What is the Consumer Data Right (CDR) and Open Banking?
The Consumer Data Right was introduced by the Australian Federal Government under the Competition and Consumer Act 2010 and the Competition and Consumer Rules 2020 (CDR Legislation). It gives you greater rights to access and transfer data which relates to you as an HSBC Australia customer.
The Australian Competition and Consumer Commission (ACCC) is the key regulator of the CDR Legislation and is supported by the Office of the Australian Information Commissioner (OAIC) and other regulators.
The CDR Legislation applies to the banking sector by the use of a ministerial legislative instrument. When it's talking about data held by a bank, it is commonly referred to as, "Open Banking".
You can find more information and FAQs on Open Banking and what it means for you on our website.
What does this CDR Policy do?
This CDR Policy explains how we manage your CDR Data, including how you can seek access to, authorise a transfer of, and correct CDR Data that we hold about you. It also explains how you can make a complaint about how we handle your CDR Data.
This CDR Policy and all updates are available on our website, via our HSBC Mobile Banking App, and any online service where you ordinarily deal with us. At your request, we can also provide a copy of the latest version of this policy to you electronically or in hard copy, whichever you prefer. You will always find the most up-to-date version on our website.
This CDR Policy is provided under the CDR Legislation and applies to HSBC Bank Australia Limited (ABN 48 006 434 162) of 100 Barangaroo Avenue Level 36, Tower 1 Sydney, NSW 2000 Australia, which is referred to as "HSBC Australia", "we", "us" and "our" in this CDR Policy. HSBC Australia is currently a data holder under the CDR Legislation.
What is CDR Data?
CDR Data is a broad term that describes data which you might provide to HSBC Australia or which we might create when providing products and services to you, including your personal information (for example, information about you, or which identifies you), your use of any HSBC Australia's products or services (for example, transaction and account data) as well as product specific data about the particular HSBC Australia product or service provided (for example, the terms and conditions applicable to a HSBC savings account), together with other data that we hold which may be derived from any of the above.
Under CDR Legislation, as a data holder, we are required to make available and share specified sets of data relating to our customers and our products and services. When the data relates to and identifies a customer (including you), it is referred to as Consumer Data. Data relating solely to our products and services and which does not relate to any customer (including you), is referred to as Product Data. Together, Consumer Data and Product Data comprise CDR Data.
These data sets will be made available gradually under the CDR Legislation. Currently, our obligations under the CDR Legislation are to make available the specified Product Data and Consumer Data set out under the Open Banking/CDR phased release program, available at: www.cdr.gov.au/rollout. You can find more information on which data sets are available to you for sharing, and when these will be made available in the open banking section of our website.
We will only share CDR Data that we are required to share under the CDR Legislation.
However, we may choose to make available, at any time, additional data over and above the minimum datasets required under the CDR Legislation, but we are not obliged to do so. If we choose to do so, this data is known as Voluntary Data (made up of Voluntary Product Data or Voluntary Consumer Data, as applicable to the relevant data set).
We are not currently accepting requests for Voluntary Product Data or Voluntary Consumer Data. If, in the future, we choose to offer access to any Voluntary Product Data or Voluntary Consumer Data that we hold, we may charge you a small fee to cover the related costs. We will always notify you, in advance, of the fees applicable to any sharing of Voluntary CDR Data.
How do I access my data and authorise HSBC to share my data?
You can choose to share any available CDR Data with an accredited third party provider, known as an Accredited Data Recipient (ADR) for any reason, including so that they can provide you with a product or service. An ADR could be another bank.
Once you provide your consent to an ADR to collect your specified CDR Data from us, you will be securely redirected by the ADR to our Internet Banking (e.g. HSBC Online Banking or the HSBC Mobile Banking App) to complete your authorisation. We will ask you to authorise us to share your selected CDR Data with the ADR for a certain period of time (up to a maximum of 12 months).
