Open banking (also called bank data sharing under the Consumer Data Right or CDR) gives you safer, faster ways to share your bank account data with apps, lenders and services — with your explicit consent and legal protections. This guide explains what open banking is, how it works under the CDR, who runs it, what data can be shared, how to give or revoke consent, and practical checks to protect your data.
What is open banking?
Open banking is a regulated framework that lets you authorise trusted third parties to access specific financial data held by your bank or other data holders. It's a sector of the Consumer Data Right (CDR), which gives consumers control over machine-readable data held by designated data holders.
In plain terms: you can allow an accredited provider to read (and in future, where permitted, write) certain account information so you can use budgeting apps, comparison tools, faster loan applications or automated accounting. It's consent-based, auditable and governed by law — not the same as handing over your internet banking username and password.
How open banking works (data flows & actors)
Open banking relies on a small set of clearly defined participants and secure API-driven data flows.
- Consumer (you): owns the data and provides consent.
- Data holder (banks, account providers): authorised to supply data on request.
- Accredited Data Recipient (ADR): an entity accredited under CDR rules to request or receive data.
- Regulator / standards body: sets rules, security standards and oversight.
Consent and data flow lifecycle
- You choose a service (for example a budgeting app or a lender) and request to connect.
- The app redirects you to your bank's consent page — you do not share login credentials with the third party.
- The consent screen lists data types, scope, purpose and duration — you review and grant consent.
- The ADR accesses only the authorised data via secure APIs using strong authentication and encryption.
- Data is delivered in a standard format to the ADR; all access is logged and auditable.
- You can view, manage and revoke consents through the provider or the bank.
This API-driven model uses standardised data formats so transaction histories, balances and product data can be consumed consistently by apps and lenders.
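The scope, duration and revocation checks that the lifecycle above describes, shown as an added Python illustration that is not part of this guide or of any CDR implementation. The data-class names, ADR identifiers, account numbers and timestamps are constructed, and the accredited-ADR set stands in for the CDR participants register.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed data-class names mirroring the guide's list (not CDR standard scope strings).
DATA_CLASSES = {"transaction_history", "account_balances", "product_data", "contact_details"}
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class Consent:
    consent_id: str
    adr_id: str             # the accredited data recipient the consumer authorised
    accounts: frozenset     # only the accounts selected on the consent screen
    data_classes: frozenset # only the data classes listed on the consent screen
    expires_at: datetime    # the duration shown on the consent screen
    revoked_at: datetime | None = None

class DataHolder:
    def __init__(self, accredited_adrs):
        self.accredited = set(accredited_adrs)  # stand-in for the CDR participants register
        self.consents = {}
        self.audit_log = []  # (event, consent_id, adr_id, detail, outcome)

    def grant(self, c: Consent) -> None:
        if c.adr_id not in self.accredited:
            raise PermissionError(f"{c.adr_id} is not an accredited data recipient")
        if not c.data_classes <= DATA_CLASSES:
            raise ValueError("consent names a data class outside the CDR scope")
        self.consents[c.consent_id] = c
        self.audit_log.append(("grant", c.consent_id, c.adr_id, sorted(c.data_classes), "ok"))

    def revoke(self, consent_id: str, now: datetime) -> None:
        c = self.consents[consent_id]
        c.revoked_at = now  # later requests are refused; earlier lawful access stays logged
        self.audit_log.append(("revoke", consent_id, c.adr_id, now.isoformat(), "ok"))

    def authorise(self, consent_id, adr_id, account, data_class, now: datetime) -> str:
        """Return "ok" or the reason the request is refused; every decision is logged."""
        c = self.consents.get(consent_id)
        if c is None or c.adr_id != adr_id:
            reason = "unknown consent or wrong ADR"
        elif c.revoked_at is not None:
            reason = "consent revoked"
        elif now >= c.expires_at:
            reason = "consent expired"
        elif account not in c.accounts or data_class not in c.data_classes:
            reason = "outside consented scope"
        else:
            reason = "ok"
        self.audit_log.append(("access", consent_id, adr_id, (account, data_class), reason))
        return reason
```

Every request, allowed or refused, lands in `audit_log`, which is what lets a consumer or regulator later see when and what data was retrieved.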
Consumer Data Right and regulation — who does what
Open banking operates within the Consumer Data Right regime. Key roles:
- Treasury: develops CDR policy and primary legislation.
- ACCC (Australian Competition and Consumer Commission): administers accreditation, enforces CDR rules and manages industry obligations.
- OAIC (Office of the Australian Information Commissioner): enforces privacy obligations and how the CDR interacts with the Privacy Act (APPs).
- CDR Rules: govern consent, accreditation, data standards and dispute resolution.
- Accreditation: ADRs must be accredited and are subject to conditions and audits.
- Compliance & enforcement: ACCC and OAIC can investigate breaches, require remediation and impose penalties.
When assessing responsibilities, remember: data holders operate the secure APIs and privacy notices; ADRs must meet accreditation and security obligations; you retain rights to withdraw consent and lodge complaints.
Official regulator resources
- ACCC — Consumer Data Right: https://www.accc.gov.au/focus-areas/consumer-data-right-cdr
- CDR official portal: https://www.cdr.gov.au
- OAIC — CDR and privacy: https://www.oaic.gov.au/privacy/consumer-data-right
- Treasury — CDR policy: https://treasury.gov.au/consumer-data-right
To confirm a provider's status, check the CDR participants/accreditation register: https://www.cdr.gov.au/participants-register
What types of data can be shared
Common data classes in the CDR scope:
- Transaction history: debits, credits, payees and memos (subject to data minimisation).
- Account balances and account identifiers.
- Product data: interest rates, fees and product features.
- Identity and contact details necessary for service delivery (limited to what's needed).
- Future open finance phases may include superannuation, insurance and more detailed lending data.
- Sensitive personal information beyond the CDR scope is restricted.
- ADRs never receive your banking credentials (passwords, PINs); they operate via APIs.
- Rules limit use of data for unsolicited marketing and resale without additional consent.
How you give consent and manage data sharing
Consent must be informed, specific and revocable.
Step-by-step consent flow
- Choose a service (e.g., accounting software or a loan comparison site).
- You're redirected to your bank's consent interface.
- The consent screen shows:
  - Who is requesting access (name of ADR).
  - Exact data classes requested (e.g., 12 months transaction history).
  - Purpose of use (e.g., assess loan eligibility).
  - Duration and frequency of access.
- Authenticate with your bank using its secure login.
- Grant or refuse consent; the decision is logged and you'll usually receive a receipt.
- Review active consents in the app you authorised and in your bank's data sharing dashboard.
- Revoke access anytime via the ADR's settings or the data holder's consent management page.
- Check access logs to see when and what data was retrieved.
Practical checks before authorising
- Confirm the ADR is accredited via the CDR register.
- Limit scope and duration to the minimum needed.
- Prefer read-only access; only allow write permissions when necessary.
Benefits and use cases
Open banking unlocks practical benefits for consumers and businesses.
- Faster loan and mortgage pre-assessments: lenders can verify income and expenses quickly.
- Improved budgeting and personal finance management: aggregated accounts and automatic categorisation.
- Easier switching between accounts and tailored product recommendations.
Small business & SME benefits
- Streamlined bookkeeping by linking bank feeds to accounting software.
- Faster access to working capital: invoice finance and business lending can assess cashflow in real time.
- Smarter cashflow forecasting using aggregated customer and supplier data.
Fintech and developer use cases
- Build authorised apps offering account aggregation, automated tax prep, or tailored lending decisions.
- Integrate bank-grade APIs for secure consent orchestration.
Risks, safeguards and security
Open banking is designed to minimise risk, but you should understand safeguards and residual exposures.
- Accreditation: ADRs must demonstrate security, governance and reporting capability.
- API security: strong encryption and authentication, with access limited to the authorised scope.
- Consent auditing: all consent grants and data transfers are logged and auditable.
- Data minimisation: only necessary data for the stated purpose may be requested.
Privacy and legal safeguards
- OAIC oversight ensures the CDR aligns with the Privacy Act (APPs).
- ACCC enforces CDR rules and can take action for misuse or non-compliance.
- ADRs and data holders must report incidents and notify affected consumers and regulators where required.
- If your data is misused, start with the ADR or data holder's complaints process; escalate unresolved issues to the OAIC (privacy) or ACCC (CDR compliance).
- Compensation and enforcement actions are available under CDR and consumer law.
Practical tips for consumers
- Only authorise accredited providers — check the CDR participants register.
- Limit consent scope and duration.
- Monitor account activity and access logs.
- Use reputable apps with clear privacy policies and read the consent screen carefully.
Who can participate — banks, fintechs and accreditation
- Data holders: banks and other institutions that hold consumer data.
- Accredited Data Recipients (ADRs): fintechs, lenders or service providers that apply for accreditation.
- Intermediaries and consent orchestration platforms: services that help manage consent and connectivity.
- ADRs apply for accreditation and must provide evidence of security, governance and compliance systems.
- Accreditation may be conditional and is subject to ACCC oversight.
- Check provider accreditation on the CDR participants register: https://www.cdr.gov.au/participants-register
Penalties and non-compliance
- ADRs or data holders that breach CDR rules may face investigations, enforcement notices and fines.
Practical steps: How to share, revoke and complain
How to share data
- Verify the provider's identity and accreditation status (CDR register).
- Read the consent screen: check scope, duration, purpose and data types.
- Prefer minimum necessary data and single-use consents where possible.
- Select the provider and follow the connection flow.
- Authenticate with your bank on the official consent screen.
- Save consent receipts or confirmation emails.
How to revoke access
- In the ADR: open app permissions or account settings and revoke consent.
- At the bank/data holder: visit the bank's data sharing dashboard and remove ADR access.
- Confirm revocation: verify the ADR can no longer retrieve data.
How to complain
- Start with the ADR or data holder's internal dispute process.
- If unresolved, escalate to:
  - OAIC (privacy breaches): https://www.oaic.gov.au/privacy/consumer-data-right
  - ACCC (CDR rule breaches and consumer issues): https://www.accc.gov.au/focus-areas/consumer-data-right-cdr
- Keep records of consent screens, receipts and correspondence.
FAQ
Does open banking give apps access to my online banking password?
No. Open banking uses secure APIs and consent tokens. You never share your bank login credentials with ADRs.
Will the app (ADR) have full access to all my accounts once I grant consent?
No. Consent is scoped — the ADR can access only the accounts and data types you authorised for the stated duration.
Are ADRs free to sell my data?
No. CDR rules restrict secondary uses and resale without explicit additional consent. ADRs must act within the declared purpose.
Can I be denied a loan if I revoke consent?
Lenders may be unable to verify income or expenses without access to data, which can affect assessments. Revocation doesn't retroactively invalidate prior lawful uses.
How do I check if a provider is accredited?
Use the CDR participants register on the official CDR site: https://www.cdr.gov.au/participants-register
What happens in a data breach?
ADRs and data holders must notify affected consumers and regulators. You can lodge complaints with OAIC (privacy) and ACCC (CDR compliance) and seek remediation.
Are there fees to use open banking services?
Many consumer-facing services are free, but commercial arrangements vary. Read the ADR's terms and disclosures.
Is open banking the same as open finance?
Open banking is the initial CDR sector rollout focused on bank data. Open finance refers to CDR extensions into superannuation, insurance, energy and other financial products.
Key takeaways
Open banking under the Consumer Data Right gives you control over how your financial data is shared with accredited third parties. It's built on secure APIs and consent mechanisms that protect your banking credentials while enabling faster loan applications, better budgeting tools, and improved switching between providers. Always verify a provider's accreditation before sharing data, limit consent to what's necessary, and use the CDR register and regulator contact points (ACCC, OAIC) if issues arise.
Further reading
- ACCC Consumer Data Right: https://www.accc.gov.au/focus-areas/consumer-data-right-cdr
- Consumer Data Right official portal: https://www.cdr.gov.au
- OAIC CDR and privacy guidance: https://www.oaic.gov.au/privacy/consumer-data-right
- Treasury CDR policy: https://treasury.gov.au/consumer-data-right
- CDR developer documentation and API specs: https://www.cdr.gov.au/developers
- CDR participants register: https://www.cdr.gov.au/participants-register
This article is general information only and is not legal, tax or financial advice.