Next Article in Journal
Implementing EU Sanctions Through Criminal Law: Serious Negligence as a New Form of Culpability in the Slovak Republic
Previous Article in Journal
State Capture, Symbolic Law, and the Perceived Risk of Reporting Corruption: A Multilevel Analysis of Bribery in Africa
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Laws
Volume 15
Issue 2
10.3390/laws15020016
laws-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Transplanting Australia’s Consumer Data Right: A Viable U.S. Open Banking Model?

by
Rory O’Callaghan
and
Casey Watters
*
Faculty of Law, Bond University, Gold Coast 4226, Australia
*
Author to whom correspondence should be addressed.
Laws 2026, 15(2), 16; https://doi.org/10.3390/laws15020016
Submission received: 24 December 2025 / Revised: 4 February 2026 / Accepted: 25 February 2026 / Published: 4 March 2026
Browse Figures
Versions Notes

Abstract

Open Banking aims to empower consumers to control their financial data, yet jurisdictions vary in their regulatory approaches. This article examines whether the US should adopt Australia’s statutory Consumer Data Right (CDR) as part of a domestic open banking framework, as open banking is yet to be fully realized under Section 1033 of the Dodd-Frank Act. This study employs a comparative analysis of the economic and institutional differences between the Australian and US systems, with a focus on non-bank lenders and the challenges of legal transplantation. It argues that although Australia’s rights-based model provides a normative foundation for consumer empowerment, its rigid structure and expensive accreditation processes risk limiting participation and innovation. Instead, the paper advocates a hybrid approach for the US, integrating CDR principles into a market-responsive framework.

1. Introduction

‘Open Banking’ is positioned as a solution to the growing complexity in financial services, where expanding regulations, increasing non-bank participation and a widening array of financial products are making it more difficult for consumers to navigate the industry (Myers 2022).
Open Banking refers to a market framework that facilitates consumers to securely access and share their financial data with third parties, empowering market transparency, innovatively tailored products and more informed consumers. This is achieved through Application Programming Interfaces (‘API’s’) between two or more unaffiliated parties to deliver enhanced sharing capabilities in the marketplace (Brodsky and Oakes 2022).
Australia has formalized Open Banking through a rights-based, legislatively embedded model (Jevglevskaja and Buckley 2022a). This model is known as the Consumer Data Right (‘CDR’), enacted under Part IVD of the Competition and Consumer Act 2010 (Cth), and provides a statutory mechanism for consumers to access and control the sharing of their data. In the United States (‘U.S.’), equivalent reform has come more slowly, historically relying instead on market-led initiatives and fragmented, inactive federal laws (Hogan 2023). However, the eventual enactment of rules from the Consumer Financial Protection Bureau (‘The Bureau’) attached to Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Financial Protection Act 2010 (US) (‘Dodd-Frank Act’) will aim to change this by granting U.S. consumers the right to access their financial information, improving the portability of consumer financial transaction data (Jevglevskaja and Buckley 2022a).
The effectiveness of Open Banking relies on broad participation: data must be portable not just between banks but across the entire financial services ecosystem. Open data ecosystems could ‘unlock $3 trillion globally in potential economic value’ but only when data can flow across standardized and trust-based systems (Manyika et al. 2013). Critically, this includes non-bank lenders (‘NBLs’), who now play a significant role in modern credit markets within the financial services industry, accounting for over a quarter of all new consumer and SME lending in Australia (Treasury 2024a). Yet they remain outside the operational scope of the CDR (CDR 2010). A parallel issue exists in the U.S. Although Section 1002(6) of the Dodd-Frank Act’s broad definition of a ‘covered person’ includes NBLs, Section 1033 has not yet been fully activated due to the lack of corresponding published rules by the Bureau (Dodd-Frank 2010; Hogan 2023).
This regulatory gap presents a problem. It directly undermines the goals of Open Banking and consumer fairness by entrenching advantages for Authorized Deposit-taking Institutions (‘ADIs’) and limiting the ability of NBLs to compete on an equal footing. The result in both jurisdictions is the same: consumers who borrow from NBLs lack data mobility, and NBLs themselves lack access to consumer data. This distorts credit markets, weakens consumer protections, decreases the competitiveness of NBL products and thus undermines Open Banking’s foundational goals.
Australia has recently signified that it will expand the CDR to the non-bank lending sector from November 2026 (Australian Commonwealth Treasury 2024). However, the U.S. continues to show little progress toward an active Open Banking regulatory framework for all institutions, including NBLs.

Research Objectives

This article examines whether the United States, through Section 1033 of the Dodd-Frank Act, should structurally replicate Australia’s CDR regime, as Australia expands it to include NBLs. Although Australia’s approach to legislating consumer data rights originates in Europe, Australia was selected for this comparative analysis due to its similar legal and cultural history, as well as the fact that both countries are federations with significant authority granted to the states under written constitutional frameworks. While each jurisdiction has unique characteristics that pose challenges to legal transplantation, Australia and the U.S. have significantly more in common than the European Union, which adopted civil law, or the United Kingdom, which lacks a similar federal structure.
Despite similarities between the Australian and US legal systems, one significant difference is the treatment of consumer protection. Australia is said to have a “consumer protection culture” (Booysen 2021) while the United States relies heavily on state law for consumer protection. However, the Federal Trade Commission enforces a prohibition on unfair or deceptive practices (Keegan and Schroeder 2019), and the Consumer Financial Protection Bureau regulates financial services (Levitin 2012). Australia, on the other hand, has a comprehensive consumer protection regime, the Australian Consumer Law (ACL), for general consumer protection, and the Australian Securities & Investments Commission (ASIC) regulates financial products and services (Pearson 2015). Compared with US government entities, ASIC serves as a “super regulator” with extensive investigatory and enforcement powers (Bird 2011). The role of ASIC, coupled with Australia’s consumer protection culture, stands in contrast to the more relaxed regulatory approach of the United States on the national level. US states may adopt their own privacy laws, with California having adopted one of the strongest modern consumer privacy frameworks (Park 2019; Yallen 2019). The relationship between the US state and federal consumer privacy laws is outside the scope of this paper. However, it is worth noting that the US commerce clause is generally viewed as granting Congress authority to regulate in this area (Freeman 2005).
Whilst much of the comparative commentary supports Australia’s legislated approach in principle, this article critically examines its regulatory effectiveness, particularly in relation to the uniform extension to NBLs. It argues that Australia’s model, whilst conceptually strong, faces implementation challenges due to rigid consent mechanisms, complex accreditation pathways, and burdensome compliance costs. These features risk undermining innovation and excluding smaller firms from participating, potentially burdening the sectors Open Banking aims to empower.
This article makes two key contributions. First, it places NBLs at the center of legal analysis, given their growing market share, drawing upon real-time policy submissions and regulatory consultations. Secondly, it challenges assumptions about the global transferability of rights-based data regimes, contributing to broader debates on legal transplantation in financial data regulation. This critique is especially relevant as Australia has positioned its CDR as a world-leading framework with ambitions for global exportation (Treasury 2021), and the U.S. continues to experience ongoing regulatory instability surrounding data governance through Section 1033 (Myers 2022; Farrell 2022; Lux and Zhao 2025).

2. Methodology and Theoretical Framework

This article employs a comparative legal methodology to assess the viability of transplanting Australia’s CDR regime into the United States via Section 1033 of the Dodd-Frank Act (Dodd-Frank 2010). It adopts a doctrinal approach, analyzing and comparing each country’s regulatory and legislative instruments governing data sharing and consumer data rights.
Legal transplantation, as proposed in this article, can be viewed as a subset of comparative legal theory. While legal transplantation is often spurred by “political, economic, and reputational incentives” (Schauer 2000), this analysis focuses on the benefits for consumers independent of political incentives. Legal transplantation also stands in contrast to mirror theory, which postulates that laws mirror the values and development of society (Ewald 1995; Cotterrell 2001).
The theoretical motivations underlying legal transactions are as diverse as the adoption of other laws (Teubner 1998). In the case of open banking, the justifications are primarily economic. Economic legal transplantation is often independent of cultural factors and seeks to reduce transaction costs. As Graziadei points out, “[t]he modern corporate form, trust and other asset-management techniques, as well as negotiable instruments” have been transplanted across jurisdictions to reduce transaction costs present in earlier legal frameworks (Graziadei 2006). Jurisdictions may compete for business, spurring increased efficiency and reduced regulation, sometimes criticized as a race to the bottom (Jiang et al. 2022).
In the case of open banking, customers would be empowered to move between financial institutions, thereby leveraging the market to incentivize innovation in the banking sector. In this sense, open banking reintroduces an element of economic efficiency into the highly regulated banking industry where little competition currently exists (Colangelo 2024; CMA 2017). Within open banking, there remains the debate whether a common API standard should be legislated or if the standard should be left to the market (Colangelo 2024). A common standard creates market efficiency by reducing the cost barriers of entry for smaller financial institutions. However, leaving the standard(s) to the market leaves room for innovation. These issues must be addressed as the US decides whether to adopt the Australian model.
To support this analysis, the research will integrate policy-oriented, non-doctrinal materials, including consultation reports and regulatory explanations on existing legal frameworks and proposed amendments. It will also assess industry submissions on these frameworks to understand the practicality of their application from the industry’s perspective. Particular attention will be given to Australia’s amendment extending the CDR to NBLs (CDR 2010), to now assess the framework’s flexibility, scalability and applicability to the structurally different U.S. environment, which already encapsulates both banks and NBLs in its ‘covered persons’ definition (Dodd-Frank 2010). Finally, academic commentary will be assessed to gain a theoretical understanding of the current regulatory design and academic perspectives toward each jurisdiction’s approach.
This integrated approach enables a balanced assessment of whether legal transplantation of Australia’s rights-based framework is not only conceptually desirable but also practically achievable in the U.S. By comparing both regimes, this article uniquely highlights the challenges of importing complex data regulations across jurisdictions with differing legal systems, privacy regimes, market structures and regulatory philosophies.