So, once we receive a request to provide access to your CDR Data from an ADR, we will:
- go through our authentication process to verify the ADR request;
- verify that the ADR is an accredited ADR on the ACCC's Register of ADRs;
- authenticate you as an HSBC Australia customer; and
- obtain your authorisation to share the selected CDR Data with the ADR for your desired length of time.
- we will arrange to transfer the approved CDR Data in the requested format and media, in line with the CDR Data Standards and CDR Legislation; and
- you will be securely redirected back to the ADR who will then present you with the outcome of your CDR Data sharing.
We will not share any of your CDR Data unless we have received your prior authorisation to do so, except where required by law.
Only ADRs to whom you have provided your consent to share relevant CDR Data are capable of accessing that CDR Data under the CDR Legislation. To learn more about accreditation, please see the Government Consumer Data Right website at www.cdr.gov.au.
You can use your data sharing dashboard in HSBC online banking or the HSBC Mobile Banking App to track all the authorisations you have given to us to share your CDR Data. We will always notify you via the data sharing dashboard as soon as practicable after sharing your CDR Data with an authorised ADR.
Can I withdraw my authorisation to share?
Yes. You can withdraw the authorisation provided to HSBC Australia and stop sharing your CDR Data with any ADR at any time. You can do this by downloading the latest version of the HSBC Mobile Banking App on your mobile phone, logging on and selecting 'Manage data sharing' to view all the active 'consent to data sharing' authorisations you provided. You can then follow the steps to withdraw authorisation provided to HSBC Australia to share your data with either one or all of your ADRs.
Alternatively, you may contact us directly by email or telephone at https://www.hsbc.com.au/help/contact/ and request a withdrawal of your authorisation to share CDR Data.
Upon confirmation, the relevant ADR(s) will be notified of your authorisation withdrawal and all data sharing with such ADR(s) will stop immediately. It may be advisable to contact your ADR to confirm the impact to your receipt of products or services from the ADR which may arise from stopping to share your data.
Request to access copies of, and correction of your CDR Data
You have the right to request access to copies of your CDR Data and to correct it if you think it is inaccurate, out of date, incomplete or misleading. We may be unable to provide you with access to, or correct, certain CDR Data. If so, we'll explain why not, unless it is not lawful to tell you. If we are unable to correct the CDR Data, we will also tell you and provide reasons, unless it is not lawful to do so. You can also ask us to explain our policies and practices as they apply to the management of CDR Data.
A request to access and correct your CDR Data can be made by contacting us through any of the following:
- Directly by email or telephone;
- Using the details set out in the section below "Making a Complaint"; or
- Contacting your Relationship Manager, if you have one.
Making a complaint
You may also lodge a complaint with the HSBC Australia Customer Relations Department at any time, whose details are as follows:
When you make a complaint, we will ask you to provide us with certain details including your full name, contact details and a short description of your complaint. Where we need further information in order to resolve your complaint, we will request this from you.
We will acknowledge and attempt to respond to any complaints as soon as practicable in accordance with the HSBC Australia's complaints handling policy and timeframes, and in any event no later than 30 days after we have received your complaint.
However, in complex matters, and where the law allows, we may need to ask you for an extension to this period. We'll give you the reasons why if we need to do so.
If you wish to make a complaint on the way we have handled your CDR Data under the CDR Legislation, you can email our HSBC Australia Privacy Officer at any time at firstname.lastname@example.org.
What if I am not satisfied?
You may also – at any time – contact the Australian Financial Complaints Authority (AFCA) at:
Post: GPO Box 3, Melbourne, VIC 3001
Phone: 1800 931 678
AFCA is a free service established to provide you with an independent mechanism to resolve specific complaints.
We would ask that you please make your complaint firstly to HSBC Australia, as the respondent organization, and allow us an opportunity to resolve your complaint in accordance with the process set out above.
This CDR Policy is current, and has been updated, as of 1 July 2021.
Please check back regularly for any updates to this CDR Policy.