Open Banking

What is a data holder?

Data holders are data givers under the Consumer Data Right (CDR). These are the providers who currently hold consumer data. Registered Data Holders are required to share customer data with a nominated accredited data recipient when a customer directs them to. 

What is an accredited provider?

An accredited provider is one which has successfully undergone the Australian Competition and Consumer Commission (ACCC)’s accreditation process to become an Accredited Data Recipient (ADR).

Data recipients are data receivers under the Consumer Data Right (CDR).  These are the providers who receive a consumer’s data after the consumer has given their consent. The data recipient will then use this data to offer a service the consumer has requested (e.g. comparison of products).

Only accredited providers can operate within Open Banking and offer services under CDR.

Is BOQ becoming an Accredited Data Recipient?

BOQ becoming a Data Holder in late 2021 sets the foundations required for us to become an Accredited Data Recipient (ADR) in 2022. As an ADR, BOQ can realise the benefits of data sharing and analytics to obtain valuable insights, better understand our customers’ needs, and offer more tailored products and services. This supports our vision “to be a Digital Bank of the Future with a Personal Touch”.

How do I know who is an accredited provider?

Consumers can confirm if a provider is accredited by looking for the logo on the right, or by viewing the list of current accredited providers on the official the Consumer Data Right (CDR) website.

As CDR has just been launched in Australia, there are currently only a limited number of accredited providers. As CDR grows over time, more and more providers will become accredited.

How safe is it to share my data?

Many precautions have been factored into the Open Banking data sharing environment, such as:

• The standards, format and process for data sharing under the Consumer Data Right (CDR) has been established by the Data Standards Body (DSB)
• Only providers that have met the Australian Competition and Consumer Commission (ACCC)’s accreditation process are able to participate in Open Banking as a data recipient. Providers must demonstrate that they meet technical and system requirements to receive data and comply with data standards, and adhere to many legal requirements
• Providers are only able to collect and use data as required to provide a product or service, in line with the customer consent provided
• The CDR is co-regulated by the ACCC and the Office of the Australian Information Commissioner (OAIC), who jointly monitor compliance to CDR regulations. They work together to respond to issues, including taking enforcement action if needed. More information can be found in the ACCC/AIOC Compliance and Enforcement Policy for the Consumer Data Right.

Do I have to share my data?

There is no obligation for you to share your personal data. Open Banking is an opt-in service, so the choice is completely yours. When choosing to share your data, you have control over:

• Whether you want to share your information or not
• What information you wish to share
• The specific purpose for which your data will be used
• Who you share your information with
• When you want to stop sharing your information

Also, if you do decide to share your data, you are able to revoke your consent on this data sharing at any stage.

What data can I share?

From late 2021, customers with individual and sole trader accounts will be able to opt-in to share data for most savings and transactions accounts, as well as term deposits.

BOQ Specialist clients with individual and sole trader accounts will also be able to share data for credit card accounts, residential home loans, investment property loans and mortgage offset accounts.

Options to share more data for other products, customer types and account types will become available beyond 2021 (e.g. Joint Accounts).

How do I share my data?

Please note that to be eligible to participate in data sharing, you must:

• be at least 18 years of age, and
• hold at least one open and online account with BOQ, BOQ Specialist, VMA or DDHG
• The process will start on an accredited provider’s website or app. The whole process takes less than two minutes.

Data sharing will start on an Accredited Data Recipient’s (ADR) website or app, where you may be asked if you wish to share your data while browsing for a service or product. If you consent to data sharing, your identity will need to be verified by BOQ before we share any data. You will be directed to BOQ’s Data Holder services platform and prompted to enter your customer ID. You will then be sent a One Time Password (OTP) to your mobile or email. When the OTP has been successfully entered and your identity verified, you will be prompted to choose the specific accounts you consent for data sharing, before being linked back to the ADR site where you may begin using your shared data.  

How do I manage data sharing for my account(s)?

Once you have authorised sharing of your personal data, you will receive access to your Customer Dashboard. Through this dashboard, you are able to view each of your data sharing consents, including the accredited providers that you have consented to share your data with, the specific accounts shared with each provider, and the time period you have nominated for each data sharing consent. You are able to and easily manage your consents through this dashboard. 

Giving consent

I hold accounts with more than one BOQ brand. Do I need to complete a consent to share data for each brand?

Yes. You will need to provide a consent for each brand.

I want to give three banks access to my BOQ Data. Does this require three separate consents?

Yes. You will need to provide a consent for each Accredited Data Recipient (ADR).

How do I share information on a new account?

You must provide consent to share data per account, including for any newly created accounts.

Where can I find more details on any ‘terms and conditions’ for data sharing?