3. Background and Literature Review

3.1. Literature Review

In identifying the current state of the academic literature, it was essential not only to examine the literature focused on open banking in Australia and the United States, but also to consider the global literature. To this end, we first conducted a general search for “Open Banking” on Scopus, which returned 331 publications by authors from at least 64 jurisdictions (20 publications did not have location information for the authors). Figure 1, below, illustrates the geographic distribution of articles on open banking, encompassing every populated continent, highlighting the global significance of this issue.
Before examining the literature focused specifically on Australia and the United States, we wanted to carefully examine the literature that focuses on the use of APIs in transferring data as part of open banking. By adding the search term “API” to “Open banking”, the number of publications reduces from 331 to 53. We then excluded conference papers (19) and a conference review, leaving a total of 33 publications. As this research focuses on the regulatory framework, we excluded the publications from STEM disciplines, limiting the results to social sciences, economics, econometrics and finance, and business, management and accounting. The remaining 17 publications, consisting of 11 articles and 6 book chapters, are presented in Table 1 below. Some publications repeat as Scopus places them in more than one discipline category.
The term “Open Banking” was excluded for the Australia and US-specific searches represented in Table 2 below, as these articles were already identified in the initial search above. These focus individually on each jurisdiction.
While there are many articles on open banking, and few articles address Open Banking reforms in the US (Lin et al. 2025), the articles investigating legal transplantation (Colangelo 2024) are sparse with none identified as specifically proposing the US model’s reforms on the Australian approach, thereby making this study a novel contribution to the academic literature.
Academia and key market stakeholders across both jurisdictions widely acknowledge the critical role of enforceable consumer data rights in promoting competition, consumer empowerment and market fairness. In Australia, Jevglevskaja and Buckley characterize the CDR as a ‘world leading’ regime, demonstrating its ability to shift data control from institutions to individuals, thereby enhancing market transparency and fairness (Jevglevskaja and Buckley 2022a). They argue the CDR’s consumer-centric design directly counters traditional market inefficiencies, such as differential pricing that penalizes existing customers, restoring basic fairness and market morality. Nevertheless, they identify significant operational hurdles, particularly citing the CDR’s ‘stringent and lengthy’ accreditation and consent architecture, which risks discouraging participation from smaller market firms (Jevglevskaja and Buckley 2022a). Additionally, they emphasize that without addressing limited consumer awareness and persistent misconceptions, the CDR’s transformative potential remains uncertain. Their analysis underscores the necessity of ‘highly effective data governance practices’ and ‘effective consumer education’ to realize the framework’s full potential (Jevglevskaja and Buckley 2022a).
These academic insights are reinforced by recent stakeholder submissions on the proposed expansion of the CDR to NBLs (Australian Government Treasury 2025). Whilst stakeholders broadly support extending the CDR, several raise practical concerns. FinTech Australia notes that the proposed ‘de minimis’ threshold could inadvertently exclude many innovative digital lenders, compromising the CDR’s inclusivity (FinTech Australia 2024). Similarly, the Australian Finance Industry Association and AFG warn of disproportionate compliance costs for smaller lenders still deemed data holders, potentially distorting the market (Australian Finance Industry Association 2024). Xero further highlighted that smaller lenders may lack sufficient scale or resources to manage the complex accreditation processes and technical standards required under the current regime (Xero 2024). Shift similarly warned that applying a regime built for banks onto fundamentally different business models could generate more complexity than benefit, especially where internal systems and data standards are not API-ready (Shift 2024). Several stakeholders have also highlighted that the existing CDR framework suffers from an impractical multi-step consent mechanism, raising concerns about consumer engagement once extended to more diverse, advanced financial products with NBLs (Shanahan 2025). These industry perspectives collectively suggest that the CDR’s highly centralized and uniform design, whilst robust in principle (CDR 2010), may not effectively accommodate the diverse operational realities of the NBL sector, undermining its effectiveness.
In contrast, U.S. commentary reflects increasing frustration with the current decentralized, market-led model governed by private contracts. Marciniak vividly describes the U.S. data regulatory landscape as a ‘Wild West’, marked by fragmented state and federal laws, which collectively fail to provide comprehensive privacy protection or data portability rights (Marciniak 2021). He argues the current ‘privacy void’ exacerbates systemic risks, advocating for a dedicated Consumer Data Protection Bureau, explicitly inspired by the Consumer Financial Protection Bureau established under the Dodd-Frank Act, to ensure stronger and more coherent enforcement of consumer data rights under Section 1033 (Marciniak 2021). This theoretically becomes established from the Bureau publishing its rule activating Section 1033 (Dodd-Frank 2010). Similarly, Hogan critiques the U.S. model’s reliance on bilateral contracts, highlighting how this approach entrenches established financial institutions at the expense of emerging FinTech competitors, thereby hindering innovation and consumer choice (Hogan 2023). She argues strongly for regulatory intervention, stating that the Bureau should actively enforce uniform data-sharing standards and conditions to promote genuine market competition (Hogan 2023).
Supporting these calls, Myers explicitly endorses the Australian CDR as ‘the most comprehensive, well-structured and well-designed’ consumer financial data access system globally (Myers 2022). He stresses that only a legislative, regulatory-backed solution like Australia’s CDR can ensure standardized, secure data access, asserting voluntary industry-led initiatives are insufficient (Myers 2022). Myers concludes that consumer data rights should be statutory entitlements rather than privileges controlled by incumbents (Myers 2022).
These positions collectively reflect an incomplete consensus, highlighting critical tensions around operational rigidity, compliance burdens and structural adaptability. Given these unresolved issues, the following sections critically assess the structural and legal differences between the Australian and U.S. regimes, evaluating whether Australia’s CDR regulatory design can feasibly and beneficially be transplanted to the U.S. system.

3.2. Australian Data Sharing Model

3.2.1. Existing CDR Legislation

The origins of Australia’s CDR legislation stem from the Payment Services Directive (‘PSD2’) in the European Union and the General Data Protection Regulation (‘GDPR’) in the United Kingdom (Directive-2015/2366 2015; GDPR 2018; EU 2018; DPA 2018). The PSD2 set the standard for financial account data retrieval and payment initiation by third parties (Directive-2015/2366 2015), whilst the GDPR sought to guide how financial data could be created, used and shared via APIs (GDPR 2018). Subsequently, Australia aimed to provide a broader and more practical framework for consumer data portability with the CDR (CDR 2010).
After substantial inquiries, sector-specific reviews and consultation between 2014 and 2017 (Treasury 2024a), the legislative framework for the CDR regime was enacted through the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (TLA 2019; ICA 2010; PA 1988), which inserted Part IVD—Consumer Data Right into the Competition and Consumer Act 2010 (Cth) (‘CCA’). The amended bill enabled the Treasury to apply the CDR to sectors of the economy and outline the functions of its regulatory bodies (TLA 2019). The Australian Competition and Consumer Commission (‘ACCC’) subsequently published the corresponding Competition and Consumer (Consumer Data Rights) Rules 2020 (Cth) (‘CDR Rules’) in February 2020 to operationalize the legislative framework (CDRR 2020), alongside privacy guidelines issued by The Office of the Australian Information Commissioner (‘OAIC’) to assist with navigating the privacy safeguards attached to the CDR under the CCA (CCA 2010).
These rules have given effect to Part IVD of the CCA, operationalizing the requirements attached to the CDR legislation, which participants must comply with as a condition of participation. The ACCC was tasked with the responsibility of assessing sectors of CDR application, accreditation criteria, overseeing the Data Standard Body and strategic enforcement (Sullivan 2022). The OAIC was then responsible for advising the Australian Treasurer and the ACCC on privacy implications in each sector, as well as providing advice and education for firms within the relevant markets (CDRR 2020).
The CDR framework legislated the standards governing how data is shared and detailed the technical standards for data sharing.
This enabled Open Banking in Australia to consist of three key elements (CDRR 2020):
  • Consumers having greater access and control over their banking data.
  • Banks are required by law to share product and consumer data with consumers.
  • Upon the consent of the consumer, banks are required to share product and consumer data with accredited third parties of the consumer’s choosing.
The CDR currently only applies to ADIs within the financial services industry, initially including Australia New Zealand Banking Group (‘ANZ’), Commonwealth Bank of Australia (‘CBA’), National Australia Bank (‘NAB’) and Westpac Banking Corporation (‘Westpac’) (OAIC 2024b). It is now operationalized to all ADIs across all products as of November 2022. Examples of these products include savings accounts, debit card accounts, home loans, personal loans, offset accounts and trust accounts.
Operationally, under the CDR framework, data sharing begins when a consumer consents to an accredited person accessing their data to provide a service (OAIC 2024a). An accredited person is an entity that has been granted accreditation by the ACCC under s 56CE of the CDR (CDR 2010), having satisfied the accreditation criteria prescribed under division 5.2 of the CDR Rules (CDRR 2020), and thus has been authorized to collect and use CDR data by the ACCC. These criteria include compliance with information security standards, suitable corporate governance and products, fit and proper person requirements, adequate insurance (Yang et al. 2025) and adherence to the 13 privacy safeguards as outlined in the CDR (ACCC 2023).
The accredited person then contacts the relevant data holder, as defined under s 56AJ of the CDR, who verifies the accreditation and initiates a request for consumer authorization (CDR 2010; OAIC 2024a). Only entities or persons within sectors that have been formally designated by the Treasurer under s 56AC of the CDR can be required to share data as data holders (CDR 2010). Upon request, the data holder asks the consumer to formally authorize the disclosure. Once authorized, the data holder securely shares the requested data via API with the accredited person, who then becomes an accredited data recipient (OAIC 2024a). An accredited data recipient is a person who has received CDR data in response to a valid consumer-authorized request and is bound by strict obligations under the CDR and 13 Privacy Safeguards, including secure data use, retention limits, and delegation requirements (CDR 2010; CDRR 2020). Once the data is received, the recipient may then use the data to deliver the specific product or service the consumer requested (OAIC 2024a). This process is underpinned by privacy safeguards and accreditation rules to ensure secure and controlled data sharing and, most importantly, consumer consent as shown in Figure 2 below.
Perhaps the most integral aspect of the CDR framework in its operation is its consumer consent process. Consumers must provide granular consent to an accredited data recipient, specifying the type of data, the duration of access, and the purpose of sharing (CDRR 2020; DSB 2019). The Consumer Experience Guidelines require an accredited data holder to provide a dedicated dashboard for each consumer who has provided consent to the collection and use of their data (DSB 2019). This dashboard must enable consumers to manage their active consents, monitor what data has been shared and revoke access at any time. Once the consumer’s consent is given, they are redirected to their accredited data holder’s platform, where identity verification and authorization are completed. Ultimately, together these mechanisms operationalize the CDR’s goal of secure, consumer-driven data sharing in designated sectors (Sullivan 2022).

