The Consumer Data Right (CDR) and Open Banking
What is Open Banking?
In 2018, the Australian Competition and Consumer Commission (ACCC) announced the introduction of the Consumer Data Right (CDR). CDR has been introduced to give consumers (both individuals and small businesses) better access to and control over their personal data.
Open Banking is the implementation of CDR in the banking sector. Within Open Banking, consumers can opt in to share their personal banking data securely with accredited service providers. Service providers may include other banks, Fintechs or third-party financial providers that have completed a rigorous CDR accreditation process overseen by the ACCC.
What does Open Banking mean for me?
By giving customers the choice to share their personal financial data, Open Banking aims to give customers greater choice, control and convenience. It will enable customers to compare products and services quickly and easily, and access new products and offerings that are specifically tailored to them and their needs.
How do I get started?
To start sharing your banking data with an accredited service provider, simply follow the service provider’s instructions and select BOQ in the list of data holders. You will be asked to provide your Customer ID and then sent an SMS one-time password to verify your identity. Note that you will never be asked to enter your password when sharing your data using Open Banking. For further details, see the frequently asked questions section below.
What is my Customer ID?
To authorise and manage sharing for accounts available in BOQ internet banking or the BOQ mobile app, please log in using your Customer Access Number (CAN) including leading zeros (10 digits).
To authorise and manage sharing for accounts available in the myBOQ app, please log in using your mobile number (10 digits).
Log in to your BOQ Customer Dashboard
Frequently Asked Questions
What is a data holder?
Data holders are data givers under the Consumer Data Right (CDR). These are the providers who currently hold consumer data. Registered Data Holders are required to share customer data with a nominated Accredited Data Recipient when a customer directs them to.
What is an accredited provider?
An accredited provider is one which has successfully undergone the Australian Competition and Consumer Commission (ACCC)’s accreditation process to become an Accredited Data Recipient (ADR).
Data recipients are data receivers under the Consumer Data Right (CDR). These are the providers who receive a consumer’s data after the consumer has given their consent. The data recipient will then use this data to offer a service the consumer has requested (e.g. comparison of products).
Only accredited providers can operate within Open Banking and offer services under CDR.
How do I know who is an accredited provider?
As CDR has only recently launched in Australia, there are currently only a limited number of accredited providers. As CDR grows over time, more and more providers will become accredited.
How does it work?
Data sharing will start on an Accredited Data Recipient’s (ADR) website or app, where you may be asked if you wish to share your data while browsing for a service or product:
- If you consent to data sharing, your identity will need to be verified by BOQ before we share any data.
- You will be directed to BOQ’s Data Holder services platform and prompted to enter your customer ID.
- You will then be sent a One Time Password (OTP) to your mobile or email.
- When the OTP has been successfully entered and your identity verified, you will be prompted to choose the specific accounts you consent for data sharing, before being linked back to the ADR site where you may begin using your shared data.
When sharing joint account data, a notification email or text (depending upon the preferred communication channel) will be sent to all joint account holders each time data sharing has started, and when data sharing has stopped for that joint account. Account holders must log in to the Customer Dashboard for more information.
How do I manage data sharing for my account(s)?
Once you have authorised sharing of your personal data, you will receive access to your Customer Dashboard. Through this dashboard, you can view each of your data sharing consents, including the accredited providers that you have consented to share your data with, the specific accounts shared with each provider, and the period you have nominated for each data sharing consent. You can easily manage your consents through this dashboard.
How do I access my customer dashboard?
The Customer Dashboard can be accessed from the BOQ (Public Website) home page: Log On menu > Manage Data Sharing
How will my account name(s) appear in the customer dashboard?
Your ‘account names’ will not be visible in the customer dashboard. Instead, the ‘product category’ will be displayed (e.g. ‘savings account’).
Where can I see the data that I have consented for BOQ to provide?
BOQ’s Customer Dashboard will provide you with visibility of the account(s) that you have shared, the providers you have shared your data with (Accredited Data Recipients), and the last 4 digits of these accounts. Transaction data is not displayed.
Why can’t I see all accounts that I have with BOQ in the dashboard?
Customer dashboards are consent focused. If there is no consent associated with an account, it will not be displayed in the dashboard. Additionally, not all products and account types are currently in scope.
For joint accounts, data sharing is only available if all joint account holders are legal owners of the account and eligible for data sharing.
For secondary user data sharing, data sharing is only available if an account owner has enabled secondary user data sharing for the account via the Customer Dashboard.
For Nominated Representative data sharing on behalf of a business entity / organisation, data sharing is only available if the authorised representative[s] of the business entity have completed and submitted the Open Banking – Data Sharing Form for Business Entities. For more information, please see ‘Can non-individuals (business entities) share data?’.
Is there a mobile phone app available for the customer dashboard?
Currently the customer dashboard is browser based and optimised for mobile and desktop devices. At this stage, a dedicated mobile app is not planned.
Is the customer dashboard designed with accessibility in mind?