This responsibility largely sits with the Accredited Data Recipient (ADR), who is required to provide a clear declaration of data usage. Please contact the relevant ADR for further information on this.

Note that the BOQ's Customer Dashboard has been designed to meet Data Holder obligations of Open Banking.

What is my Customer ID? Is it the same for each brand?

The customer ID is the generic name given to the unique customer identifier you use to log into internet banking. If accessing your account(s) via BOQ Internet Banking: Customer Access Number (CAN)

One Time Password (OTP)

I have been blocked due to too many failed login attempts. Can I be unblocked so that I can access the dashboard?

There is no ability to unblock a customer before the 24 hour period. If you have failed the maximum login attempts to access your dashboard and are been blocked, you will need to wait 24 hours until the block is removed before you can try again.

Is there an autofill feature for the One Time Password (OTP) for mobile phones?

This feature is not available in our Data Holder solution.

Can the One Time Password (OTP) be emailed?

The OTP will be sent via SMS to customers who have a valid mobile number registered with BOQ. The OTP will only be sent via email in the instance that BOQ does not have a valid mobile number registered for a customer.

Refusing consent

In what circumstances can BOQ refuse to share customer data in response to a request from an Accredited Data Recipient (ADR)?

BOQ may refuse to disclose required customer data in response to a request in the following instances:

• if BOQ considers this to be necessary to prevent physical or financial harm or abuse; or
• in relation to an account that is blocked or suspended; or
• in circumstances set out in the data standard

BOQ is required to inform any customer of such a refusal in accordance with the data standards.

Managing consent

Under what circumstances would BOQ manage consents on behalf of a customer?

Under the Consumer Data Right (CDR) rules:

• Customers can request that a Data Holder revoke a consent e.g. via a call centre. This may be as the customer is unable to do it themselves. A Data Holder has an obligation to revoke consents for customers who have requested the Data Holder to do so
• A Data Holder has an obligation to revoke consents for customers who are not eligible anymore e.g. no longer a customer
• An authorised staff member can suspend (i.e. temporarily block) a specific account from consent. e.g. for the prevention of harm and abuse
• In the event that a customer is deceased
• In the event that fraudulent activity has been detected

How immediately will changes to my data sharing consent(s) be reflected in the Customer Dashboard?

Updates to data sharing consents that are made via the Customer Dashboard will be reflected immediately.

How immediately will any data corrections / updates be reflected in the Customer Dashboard?

Please allow up to 24 – 48 hours for data corrections / updates to be reflected in your dashboard.

Revoking consent

How long after revoking a consent will my data sharing stop?  

Changes due to revoking consent are managed ‘real time’ and will be reflected immediately.

If I had revoked a consent but have now changed my mind, can this consent be reinstated?

No, you are unable to reinstate a revoked consent, as revoking a consent stops the sharing of data. You will need to grant a new consent via the Accredited Data Recipient (ADR).

Can I revoke a ‘pending’ consent?

Yes. You can revoke a pending consent.

Inactive and expired consents

How long can I view inactive consents under ‘Consent History’?

The Customer Dashboard will show 2 years of history, however BOQ will retain consent information for an additional 5 years.

What happens to data that I have shared with an Accredited Data Recipient (ADR) once the consented time period is over?

The data is either de-identified or deleted according to your preferences as captured at the time of granting consent.

How do I access my customer dashboard?

The Customer Dashboard can be accessed from the BOQ (Public Website).

• Home page log on menu > Manage Data Sharing

How will my account name(s) appear in the customer dashboard?

Your ‘account names’ will not be visible in the customer dashboard. Instead, the ‘product category’ will be displayed (e.g. ‘savings account’).

Where can I see the data that I have consented for BOQ to provide?

BOQ’s Customer Dashboard will provide you with visibility of the account(s) that you have shared, the provider’s you have shared your data with (Accredited Data Recipients), and the last 4 digits of these accounts. Transaction data is not displayed.

Why can’t I see all accounts that I have with BOQ in the dashboard?

Customer dashboards are consent focussed. If there is no consent associated with an account, it will not be displayed in the dashboard. Additionally, not all products and account types are currently in scope (e.g. Joint Accounts). These will become in scope at a later date.

Is there a mobile phone app available for the customer dashboard?

Currently the customer dashboard is browser based and optimised for mobile and desktop devices. At this stage, a dedicated mobile app is not planned.

Is the customer dashboard designed with accessibility in mind?

Yes. Screens within the dashboard have been designed to meet accessibility requirements in the Consumer Data Right (CDR) standards, including colours, fonts and resizeability, to make sure we are meeting the needs of as many of our customers as possible.

For more information please see our Customer Dashboard and Customer Consent Authorisation (Open Banking) User Guide.

User Guide