3.2.2. Non-Bank Lenders Amendment

In August 2024, the Minister for Financial Services announced that the CDR would be expanded to include the Australian non-bank lending sector (CCA 2010), taking effect in four phases spanning from November 2026 to September 2027 (Australian Commonwealth Treasury 2024). The expansion’s implementation is expected to facilitate ‘more informed consumer engagement with both banks and non-bank lenders’ (Australian Commonwealth Treasury 2024). Thus, its purpose is to improve financial outcomes for individuals and businesses by increasing the availability of data in the market, encouraging innovation in financial technology and products, whilst also helping consumers better understand and manage their finances (Australian Commonwealth Treasury 2024).
The updated rules now explicitly designate NBLs as data holders and, therefore, will be subject to mandatory data-sharing obligations and regulation under the CDR, regardless of their accreditation status, in accordance with the amended CDR Rules. This contrasts with the previous model, under which accredited data recipients could withdraw from data-sharing obligations by relinquishing their accreditation. The designation of the non-bank lending sector under Section 56AC of the CCA removes this flexibility, ensuring consistent data sharing across all designated entities in financial services, both from bank and non-bank models (CDR 2010).
Upon the inclusion of the non-bank lending sector into the CDR, the following measures will be operationally implemented into the CDR Rules to theoretically limit the costs to NBLs and reduce compliance costs for the banking sector. Firstly, an NBL will be classified as a data holder if it is a ‘relevant non-bank lender’ which is a registrable corporation under s 7 of the Financial Sector (Collection of Data) Act 2001 or would be a registrable corporation without the $50 million threshold in that section applying (Commonwealth of Australia 2025). Consequently, like ADIs, eligible NBL data holders will be responsible for providing necessary infrastructure to enable consumer data access, disclosing product data, transferring data with valid consumer authorization and managing that authorization (Commonwealth of Australia 2025). They must also comply with obligations such as disclosing data, resolving disputes, recordkeeping and meeting privacy and reporting requirements (Commonwealth of Australia 2025).
Secondly, there will be a ‘de minimis’ threshold criterion to determine whether an NBL data holder is required to implement CDR data sharing measures and systems (Australian Commonwealth Treasury 2024). Theoretically, the aim of the threshold is to ‘unlock’ data for high-value use cases, e.g., larger, established FinTech’s, whilst limiting potential costs and regulatory burdens for emerging NBL data holders (Australian Commonwealth Treasury 2024). The ‘de minimis’ threshold will include a two-tier approach (Australian Commonwealth Treasury 2024):
Initial Provider (Commonwealth of Australia 2025):
-
An NBL data holder which has had $10 billion in resident loans and finance leases reported to the Australian Prudential Regulation Authority (APRA) for the most recent calendar month before 4 March 2025.
-
Averaged over $10 billion over the preceding 12 months.
Large Provider (Commonwealth of Australia 2025):
An NBL data holder that is not an initial provider but on the commencement date or 1 July 2025 thereafter:
-
Had over $1 billion in resident loans and finance leases reported to APRA for the most recent calendar month before that date.
-
Averaged over $1 billion in the 12 preceding months.
-
Had more than 1000 customers, or was an accredited person under the CDR.
Thus, initial providers are identified based on their size prior to the regime’s commencement, whilst large providers are captured on a rolling basis thereafter as they meet prescribed loan and customer metrics (Commonwealth of Australia 2025). However, both have the same obligations under the CDR. It is noted that NBLs that do not meet this threshold can choose to join the CDR by notifying the ACCC for accreditation approval, to remain on equal footing with the wider market (Australian Commonwealth Treasury 2024; Commonwealth of Australia 2025).
Thirdly, the updated rules narrow the range of products for which CDR data sharing would be compulsory for banking and ADI data holders that meet the ‘de minimis’ threshold (Australian Commonwealth Treasury 2024). This initiative aims to avoid unnecessary cost burdens for data holders relating to ‘niche and small target’ products for which the CDR is unlikely to be shared at scale to support high-value use cases. These products, whereby data sharing would be voluntary, include asset finance (excluding auto finance), consumer leases, foreign currency accounts, margin loans and reverse mortgages (Australian Commonwealth Treasury 2024).
Finally, the updated rules reduce the requirement to share historical consumer data for both bank and non-bank data holders (Australian Commonwealth Treasury 2024). Thus, a bank and non-bank lending data holder would not be required to share consumer data if the data related to a transaction that occurred more than two years before the time of the request.

3.3. US Data Sharing Model

The United States currently operate using a market-based approach. A market-based approach relies on private contracts between banks, third parties and non-banks to facilitate the sharing of consumer data, rather than a centralized regulatory framework that mandates it. For example, Plaid, backed by Mastercard and Visa, has become a leading US data aggregator, facilitating transfers between financial institutions and FinTech’s and now controlling a significant share of the data aggregation market (Crosman 2020).
The Gramm Leach Bliley Act 1999 (‘GLBA’) remains the principal federal privacy law in banking, requiring financial institutions (including NBLs) to safeguard ‘non-public personal information’ but granting no right to data portability for consumers and exempting third-party aggregators such as non-bank FinTech’s (GLBA 1999). Thus, to address portability, Congress enacted Section 1033 of the Dodd-Frank Act (Dodd-Frank 2010), compelling ‘covered persons’(Dodd-Frank 2010), which includes both bank and non-bank lenders, to supply consumers with information about any financial product or service in an electronic form usable by consumers, and authorizing the Bureau to prescribe binding rules governing its implementation and application (Dodd-Frank 2010).
Despite this legislative framework, Section 1033 has not been operationalized because the Bureau has failed to publish these rules. Since 2016, the Bureau has issued multiple discussion documents, including Consumer Protection Principles (2017) (CFPB 2017), an Advance Notice of Proposed Rulemaking (CFPB 2020), and a draft rule of the Personal Financial Data Rights Rules (CFPB 2023), yet the section remains dormant.
In October 2024, the Bureau under the President Biden administration finalized the Personal Financial Data Rights Rule (‘2024 Rules’) under Section 1033. The 2024 Rules required banks, credit card issuers and other financial providers to make consumers’ financial data available for transfer to another provider at the consumer’s request and at no cost (CFPB 2024a). The 2024 Rules mandated the use of secure APIs (prohibiting screen scraping for compliant data aggregators), imposed phased compliance based on institutional asset size and set data access and consent standards that authorized third parties and data aggregators must meet. Evidently, features reminiscent of Australia’s CDR framework (Grimm 2024; CFPB 2024c). The 2024 Rules were scheduled to take effect in April 2026 (CFPB 2024c). This marked a significant regulatory step toward fully activating Section 1033, thereby accelerating responsible Open Banking in the U.S. with uniform, enforceable consumer rights that significantly expanded consumer access to their financial data.
However, in May 2025, under the new Trump administration, the Bureau moved to withdraw the 2024 Rules attached to Section 1033 (Vaske 2025). This decision followed a legal challenge from the Banking Policy Institute (BPI) and the Kentucky Bankers Association, who argued that the Bureau exceeded its statutory authority under the Dodd-Frank Act, suggesting that banks have already made it possible for hundreds of millions of Americans to safely access and share their data, and the rule would undermine that ecosystem (Vaske 2025). The Bureau stated that after President Trump’s directive to review the 2024 Rules, its leadership determined that the rule is unlawful and thus should be set aside (Sullivan 2022).
Although Section 1033 imposes a statutory obligation on the Bureau to prescribe rules facilitating consumer access to financial data, it does not include any deadline or enforcement mechanism, allowing successive administrations to exercise broad discretion in delaying or declining to act (Dodd-Frank 2010; Vaske 2025). Consequently, despite this ongoing legislative requirement, the Bureau’s new leadership has not indicated whether it will reinitiate the rulemaking process following its move to vacate and revoke the 2024 Rules. Thus, the U.S. remains without enforceable rules from the Bureau to activate Section 1033, and the regulatory direction of consumer data rights under the Trump administration remains uncertain.
Therefore, in the absence of the Bureau’s rules, the U.S. still relies on the private sector to effectuate data portability and Open Banking. This contract-based approach lacks a comprehensive privacy framework, leaving the terms of data access and sharing largely determined by individual agreements rather than enforceable consumer protections (Gross 2022). Subsequently, one-off private contracts dictate when and where consumers can share their data. Operationally, this means that there is no enforceable right for a consumer to direct an entity, such as a bank or an ADI, to transfer or share their data, or to change providers or products. Rather, banks or ADIs must have a privately contracted arrangement, such as Chase with Xero and Wells Fargo with Finicity, facilitating the sharing of data (Brodsky and Oakes 2022). However, consumers are limited to the specific partnership in place, restricting their ability to conveniently share data beyond that arrangement.
The US still has few restrictions on how data is collected. Thus, companies are able to engage in ‘screen scraping’, a process whereby third parties use consumers’ login credentials to access their bank accounts and extract data directly from the user interface (Grainger-Marsh 2024). Alternatively, API’s can also be used, facilitating custom arrangements between customers, banks and third parties, with no governmental intervention or mandatory sharing format (Grainger-Marsh 2024).
The U.S. remains without active rules from the Bureau. Ultimately, the Trump administration’s reasoning for revoking the 2024 Rules highlights the core problem with the existing U.S. framework: banks retain control, while consumers and competing firms lack any legally enforceable right to access, control, or share data. Consequently, entrenching structural inequality in both consumer rights and market competition. It is precisely this policy void and institutional inconsistency that makes the present inquiry urgent: in the absence of active, enforceable rules in the U.S, this article interrogates whether Australia’s legislated, rights-based CDR offers the structural clarity and regulatory force the U.S. has repeatedly failed to realize.

4. Discussion

4.1. Australia-U.S. Comparative Analysis

The distinct market structures of Australia and the United States profoundly shape their respective regulatory frameworks governing consumer data portability. Australia’s legislatively embedded, rights-based CDR contrasts sharply with the U.S.’s fragmented, market-led model, which relies on private contractual arrangements. These divergent approaches reflect deeper institutional, market and regulatory differences explored in the preceding Background and Literature Review sections. This section comparatively analyses the viability of transplanting the CDR framework into the U.S. system, focusing specifically on four critical dimensions: market structure, legal foundation, and the treatment of non-bank lenders. Through this structured comparison, the analysis establishes the groundwork for assessing precisely which elements of Australia’s CDR can feasibly enhance the U.S. regime under Section 1033, without compromising its innovative financial ecosystem.

