Integrity and security of data handling and usage are at the fore of the Australian Competition and Consumer Commission’s (ACCC) first-ever denial of a company seeking Consumer Data Right (CDR) endorsement.
The regulator has refused CDR accreditation to iSignthis Australia Pty Ltd (iSignthis) as the ACCC was “not satisfied” iSignthis would be able to comply with the obligations of an accredited data recipient under the CDR Rules, it has explained.
iSignthis Australia Pty Ltd is an Australian fintech company with registered offices in Melbourne.
“We refused to accredit iSignthis because we were not satisfied on the material before us about iSignthis’s data security protections, insurance and whether it is a fit and proper person to be accredited,” ACCC commissioner, Peter Crone, said.
“A high degree of data security is one of the most fundamental requirements of being able to join the CDR.
“The ACCC was not satisfied, however, that iSignthis had demonstrated it would be able to comply with the information security requirements, as required by the CDR Rules.”
Under the CDR, accredited data recipients can use consumers’ data — with a consumer’s consent — to provide them with useful products and services.
This is the first time the ACCC has refused to accredit a company seeking to be an accredited data recipient in the CDR.
There are currently 37 accredited data recipients in the CDR system, the ACCC has confirmed.
Multiple issues involved in the decision
According to the ACCC, iSignthis also did not provide evidence of its current insurance policies and, as a result, the regulator was not able to assess the adequacy of iSignthis’ insurance arrangements to manage CDR data.
The ACCC also had regard to a number of matters in relation to its assessment of whether it was satisfied that iSignthis is a fit and proper person to be accredited, the authority has outlined.
Mr Crone added: “The ACCC takes its role as the Data Recipient Accreditor in the Consumer Data Right system very seriously.
“We are acutely aware of the importance of making sure that only businesses who can satisfy us that they can meet their CDR obligations get access to consumer data.”
Where the authority stems from
The ACCC has been given the role of data recipient accreditor in the CDR by the Competition and Consumer Act, it explained.
The CDR Rules set out how the CDR is to operate, including the criteria that the data recipient accreditor, the ACCC, will apply when considering an application for accreditation, it highlighted.
The CDR Rules allow the ACCC to consider not just the applicant for accreditation but also any associated persons (such as a parent company) in assessing whether an applicant meets the fit and proper person criteria.
Potential to appeal the result
As the ACCC confirmed, any applicant for CDR accreditation may seek to have a ‘rejection’ by the accreditor reviewed by the Administrative Appeals Tribunal.
At the time of writing, Mortgage Business had contacted iSignthis’ parent company Southern Cross Payments Ltd as to whether such an appeal would be made.
The applicant’s lineage and status
Between November 2020 and December 2021, iSignthis was known as ISX Financial Pty Ltd and before November 2020 was known as iSignthis eMoney (AU) Pty Ltd. iSignthis is a wholly owned subsidiary of Southern Cross Payments Ltd, which was, until 4 November 2022, a public company listed on the Australian Securities Exchange.
Prior to a name change in May 2022, Southern Cross Payments was known as iSignthis Ltd.
Why CDR is being protected
In terms of the overall system, CDR gives consumers the right to safely access data about them, held by data holders, and direct this information to be transferred to accredited third parties, potentially to access new products and services, including better deals on everyday products and services, the ACCC outlined.
CDR is an economy-wide reform that is being rolled out sector by sector and has already been rolled out to banking and energy.
CDR is designed and overseen by the Australian government and independent regulators to ensure it is safe and secure for consumers.