With Tony Thrassis, CIO of Frollo, the first FinTech ADR in Australia.
Last week the ACCC announced the launch of the Consumer Data Right Register and Accreditation Application Platform (RAAP). Among other things, this will serve as the platform to lodge applications to become an Accredited Data Recipient (ADR).
As the process to become an ADR has now opened up to businesses outside the original 10 FinTechs, we asked our CIO Tony Thrassis to share some of his learnings and insights from leading the process for Frollo to become the first FinTech ADR in Australia.
1. What does it mean when a business is accredited? And why is this important?
“Frollo is an Accredited Data Recipient, which means we have all the necessary controls in place that safeguard a consumers’ data, and we’ve embedded that into our systems, people and processes. It basically means we can be trusted to safeguard consumer banking data.
That’s how the accreditation process builds trust in the Consumer Data Right: by ensuring that only businesses which have passed a thorough audit can request CDR data.
Because it’s so thorough, it’s quite a long and sometimes complex process. Importantly, it’s not just about IT and systems, but also about people and organisational processes. Businesses need to look at who is involved in data management, where the data is used and what controls are in place. They need to ensure that the organisation is ready to safeguard a consumer’s banking data.
Without accreditation there is no trust. The CDR reputation depends on trust. That’s why it’s important.”
2. What was the process like for Frollo, being the first to go through this?
“We started as one of the trial data recipients in October 2019. Being this early in the process, it was less streamlined than the new potential ADRs will experience.
Throughout that period we were coming to terms with what the actual Open Banking program looked like, who all the players were, what its purpose was, what the process looked like in the coming months and the aspirations for 2020.
We realised early that we were not only testing our own systems, but testing an ecosystem made up of banks and the ACCC registry. This was actually very exciting and gratifying. To see and learn in intricate detail the ins and outs of open banking was a rewarding experience for myself and the team.
The great thing about being this early in the development of a new platform, was that we were able to provide input on both the technical API standards and accreditation criteria.
3. Frollo was already ISO27001 certified when we applied for accreditation, did that help in any way?
“Yes, many of the control objectives and controls are the same as for our ISO27001 certification, so when it comes to collecting evidence we were well on our way. The cost will still surprise you though!”
4. What insights and learnings can you share from the accreditation process?
“One of the most important things to realise is that CDR compliance isn’t only about systems, it’s just as much about people and processes.
When you’re defining your CDR boundaries, people with access to that data must be defined within the boundary. Anything that touches that data, needs to be looked at and safeguards need to be put in place. There are civil penalties associated with not doing this right, so it’s important to consider the whole picture: people, processes and systems.
Another thing thing to know is that you can’t take the controls of your technology providers for granted. Even if your partners have their own controls in place, part of accreditation is to make sure you understand the controls of the partners you work with and ensure you’re happy with them as part of your process.
Luckily we build a lot of our technology in house, but when we do use third party technology for things like cloud computing, it’s important not just to take their controls for granted.
A benefit of being an ADR for us is that partners who use our technology can trust our controls are up to CDR standards.”
5. If you had to go through the accreditation process again, what would you do different?
I’d love to say ‘learning from people who know the process’, but being the first that wasn’t really an option for us. We did draw on help from some partners, and worked very closely with the ACCC throughout the whole process. These collaborations were very important to the success of our application.
Also, having a crack team dedicated to this was absolutely essential.
6. What advice would you give businesses considering to lodge their ADR application?
I’d give them two pieces of advice. The first one is about the importance of developing a governance structure that allows for ongoing evaluation of changes against CDR regulations. Accreditation is not just a point in time, it’s ongoing. Every change needs to be evaluated.
We developed a framework to evaluate whether changes within the company would be impacted by the CDR rules. For example when we develop a new product: how does that new product affect the CDR boundary? If it does, what safeguards do we need to put in place?
The second piece of advice is to find people or businesses that know the process and learn from them. The accreditation process will be quicker and cheaper, and the outcome will be better when you work with partners who’ve done it before.
