Open Banking Australia and Your Net Worth: A Plain-English Guide to CDR in 2026
A plain-English explanation of Australia’s Consumer Data Right — what banks must share, who can receive it, how it differs from screen scraping, and what it actually enables for net worth tracking in 2026.
Open banking has been quietly running in Australia since 2020, and most people who use a digital wealth tool have unknowingly touched it. Behind the marketing language sits a piece of federal infrastructure called the Consumer Data Right (CDR), administered jointly by the Australian Competition and Consumer Commission (ACCC), the Office of the Australian Information Commissioner (OAIC), and Treasury. CDR governs the right of an Australian consumer or business to authorise a third party to access their data held by a designated provider — initially banks, with energy and non-bank lending in scope, and other sectors progressively joining.
For people building or using a serious net worth tracker, CDR matters for one reason: it is the only general-purpose, legally mandated, audited and government-supervised way to read Australian banking data without handing a third party your password (bank-issued personal access tokens, covered below, achieve the same for the handful of banks that choose to offer them). This guide explains how the regime actually works, what it covers, where it falls short, and how Auravest combines CDR-style access with other connectors (Up’s Personal Access Token, broker APIs, property AVMs) to produce a complete Australian balance sheet.
What CDR (open banking) actually is
The Consumer Data Right was created by the Treasury Laws Amendment (Consumer Data Right) Act 2019 and is administered under Part IVD of the Competition and Consumer Act 2010. The legislation gives Australian consumers a statutory right to direct a data holder (such as their bank) to share specified categories of data with an Accredited Data Recipient. Operational rules are published as the Competition and Consumer (Consumer Data Right) Rules 2020 and the technical standards are published by the Data Standards Body (DSB) at consumerdatastandardsaustralia.github.io.
In practice, CDR Banking has three moving parts:
- Data holders — Australian ADIs (authorised deposit-taking institutions) and other designated entities that hold consumer data. Initially the four majors (CBA, NAB, Westpac, ANZ), now extended to most banks and many non-bank lenders.
- Data recipients — accredited businesses, trusted advisers, or representatives that may request and receive consumer data after the consumer authorises the sharing.
- The consumer — you. The right is granted to you. You authorise sharing, you control the period, and you can revoke it at any time.
The regime is enforced by the ACCC (general compliance) and the OAIC (privacy safeguards). Both publish breach decisions and accreditation register updates on their websites. CDR is not a voluntary industry code — it is a federal law with statutory penalties for non-compliance.
Why “open banking” is a misleading shorthand
Globally, “open banking” usually refers to bank-to-bank payment initiation as well as account information. Australia’s CDR Banking regime today is almost entirely about read-only data sharing: Action Initiation (the ability for a third party to initiate a transfer on your behalf) has been legislated but is not yet operational for banking. When someone says “open banking in Australia” they almost always mean CDR Banking read-only data sharing.
Which banks must share — and what data
Mandatory data holder coverage rolled out in phases. The four majors went first (from 2020), then second-tier banks, then the rest of the ADI sector, then non-bank lenders for some datasets. By 2026, the practical coverage is:
- All ADIs holding personal customer accounts
- Most credit providers in the regulated credit market
- Energy retailers and distributors (CDR Energy is operational but distinct from CDR Banking)
- Designated non-bank lenders for personal and home loans (rollout continues)
What data is in scope for CDR Banking, at a high level:
| Data category | Typically includes |
|---|---|
| Customer data | Name, address, contact details on file |
| Account data | Account type, BSB, masked account number, nicknames |
| Balance data | Current balance, available balance, currency |
| Transaction data | Posted transactions with date, amount, description, counterparty information where available |
| Direct debit and scheduled payments | Active recurring authorisations on the account |
| Product reference data | Public product feature and pricing data (no consent needed — published openly by data holders) |
Indicative summary of CDR Banking data categories. Refer to the Consumer Data Standards Body for the authoritative technical specification.
Note what is not in scope: superannuation fund balances, broker-held share holdings, property valuations, and crypto. These are why any serious Australian net worth tracker has to combine CDR data with additional connectors. CDR Banking solves the banking layer cleanly; it does not solve the whole balance sheet.
ADRs, Trusted Advisers, and sponsorship
Reading CDR data legally requires playing one of a defined set of roles. Understanding which role a provider operates under tells you something real about the consent flow and the accountability chain.
Accredited Data Recipient (ADR)
An ADR has been through the ACCC’s accreditation process: information security audit, insurance, internal policies and procedures review, fit-and-proper checks on directors and key personnel. ADRs may receive consumer data directly from data holders and are bound by the CDR Privacy Safeguards. The current ADR register is published by the ACCC and updated regularly.
Trusted Adviser
A Trusted Adviser is a professional in a defined category (registered tax agents, accountants, financial advisers, mortgage brokers, lawyers) whom a consumer can nominate to receive their CDR data. The data passes through an ADR but the disclosure to the adviser is permitted under the Trusted Adviser exemption to the disclosure restrictions.
Sponsored and representative arrangements
Smaller firms can act under a Sponsored or Representative arrangement with an existing ADR. The sponsor or principal ADR remains liable for compliance; the sponsored or representative entity can operate on the data within agreed limits. This is the most common route for fintechs in the first few years of operation, before they pursue full accreditation.
How to verify a CDR data recipient
Before granting CDR consent to anyone, check the ACCC’s Find a Provider register. The entity should be listed as an Accredited Data Recipient, a Sponsor, an Affiliate, or a Representative of an accredited body. If the entity is not on the register and is asking for your banking credentials, you are not in a CDR flow — you are in a screen-scraping flow and the protections are different.
How consent and revocation work
The CDR consent flow looks straightforward to the consumer and contains several specific legal elements behind the scenes. Walking through a typical flow:
- You start in the data recipient’s app or website and choose to connect a bank account.
- The data recipient presents a consent screen that lists the specific data categories being requested, the purpose for each, and the duration of the sharing arrangement (the maximum being 12 months under current rules, renewable).
- You are redirected to your bank’s authorisation portal. You log in to the bank with your real credentials — not to the data recipient. The data recipient never sees your banking password.
- The bank presents a parallel consent screen confirming the data being shared, the duration, and the recipient’s accreditation status. You confirm.
- The bank issues a short-lived, single-use authorisation code that the data recipient exchanges, server to server, for an access token and a refresh token. Subsequent API calls happen machine-to-machine between the data recipient and the bank; your browser is not in that path.
Revocation is symmetric. You can revoke either through the data recipient (which immediately stops new data calls and triggers the recipient’s deletion or de-identification obligations) or through the CDR dashboard in your bank’s online banking. Under the CDR Rules, banks must show you every active sharing arrangement on that dashboard and let you withdraw any of them there.
Open banking vs screen scraping vs Personal Access Tokens
Australian wealth and budgeting apps today read banking data through three different mechanisms. They are not equivalent.
| Mechanism | Credential exposure | Governed by |
|---|---|---|
| Screen scraping | You give the third party your online banking username and password | Bank T&Cs only (sharing credentials usually breaches them) |
| CDR (open banking) | No credentials shared. Bank authenticates you directly. | Federal law (ACCC, OAIC, Treasury) |
| Personal Access Token (e.g. Up) | Bank issues a read-only token to you; you paste it into the third party | Bank’s own API terms; bank can revoke at any time |
Screen scraping is the legacy approach. It works only because a banking session can be driven by anyone holding your credentials; that is exactly why it breaches most banks’ terms of service and why, if money later disappears from the account, the bank can argue the transactions were authorised because you disclosed your login. The Australian Banking Association and consumer groups have campaigned for years to retire it; in practice it is still widespread because CDR coverage and developer ergonomics are not yet universal.
CDR is the regulator-blessed answer. It is robust, audited, and credential-free. The current drawbacks are practical: not every Australian financial institution is yet a participating data holder, the consent UX still has rough edges in some banks’ portals, and the data coverage is banking-only.
Personal Access Tokens are a middle path used by tech-led banks (Up is the prominent Australian example). The bank issues a read-only token to its authenticated customer; the customer gives the token to the third party. The token can be revoked instantly from the bank app. It is not the same legal regime as CDR — it is the bank’s product decision — but for the bank’s own customer the security properties are similar.
The security model behind CDR
CDR is built on OAuth 2.0 and OpenID Connect, profiled for Australia by the Data Standards Body on the Financial-grade API (FAPI) security profile. Three security primitives matter for understanding it.
1. Authentication happens at the bank, not the app
The data recipient never sees your banking password. The redirect to the data holder forces authentication on the bank’s own infrastructure with whatever MFA the bank normally uses. If your bank requires a one-time SMS code to log in, CDR consent requires the same code.
2. Tokens are short-lived and scoped
Once consent is granted, the data recipient holds short-lived access tokens with a refresh token for the duration of the consent. Access tokens are scoped to the specific data categories you consented to — a recipient that asked for accounts and balances does not get transaction history unless that was also consented to.
3. Information security controls are audited
ADRs must implement the information security controls set out in Schedule 2 of the CDR Rules and provide assurance to the ACCC at accreditation and annually thereafter. The controls cover data minimisation, encryption at rest and in transit, role-based access, and incident response; a breach involving CDR data also triggers notification obligations to the OAIC under the Notifiable Data Breaches scheme.
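The consent flow walked through earlier and the three properties just listed (authentication at the bank, scoped short-lived tokens, revocation), modelled end to end in one added example. This is illustrative code written for this page, not Auravest’s integration, the DSB’s reference implementation or any bank’s software. It assumes a toy bank and ADR app with constructed credentials, a 300-second access-token lifetime, and scope names that merely follow the CDR Banking naming pattern; the real DSB profile layers FAPI requirements (client authentication, pushed authorisation requests) on top of the plain authorisation-code-with-PKCE flow shown here.

```python
# Toy model of the consent flow: authorisation code grant with PKCE, scoped
# short-lived access tokens, refresh rotation and consumer revocation. Added
# illustration; not code from the page, Auravest, the DSB or any bank. The bank,
# ADR app, credentials, token TTL and scope grants are constructed assumptions.
import base64, hashlib, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ACCESS_TOKEN_TTL = 300  # seconds; an assumption for the toy, not the DSB value

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class Consent:  # one authorisation, as the bank's CDR dashboard would list it
    def __init__(self, client_id, scopes, expires_at):
        self.client_id, self.scopes, self.expires_at, self.revoked = client_id, frozenset(scopes), expires_at, False

class DataHolder:
    """The bank: holds the password, authenticates the consumer, issues tokens."""
    def __init__(self, clients, users):
        self.clients, self.users = clients, users  # client_id->redirect_uri, username->password
        self._codes, self._access, self._refresh, self.consents = {}, {}, {}, []
    def authorize(self, username, password, client_id, redirect_uri, scopes,
                  code_challenge, state, sharing_days):
        # Authentication happens here, on the bank's side, never at the app.
        if self.users.get(username) != password or self.clients.get(client_id) != redirect_uri:
            raise PermissionError("login failed or unregistered client/redirect_uri")
        consent = Consent(client_id, scopes, time.time() + sharing_days * 86400)
        self.consents.append(consent)
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, consent, code_challenge, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, code, code_verifier, redirect_uri):
        c_id, consent, challenge, r_uri = self._codes.pop(code, (None,) * 4)  # single use
        if (c_id, r_uri) != (client_id, redirect_uri):
            raise PermissionError("unknown, reused or mis-addressed code")
        if _b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise PermissionError("PKCE verification failed")
        return self._issue(consent)
    def _issue(self, consent):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (consent, time.time() + ACCESS_TOKEN_TTL)
        self._refresh[refresh] = consent
        return {"access_token": access, "refresh_token": refresh, "scope": sorted(consent.scopes)}
    def refresh(self, refresh_token):
        consent = self._refresh.pop(refresh_token, None)  # rotated on every use
        if consent is None or consent.revoked or consent.expires_at < time.time():
            raise PermissionError("refresh rejected: unknown, revoked or expired")
        return self._issue(consent)
    def resource(self, access_token, scope_needed, now=None):
        consent, expiry = self._access.get(access_token, (None, 0.0))
        if consent is None or (now or time.time()) > expiry or consent.revoked:
            raise PermissionError("token unknown, expired or consent revoked")
        if scope_needed not in consent.scopes:  # e.g. transactions never consented to
            raise PermissionError(f"{scope_needed} was not consented to")
        return True

class DataRecipient:
    """The ADR app: never sees the password, holds only tokens."""
    client_id, redirect_uri = "adr-example", "https://adr.example/callback"
    def __init__(self, holder):
        self.holder, self._pending = holder, {}
    def start(self, scopes, sharing_days):
        verifier = _b64url(secrets.token_bytes(32))
        state = secrets.token_urlsafe(16)  # ties the callback to this session
        self._pending[state] = verifier
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scopes": scopes, "sharing_days": sharing_days, "state": state,
                "code_challenge": _b64url(hashlib.sha256(verifier.encode()).digest())}
    def callback(self, redirect_url):
        q = parse_qs(urlparse(redirect_url).query)
        verifier = self._pending.pop(q["state"][0], None)
        if verifier is None:
            raise PermissionError("unknown state: injected or replayed callback")
        return self.holder.token(self.client_id, q["code"][0], verifier, self.redirect_uri)

def _allowed(fn):
    try: fn(); return True
    except PermissionError: return False

def demo():
    """Run the flow once; return which operations the bank allowed, as bools."""
    bank = DataHolder({DataRecipient.client_id: DataRecipient.redirect_uri},
                      {"alice": "correct horse battery"})  # constructed consumer
    app = DataRecipient(bank)
    req = app.start(["bank:accounts.basic:read"], sharing_days=365)
    redirect = bank.authorize("alice", "correct horse battery", **req)  # login at the bank
    tok = app.callback(redirect)
    ok = lambda t, s, **kw: _allowed(lambda: bank.resource(t, s, **kw))
    out = {"balances": ok(tok["access_token"], "bank:accounts.basic:read"),
           "transactions": ok(tok["access_token"], "bank:transactions:read"),
           "expired_token": ok(tok["access_token"], "bank:accounts.basic:read",
                               now=time.time() + ACCESS_TOKEN_TTL + 1),
           "replayed_callback": _allowed(lambda: app.callback(redirect))}
    new = bank.refresh(tok["refresh_token"])  # fresh short-lived access token
    out["after_refresh"] = ok(new["access_token"], "bank:accounts.basic:read")
    bank.consents[0].revoked = True  # "stop sharing" on the bank's CDR dashboard
    out["after_revoke"] = _allowed(lambda: bank.refresh(new["refresh_token"]))
    return out
```

Running `demo()` shows the three properties as booleans: the password is only ever checked inside `DataHolder.authorize`; a token consented for `bank:accounts.basic:read` cannot read transactions and stops working after its TTL until refreshed; and once the consumer withdraws the consent at the bank, even a valid refresh token is dead. The `state` check is what makes a replayed or injected callback fail on the app side, and the single-use code plus PKCE is what stops a stolen code being redeemed by anyone else.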
CDR is not unbreakable — but the bar is high
CDR replaces credential exposure with a much tighter technical and legal surface, but it does not eliminate risk. Phishing of CDR consent screens, malicious intermediaries, and breaches of accredited recipients are all possible. The protection sits in the combination of accreditation requirements, technical controls, OAIC oversight, and the consumer’s ability to revoke at any time. The practical check on your side is that the login step of a CDR consent should happen on your bank’s own site or app, never on a page served by the data recipient; an app that asks you to type your bank password into its own form is not running a CDR flow.
Where CDR helps net worth — and where it doesn’t
For Australian net worth tracking, CDR Banking covers a meaningful but partial slice of the balance sheet. Here is the honest map.
What CDR covers well
- Everyday transaction accounts at participating banks (CBA, Westpac, NAB, ANZ, ING, Macquarie, ubank, Bendigo, BOQ, Suncorp, and many more)
- High-interest savings accounts and Goalsaver / similar bonus products
- Term deposits (current balance and maturity terms)
- Credit card balances and statements
- Personal loan balances and repayment data
- Increasingly, home loan balances, offset balances, and redraw availability
What CDR does not cover (today)
- Superannuation balances and unit holdings. Super is not yet a CDR sector. APRA-regulated fund balances are read by other means (some funds expose member portals with read-only access, others require manual entry).
- Self-managed super fund holdings. SMSFs live across brokers, exchanges, banks, and registries — CDR Banking captures the cash component if held at an ADI but not the underlying investments.
- Direct share and ETF holdings. CHESS holdings sit on the share registry (Computershare, Link Group, MUFG). Beneficial holdings sit with custodial brokers. Neither is in CDR scope.
- Property valuations. Property value is an estimate produced by AVM providers (CoreLogic, PropTrack, Domain) and does not pass through CDR.
- Crypto. Exchange and wallet data are outside CDR. Connections are made via exchange APIs and blockchain read endpoints.
- Foreign accounts. Out of scope of an Australian regime.
A net worth tracker that relies solely on CDR will give you an excellent cash and credit picture and very little else. That is why most credible Australian wealth tools combine CDR Banking with broker-specific feeds, AVM partnerships for property, exchange APIs for crypto, and manual entry (or third-party SMSF admin integrations) for super.
How Auravest uses CDR (and what it doesn’t)
Auravest is built for Australians who want a complete picture of their wealth. Banking data is one layer of that. Our approach to the banking layer is pragmatic:
- For Up Bank customers, we use Up’s native Personal Access Token API. It is faster and cleaner than CDR for this one bank, and comparable in security posture for read-only access: no password leaves the bank and the token can be revoked instantly from the Up app. See our Up Bank integration guide.
- For other Australian banks where CDR is operational, we use CDR via an accredited intermediary under a sponsorship arrangement, consistent with the regime’s rules.
- Where neither is available (still common at smaller mutuals and some non-banks), we offer manual entry. We never screen-scrape, and we never store your banking password.
Beyond banking, Auravest connects super (where the fund exposes a member portal we can read), SMSF look-through holdings (via direct broker, exchange, and registry integrations), property (via AVM partnerships), shares and ETFs (CHESS and custodial broker APIs), and crypto (exchange APIs plus self-custody wallet read-only addresses). The result is a single Australian-aware net worth view that is comparable across asset classes and updated continuously.
See your complete Australian balance sheet — securely
Connect banks via CDR or Personal Access Tokens, plus super, SMSF look-through, property, shares, and crypto. Start free with Auravest.
Frequently asked questions
What is open banking in Australia?
Open banking is the colloquial name for the banking sector implementation of the Consumer Data Right (CDR). It is an Australian law administered by the ACCC, the Office of the Australian Information Commissioner (OAIC), and Treasury that requires data holders (initially the major banks) to share specific categories of consumer financial data with accredited third parties when the consumer authorises the sharing.
Which banks must share data under CDR?
The four major banks (CBA, Westpac, NAB, ANZ) were the first mandatory data holders. The regime now extends to most authorised deposit-taking institutions in Australia, including non-major banks, mutual banks, and many neobanks. Coverage continues to expand and is published by the ACCC and the Consumer Data Standards Body.
Is open banking the same as screen scraping?
No. Screen scraping relies on you giving a third party your online banking username and password, which the third party then uses to log in as you and copy data from the bank's web pages. Open banking uses an authorised API: the bank authenticates you directly, you consent to specific data categories for a specific period, and the third party never sees your banking password.
What is an Accredited Data Recipient (ADR)?
An Accredited Data Recipient is a company that has passed the ACCC's accreditation process, agreed to the CDR Privacy Safeguards, and is permitted to receive consumer data directly under the regime. Some businesses act under a different role called Trusted Adviser, and others use Sponsorship or Representative arrangements to access data through an accredited intermediary.
How long does a CDR data sharing consent last?
CDR consent is granted by the consumer for a defined period — most commonly 12 months — and is renewable. The consumer can revoke the consent at any time, either through the data holder bank or directly with the data recipient. On revocation, the data recipient must stop collecting new data and is subject to retention and deletion obligations.
Can open banking power a real net worth tracker?
Yes, for the cash and credit components of your balance sheet. Open banking covers transaction accounts, savings accounts, term deposits, credit cards, personal loans, and (increasingly) mortgages and offset accounts. Investment custody data (CHESS holdings, ETF unit balances), property valuations, and super are outside the current CDR Banking scope — those still need other connectors.