Yes. Screens within the dashboard have been designed to meet accessibility requirements in the Consumer Data Right (CDR) standards, including colours, fonts and resizability, to make sure we are meeting the needs of as many of our customers as possible.
How immediately will changes to my data sharing consent(s) be reflected in the Customer Dashboard?
Updates to data sharing consents that are made via the Customer Dashboard will be reflected immediately.
How immediately will any data corrections/updates be reflected in the Customer Dashboard?
Please allow up to 24 – 48 hours for data corrections/updates to be reflected in your dashboard.
I hold accounts with more than one BOQ brand. Do I need to complete a consent to share data for each brand?
Yes. You will need to provide a consent for each brand.
I want to give three banks access to my BOQ Data. Does this require three separate consents?
Yes. You will need to provide a consent for each Accredited Data Recipient (ADR).
How do I share information on a new account?
You must provide consent to share data per account, including for any newly created accounts.
Where can I find more details on any ‘terms and conditions’ for data sharing?
This responsibility largely sits with the Accredited Data Recipient (ADR), who is required to provide a clear declaration of data usage. Please contact the relevant ADR for further information on this.
Note that BOQ's Customer Dashboard has been designed to meet the Data Holder obligations of Open Banking.
One Time Password (OTP)
I have been blocked due to too many failed login attempts. Can I be unblocked so that I can access the dashboard?
A customer cannot be unblocked before the 24-hour period has ended. If you have failed the maximum login attempts to access your dashboard and have been blocked, you will need to wait 24 hours until the block is removed before you can try again.
Can the One Time Password (OTP) be emailed?
The OTP will be sent via SMS to customers who have a valid mobile number registered with BOQ. The OTP will only be sent via email in the instance that BOQ does not have a valid mobile number registered for a customer.
How do I revoke a consent I created?
You may revoke a data sharing consent at any time:
- Access your Customer Dashboard
- Click Sharing started by you and follow the onscreen prompts to stop sharing.
How do I stop joint account data sharing on a consent created by another joint account holder?
You may stop data sharing for a specific account within a consent created by another joint account holder. Note that you are only able to view accounts within a consent where you are a legal owner of the account. This action will not prevent joint account holders from creating new consents that may include the account*.
- Access your Customer Dashboard
- Click Sharing started by others and follow the onscreen prompts to stop sharing.
- An email or text notification will be sent to all joint account holders notifying that data sharing has stopped. Account holders can log into their Customer Dashboard for more information.
*If you would like to disable data sharing on an account for all current and future data sharing consents, please refer to the relevant section on disabling joint account data sharing within ‘How do I share data on my joint accounts?’.
How do I stop non-individual data sharing on a consent created by another Nominated Representative?
Nominated Representatives may view and manage all data sharing consents that they or another Nominated Representative have created on behalf of the business entity by logging into the Customer Dashboard at any time.
- Log in to the Customer Dashboard. If you have data sharing consents for your personal BOQ accounts, you will be required to select the profile* of the business entity after logging in. You may then revoke any active data sharing consents on behalf of the business entity by following the onscreen prompts. Note that this action will not prevent a Nominated Representative from creating new consents with the accredited provider.
*Profile selection will only be displayed at log in when a customer has access to more than one profile for Open Banking. For example, you may be asked to choose between profiles such as ‘Myself’ (for your personal accounts) or ‘Company A’ (as a Nominated Representative). The profile you choose will filter which accounts and consents you will see. You may switch between profiles by clicking the Home button in the Customer Dashboard.
How long after revoking a consent will my data sharing stop?
Changes due to revoking consent are managed ‘real time’ and will be reflected immediately.
If I had revoked a consent but have now changed my mind, can this consent be reinstated?
No, you are unable to reinstate a revoked consent, as revoking a consent stops the sharing of data. You will need to grant a new consent via the Accredited Data Recipient (ADR).
Can I revoke a ‘pending’ consent?
Yes. You can revoke a pending consent.
Inactive and expired consents
How long can I view inactive consents under ‘Consent History’?
The Customer Dashboard will show 2 years of history; however, BOQ will retain consent information for an additional 5 years.
What happens to data that I have shared with an Accredited Data Recipient (ADR) once the consented time period is over?
The data is either de-identified or deleted according to your preferences as captured at the time of granting consent.
In what circumstances can BOQ refuse to share customer data in response to a request from an Accredited Data Recipient (ADR)?
Under what circumstances would BOQ manage consents on behalf of a customer?
Under the Consumer Data Right (CDR) rules:
- Customers can request that a Data Holder revoke a consent, e.g. via a call centre. This may be because the customer is unable to do it themselves. A Data Holder has an obligation to revoke consents for customers who have requested the Data Holder to do so.
- A Data Holder has an obligation to revoke consents for customers who are no longer eligible, e.g. no longer a customer.
- An authorised staff member can suspend (i.e. temporarily block) a specific account from consent, e.g. for the prevention of physical, psychological or financial harm or abuse to any person.
- In the event that a customer is deceased
- In the event that fraudulent activity has been detected