Open Banking

Data holders are data givers under the Consumer Data Right (CDR). These are the providers who currently hold consumer data. Registered Data Holders are required to share customer data with a nominated Accredited Data Recipient when a customer directs them to. 

An accredited provider is one which has successfully undergone the Australian Competition and Consumer Commission (ACCC)’s accreditation process to become an Accredited Data Recipient (ADR).

Data recipients are data receivers under the Consumer Data Right (CDR). These are the providers who receive a consumer’s data after the consumer has given their consent. The data recipient will then use this data to offer a service the consumer has requested (e.g. comparison of products).

Only accredited providers can operate within Open Banking and offer services under CDR.

How do I know who is an accredited provider?

Consumers can confirm if a provider is accredited by viewing the list of current accredited providers on the official the Consumer Data Right (CDR) website.

As CDR has only recently launched in Australia, there are currently only a limited number of accredited providers. As CDR grows over time, more and more providers will become accredited.

Many precautions have been factored into the Open Banking data sharing environment, such as:

• The standards, format, and process for data sharing under the Consumer Data Right (CDR) has been established by the Data Standards Body (DSB)
• Only providers that have met the Australian Competition and Consumer Commission (ACCC)’s accreditation process are able to participate in Open Banking as a data recipient. Providers must demonstrate that they meet technical and system requirements to receive data and comply with data standards, and adhere to many legal requirements
• Providers are only able to collect and use data as required to provide a product or service, in line with the customer consent provided
• The CDR is co-regulated by the ACCC and the Office of the Australian Information Commissioner (OAIC), who jointly monitor compliance to CDR regulations. They work together to respond to issues, including taking enforcement action if needed. More information can be found in the ACCC/AIOC Compliance and Enforcement Policy for the Consumer Data Right.

There is no obligation for you to share your personal data. Open Banking is an opt-in service, so the choice is completely yours. When choosing to share your data, you have control over:

• Whether you want to share your information or not
• What information you wish to share
• The specific purpose for which your data will be used
• Who you share your information with
• When you want to stop sharing your information

Also, if you do decide to share your data, you are able to revoke your consent on this data sharing at any stage.

Individual, sole trader, and non-individual customers can opt-in to share data for most of the following products:

• Savings, transaction, and overdraft accounts
• Term deposits
• Credit cards
• Personal loans
• Home loans and mortgage offset accounts
• Business loans.

Please note:

• Changes in your customer and account data (including balances and transactions) may only be made available for sharing after 24-48 hours. Changes in credit card data are generally made available as they occur
• Pending transactions are not yet available for sharing
• Interest rates, fees and product features associated with individual accounts are not yet available for sharing.

Data sharing will start on an Accredited Data Recipient’s (ADR) website or app, where you may be asked if you wish to share your data while browsing for a service or product:

• If you consent to data sharing, your identity will need to be verified by BOQ before we share any data.
• You will be directed to BOQ’s Data Holder services platform and prompted to enter your customer ID.
• You will then be sent a One Time Password (OTP) to your mobile or email.
• When the OTP has been successfully entered and your identity verified, you will be prompted to choose the specific accounts you consent for data sharing, before being linked back to the ADR site where you may begin using your shared data.  

When sharing joint account data,  a notification email or text (depending upon the preferred communication channel) will be sent to all joint account holders each time data sharing has started, and when data sharing has stopped for that joint account. Account holders must log into Customer Dashboard for more information. 

To be eligible to participate in data sharing, you must:

• be at least 18 years of age, and
• hold at least one open and online account.
• The process will start on an accredited provider’s website or app. The whole process takes less than two minutes.

For joint account data sharing, all joint account holders must be:

• Individual or sole trader customers
• legal owners of the joint account
• eligible to participate in data sharing

How do I share data on a joint account? 

Eligible joint accounts are available for data sharing by default, so you won’t need approval from other joint account holders to share data with accredited providers. However, if you or any other account holder have disabled your joint account for data sharing it will need to be re-enabled before data can be shared.

You may change your data sharing settings for your joint account or stop data sharing at any time via the Customer Dashboard. If you choose to disable your joint account for data sharing, all other joint account holders will need to approve and re-enable the account for data sharing.

To enable data sharing:

1. Go to Accounts management > Joint accounts and enable the joint account you want to share by following the onscreen prompts.
2. We’ll send the other joint account holder an email or text notification to log into the Customer Dashboard, asking them to approve or decline your request. A notification will also be sent to the account holder that initiated the request but no action is required. 
3. Each Joint Account holder will need to log in to their Customer Dashboard to view the notification* and approve the request to enable data sharing for the joint account.
4. If all joint account holders approve the request, your joint account will be enabled for data sharing and you will be able to select it from the list of accounts eligible for data sharing when creating a new consent.