4.1.1. Market Landscapes

Australia and the U.S. exhibit fundamentally distinct financial market structures that significantly impact their regulatory approaches to consumer data rights. The Australian market is comparatively concentrated, with the four major banks—Westpac, CBA, NAB and ANZ (‘Big Four’)—dominating the market, controlling 80% of the Australian financial system at present (Forbes Advisor Australia 2024). At the end of 2023 this share was worth more than $3.85 trillion, double the size of the country’s economic output (GDP) (Forbes Advisor Australia 2024). These banks sit alongside a smaller number of less influential ADIs.
The FinTech and NBL ecosystem in Australia, whilst growing to approximately 767 firms, remains modest in size and scale relative to the major banks, with many FinTech’s being subsidiaries or strategic partners of the Big Four, designed to evolve their products with market demand and changing expectations (KPMG 2024). This is evident in the major banks’ focus on third-party banking, such as CBA’s digital home loan brand Unloan (Marsh 2022). This centralized structure of the Australian financial market facilitated the phased rollout of CDR, initially targeting the Big Four banks. It also highlights the importance of gradually extending to NBLs and FinTech providers to ensure greater competition and inclusivity in the Australian market, which has historically been dominated by the major banks.
Conversely, the U.S. maintains a vastly different market structure; one that is far less concentrated and rather more pluralistic and FinTech-driven. Unlike Australia’s highly concentrated banking sector, the U.S. exhibits a markedly decentralized structure, with its three largest banks accounting for just under 39% of total commercial banking assets (Federal Reserve Bank of St Louis 2024). The U.S. market comprises over 4462 FDIC-insured banks and more than 4411 credit unions, with its commercial banking assets totaling approximately USD $23.6 trillion, which is over six times the size of the Australian banking sector by comparative size and almost equivalent to the entire U.S. GDP (Board of Governors of the Federal Reserve System 2023). Additionally, the U.S. hosts close to 9000 NBLs and FinTechs, many of which operate as primary lenders, payment processors and aggregators competing with traditional banks (Mordor Intelligence 2024). The U.S. consumer lending market reflects this dynamism, distinct from Australia’s reliance on central banking institutions.
FinTech firms, led by entities such as SoFi, Rocket Mortgage, and LendingClub, now service millions of American consumers across credit, savings, and investment functions and routinely interface with third-party data aggregators, including Plaid and Yodlee (Antosz 2023). The U.S. market environment is therefore one driven by private contractual relationships and competitive dynamics. It is dominated by FinTech’s and NBLs relative to Australia’s market (767 vs. 9000). Such structural features like scale, fragmentation of market share, diversity of market participants, and innovation pace complicate the direct transplantation of Australia’s uniform, rights-based model. That model relies on the actions of the Big Four to dictate the behaviors of the market, which fosters competition but complicates the very concept of uniform data regulation across the U.S. pluralistic financial market.

4.1.2. Legal Foundation1

Australia’s CDR is legislatively entrenched through amendments to the CCA (CCA 2010), designed to be rights-based, entrenching consumer rights to access and direct the sharing of their data. The legal foundation prioritizes a uniform, enforceable rights regime, centrally designed and phased across sectors, beginning with banking. The CDR was described by Treasury as a ‘consumer-centric’ framework embedded in legislation (Australian Government Treasury 2021), aiming to shift control of data from institutions to individuals (Australian Government Treasury 2018).
By contrast, the U.S. has historically relied on industry-led arrangements and private contracts to facilitate data sharing, largely through APIs or screen scraping. Section 1033 of the Dodd-Frank Act mandates that financial institutions provide consumers with the right to access their data but currently lacks the implementation of rules to activate the section. As the Bureau has noted, Section 1033 establishes the statutory right but does not provide detailed rules or implementation pathways to enforce that right (CFPB 2020; CFPB 2024b).
Thus, that statutory right in the U.S. framework remains effectively inactive without implementing enforceable rules from the Bureau. The recent withdrawal of The Bureau’s 2024 Rules under the Trump administration underscores the volatility and uncertainty inherent in the U.S. regulatory environment, leaving data portability subject to private sector discretion and exacerbating systemic inequalities. Until the finalization of The Bureau’s proposed rules, U.S. data access remains fragmented and largely unenforceable, relying on private, platform-level discretion rather than codified rights. This absence of enforceable implementation illustrates the need for the U.S. to move beyond abstract rights and toward structured, consistent data access mechanisms that place the rights of consumers at the forefront of Open Banking—as Australia has done through the CDR.

4.1.3. Inclusion of Non-Bank Lenders

The treatment of NBLs represents a critical point of divergence between Australia’s rights-based CDR framework and the U.S. market-led regime.
Initially, Australia excluded NBLs from its CDR regime, prioritizing the inclusion of major banks and ADIs to ensure foundational stability and application. However, this delay attracted widespread criticism for entrenching incumbents’ data accessibility and inhibiting innovation among FinTech’s and NBLs. The 2024 amendment to the CDR marked a pivotal shift, whereby, as explained above, NBLs were introduced as designated data holders, subject to mandatory data-sharing under the CDR framework (Australian Commonwealth Treasury 2024). Treasury’s phased inclusion from 2026 to 2027 introduced structural accommodations, such as a ‘de minimis’ threshold, reduced historical data obligations and product-specific carveouts, to temper compliance costs (Australian Commonwealth Treasury 2024). Yet market consultation responses, including from FinTech Australia and Xero, suggest the changes may not sufficiently support all NBLs, who consequently face high compliance costs, lack the technical capacity to build or access API-based systems which facilitate CDR sharing and consent requirements and must navigate burdensome accreditation and consent processes (FinTech Australia 2024).
By contrast, the U.S. financial data landscape has long positioned NBLs as central participants. NBL, FinTech lenders such as SoFi, Affirm, Finicity and LendingClub accounted for over 35% of unsecured personal loans and 54% of residential mortgages in 2023 (American Bankers Association 2023; Financial Stability Oversight Council 2024). In the absence of active Federal data-sharing mandates, these NBLs have approached the open finance environment by forging aggregator partnerships and proprietary systems to remain relevant to consumers and attractive to larger institutions. A notable example is Wells Fargo’s contractual agreement with Finicity, which provided an API method for sharing Wells Fargo customer information with the financial apps and services that Finicity supports (Finicity 2017). These privately negotiated partnerships have become a commercial necessity for NBLs to access consumer financial data, thereby remaining relevant to consumers and competitive with banks. However, it raises significant barriers to access for smaller or emerging NBLs who often lack the resources, bargaining power or technical infrastructure to form equivalent agreements, leaving them effectively shut out of meaningful data access and unable to compete on equal footing. Although the broad definition of a ‘covered person’ under s 1002(6) of the Dodd-Frank Act includes NBLs, without Section 1033 being fully operationalized, it has limited effect (Dodd-Frank 2010).
This underscores a persistent structural gap: although U.S. NBLs are included as ‘covered persons,’ their legal ability to receive and reciprocate data remains largely voluntary and fragmented (Dodd-Frank 2010). This has major market implications. The Bureau’s 2024 Rules would have required secure API-based data sharing, prohibited screen scraping and ensured reciprocal access for NBLs, yet was withdrawn by the Trump administration (CFPB 2024a). The remaining gap has been widely denounced, with the Financial Technology Association labelling Trump’s decision as a ‘handout to Wall Street banks’, who are trying to limit competition and debank Americans from digital financial services, ensuring NBLs are not able to innovate and compete equally in the market (Vaske 2025). CEO Penny Lee asserted, ‘Americans must have the right to control their financial lives, not the nation’s biggest banks’. She argued that Trump’s withdrawal of these rules undermines consumer mobility by making it harder for individuals to share their financial data with NBLs and access their products compared to banks (CFPB 2024a). Thus, entrenching power with incumbent banks erodes the competitive edge of NBLs despite their structural centrality. This paradox illustrates that without enforceable data access rights under Section 1033, NBLs remain disadvantaged, even in a system where they are nominally included and central to U.S. lending markets.
This regulatory paradox whereby NBLs are statutorily recognized but operationally marginalized exposes a fundamental weakness in the U.S. system. In contrast, Australia’s CDR amendments provide a more coherent model, mandating participation, embedding reciprocity and facilitating API-based interoperability across all designated actors. Whilst the Australian approach presents operational rigidity that may not suit the U.S. market wholesale, it nonetheless demonstrates that enforceable access rights and reciprocal data-sharing obligations are necessary to prevent data sharing and access from becoming reserved for institutions with scale and bargaining power, thereby diminishing market equality.
To restore competitive parity and consumer agency, the U.S. must move beyond nominal inclusion. It requires a legislated, enforceable data-sharing framework that includes NBLs, similar to Australia’s amendment. Australia’s CDR model offers a clearer template, mandating access, standardizing APIs and embedding reciprocity. Currently, the U.S. model provides operational freedom yet fails to guarantee equitable access. Whilst the U.S. should not transplant Australia’s centralized framework wholesale, it must accept its core principles, particularly enforceability and reciprocity, as regulatory pillars necessary to replace its current market-led approach with meaningful inclusion. Thus, establishing a uniform, equal rights-based structure that lowers access barriers and prevents data access from becoming a privilege of scale, dictated by banks. Until then, NBL participants in the U.S. market will remain structurally unequal; recognized in statute but excluded in practice.

4.1.4. Transplantation Implications from Differing Legal and Market Design

Whilst both jurisdictions aim to enhance consumer control through data portability, the regulatory and market conditions under which Australia’s CDR emerged, centralized, legislatively coordinated and concentrated, fundamentally differ from the pluralistic, innovation-led financial ecosystem of the U.S. These structural divergences caution against any full-scale transplantation of the Australian model. However, they also reveal persistent regulatory gaps in the U.S. framework after Trumps withdrawal of the 2024 Rules, particularly regarding enforceable consumer rights and equitable NBL participation. Both issues fundamentally depend on the implementation of structured consent protocols and accreditation mechanisms, which the selective adoption of CDR style mechanisms could help address. NBL inclusion in the U.S. market is not a peripheral concern but a structural necessity for any credible consumer data rights regime.

4.2. Feasibility of Selective CDR Integration

Fundamental principles of enforceable consumer rights and equitable NBL participation in data access are not abstract: they are operationalized through structured consent protocols and accreditation regimes, which now form the focus of the next section. As the preceding comparative analysis has shown, wholesale transplantation of Australia’s CDR into the U.S. is impractical due to foundational differences in legal structures, market design and NBL market participation. However, the core principles underpinning the CDR, enforceability, interoperability and fairness, remain normatively desirable.
Therefore, this next section assesses the feasibility of incorporating these elements, not as a wholesale import but as calibrated regulatory transplants. It focuses on the viability of embedding key safeguards into the U.S. framework, which promote the CDR’s core principles, such as standardized consent protocols that empower consumers and an accreditation regime that supports NBL participation, without reproducing the operational burdens that evidently limit their effectiveness in Australia.

