporting. These areas require special attention:
1. Scope of Systems
Under Schedule 2, Part 1, CDR requires a clearly defined “CDR Data Environment.” This includes the systems, people, and processes that collect, store, or interact with CDR data.
While traditional SOC reporting starts with the scope of services and associated systems, CDR flips the model: it starts with the consumer data and works outward to define scope. If your current SOC report wasn’t built with this in mind, you may need to expand its boundaries to meet CDR expectations.
2. Carve-In Approach to Third Parties
Standard SOC reports typically use a “carve-out” approach, excluding the controls of third-party service providers. Instead, the focus is on how your organization oversees those providers.
The CDR requires a “carve-in” approach. You must demonstrate that all third parties supporting your CDR Data Environment meet the same stringent security standards. Cloud infrastructure providers like AWS, Microsoft, and Google typically meet this requirement with their own SOC reports.
However, challenges may arise with vendors that don’t offer SOC reports—such as certain software developers, IT service providers, or data center operators. In these cases, ISO/IEC 27001 or similar certifications are not considered sufficient under CDR, so you may need to re-evaluate your third-party risk strategy for those vendors.
3. Prescriptive Control Requirements
CDR is unique in that it prescribes specific control activities. For example, it mandates multi-factor authentication across all in-scope systems. This contrasts with traditional SOC reporting, which allows more flexibility in how organizations meet control objectives.
To satisfy CDR, your report must directly align with each of these specific requirements.
CDR Compliance Extends Beyond Information Security
While Schedule 2, Part 2, is often the most challenging and costly piece of the CDR framework, it’s not the only requirement. To achieve full accreditation, organizations must also:
- Maintain adequate insurance coverage
- Uphold strong privacy practices
- Honor consumer privacy rights
- Define and govern the CDR Data Environment
- Establish oversight and monitoring mechanisms
Some of these may already be addressed in your existing SOC report. Others will require additional planning and documentation.
Tailoring Your Approach
Achieving CDR accreditation requires a strategic, prescriptive approach to assurance. Whether you pursue a SOC 1, SOC 2, or ASAE 3150 report, your selected framework must fully address CDR’s rigorous security requirements.
For many, the best path is building on an existing SOC reporting process—updating its scope and controls to align with CDR expectations. If starting from scratch, carefully weigh the value of a report tailored solely to CDR against the broader benefits of a SOC 2 that can support future business needs.
To evaluate the best approach for your organization’s CDR accreditation strategy, contact us. We’re here to help you align compliance with opportunity.