Consumer Data Right Policy

What is the Consumer Data Right (CDR) and Open Banking?

The Consumer Data Right was introduced by the Australian Federal Government under the Competition and Consumer Act 2010 and the Competition and Consumer Rules 2020 (CDR Legislation). It gives you greater rights to access and transfer data which relates to you as a HSBC Australia customer.

The Australian Competition and Consumer Commission (ACCC) is the key regulator of the CDR Legislation and is supported by the Office of the Australian Information Commissioner (OAIC) and other regulators.

The CDR Legislation applies to the banking sector through a ministerial legislative instrument. When it applies to data held by a bank, it is commonly referred to as "Open Banking".

You can find more information and FAQs on Open Banking and what it means for you on our website.

What does this CDR Policy do?

This CDR Policy explains how we manage your CDR Data, including how you can seek access to, authorise a transfer of, and correct CDR Data that we hold about you. It also explains how you can make a complaint about how we handle your CDR Data.

This CDR Policy and all updates are available on our website, via our HSBC Mobile Banking App, and any online service where you ordinarily deal with us. At your request, we can also provide a copy of the latest version of this policy to you electronically or in hard copy, whichever you prefer. You will always find the most up-to-date version on our website. 

This is our policy for managing CDR Data. There are other notices that may apply to you in addition to this CDR Policy, depending on whether you interact with us as an individual consumer or a business customer. For example, if you are an individual consumer, our Privacy Policy contains more information which you should read alongside this CDR Policy. It will tell you more details about how HSBC Australia uses, handles and discloses your personal information, depending upon the product and/or service that we provide to you. 

This CDR Policy is provided under the CDR Legislation and applies to HSBC Bank Australia Limited (ABN 48 006 434 162) of Level 36, Tower 1, 100 Barangaroo Avenue Sydney, NSW 2000 Australia ("HSBC Australia", "we", "us" and "our" in this CDR Policy). HSBC Australia is currently a data holder under the CDR Legislation.

What is CDR Data?

CDR Data is a broad term that describes data which you might provide to HSBC Australia or which we might create when providing products and services to you, including your personal information (for example, information about you, or which identifies you), your use of any of HSBC Australia's products or services (for example, transaction and account data) as well as product specific data about the particular HSBC Australia product or service provided (for example, the terms and conditions applicable to a HSBC savings account), together with other data that we hold which may be derived from any of the above.

Under CDR Legislation, as a data holder, we are required to make available and share specified sets of data relating to our customers and our products and services. When the data relates to and identifies a customer (including you), it is referred to as Consumer Data. Data relating solely to our products and services and which does not relate to any customer (including you), is referred to as Product Data. Together, Consumer Data and Product Data comprise CDR Data.

Currently, our obligations under the CDR Legislation are to make available the specified Product Data and Consumer Data set out under the Open Banking/CDR phased release program, available at: www.cdr.gov.au/rollout. You can find more information on which data sets are available to you for sharing, and when these will be made available, in the open banking section of our website.

We will only share CDR Data that we are required to share under the CDR Legislation. 

However, we may choose to make available, at any time, additional data over and above the minimum datasets required under the CDR Legislation, but we are not obliged to do so. If we choose to do so, this data is known as Voluntary Data (made up of Voluntary Product Data or Voluntary Consumer Data, as applicable to the relevant data set).

We are not currently accepting requests for Voluntary Product Data or Voluntary Consumer Data. If, in the future, we choose to offer access to any Voluntary Product Data or Voluntary Consumer Data that we hold, we may charge you a small fee to cover the related costs. We will always notify you, in advance, of the fees applicable to any sharing of Voluntary CDR Data.

How do I access my data and authorise HSBC to share my data?

You can choose to share any available CDR Data with an accredited third party provider, known as an Accredited Data Recipient (ADR), or with a third party with an ACCC approved data access model. Data can be shared for any reason, including so that they can provide you with a product or service. An ADR could be another bank.

Once you provide your consent to an accredited third party to collect your specified CDR Data from us, you will be securely redirected by the third party to HSBC to complete your authorisation. We will ask you to authorise us to share your selected CDR Data with the third party for a certain period of time (up to a maximum of 12 months).

So, once we receive a request to provide access to your CDR Data from a third party, we will:

  • go through our authentication process to verify the request;
  • verify that the third party is accredited on the ACCC's Register to receive data;
  • authenticate you as an HSBC Australia customer; and
  • obtain your authorisation to share the selected CDR Data for your desired length of time.


Once authorised:

  • we will arrange to transfer the approved CDR Data in the requested format, in line with the CDR Data Standards and CDR Legislation; and
  • you will be securely redirected back to the third party who will then present you with the outcome of your CDR Data sharing.

We will not share any of your CDR Data unless we have received your prior authorisation to do so, except where required by law.

You can use your data sharing dashboard in the HSBC Mobile Banking App to track all the authorisations you have given to us to share your CDR Data.

Can I withdraw my authorisation to share?

Yes. You can withdraw the authorisation provided to HSBC Australia and stop sharing your CDR Data with any ADR at any time. You can do this by downloading the latest version of the HSBC Mobile Banking App on your mobile phone, logging on and selecting 'Manage data sharing' to view all the active 'consent to data sharing' authorisations you provided. You can then follow the steps to withdraw authorisation provided to HSBC Australia to share your data with either one or all of your ADRs. 