*The notification will expire after 30 days. If the other joint account holders do not approve the request during this time, you will need to repeat the process from Step 1.

How do I know if another joint account holder is sharing the account data?

Whenever a new data sharing consent is given, is revoked, or expires, all joint account holders will be notified via email or text. Joint account holders must log into their Customer Dashboard to see what data is being shared. 

How do I enable a joint account for data sharing?

Eligible joint accounts are available for data sharing by default, so you won’t need approval from other joint account holders to share data with accredited providers. However, if you or any other account holder have disabled your joint account for data sharing it will need to be re-enabled before data can be shared.

To enable data sharing:

1. Go to Accounts management > Joint accounts and enable the joint account you want to share by following the onscreen prompts.
2. We’ll send the other joint account holder an email or text notification to log into the Customer Dashboard, asking them to approve or decline your request. A notification will also be sent to the account holder that initiated the request but no action is required. 
3. Each Joint Account holder will need to log in to their Customer Dashboard to view the notification* and approve the request to enable data sharing for the joint account.
4. If all joint account holders approve the request, your joint account will be enabled for data sharing and you will be able to select it from the list of accounts eligible for data sharing when creating a new consent.

*The notification will expire after 30 days. If the other joint account holders do not approve the request during this time, you will need to repeat the process from Step 1.

How do I disable a joint account for data sharing?

You may disable a joint account for data sharing at any time. This action will disable data sharing on the account for all joint account holders and secondary users:

1. Go to Accounts management > Joint accounts and disable the joint account by following the onscreen prompts.

We'll send all joint account holders an email or text notification that data sharing for the joint account has been disabled. Account holders can log into their Customer Dashboard for more information. 

Will I get notified when data sharing is enabled or disabled?

Yes, if you have opted in to receive notifications, we will send you an email or text to inform when data sharing on the joint account has started or stopped. 

To be eligible for secondary user data sharing:

• All account owners, and secondary users seeking to share data must be eligible to share data as per the criteria above (see ‘Who can share data?’)
• Secondary users seeking to share data must be able to transact on the account*
• An account owner must enable data sharing for secondary users via the Customer Dashboard

*Note that power of attorney relationships and delegated users are not secondary users. Delegated users seeking to share data as secondary users would need to be added as a signatory on the account by the account owner/s. Note that that signatory relationships may provide additional permissions to operate the account.

How do I enable secondary user data sharing on my account? 

Data sharing permissions for secondary users must be enabled by an account owner via the Customer Dashboard. Account owners may choose to enable data sharing for all eligible secondary users per eligible account.

To enable data sharing for secondary users as an account owner:

1.  to Accounts management > Secondary users and enable the account for secondary user data sharing by following the onscreen prompts. Note that this action enables data sharing for all eligible secondary users on the account, including secondary users subsequently added to the account.

Account holders are notified via email or text when secondary user is sharing data. 

For secondary users on eligible accounts, please note that ACCC has granted an exemption to NAB, the issuer of BOQ Credit Cards, for its obligations to share CDR data with secondary users. This means that eligible Credit Card accounts for secondary users are not available for selection during consent authorisation. We apologise for any inconvenience.

How do I know if a secondary user is sharing the account data?

Account holders are notified via email or text when secondary user is sharing data. Account holders can log into their Customer Dashboard and click Sharing started by others to see what data is being shared. 

Can my delegated user on BOQ internet banking share data?

No. Delegated users setup via BOQ internet banking are not eligible to share data as secondary users. For more information on secondary user eligibility, see ‘How do I share my data?’.

How do I disable secondary user data sharing on my account?

Eligible accounts are disabled for secondary user data sharing by default. However, if an account owner has previously enabled secondary user data sharing, any account owner may disable the account for secondary user data sharing at any time via the Customer Dashboard. This action will disable data sharing for all eligible secondary users on the account:

1. Go to Accounts management > Secondary users and disable the account by following the onscreen prompts.

For non-individual (business) data sharing:

• Within Open Banking non-individuals / organisations can authorise a Nominated Representative to share the business entity’s banking data with accredited service providers.
• Nominated Representatives must be eligible to share data as per the criteria above and be a signatory on at least one of the accounts attached to the business entity.
• Currently, non-individual entities, which may include a single trading name or a single trust but not both, are able to share data via a Nominated Representative. Data sharing for additional types of business entities and ownership structures will be made available in the future. 
• Accounts that are jointly owned by one or more individuals and/or involve multiple non individual entities (e.g. an account owned by two companies) are not eligible under the Consumer Data Right rules.

