Background

On 21 November 2022, the non-bank lenders sector was designated as subject to the CDR.

On 4 March 2025, amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) took effect which:

  • extend the operation of CDR to the non-bank lenders sector
  • set out the requirements for the sector, and
  • include a timetable for when CDR data sharing obligations commence for relevant non-bank lenders. 

Product data sharing obligations will apply in the non-bank lenders sector from 13 July 2026. This will be followed by consumer data sharing obligations starting from 9 November 2026 for initial providers and from 10 May 2027 for large providers. 

Regulatory framework

The Consumer Data Right legislation page provides an outline of the CDR legislative framework, including sector designation instruments, a history of the CDR Rules and links to related explanatory materials.

The Consumer Data Right (Non-Bank Lenders) Designation 2022 is the instrument which designates the non-bank lenders sector as subject to the CDR.

The Data Standards Body is currently developing Consumer Data Standards that prescribe the technical requirements for how data is shared under CDR in the non-bank lenders sector.

The Australian Competition and Consumer Commission, Data Standards Body and the Office of the Australian Information Commissioner provide a range of guidance to help CDR participants understand their obligations under the CDR regulatory framework.

Relevant consultations

Data holders

‘Relevant non-bank lenders’ are data holders in CDR. A relevant non-bank lender is a corporation that:

  • is a registrable corporation under section 7 of the Financial Sector (Collection of Data) Act 2001, or
  • would be a registrable corporation if section 7(2)(i) of that Act didn’t apply (i.e. even if the value of specified assets, and the sum of the principal amounts on outstanding loans, are each under $50 million).

A relevant non-bank lender will generally have data sharing obligations if it offers one or more covered products in the non-bank lenders sector, is considered an ‘initial provider’ or a ‘large provider’ under the CDR Rules and has data that it is required to share under the rules. The definitions of ‘initial provider’ and ‘large provider’ are set out in the timeline below.

Timeline

The date that CDR obligations commence for the non-bank lenders sector depends on whether the data holder is classified as an initial or large provider, and whether the data request relates to product or consumer data. 

In the non-bank lenders sector, the CDR Rules do not apply to complex requests. This means data holders will not be required to respond to consumer data requests made on behalf of a secondary user, a CDR consumer who has a nominated representative, or related to a joint or partnership account.

Description Key dates

A relevant non-bank lender is an initial provider if on 4 March 2025, the combined total value of resident loans and resident finance leases reported to the Australian Prudential Regulation Authority (APRA) by the lender and each of its associated non-bank lenders under the applicable APRA reporting standards:

  • is over $10 billion for the most recent calendar month for which a report was given to APRA, and
  • averaged over $10 billion during the 12 months before 4 March 2025.

Initial providers must comply with product data sharing obligations from 13 July 2026.

These providers must comply with consumer data sharing obligations (except in relation to complex requests) from 9 November 2026.
Description Key dates

A relevant non-bank lender is a large provider if on 4 March 2025, or on a 1 July after that day:

  • it is not an initial provider
  • it has over 1,000 customers on that day, and
  • the combined total value of resident loans and resident finance leases reported to APRA by the lender and each of its associated non-bank lenders under the applicable standards:
    • is over $1 billion for the most recent calendar month for which a report was given to APRA, and
    • averaged over $1 billion during the previous 12 months.

A relevant non-bank lender is also a large provider if it is not an initial provider but is an accredited person. However, a lender that is a large provider on this basis would no longer be considered a large provider if it ceases to be an accredited person and has not otherwise met the large provider qualification at any time before that day.

Relevant non-bank lenders that become large providers on or before 13 July 2025 must comply with product data sharing obligations from 13 July 2026. These providers must comply with consumer data sharing obligations (except in relation to complex requests) from 10 May 2027.

Relevant non-bank lenders that become large providers after 13 July 2025 must comply with product sharing obligations 12 months after they become a large provider. These providers must comply with consumer data obligations (except in relation to complex requests) 15 months after they become a large provider.
Description Key dates

A relevant non-bank lender that is neither an initial provider, large provider nor an ‘excluded data holder’ , may choose to participate in CDR voluntarily.

If a relevant non-bank lender chooses to participate in CDR, it must comply with all relevant aspects of the CDR Rules.

 A relevant non-bank lender that wishes to participate in CDR voluntarily should contact the ACCC and specify the date it would like to participate from.

Related links