Alternatively, you may contact us directly by email or telephone at https://www.hsbc.com.au/help/contact/ and request a withdrawal of your authorisation to share CDR Data.

Upon confirmation, the relevant third party will be notified of your authorisation withdrawal and all data sharing with that third party will stop immediately. It may be advisable to contact your ADR(s) to confirm any impact on your receipt of products or services from the ADR(s) which may arise from ceasing to share your data.

Sharing data from a joint account

A joint account is automatically enabled for data sharing by any account owner. This means any account owner is permitted to share the account data via Open Banking channels without the approval of other account owners. To view joint account permissions for data sharing, visit the Manage Data Sharing section of the HSBC Mobile Banking app.

At any time, any of the joint account owners can choose to disable the account from data sharing via the HSBC Mobile Banking app. Once disabled, data relating to the account cannot be shared. Once an account is disabled for data sharing, all account owners will need to give their approval before the account can be re-enabled. This is also managed in the HSBC Mobile Banking app.

Eligibility requirements for data sharing also apply to joint accounts. For more information on how to manage data sharing for joint accounts, visit the Open Banking page on our website at www.hsbc.com.au/help/open-banking/data-sharing.

Sharing data as a secondary user

Account owners can grant permission for non-account owners to share their account data through the CDR. This is known as a secondary user permission. Secondary users are restricted to persons who hold a current 'authority to transact' permission for an account, or to customers listed as additional card holders on a credit card. Any account owner can manage secondary user permissions within the HSBC Mobile Banking app. Once approval is granted, a secondary user can share data on the account. All account owners will be notified when a secondary user amends or withdraws a consent, or if the consent expires.

For further information regarding secondary user permissions, visit the Open Banking page on our website at www.hsbc.com.au/help/open-banking/data-sharing.

Sharing data for an account in the name of a non-individual entity

There are controls in place to facilitate data sharing of accounts in the name of a non-individual. Where an account is owned by a trust, self-managed super fund, or non-trading entity, the directors and trustees are able to share data through the CDR as a nominated representative for the account. All nominated representatives will have permission to manage data sharing through the HSBC Mobile Banking app.

For further information regarding data sharing for non-individual owned accounts, visit the Open Banking page on our website.

Request to access copies of, and correction of your CDR Data

It's important to keep your CDR data up to date. If you notice that your CDR data is incorrect, you should contact us at https://www.hsbc.com.au/help/contact/ to ask us to correct it.

You have the right to request HSBC to correct your CDR data if you think it is inaccurate, out of date, incomplete or misleading. We may be unable to provide you with access to, or correct, certain CDR Data. If so, we'll explain why not, unless it is not lawful to tell you. If we are unable to correct the CDR Data, we will also tell you and provide reasons, unless it is not lawful to do so. You can also ask us to explain our policies and practices as they apply to the management of CDR Data.

A request to access and correct your CDR Data can be made by contacting us through any of the following:

  • Directly by email or telephone;
  • Using the details set out in the section below "Making a Complaint"; or
  • Contacting your Relationship Manager, if you have one.

If you are an individual consumer, you may also seek access to, and a correction of, your Personal Information forming part of CDR Data, in line with the requirements set out in our HSBC Privacy Policy.

Making a complaint

You may also lodge a complaint with the HSBC Australia Customer Relations Department at any time, whose details are as follows:

(within Australia, toll free, 8am to 7pm AEST)

(overseas)

Customer Relations Team - HSBC Bank Australia Limited

Tower 1 - International Towers Sydney, 100 Barangaroo Avenue,

Barangaroo NSW 2000, Australia.

When you make a complaint, we will ask you to provide us with certain details including your full name, contact details and a short description of your complaint. Where we need further information in order to resolve your complaint, we will request this from you.

We will acknowledge and attempt to respond to any complaints as soon as practicable in accordance with HSBC Australia's complaints handling policy and timeframes, and in any event no later than 30 days after we have received your complaint.

However, in complex matters, and where the law allows, we may need to ask you for an extension to this period. We'll give you the reasons why if we need to do so.

If you wish to make a complaint about the way we have handled your CDR Data under the CDR Legislation, you can email our HSBC Australia Privacy Officer at any time at privacy@hsbc.com.au.

What if I am not satisfied?

You may also – at any time – contact the Australian Financial Complaints Authority (AFCA) at:

Post: GPO Box 3, Melbourne, VIC 3001

Phone: 1800 931 678

Email: info@afca.org.au

Web: www.afca.org.au 

AFCA is a free service established to provide you with an independent mechanism to resolve specific complaints.

Alternatively, you can contact the Office of the Australian Information Commissioner/OAIC at:

Post: GPO Box 5218, Sydney, NSW 2001 or GPO Box 2999 Canberra ACT 2601

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

Web: www.oaic.gov.au

We would ask that you please make your complaint firstly to HSBC Australia, as the respondent organization, and allow us an opportunity to resolve your complaint in accordance with the process set out above.

This CDR Policy is current, and has been updated, as of 27 November 2023.

Please check back regularly for any updates to this CDR Policy.