How do I add and remove a Nominated Representative for data sharing on behalf of my organisation?

Non-individual data sharing is disabled by default. Within Open Banking eligible non-individuals / organisations can authorise a Nominated Representative to share a business entity’s banking data with accredited service providers. Once authorised, Nominated Representatives may choose to create data sharing consents including all eligible accounts for the business entity.

To add or remove a Nominated Representative, the authorised representative[s] of the business entity must complete the Open Banking – Data Sharing Form for Business Entities and return / email to their nearest BOQ Branch or Business Banker for validation.

• Once authorised, the Nominated Representative will be able to share all accounts associated with the business entity, even those they do not have signing authority on.
• Once removed, the Nominated Representative will not be able to share data on any accounts associated with the business entity, and any active data sharing consents they have created for the business entity will be immediately revoked.

Note that if the Nominated Representative also holds eligible personal BOQ accounts or is a Nominated Representative for more than one business entity, they will be required to select the profile of the relevant business entity during the initial consent process. For example, the Nominated Representative may be asked to choose between profiles such as ‘Myself’ (for their personal accounts) or ‘Company A’ (as a Nominated Representative). The profile they select will filter the relevant accounts available for data sharing.

What data can a Nominated Representative share?

Once authorised a Nominated Representative will be able to share all accounts associated with the business entity, even those they do not have signing authority on and including accounts that have been closed in the last two years.

Can my business or organisation have more than one Nominated Representative?

Yes. Authorised representative[s] of the business entity may add multiple Nominated Representatives.

How do I know if a Nominated Representatives is sharing the account data?

Nominated Representatives may view and manage all data sharing consents that they or another Nominated Representative have created on behalf of the business entity via the Customer Dashboard at any time.

Note that only authorised Nominated Representatives have access to the Customer Dashboard to view and revoke data sharing consents on behalf of the business entity.

Once you have authorised sharing of your personal data, you will receive access to your Customer Dashboard. Through this dashboard, you can view each of your data sharing consents, including the accredited providers that you have consented to share your data with, the specific accounts shared with each provider, and the period you have nominated for each data sharing consent. You can and easily manage your consents through this dashboard.

How do I access my customer dashboard?

The Customer Dashboard can be accessed from the BOQ (Public Website) home page: Log On menu > Manage Data Sharing

How will my account name(s) appear in the customer dashboard?

Your ‘account names’ will not be visible in the customer dashboard. Instead, the ‘product category’ will be displayed (e.g. ‘savings account’).

Where can I see the data that I have consented for BOQ to provide?

BOQ’s Customer Dashboard will provide you with visibility of the account(s) that you have shared, the providers you have shared your data with (Accredited Data Recipients), and the last 4 digits of these accounts. Transaction data is not displayed.

Why can’t I see all accounts that I have with BOQ in the dashboard?

Customer dashboards are consent focused. If there is no consent associated with an account, it will not be displayed in the dashboard. Additionally, not all products and account types are currently in scope.

For joint accounts, data sharing is only available if all joint account holders are legal owners of the account and eligible for data sharing.

For secondary user data sharing, data sharing is only available if an account owner has enabled secondary user data sharing for the account via the Customer Dashboard.

For Nominated Representative data sharing on behalf of a business entity / organisation, data sharing is only available if the authorised representative[s] of the business entity have completed and submitted the Open Banking – Data Sharing Form for Business Entities. For more information, please see ‘Can non-individuals (business entities) share data?’.

Is there a mobile phone app available for the customer dashboard?

Currently the customer dashboard is browser based and optimised for mobile and desktop devices. At this stage, a dedicated mobile app is not planned.

Is the customer dashboard designed with accessibility in mind?

Yes. Screens within the dashboard have been designed to meet accessibility requirements in the Consumer Data Right (CDR) standards, including colours, fonts and resizeability, to make sure we are meeting the needs of as many of our customers as possible.

How immediately will changes to my data sharing consent(s) be reflected in the Customer Dashboard?

Updates to data sharing consents that are made via the Customer Dashboard will be reflected immediately.

How immediately will any data corrections/updates be reflected in the Customer Dashboard?

Please allow up to 24 – 48 hours for data corrections/updates to be reflected in your dashboard.

I hold accounts with more than one BOQ brand. Do I need to complete a consent to share data for each brand?