4.2.1. Accreditation and Liability

The structural differences between Australia’s centralized accreditation system under the CDR and the decentralized, market-driven approach currently operating in the U.S. fundamentally determine the feasibility of transplanting Australia’s model into U.S. law. Australia’s tiered accreditation regime, embedded in legislation and administered by the ACCC (CDR 2010; CDRR 2020), contrasts starkly with the existing U.S. landscape, where accreditation lacks statutory support and is primarily driven by discretionary, commercially negotiated agreements (Mobilefirst 2023). Given these differences, a full-scale transplantation of Australia’s accreditation system would be impractical; however, a calibrated, principled adaptation is both feasible and necessary to address significant regulatory gaps in the U.S. model, particularly regarding enforceability, proportionality and equitable market participation for NBLs.
The existing U.S. model, characterized by private agreements between data aggregators like Plaid or Yodlee and banks or other financial institutions, exemplifies a fragmented and discretionary accreditation model (CDR 2010). Whilst the agility of this system enables rapid market entry and innovation, it simultaneously fosters exclusionary practices, inconsistent data standards and inadequate consumer protections. Without enforceable, uniform accreditation standards, the U.S. financial data ecosystem is vulnerable to data misuse, consumer harm and entrenched market inequities, especially disadvantaging smaller and emerging NBLs lacking negotiating leverage. The Bureau’s revoked proposal for a credentialing framework under Section 1033 within the 2024 Rules by the Trump administration underscores this critical regulatory deficiency (CFPB 2024a), leaving consumer protection and market equality largely subordinate to market-driven profitability and commercial interests.
Australia’s CDR regime, despite its operational shortcomings, offers essential guiding principles: enforceability, proportionality, transparency, and structured market inclusion, which could significantly enhance the U.S. approach. Australia’s tiered accreditation framework provides a scalable model of regulatory scrutiny that is proportionate to data sensitivity, operational size, and technical capability. Australia’s Unrestricted Accreditation tier requires rigorous, independent third-party audits and comprehensive compliance documentation, effectively ensuring robust data protections, but it proves overly burdensome for smaller market participants (Commonwealth of Australia 2024). Conversely, the Sponsored Accreditation and Representative Arrangements tiers lower barriers by allowing smaller entities to engage under the oversight or formal responsibility of fully accredited participants, thereby preserving consumer trust while expanding market access (Commonwealth of Australia 2024).
Given the decentralized, highly diverse and innovation-driven U.S. financial market, a proportionate and hybrid approach is necessary rather than adopting Australia’s model wholesale. Such a model would utilize Australia’s principle of tiered accreditation but adapt it into a risk-based structure tailored explicitly for U.S. market dynamics.
Larger data aggregators and financial institutions handling substantial sensitive data would face stringent, enforceable standards, comparable to Australia’s Unrestricted Accreditation tier, supervised directly by the Bureau. Smaller FinTech firms and NBLs, in contrast, would benefit from lighter regulatory burdens under a sponsored or affiliate accreditation category. However, this calibrated approach must embed statutory obligations for transparency and consumer protection to address the weaknesses inherent in purely market-driven arrangements.
A hybrid accreditation model, combining private certification with statutory oversight, is particularly suited to the U.S.’s historically lighter regulatory approach. This mirrors Australia’s allowance for accredited entities to sponsor unaffiliated providers under strict contractual arrangements, enabling layered compliance without undermining security (OAIC 2022). In the U.S. context, this could be adapted to empower established aggregators to assume formal gatekeeping responsibilities under clear statutory duties and direct oversight by the Bureau. Embedding this structure within a legislated Section 1033 framework would address the current lack of enforceability and consistency in accreditation, whilst preserving the agility and dynamism of the innovative U.S. financial landscape. Critically, embedding enforceable, transparent standards would also constrain the discretion currently held by market incumbents, helping to restore competitive parity and ensure open finance reforms extend beyond the interests of dominant firms. Moreover, proactive measures to ensure structural inclusion of NBLs are critical. These risks are already evident in Australia.
Industry submissions by Chartered Accountants Australia and New Zealand, CPA Australia and the Institute of Public Accountants highlight that many smaller FinTech’s and NBLs are unwilling or unable to absorb the time, cost and complexity required to both attain and maintain accreditation (Chartered Accountants Australia and New Zealand et al. 2024). Treasury estimates suggest it costs approximately A$250,000 to complete an application for accreditation, with the ACCC further estimating setup costs between A$50,000 and A$70,000 for compliant data storage (ILLION 2020; FinTech Australia 2020; Select Committee on Financial Technology and Regulatory Technology 2020). An independent strategic review similarly found that mid-tier institutions face disproportionately higher compliance costs per customer, fundamentally undermining the CDR’s intended goals of broad-based inclusion and competition as the regime expands to NBLs (Kelly 2022). A U.S.-specific approach must therefore incorporate tailored regulatory sandboxes, subsidized technical assistance and expedited onboarding pathways specifically designed to support smaller, emerging entities and NBLs, especially given their prominence and abundance in the U.S. market. Such support mechanisms, notably absent in the initial Australian model, would prevent unintentionally strengthening the position of existing dominant incumbents and instead encourage broader competition and participation, aligning regulatory objectives with the realities of the U.S. financial ecosystem.
Ultimately, whilst full transplantation of Australia’s rigorous and uniform accreditation regime under the CDR into the U.S. regulatory frameworks via Section 1033 is neither practical nor desirable, adopting its underlying principles in a calibrated, context-sensitive manner is both feasible and necessary. A hybrid, risk-based accreditation model, anchored in statutory enforceability but allowing proportional, tiered compliance obligations and aggregator-led sponsorship under The Bureau’s oversight, offers a practical path forward toward transparency and structured inclusion. This tailored framework could effectively resolve existing regulatory deficiencies and reduce barriers to entry for NBLs without imposing undue operational burdens that would stifle the very foundations that make the U.S. market so powerful: competition and innovation. Thus, establishing a robust foundation for consumer data rights promotes equitable market access and preserves the competitive dynamism and innovation characteristic of the U.S. financial services landscape.

4.2.2. Consent and Interoperability

The feasibility of transplanting Australia’s consent management framework under the CDR into the U.S. via Section 1033 of the Dodd-Frank Act requires careful comparative analysis. Australia’s legislated consent model is explicitly rights-based, granular, revocable and purpose-specific, mediated through firm-specific accredited dashboards (CDRR 2020; DSB 2019). This contrasts starkly with the U.S. market-led system, which is characterized by broad, discretionary commercial terms of service between consumers and data aggregators. Australia’s framework establishes a high benchmark through its detailed specifications, emphasizing consumer control, data minimization and auditability—features that are integral to protecting consumer data rights and ensuring informed, meaningful consent.
However, despite its strong normative foundation, Australia’s consent architecture has demonstrated substantial operational weaknesses, primarily attributable to its rigidity and fragmentation (Solia and Summers 2021; Skript 2024; Australian Government Treasury 2024a). Firm-specific dashboards mandated by the CDR Rules impose considerable technical and resource burdens, particularly pronounced in multi-party transactional contexts (DSB 2019). Tiimely Pty Ltd’s submission to Treasury’s 2024 Review of the CDR Rules underscores these operational hurdles, noting that maintaining separate dashboards significantly increases administrative overheads, creating disproportionate challenges for smaller firms (Tiimely Pty Ltd. 2024). Similarly, Skript’s submission criticized the existing consent interface for inducing unnecessary friction, confusion and scalability limitations, thus negatively affecting the user experience (Skript 2024). These concerns have been validated by the Treasury’s November 2024 Consultation Outcome Report on Consent and Operational Enhancements, which explicitly states that implementing consent management reforms is necessary to alleviate the existing friction, confusion, and complexity currently experienced by consumers (Treasury 2024b). Reflecting these usability challenges, data from the Australian Banking Association reveals that as of 2023, only 0.31% of customers maintained active data sharing arrangements under the CDR (ABA 2024), underscoring limited consumer engagement and the practical shortcomings of Australia’s consent implementation. However, in Australia, lending is significantly more concentrated among a small number of financial institutions than in the US. If the United States were to adopt the Australian approach, a higher percentage of borrowers may embrace open banking.
In response, the Albanese government has proposed amendments to the CDR Rules aimed explicitly at enhancing operational efficiency, reducing consumer friction and improving scalability (Australian Government Treasury 2024b). Key proposed adjustments include enabling bundled consents across multiple providers, simplifying the dashboard and consent architecture and easing compliance obligations for accredited data holders seeking consumer data (ABA 2024). Although not yet implemented, these reforms mark a regulatory shift towards greater interoperability and reduced friction, implicitly recognizing the necessity of balancing robust consumer protections with practical usability.
In stark contrast, the current U.S. consent model lacks enforceable regulatory standards and relies on opaque, commercially negotiated terms of service that often fail to clearly define the scope and duration of consumer data sharing arrangements. The absence of standardized APIs, real-time dashboards or consent revocation tools further diminishes transparency and consumer agency. The Bureau’s proposed but subsequently revoked 2024 Rules sought to address these deficiencies by introducing structured, time-bound and scope-limited consent frameworks, but their withdrawal has left these protections theoretical and unenforceable (CFPB 2024d). Moreover, the continued practice of screen scraping in the U.S., whereby third parties can use consumer credentials to access data directly from consumer accounts, poses ongoing transparency and security risks to consumer privacy and data rights, a practice Australia effectively eliminated under its CDR regime (Bank Policy Institute 2025).
Given these operational deficiencies in Australia’s current model and the fundamental structural differences, it is once again neither practical nor desirable for the U.S. to fully replicate Australia’s dashboard-driven consent infrastructure. Firm-specific dashboard rigidity imposes substantial operational friction, requiring consumers to navigate, authenticate and manage new interfaces with each data-sharing request, often engaging with multiple dashboards, including both the data holder and recipient, for a single transaction. This fragmented architecture risks undermining user experience and could stifle the innovation and agility that characterize the U.S. fintech and financial services sectors. However, transplanting Australia’s core consent principles, enforceability, revocability, specificity, auditability, and purpose-limited, time-bound consent is both feasible and necessary for enhancing the U.S. regulatory framework.
Practically, this adaptation would entail establishing a centralized, regulator-managed, API-based dashboard system underpinned by enforceable obligations enacted through Section 1033 of the Dodd-Frank Act. This dashboard would offer consumers unified visibility and control across multiple service providers, integrating purpose-specific, time-bound, and revocable consent protections—reminiscent of those in Australia. Robust audit trails, third-party governance mechanisms and embedded opt-out functionalities would further reinforce consumer agency and transparency, enabling users to maintain granular control and visibility over their financial data. Unlike Australia’s burdensome firm-by-firm implementation, a single, interoperable dashboard is more feasible in the U.S. context given the prevalence of contractual data-sharing arrangements between aggregators, financial institutions and FinTech’s. It would, however, also entail privacy and security risks as a single platform would become a target for bad actors. The design, costs, and security of such a system are beyond the scope of this article and are an important area for future research. Leveraging these existing commercial integrations, a Section 1033-compliant, centralized model, privately owned, created, and managed, could retain the normative strengths of Australia’s rights-based approach while mitigating the operational burdens and fragmentation that have limited its scalability.
Embedding these consent obligations directly into enforceable regulation under Section 1033, rather than leaving them subject to commercial discretion, would further reinforce consumer protection and ensure consistent implementation across the diverse U.S. financial market. Eliminating screen scraping in favor of mandated secure API-based data exchanges would significantly enhance transparency and security, aligning U.S. practices with global standards. Nevertheless, there remain issues regarding obtaining genuine informed consent from consumers (see, e.g., Paul 2025; Solove 2013; Barocas and Nissenbaum 2014; Bergemann 2017).
Ultimately, whilst full-scale transplantation of Australia’s dashboard-mediated consent model is impractical within the U.S. context, its underlying principles provide a compelling regulatory foundation. A hybrid approach, adapting Australia’s rights-based consent protections to the operational realities of the U.S. market, represents both a normatively desirable and practically viable solution. This calibrated adaptation can effectively reconcile robust consumer protections with the agility and innovation central to the U.S. financial services ecosystem.

