This Policy outlines how we collect, hold, use and disclose data that you consent to share with us under the Consumer Data Right (CDR), and provides information about the type of data, how you can request changes or deletion of your data, the events that will trigger the process to delete your data, and how you may make a complaint if you are dissatisfied with how your data has been handled.
The CDR has been designed to give consumers a secure way to control which businesses have access to their data, including financial information. A key aim of the CDR is to improve the way in which consumers can compare and switch between products and services.
Only entities accredited by the Australian Competition and Consumer Commission (ACCC) can offer services (including sharing and receiving data) under the CDR.
NextGen.Net Pty Ltd (NextGen) is Australia’s leading provider of lending and finance technology, and is an Accredited Data Recipient (ADR) (Accreditation Number: ADRBNK2013) under the CDR.
The ACCC is the lead regulator of the CDR, and is responsible for implementing the CDR ecosystem, accrediting entities, and enforcing the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules). Strong privacy protections have also been built into the CDR and are enforced by the Office of the Australian Information Commissioner (OAIC) and the ACCC.
Scope
NextGen provides lending application services, and with your consent, may access your personal banking data (hereafter referred to as CDR data) securely via the CDR to assist us in providing those services. This Policy sets out how NextGen will manage your CDR data.
This Policy is distinct from our Privacy Policy. Please refer to it for information about how we manage your personal information.
Collection of personal banking data
NextGen adopts a data minimisation approach and only collects CDR data that is necessary to provide its lending application services, such as the NextGen ‘Financial Passport’ that provides a view of your financial position.
There are no fees for accessing your CDR data and NextGen does not accept consumer requests to access any additional data such as voluntary product or consumer data that a bank may have but is not obligated to supply under the CDR Rules.
All CDR data collected, with a person’s consent, is used in providing NextGen lending application services via an Application Programming Interface (API) and web applications. In this context, CDR data which NextGen will access for the duration of the consent comprises:
- Consumer and account information;
- Bank balances;
- Transactions made to and from the bank account nominated; and
- Contact details
A consent dashboard is provided for the management of your consents, which includes a receipt of the consent, its scope and duration, and a summary of the CDR data received. You can revoke your consent at any time from the consent dashboard.
Classes of CDR data
The following classes of data are held by NextGen and used to provide lending application services through its API and web applications:
Account balance and details:
- Name of account
- Type of account
- Account balance
- Account number
- Interest rates
- Fees
- Discounts
- Account terms
- Account email address
Transaction details:
- Incoming and outgoing transactions
- Amounts
- Dates
- Descriptions of transactions
- Who you have sent money to and received money from (e.g. Account name, BSB, Account number)
Name, occupation, and contact details:
- Name
- Occupation
- Phone
- Email address
- Mail address
- Residential address
We will always tell you if we need a particular type of information to deliver services to you.
Purposes of CDR data
NextGen may collect, hold, use or disclose your CDR data with your consent to provide insights on your finances via a detailed Financial Passport that may be used when applying for loans.
CDR data is held and stored on your behalf in secure systems, located in Australia. We do not share this information with anyone else without your consent.
Disclosure
To provide a positive consumer experience and ensure consumer control over their CDR data, NextGen does not provide information to third parties to engage in direct marketing.
NextGen employs stringent, up-to-date information security practices and does not disclose or use your CDR data for commercial purposes or any purpose other than the purpose for which you provided consent.
Trusted advisers
As a consumer, you may nominate certain people as your ‘trusted adviser’ and provide consent for NextGen to disclose CDR data to that adviser.
Trusted advisers are persons that belong to a number of defined classes listed in Rule 1.10C(2) of the CDR Rules, such as mortgage brokers (as defined in the National Consumer Credit Protection Act 2009), practising solicitors, qualified accountants, financial advisers, and registered tax agents.
Outsourced service providers
An Outsourced service provider is a separate business with which we have a CDR outsourcing arrangement to assist us in providing services to consumers under the CDR.
It is our policy to only use outsourced service providers based in Australia who have entered into a written agreement with us that meets the requirements set out in the CDR Rules.
As at the date of this Policy, we use the following outsourced service provider:
Frollo
Frollo Australia Pty Ltd (Frollo) is Australia’s leading provider of Open Banking technology and an ADR (Accreditation Number: ADRBNK000002) under the CDR. NextGen is Frollo’s parent company.
Frollo helps us collect CDR data from data holders and manage CDR consents. In providing these services, Frollo will, with your permission, collect your account information, transaction details and contact details on behalf of NextGen, and assist with surfacing insights on your finances, including producing your Financial Passport.
Frollo deletes your CDR data after it has provided the services to us and does not disclose or use consumers’ CDR data for commercial purposes or any purpose other than the purpose for which the consent was provided.
Learn more about how they do this in their Frollo CDR Policy: https://frollo.com.au/cdr-policy
Accessing and correcting your CDR data
You may request access and/or correction of your CDR data held by us by sending a request via email to: [email protected].
In the case of a correction request, sufficient details must be provided in order to assess the issue and make corrections. We will acknowledge receipt of your correction request as soon as practicable. Within 10 business days after receipt of the correction request, notice will be given over email that states what we did in response to the request, including any corrective action or comments, and your ability to make a complaint if you are not satisfied with our response. Where any of the source data is inaccurate, out-of-date or incomplete, we may need to refer you to the data holder to have the source data corrected. We can then collect the correct CDR data if we have your consent. If you are an individual, you also have the right to access and correct personal information we hold about you. Please refer to our Privacy Policy for more information.
