The Australian Consumer Data Right to be extended to insurance

Upcoming rules on the Consumer Data Right (CDR) for Australian insurers will mean significant preparatory work is needed to uplift their technology and data quality.

The introduction of the CDR regime to the insurance sector (i.e. Open Insurance) is expected to make the market in Australia even more flexible and competitive in 2024. As such, insurers across Australia will need to ready themselves, their IT and data.

The CDR regime first came into force in the banking sector in 2020 and is currently being rolled out in the retail energy and non bank lending sectors. It is slated to be extended to insurance in 2024 or 2025, before ultimately being rolled out economy wide. 

Its goal is to ultimately make it easier for ‘consumer’ customers (including small businesses) to switch insurers. Once in place, consumers can direct insurers to provide any data they may hold on them to an accredited recipient business, be it another insurer, intermediary or aggregator. This will allow them to make informed and competitive offers around tailored products and services for customers. 

The consumer data is to be transferred using prescribed secure automated technology via an API. It  will be subject to the consent of the insured, as well as a stringent set of standards regulating its format, quality, use and retention. 

Preparing for the CDR regime will be a challenge for many insurers, notably those which have to date been squeezing the most out of legacy and patched-up and/or multiple separate IT systems, often because of mergers and acquisitions over several years. It also requires that insurers know exactly what consumer data they have and where it is.

As well as ensuring they’re ready for Open Insurance and the consumer requests it may trigger, Australian insurers may also wish to make the most of the opportunities it presents. For example, they can use data from competitors’ customers to competitively price their own policies and encourage consumers to switch. To do so, however, insurers will need to become accredited under the CDR regime which requires the implementation of and adherence to a set of stringent privacy and risk management requirements. This will require even privacy mature insurers to uplift their privacy processes, policies and IT systems in order to achieve accreditation.