5. Conclusions

Ultimately, whilst Australia’s CDR regime offers a strong regulatory model in theory, its transplantation into the United States via Section 1033 of the Dodd-Frank Act faces structural, cultural and regulatory barriers. Success hinges not only on legal harmonization but on regulatory infrastructure and institutional willingness to support such a shift. This is particularly true for NBLs, whose inclusion is essential to achieving Open Banking’s goals.
The Trump administration’s rollback of the Bureau’s 2024 Rules illustrates the fragility of reform in the absence of legislative entrenchment. Subsequently, the U.S. currently lacks enforceable consumer data rights. However, the centralized nature of Australia’s model, with complex consent processes, burdensome accreditation and high compliance costs, risks limiting widespread NBL participation and failing to accommodate the speed, diversity and innovation of a pluralistic, NBL-driven market in the U.S. Therefore, the U.S. should not fully transplant Australia’s CDR regime but selectively adopt its key protections including tiered accreditation and consent dashboards within a hybrid model. This advances equitable data access and consumer data rights, whilst supporting the growth, transparency and diversity of NBL offerings in its traditionally decentralized, innovation-led system.

Author Contributions

Conceptualization, R.O.; methodology, R.O., C.W.; investigation, R.O.; writing—original draft preparation, R.O.; writing—review and editing, C.W.; visualization, R.O., C.W.; supervision, C.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data was created in this study.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. ABA. 2024. CDR Strategic Review. Sydney: Australian Banking Association. [Google Scholar]
  2. Abubakar, Lastuti, and Tri Handayani. 2022. The Urgency of Open Application Programming Interface Standardization in the Implementation of Open Banking to Customer Data Protection for the Advancement of Indonesian Banking. Padjadjaran Jurnal Ilmu Hukum 9: 67–88. [Google Scholar]
  3. ACCC. 2023. Consumer Data Right Accreditation Checklist. Canberra: Australian Competition and Consumer Commission. [Google Scholar]
  4. Amalia, Camila, Esha Gianne Poetry, Mochamad Kemal Kono, Dadang Arief Kusuma, and Alex Kurniawan. 2022. Legal issues of personal data protection and consumer protection in open api payments. Journal of Central Banking Law and Institutions 1: 323–52. [Google Scholar] [CrossRef]
  5. American Bankers Association. 2023. New York Fed: Fintech Firms Drove Increase in Unsecured Lending. American Bankers Association. Available online: https://bankingjournal.aba.com/2023/11/new-york-fed-fintech-firms-drove-increase-in-unsecured-lending/ (accessed on 1 November 2025).
  6. Antosz, Danielle. 2023. Why Fintech Lenders Are Transforming the Lending Industry [Online]. Plaid. Available online: https://plaid.com/resources/lending/fintech-lenders/ (accessed on 1 November 2025).
  7. Australian Commonwealth Treasury. 2024. Expanding the CDR to Non-Bank Lending and Narrowing the Scope of CDR Data in Banking: Information Sheet. Parkes: Australian Commonwealth Treasury. [Google Scholar]
  8. Australian Finance Industry Association. 2024. Submission to Treasury: CDR Expansion to NBL Sector. Sydney: Australian Finance Industry Association. [Google Scholar]
  9. Australian Government Treasury. 2018. Consumer Data Right: Giving Consumers Greater Control over Their Data. Canberra: Australian Government Treasury. [Google Scholar]
  10. Australian Government Treasury. 2021. Consumer Data Right. Canberra: Australian Government Treasury. [Google Scholar]
  11. Australian Government Treasury. 2024a. Consumer Data Right Rules Expansion Amendments—Version 5 Consultation. Canberra: Australian Government Treasury. [Google Scholar]
  12. Australian Government Treasury. 2024b. Explanatory Memorandum, Exposure Draft, Treasury Laws Amendment (Consumer Data Right Enhancements) Regulations 2024. Canberra: Australian Government Treasury. [Google Scholar]
  13. Australian Government Treasury. 2025. Consumer Data Right Rules—Non-Bank Lenders and Banking Data Scope: Summary of Consultation Outcomes. Canberra: Australian Government Treasury. [Google Scholar]
  14. Bajrektarevic, Anis H., Umi Khaerah Pati, Mellisa Towadi, and Anugrah Muhtarom Pratama. 2022. Costumer Explicit Consent Under Indonesian Open Banking Regulations. Jambura Law Review 4: 176–94. [Google Scholar] [CrossRef]
  15. Bank Policy Institute. 2025. Data Aggregators Issue Summary [Online]. Bank Policy Institute. Available online: https://bpi.com/data-aggregators-issue-summary/ (accessed on 1 November 2025).
  16. Barocas, Solon, and Helen Nissenbaum. 2014. Big data’s end run around procedural privacy protections. Communications of the ACM 57: 31–33. [Google Scholar] [CrossRef]
  17. Bergemann, Benjamin. 2017. The consent paradox: Accounting for the prominent role of consent in data protection. In IFIP International Summer School on Privacy and Identity Management. Cham: Springer International Publishing, pp. 111–31. [Google Scholar]
  18. Bird, Joanna. 2011. Regulating the regulators: Accountability of Australian regulators. Melbourne University Law Review 35: 739–72. [Google Scholar]
  19. Board of Governors of the Federal Reserve System. 2023. Assets and Liabilities of Commercial Banks in the United States—H.8 Release. Washington, DC: Board of Governors of the Federal Reserve System. [Google Scholar]
  20. Booysen, Sandra. 2021. Financial advice and investor protection: A comparative overview. In Financial Advice and Investor Protection. Cheltenham: Edward Elgar Publishing Ltd., pp. 2–18. [Google Scholar] [CrossRef]
  21. Borgogno, Oscar, and Giuseppe Colangelo. 2020. Data, Innovation and Competition in Finance: The Case of the Access to Account Rule. European Business Law Review 31: 573–609. [Google Scholar] [CrossRef]
  22. Breg, Mihaela. 2019. The Hidden Value of Greater Standardization for the EU-Wide FinTech Market. Available online: https://onlinelibrary.wiley.com/doi/10.1002/9781119551973.ch24 (accessed on 1 November 2025).
  23. Brodsky, Laura, and Liz Oakes. 2022. Data Sharing and Open Banking [Online]. McKinsey & Company. Available online: https://www.mckinsey.com/industries/financial-services/our-insights/data-sharing-and-open-banking (accessed on 1 November 2025).
  24. Burdon, Mark, and Tom Mackie. 2020. Australia’s Consumer Data Right and the uncertain role of information privacy law. International Data Privacy Law 10: 222–35. [Google Scholar] [CrossRef]
  25. Cantatore, Francina, and Brenda Marshall. 2021. Safeguarding consumer rights in a technology driven marketplace. Adelaide Law Review 42: 467–501. [Google Scholar]
  26. Casanova, John, Max Savoie, and Tanaan Quek. 2025. The Regulatory Framework for Payment Services in the EU and UK. Cheltenham: Edward Elgar Publishing. [Google Scholar]
  27. CCA. 2010. Competition and Consumer Act 2010 (Cth). Canberra: Australian Government. [Google Scholar]
  28. CDR. 2010. Competition and Consumer Act 2010 (Cth) pt IVD. Canberra: Australian Government. [Google Scholar]
  29. CDRR. 2020. Competition and Consumer (Consumer Data Right) Rules 2020 (Cth). Canberra: Australian Government. [Google Scholar]
  30. CFPB. 2017. Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation. Washington, DC: Consumer Financial Protection Bureau. [Google Scholar]
  31. CFPB. 2020. Consumer Access to Financial Records (Advance Notice of Proposed Rulemaking, Docket No CFPB-2020–0034, 22 October 2020). Washington, DC: Consumer Financial Protection Bureau. [Google Scholar]
  32. CFPB. 2023. Personal Financial Data Rights (Notice of Proposed Rulemaking, 27 October 2023). Washington, DC: Consumer Financial Protection Bureau. [Google Scholar]
  33. CFPB. 2024a. CFPB Finalizes Personal Financial Data Rights Rule to Boost Competition, Protect Privacy and Give Families More Choice in Financial Services. Washington, DC: Consumer Financial Protection Bureau. [Google Scholar]
  34. CFPB. 2024b. Required Rulemaking on Personal Financial Data Rights [Online]. Consumer Financial Protection Bureau. Available online: https://www.consumerfinance.gov/personal-financial-data-rights/ (accessed on 1 November 2025).
  35. CFPB. 2024c. Required Rulemaking on Personal Financial Data Rights. Federal Register 89: 82532. [Google Scholar]
  36. CFPB. 2024d. Required Rulemaking on Personal Financial Data Rights. Industry Standard Setting. Available online: https://www.consumerfinance.gov/personal-financial-data-rights/ (accessed on 1 November 2025).
  37. Chandrashekeran, Sangeetha, and Svenja Keele. 2024. Making markets from the data of everyday life. Environment and Planning A 56: 288–310. [Google Scholar] [CrossRef]
  38. Chartered Accountants Australia and New Zealand, CPA Australia, and Institute of Public Accountants. 2024. Joint Submission to Treasury: Expanding the Consumer Data Right to Non-Bank Lending and Narrowing the Scope of CDR Data in Banking. Canberra: Chartered Accountants Australia and New Zealand. Southbank: CPA Australia. Melbourne: Institute of Public Accountants. [Google Scholar]
  39. CMA. 2017. The Retail Banking Market Investigation Order 2017. London: UK Competition and Markets Authority. [Google Scholar]