How to contact us
For any queries that you may have relating to CDR (other than in relation to a complaint), please contact us via email: [email protected].
Once we have received your email, we will respond as soon as practicable.
How to make a complaint
Complaints about the way we handle your CDR data
If you have a complaint about how your CDR data is being handled by us, please contact us first by submitting your complaint via email: [email protected].
Please include the following information when submitting your complaint.
- Your name;
- Your contact details;
- Your preferred contact method (phone, email or letter);
- The details of your complaint; and
- Whether any additional assistance is required with lodging your complaint.
A CDR complaint can be made at any time. Once your complaint is received, NextGen will follow its internal dispute resolution policy and procedure.
NextGen will acknowledge receipt of the complaint within two (2) business days of being received.
NextGen will investigate your complaint and attempt to resolve the complaint within five (5) business days of receipt of your complaint.
If we can’t fix things within five (5) business days, we will respond to you to keep you informed of the progress of your complaint.
Unless the complaint remains outstanding, you will receive a ‘final response’ letter within 30 calendar days of receipt of your complaint, informing you of:
- The final outcome of your complaint or dispute;
- Your right to take your complaint or dispute to an external dispute resolution scheme (such as the Australian Financial Complaints Authority – AFCA); and
- Contact details for AFCA, should you wish to lodge a complaint with it.
If your complaint is not resolved within 30 calendar days, NextGen will write to you to inform you of:
- The reasons for the delay;
- The extra time that is needed to complete the investigation and provide a written response;
- Your right to take your complaint or dispute to an external dispute resolution scheme; and
- The contact details for AFCA should you wish to lodge a complaint with them.
How to contact AFCA
NextGen is a member of the Australian Financial Complaints Authority (AFCA). Member number: 79967. You may contact AFCA as follows:
Online: www.afca.org.au
Email: [email protected]
Phone: 1800 931 678
Mail: GPO Box 3, Melbourne VIC 3001
Complaints about the way we handle your Personal Information
If you have a complaint about how your personal information has been handled by us, please contact us first by submitting your complaint via email: [email protected].
Further information about this process can be found in our Privacy Policy.
If your complaint regarding how we have handled your personal information is not resolved by us to your satisfaction within 30 days, you may complain to the OAIC.
How to contact OAIC
You may contact the Office of the Australian Information Commissioner (OAIC) as follows:
Online: www.oaic.gov.au
Email: [email protected]
Phone: 1300 363 992
Mail: GPO Box 5288, Sydney NSW 2001
Options for Redress
Where you are dissatisfied with our service and have raised a complaint with us, we will work constructively with you to understand your complaint and explore what options for redress may be available. Possible remedies will depend on the particular circumstances, and may include:
- Providing you with an explanation of the circumstances giving rise to the complaint;
- Providing you with an apology;
- Correcting incorrect or out-of-date data held in relation to you by NextGen;
- Deleting data held in relation to you by NextGen; and
- Providing you with further assistance and support.
Notifications
We will notify you when you:
- Consent to the collection, use and/or disclosure of your CDR data;
- Amend or withdraw a consent; and
- Request a correction of your CDR data.
We will also notify you every 90 days to let you know that a consent is still current, and will notify you when your consent expires.
Further, we will notify you when we:
- Disclose your CDR data to any accredited persons;
- Disclose your CDR data to any non-accredited entities, with your consent and in accordance with the CDR Rules;
- Access your CDR data – Your consent dashboard will be updated so that you can see when your CDR data was last accessed in your linked account.
Finally, in the event that an eligible data breach under the Notifiable Data Breach Scheme occurs in respect of your CDR data, we will notify you about this promptly so that you can take appropriate action.
Withdrawing consent
You may withdraw your consent at any time through the consent dashboard within your Frollo account, or by sending a request via email to: [email protected].
When you withdraw your consent and stop sharing your CDR data with NextGen, we will stop collecting CDR data from your bank accounts. We will also delete any of your CDR data that has not been used as part of a lending application.
Without this CDR data, we will be limited in our ability to provide further services to you.
Further, NextGen will stop disclosing your CDR data to your trusted adviser when you withdraw consent. Your trusted adviser may keep a record of CDR data already disclosed up to that date, but they will no longer have access to an up-to-date view of your finances. This includes having up-to-date access to your Financial Passport.
Consequence of withdrawing consent
Transaction Details
If you stop sharing these details we will no longer be able to identify how much money you have spent.
Direct Debits and Scheduled Payments
If you stop sharing these details we will no longer be able to identify the amount of regular payments you make.
Contact Details
If you stop sharing these details we will no longer be able to identify your name, occupation, phone, email, mail and residential address.
Circumstances when we will delete your CDR data
Unless we are required by law to retain your CDR data, we will delete all CDR data collected and held in accordance with your consent, within one (1) business day of the following events:
- You withdraw your consent;
- Your consent for access to your CDR data expires;
- You request your bank to stop sharing your CDR data, before the consent expires;
- You delete your Frollo account;
- Your bank notifies us that you cease to be their customer; or
- Your CDR data becomes redundant.
When any of the above events occur, we will also ensure that Frollo deletes from its systems all CDR data collected in accordance with your consent.
NextGen will delete your CDR data using a scheduled daily process. The process irretrievably destroys all CDR data for the accounts for which consent was provided.
Data held in backup systems (which we and Frollo maintain for business continuity and risk management purposes) cannot practically be deleted, but is put beyond use. This means your data contained in backup systems is not accessible to anyone without invoking business continuity procedures, which may occur during a significant disaster or cyber security event.