CDR Attestations

Following legislative updates in October 2021, Australian businesses have five approved ways to access consumer data under the CDR. The right model for your organization depends on how you plan to use the data, and how quickly you want to get up and running.

Trusted Advisor and CDR Insights:

These models allow access without formal accreditation, but their use cases are restricted. Trusted Advisor enables sharing data with professionals like lawyers or accountants, while CDR Insights provides limited access to specific datasets for targeted purposes.

For full, flexible access to consumer data, your best options are:

Unrestricted offers full accreditation and the highest level of control. You can act independently and sponsor or authorize other parties under the Representative or Sponsored models. It’s ideal for companies prioritizing long-term scalability, independence, and market leadership.

Representative Gain faster entry into the ecosystem by partnering with an accredited “Principal” who collects and shares data on your behalf. Your Principal handles the compliance requirements, allowing you to focus on delivering value. We collaborate closely with Principals to help Representatives onboard efficiently and stay audit-ready.

Sponsored requires ACCC approval but has lighter compliance obligations—no ASAE 3150 audit is required. Sponsored access is less common and may involve longer approval timelines compared to Representative access.

For most companies, we recommend Unrestricted access for complete control and long-term resilience, or Representative access for a faster, lower-friction path to market.

Meeting Consumer Data Right (CDR) compliance requirements may seem complex, but with the right strategy and support, it’s a manageable process. The framework is designed to ensure transparency, protect consumer data, and promote trust.

Here are the core elements of CDR compliance:

• Consumer consent: You must obtain, manage, and track consumer consent for every data-sharing interaction. This ensures individuals always remain in control of their personal information.
• Transparency: Your business must maintain a clearly written, publicly available CDR policy outlining how data is collected, used, stored, and shared.
• Data sharing: You’ll need documented policies that specify who you can share CDR data with, under what conditions, and how those exchanges are protected.

A major component of CDR compliance involves information security, detailed in Schedule 2 of the CDR rules:

• Part 1 focuses on governance: define your CDR data environment, assess risks, document controls, and test incident response plans.
• Part 2 outlines specific security practices: access management, data loss prevention, malware protection, lifecycle asset management, HR security, and more.

CDR security requirements align closely with internationally recognized frameworks such as SOC 2 and ISO/IEC 27001. This makes it possible to streamline your compliance journey, pursue multiple certifications in parallel, and avoid duplicating effort across audits.

If you’re seeking Unrestricted CDR accreditation, you’ll need an ASAE 3150 assurance report—an Australian standard similar in purpose to the global SOC 2 framework.

• Type 1 Report: Confirms that your control environment is designed thoughtfully and implemented properly as of a specific date. This report is required for your initial accreditation.
• Type 2 Report: Evaluates how effectively those controls perform over time (typically a 12-month period). It’s required every two years to maintain your accreditation status.

Beyond meeting regulatory expectations, these reports help showcase your organization’s maturity, strengthen trust with stakeholders, and reinforce your credibility with partners and customers.

Your timeline for accessing Consumer Data Right (CDR) data depends on your chosen access model:

• Unrestricted Access: Expect a timeframe of 4 to 9 months. This includes roughly 1–3 months for implementation, followed by 3–5 months for ACCC assessment and about a month for final testing and launch.
• Representative Access: When paired with the right technology and a seasoned CDR Principal, this route can take just a few weeks. It’s the fastest way to achieve compliant access to CDR data.

  Working with experienced partners can make all the difference, helping you streamline the process and avoid unnecessary delays.

Yes. Compliance automation tools can reduce your time to accreditation dramatically by streamlining critical steps, including:

• Pre-configured controls and policy templates aligned with CDR obligations.
• Automated workflows for collecting and verifying compliance evidence.
• Built-in mapping for the Representative and Unrestricted access models.

We support two purpose-built frameworks: one optimized for fast, low-lift Representative access, and another designed to meet the full scope of Unrestricted accreditation. Both are structured to reduce business disruption and help you move forward.