  40. Colangelo, Giuseppe. 2024. Open Banking goes to Washington: Lessons from the EU on regulatory-driven data sharing regimes. Computer Law and Security Review 54: 106018. [Google Scholar] [CrossRef]
  41. Colangelo, Giuseppe, and Oscar Borgogno. 2024. Shaping Interoperability for the Internet of Things: The Case for Ecosystem-Tailored Standardisation. European Journal of Risk Regulation 15: 137–52. [Google Scholar] [CrossRef]
  42. Commonwealth of Australia. 2024. Consumer Data Right Accreditation Guidelines (Version 5, 8 August 2024). Canberra: Australian Government. [Google Scholar]
  43. Commonwealth of Australia. 2025. Compliance Guide for Data Holders in the Banking and Non-Bank Lender Sectors (Guide) [2.2.1]. Canberra: Australian Government. [Google Scholar]
  44. Connolly, Joanna. 2021. The right to erasure: Comparative perspectives on an emerging privacy right. Alternative Law Journal 46: 58–63. [Google Scholar] [CrossRef]
  45. Cotterrell, Roger. 2001. Is there a logic of Legal Transplants? Adapting Legal Cultures 71: 82. [Google Scholar]
  46. Crosman, Penny. 2020. What Happens If Mastercard and Visa Gobble Up All the Data Aggregators? New York: American Banker. [Google Scholar]
  47. Dahdal, Andrew Mazen, and Bruno Zeller. 2021. Open Banking and Open Data: Global Context, Innovation, and Consumer Protection. Banking Law Journal 138: 385–412. [Google Scholar]
  48. Didenko, Anton, Natalia Jevglevskaja, and Ross P. Buckley. 2024. Customer Data Sharing Frameworks: Twelve Lessons for the World. Abingdon: Routledge. [Google Scholar]
  49. Directive-2015/2366. 2015. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on Payment Services in the Internal Market [2015] OJ L 337/35 (‘PSD2’). Available online: https://eur-lex.europa.eu/eli/dir/2015/2366/oj/eng (accessed on 24 February 2026).
  50. Dodd-Frank. 2010. Dodd-Frank Wall Street Reform and Consumer Protection Act. Washington, DC: United States Government. [Google Scholar]
  51. DPA. 2018. Data Protection Act 2018 (UK). Available online: https://www.legislation.gov.uk/ukpga/2018/12/contents (accessed on 24 February 2026).
  52. DSB. 2019. Consumer Data Right: CX Guidelines v1.0.0. Data Standards Body. Available online: https://dsb.gov.au/sites/consumerdatastandards.gov.au/files/uploads/2019/09/CX-Guidelines-v1.0.0.pdf (accessed on 24 February 2026).
  53. EU. 2018. European Union (Withdrawal) Act 2018 (UK). Available online: https://www.legislation.gov.uk/ukpga/2018/16/contents (accessed on 24 February 2026).
  54. Ewald, William. 1995. Comparative jurisprudence (II): The logic of legal transplants. The American Journal of Comparative Law 43: 489–510. [Google Scholar] [CrossRef]
  55. Farrell, Scott. 2022. A Systemic Perspective for U.S. Open Banking: Ensuring Participation, Access, and Stability. Florida Journal of International Law 34: 1. [Google Scholar]
  56. Federal Reserve Bank of St Louis. 2024. Bank Concentration for United States (DDOI01USA156NWDB) [Online]. Federal Reserve Bank of St Louis. Available online: https://fred.stlouisfed.org/series/DDOI01USA156NWDB (accessed on 1 November 2025).
  57. Financial Stability Oversight Council. 2024. Report on Nonbank Mortgage Servicing. Washington, DC: US Department of the Treasury. [Google Scholar]
  58. Finicity. 2017. Finicity and Wells Fargo Ink Data Exchange Deal [Online]. Finicity. Available online: https://www.finicity.com/in-the-news/finicity-wells-fargo-ink-data-exchange-deal/ (accessed on 1 November 2025).
  59. FinTech Australia. 2020. Submission to the ACCC: CDR Participation of Third Party Service Providers. Sydney: FinTech Australia. [Google Scholar]
  60. FinTech Australia. 2024. Submission to Treasury: Consumer Data Right Rules—Non-Bank Lending and Banking Data Scope. Sydney: FinTech Australia. [Google Scholar]
  61. Forbes Advisor Australia. 2024. Big Four Banks Explained—Forbes Advisor Australia [Online]. Forbes Advisor Australia. Available online: https://www.forbes.com/advisor/au/banking/big-four-banks/ (accessed on 1 November 2025).
  62. Freeman, Edward H. 2005. Data Protection and the Commerce Clause. Information Security Journal: A Global Perspective 13: 5–9. [Google Scholar] [CrossRef]
  63. Gauci, Rachel. 2019. Is Europe a Good Example of Open Banking? Hoboken: Wiley. [Google Scholar]
  64. GDPR. 2018. UK General Data Protection Regulation. Available online: https://www.legislation.gov.uk/eur/2016/679/conte (accessed on 1 November 2025).
  65. GLBA. 1999. Gramm–Leach–Bliley Act. 6802. Available online: https://www.sec.gov/about/laws/glba.pdf (accessed on 1 November 2025).
  66. Grainger-Marsh, J. 2024. CFPB Section 1033 Open Banking Rule—A Guide for Banks [Online]. Fiskil. Available online: https://blog.fiskil.com/cfpb-section-open-banking-rule-guide-for-banks (accessed on 1 November 2025).
  67. Graziadei, Michele. 2006. Comparative law as the study of transplants and receptions. The Oxford Handbook of Comparative Law 442: 442–61. [Google Scholar]
  68. Grimm, John. 2024. CFPB Open Banking Personal Financial Data Rule: What You Need to Know [Online]. Thales Group. Available online: https://cpl.thalesgroup.com/blog/access-management/cfpb-open-banking-personal-financial-data-rule (accessed on 1 November 2025).
  69. Gross, Jason. 2022. Open Banking Can Become a Reality in 2022. Bloomberg Law, January 13. [Google Scholar]
  70. Hermawan, Sapto, Zenia Aziz Khoirunisa, and Kukuh Tejomurti. 2023. Triangular Insight on Open Banking in Indonesia, Singapore, and Australia. International Journal of Legal Information 51: 197–215. [Google Scholar] [CrossRef]
  71. Hogan, Kelly. 2023. Navigating the Potential Regulatory Landscape Under Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act for Fintechs. Newark: Seton Hall University School of Law. [Google Scholar]
  72. ICA. 2010. Australian Information Commissioner Act 2010 (Cth). Canberra: Australian Government. [Google Scholar]
  73. ILLION. 2020. Submission to the ACCC Consultation of the CDR Rules Expansion Amendments. Sydney: ILLION. [Google Scholar]
  74. Iman, Nofi, Sahid Susilo Nugroho, Eddy Junarsin, and Rizky Yusviento Pelawi. 2023. Is technology truly improving the customer experience? Analysing the intention to use open banking in Indonesia. International Journal of Bank Marketing 41: 1521–49. [Google Scholar] [CrossRef]
  75. Jevglevskaja, Natalia, and Ross Buckley. 2022a. Australia’s Consumer Data-Sharing Regime: A World-Leading Reform. University of New South Wales Law Journal. [Google Scholar]
  76. Jevglevskaja, Natalia, and Ross Buckley. 2022b. The consumer data right: How to realise this world-leading reform. University of New South Wales Law Journal 45: 1589–622. [Google Scholar] [CrossRef]
  77. Jiang, Huiqin, Casey Watters, and Charlie Xiao-Chuan Weng. 2022. Regulating Weighted Voting Rights in Asia: Pragmatism or a Race to Bottom? Hong Kong LJ 52: 207. [Google Scholar]
  78. Keegan, Cobun, and Calli Schroeder. 2019. Unpacking Unfairness: The FTC’s Evolving Measures of Privacy Harms. Journal of Law, Economics, and Policy 15: 19. [Google Scholar]
  79. Kelly, Elizabeth. 2022. Statutory Review of the Consumer Data Right. Canberra: Australian Government Treasury. [Google Scholar]
  80. KPMG. 2024. Australian Fintech Landscape 2024 [Online]. KPMG Australia. Available online: https://kpmg.com/au/en/home/insights/2024/12/australian-fintech-landscape.html (accessed on 1 November 2025).
  81. Levitin, Adam J. 2012. The consumer financial protection bureau: An introduction. Review of Banking & Financial Law 32: 321. [Google Scholar]
  82. Lin, Xiangyu, Sarah Zhang, and Markos Zachariadis. 2025. Open data and API adoption of U.S. banks. Journal of Financial Intermediation 63: 101162. [Google Scholar] [CrossRef]
  83. Lux, Marshall, and Olivia Zhao. 2025. Open Banking: Lessons, Challenges, and Opportunities. Washington, DC: Georgetown University’s Psaros Center for Financial Markets and Policy. [Google Scholar]
  84. Maj, Anna. 2019. How open banking and payment touchpoints will save banks. In The PayTech Book: The Payment Technology Handbook for Investors, Entrepreneurs and FinTech Visionaries. Hoboken: Wiley. [Google Scholar]
  85. Manyika, James, Michael Chui, Peter Groves, Diana Farrell, Steve Van Kuiken, and Elizabeth Almasi Doshi. 2013. Open data: Unlocking innovation and performance with liquid information. McKinsey Global Institute 21: 116. [Google Scholar]
  86. Marciniak, Stanley A., III. 2021. Too Big to Protect: A Dodd-Frank Framework for Protecting 21st Century American Consumer Privacy Rights. Duquesne Law Review 59: 329–33. [Google Scholar]
  87. Marsh, Stuart. 2022. Commonwealth Bank Launches Digital Home Loan with 10-Minute Application [Online]. 9 News. Available online: https://www.9news.com.au/national/commonwealth-bank-launches-10-minute-digital-home-loan/8d446d73-3e9d-4b06-91d6-83ff00525c68 (accessed on 1 November 2025).
  88. Meese, James, Punit Jagasia, and James Arvanitakis. 2019. Citizen or consumer? Contrasting Australia and Europe’s data protection policies. Internet Policy Review 8: 1–16. [Google Scholar] [CrossRef]
  89. Mobilefirst, Ubaid. 2023. Plaid vs. Yodlee: A Deep Dive into the Leading Banking APIs for FinTech [Online]. Medium. Available online: https://medium.com/@ubaid.mobilefirst/plaid-vs-yodlee-a-deep-dive-into-the-leading-banking-apis-for-fintech-9ce5cf9c5a11 (accessed on 1 November 2025).
