The ACCC has refused Consumer Data Right (CDR) accreditation to iSignthis Australia Pty Ltd (iSignthis), as the ACCC was not satisfied iSignthis would be able to comply with the obligations of an accredited data recipient under the CDR Rules.
"We refused to accredit iSignthis because we were not satisfied on the material before us about iSignthis's data security protections, insurance and whether it is a fit and proper person to be accredited," ACCC Commissioner Peter Crone said.
Under the CDR, accredited data recipients can use consumers' data - with a consumer's consent - to provide them with useful products and services.
"A high degree of data security is one of the most fundamental requirements of being able to join the CDR. The ACCC was not satisfied, however, that iSignthis had demonstrated it would be able to comply with the information security requirements, as required by the CDR Rules," Mr Crone said.
In addition, iSignthis did not provide evidence of its current insurance policies and, as a result, the ACCC was not able to assess the adequacy of iSignthis's insurance arrangements to manage CDR data.
The ACCC also had regard to a number of matters in relation to its assessment of whether it was satisfied that iSignthis is a fit and proper person to be accredited.
"The ACCC takes its role as the Data Recipient Accreditor in the Consumer Data Right system very seriously. We are acutely aware of the importance of making sure that only businesses who can satisfy us that they can meet their CDR obligations get access to consumer data," Mr Crone said.
This is the first time the ACCC has refused to accredit a company seeking to be an accredited data recipient in the CDR.
An applicant for accreditation may seek to have a decision by the Accreditor to deny accreditation reviewed by the Administrative Appeals Tribunal.
There are currently 37 accredited data recipients in the CDR system.
Note
The ACCC is given the role of Data Recipient Accreditor in the CDR by the Competition and Consumer Act. The CDR Rules set out how the CDR is to operate including the criteria that the Data Recipient Accreditor, the ACCC, will apply when considering an application for accreditation.
The CDR Rules allow the ACCC to consider not just the applicant for accreditation but also any associated persons (such as a parent company) in assessing whether an applicant meets the fit and proper person criteria.
An applicant may seek to have a decision by the Accreditor to deny accreditation reviewed by the Administrative Appeals Tribunal.
More information and guidance on accreditation can be found here: Accreditation guidelines
Background
iSignthis Australia Pty Ltd is an Australian FinTech company with registered offices in Melbourne. Between November 2020 and December 2021, iSignthis was known as ISX Financial Pty Ltd, and before November 2020 was known as iSignthis eMoney (AU) Pty Ltd.
iSignthis is a wholly owned subsidiary of Southern Cross Payments Ltd, which was, until 4 November 2022, a public company listed on the Australian Securities Exchange. Prior to a name change in May 2022, Southern Cross Payments was known as iSignthis Ltd.
CDR gives consumers the right to safely access data about them, held by data holders, and direct this information to be transferred to accredited third parties, potentially to access new products and services, including better deals on everyday products and services.
CDR is an economy-wide reform that is being rolled out sector by sector. CDR has already been rolled out to banking and energy. CDR is designed and overseen by the Australian Government and independent regulators to ensure it is safe and secure for consumers.
More information on the CDR can be found here: https://www.cdr.gov.au