Yes. You will need to provide a consent for each brand.

I want to give three banks access to my BOQ Data. Does this require three separate consents?

Yes. You will need to provide a consent for each Accredited Data Recipient (ADR).

How do I share information on a new account?

You must provide consent to share data per account, including for any newly created accounts.

Where can I find more details on any ‘terms and conditions’ for data sharing?

This responsibility largely sits with the Accredited Data Recipient (ADR), who is required to provide a clear declaration of data usage. Please contact the relevant ADR for further information on this.

Note that the BOQ's Customer Dashboard has been designed to meet Data Holder obligations of Open Banking. 

I have been blocked due to too many failed login attempts. Can I be unblocked so that I can access the dashboard?

There is no ability to unblock a customer before the 24-hour period. If you have failed the maximum login attempts to access your dashboard and have been blocked, you will need to wait 24 hours until the block is removed before you can try again.

Can the One Time Password (OTP) be emailed?

The OTP will be sent via SMS to customers who have a valid mobile number registered with BOQ. The OTP will only be sent via email in the instance that BOQ does not have a valid mobile number registered for a customer.

How do I revoke a consent I created?  

You may revoke a data sharing consent at any time:

1. Access your Customer Dashboard
2. Click Sharing started by you and follow the onscreen prompts to stop sharing.

How do I stop joint account data sharing on a consent created by another joint account holder?  

You may stop data sharing for a specific account within a consent created by another joint account holder. Note that you are only able to view accounts within a consent where you are a legal owner of the account. This action will not prevent joint account holders from creating new consents that may include the account*.

1. Access your Customer Dashboard
2. Click Sharing started by others and follow the onscreen prompts to stop sharing.
3. An email or text notification will be sent to all joint account holders notifying that data sharing has stopped. Account holders can log into their Customer Dashboard for more information. 

*If you would like to disable data sharing on an account for all current and future data sharing consents, please refer to the relevant section on disabling joint account data sharing within ‘How do I share data on my joint accounts?’.

How do I stop non-individual data sharing on a consent created by another Nominated Representative?

Nominated Representatives may view and manage all data sharing consents that they or another Nominated Representative have created on behalf of the business entity by logging into the Customer Dashboard at any time.

1. Log in to the Customer Dashboard. If you have data sharing consents for your personal BOQ accounts, you will be required to select the profile* of the business entity after logging in. You may then revoke any active data sharing consents on behalf of the business entity by following the onscreen prompts. Note that this action will not prevent a Nominated Representative from creating new consents with the accredited provider.

*Profile selection will only be displayed at log in when a customer has access to more than one profile for Open Banking. For example, you may be asked to choose between profiles such as ‘Myself’ (for your personal accounts) or ‘Company A’ (as a Nominated Representative). The profile you choose will filter which accounts and consents you will see. You may switch between profiles by clicking the Home button in the Customer Dashboard.

How long after revoking a consent will my data sharing stop?  

Changes due to revoking consent are managed ‘real time’ and will be reflected immediately.

If I had revoked a consent but have now changed my mind, can this consent be reinstated?

No, you are unable to reinstate a revoked consent, as revoking a consent stops the sharing of data. You will need to grant a new consent via the Accredited Data Recipient (ADR).

Can I revoke a ‘pending’ consent?

Yes. You can revoke a pending consent.

How long can I view inactive consents under ‘Consent History’?

The Customer Dashboard will show 2 years of history, however BOQ will retain consent information for an additional 5 years.

What happens to data that I have shared with an Accredited Data Recipient (ADR) once the consented time period is over?

The data is either de-identified or deleted according to your preferences as captured at the time of granting consent.

BOQ may refuse to disclose required customer data in response to a request in the following instances: 

• if BOQ considers this to be necessary to prevent physical, psychological or financial harm or abuse to any person; or
• in relation to an account that is blocked or suspended; or
• in circumstances set out in the data standard

BOQ is required to inform any customer of such a refusal in accordance with the data standards.

Under the Consumer Data Right (CDR) rules:

• Customers can request that a Data Holder revoke a consent e.g. via a call centre. This may be as the customer is unable to do it themselves. A Data Holder has an obligation to revoke consents for customers who have requested the Data Holder to do so
• A Data Holder has an obligation to revoke consents for customers who are not eligible anymore e.g. no longer a customer
• An authorised staff member can suspend (i.e. temporarily block) a specific account from consent. e.g. for the prevention of physical, psychological or financial harm or abuse to any person
• In the event that a customer is deceased
• In the event that fraudulent activity has been detected