  90. Mordor Intelligence. 2024. United States Fintech Market—Growth, Trends, COVID—19 Impact, and Forecasts (2024–2029) [Online]. Mordor Intelligence. Available online: https://www.mordorintelligence.com/industry-reports/us-fintech-market (accessed on 1 November 2025).
  91. Myers, Andreas. 2022. Banks Are “Open” for Business: Recommended Revisions to Section 1033 of the Dodd-Frank Act. North Carolina Journal of Law and Technology 24: 70–81. [Google Scholar]
  92. Nicholls, Rob. 2022. Reform in Australia: A Focus on Informed Consent. Global Privacy Law Review 3: 177–89. [Google Scholar] [CrossRef]
  93. OAIC. 2022. Sponsored Accreditation Model: Privacy Obligations of an Affiliate [Online]. Office of the Australian Information Commissioner. Available online: https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/privacy-obligations/sponsored-accreditation-model-privacy-obligations-of-an-affiliate (accessed on 1 November 2025).
  94. OAIC. 2024a. Consumer Data Right Data [Online]. Office of the Australian Information Commissioner. Available online: https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation,-regulation-and-definitions/consumer-data-right-data (accessed on 1 November 2025).
  95. OAIC. 2024b. Consumer Data Right Participants [Online]. Office of the Australian Information Commissioner. Available online: https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation%2C-regulation-and-definitions/consumer-data-right-participants (accessed on 1 November 2025).
  96. PA. 1988. Privacy Act 1988 (Cth). Available online: https://www.legislation.gov.au/C2004A03712/latest/text (accessed on 1 November 2025).
  97. Park, Grace. 2019. The changing wind of data privacy law: A comparative study of the European Union’s General Data Protection Regulation and the 2018 California Consumer Privacy Act. UC Irvine Law Review 10: 1455. [Google Scholar]
  98. Pati, Umi Khaerah, and Anugrah Muhtarom Pratama. 2025. Indonesia’s Open Banking Future: Designing Effective Regulatory Approaches. Jambe Law Journal 8: 27–60. [Google Scholar] [CrossRef]
  99. Paul, Naimy. 2025. Smokescreens of digital markets—Choice manipulation and the illusion of consent. Journal of European Competition Law & Practice 16: 208–22. [Google Scholar] [CrossRef]
  100. Pearson, Gail. 2015. Innovations in Financial Services Regulation for Consumer Protection. IJCLP 3: 70. [Google Scholar]
  101. Schauer, Frederick. 2000. The Politics and Incentives of Legal Transplantation. Cambridge: Harvard University. [Google Scholar]
  102. Select Committee on Financial Technology and Regulatory Technology. 2020. Interim Report. Canberra: Australian Senate. [Google Scholar]
  103. Shacheendran, V., Alan Lukose, Josiah John, Dawn Joseph, and Jeena Joseph. 2025. The Rise of Open Banking: A Comprehensive Analysis of Research Trends and Collaborative Networks. International Journal of Economics and Financial Issues 15: 295–307. [Google Scholar]
  104. Shanahan, R. 2025. RE: Interview with Rory O’Callaghan. Brisbane: Personal Interview, June 11. [Google Scholar]
  105. Shift. 2024. Submission to Treasury: CDR Expansion to Non-Bank Lenders. Shift. Available online: https://treasury.gov.au/sites/default/files/2025-03/c2024-598346-shift-financial.pdf (accessed on 1 November 2025).
  106. Skript. 2024. Submission to the Australian Government Treasury, Review of the Consumer Data Right Rules. Skript. Available online: https://treasury.gov.au/sites/default/files/2024-11/c2024-600257-skript.pdf (accessed on 1 November 2025).
  107. Solia, Bruno, and Sarah Summers. 2021. Consumer Data Right: Key Items for Consultation [Online]. MinterEllison. Available online: https://www.minterellison.com/articles/consumer-data-right-key-items-for-consultation (accessed on 1 November 2025).
  108. Solove, Daniel J. 2013. Introduction: Privacy self-management and the consent dilemma. Harvard Law Review 126: 1880–903. [Google Scholar]
  109. Sugarda, Paripurna P., and Muhammad Rifky Wicaksono. 2023. Enhancing the competitiveness of indonesia’s financial services sector in the digital era through open banking: Lessons learned from the uk’s experience. Journal of Central Banking Law and Institutions 2: 153–78. [Google Scholar] [CrossRef]
  110. Sullivan, Clare. 2022. The New Australian Consumer Data Right: An Exemplary Model for Open Banking? CFPB Asks Court to Vacate Section 1033 Data Sharing Rule. WIREs Forensic Science 4: e1458. [Google Scholar] [CrossRef]
  111. Teubner, Gunther. 1998. Legal irritants: Good faith in British law or how unifying law ends up in new divergencies. The Modern Law Review 61: 11–32. [Google Scholar] [CrossRef]
  112. Tiimely Pty Ltd. 2024. Submission to the Australian Government Treasury, Review of the Consumer Data Right Rules. Adelaide: Tiimely Pty Ltd. [Google Scholar]
  113. TLA. 2019. Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth). Available online: https://www.legislation.gov.au/C2019A00063/asmade/text (accessed on 1 November 2025).
  114. Torun, Melike, and Onur Duygu. 2020. Globalization 4.0 and banking sector. In Current Issues in Finance, Economy and Politics (Peter Lang 2020). Edited by Cagatay. Available online: https://www.researchgate.net/profile/Melike-Torun-2/publication/361987010_Globalization_40_and_Banking_Sector/links/62d011fbf819dc50eaaf7a87/Globalization-40-and-Banking-Sector.pdf (accessed on 1 November 2025).
  115. Treasury. 2021. Inquiry into Future Directions for the Consumer Data Right. Parkes: Australian Government Treasury. [Google Scholar]
  116. Treasury. 2024a. Expanding the Consumer Data Right to Non-Bank Lending: Design Paper. Canberra: Australian Government Treasury. [Google Scholar]
  117. Treasury. 2024b. Summary of Consultation Outcomes—Consent and Operational Enhancements. Canberra: Australian Government Treasury. [Google Scholar]
  118. Vaske, Ronald K. 2025. CFPB Will “Kill” Section 1033 Open Banking Rule. Available online: https://www.consumerfinancemonitor.com/2025/05/28/cfpb-will-kill-section-1033-open-banking-rule/ (accessed on 1 November 2025).
  119. Xero. 2024. Submission to Treasury: Consumer Data Right—Non-Bank Lending Sector. Wellington: Xero. [Google Scholar]
  120. Yallen, Jordan. 2019. Untangling the Privacy Law Web: Why the California Consumer Privacy Act Furthers the Need for Federal Preemptive Legislation. Loyola. LA Law Rev. 53: 787. [Google Scholar]
  121. Yang, Qinshun, Michał K. Lemański, and Casey Watters. 2025. The Impact of Climate Change on the Insurance Industry: Perceptions of Industry Experts and Corporate Responses. Journal of Risk and Financial Management 18: 516. [Google Scholar] [CrossRef]
  122. Ziegler, Tania. 2021. Implementation of Open Banking Protocols Around the World. Cham: Springer International Publishing. [Google Scholar]
1
Although The Bureau finalized a proposed rule in 2024 to operationalize s 1033, the Trump administration has since moved to withdraw it. This reversal reinforces the broader regulatory fragility and underscores the persisting absence of enforceable consumer data rights in the U.S.
Laws 15 00016 g001
Figure 1. Publications by Jurisdiction.
Figure 1. Publications by Jurisdiction.
Laws 15 00016 g001
Laws 15 00016 g002
Figure 2. CDR Existing Data Sharing Process (OAIC 2024a).
Figure 2. CDR Existing Data Sharing Process (OAIC 2024a).
Laws 15 00016 g002
Table 1. Scopus Publications on Open Banking and API Usage by Discipline.
Table 1. Scopus Publications on Open Banking and API Usage by Discipline.
DisciplineTotalArticles
Social Sciences9(Pati and Pratama 2025; Casanova et al. 2025; Colangelo and Borgogno 2024; Sugarda and Wicaksono 2023; Hermawan et al. 2023; Amalia et al. 2022; Abubakar and Handayani 2022; Bajrektarevic et al. 2022; Borgogno and Colangelo 2020)
Economics, Econometrics and Finance9(Lin et al. 2025; Shacheendran et al. 2025; Sugarda and Wicaksono 2023; Amalia et al. 2022; Ziegler 2021; Torun and Duygu 2020; Gauci 2019; Maj 2019; Breg 2019)
Business, Management and Accounting6(Iman et al. 2023; Ziegler 2021; Torun and Duygu 2020; Gauci 2019; Maj 2019; Breg 2019)
Table 2. Australia and US Focused Searches.
Table 2. Australia and US Focused Searches.
Search TermsTotalArticles
“Consumer Data Right” OR “Financial Data Right” AND Australia11(Pati and Pratama 2025; Didenko et al. 2024; Chandrashekeran and Keele 2024; Nicholls 2022; Jevglevskaja and Buckley 2022b; Dahdal and Zeller 2021; Connolly 2021; Cantatore and Marshall 2021; Burdon and Mackie 2020; Gauci 2019; Meese et al. 2019)
“Financial Data Right” OR “Consumer Data Right” OR 1033 AND “Dodd-Frank” AND US OR “United States”1(Colangelo 2024)
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

O’Callaghan, R.; Watters, C. Transplanting Australia’s Consumer Data Right: A Viable U.S. Open Banking Model? Laws 2026, 15, 16. https://doi.org/10.3390/laws15020016

AMA Style

O’Callaghan R, Watters C. Transplanting Australia’s Consumer Data Right: A Viable U.S. Open Banking Model? Laws. 2026; 15(2):16. https://doi.org/10.3390/laws15020016

Chicago/Turabian Style

O’Callaghan, Rory, and Casey Watters. 2026. "Transplanting Australia’s Consumer Data Right: A Viable U.S. Open Banking Model?" Laws 15, no. 2: 16. https://doi.org/10.3390/laws15020016

APA Style

O’Callaghan, R., & Watters, C. (2026). Transplanting Australia’s Consumer Data Right: A Viable U.S. Open Banking Model? Laws, 15(2), 16. https://doi.org/10.3390/laws15020016

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop