Updated @November 9, 2023
These guidelines provide examples for how to implement the authorisation flow in relation to joint accounts.
On this page
Overview
According to rule 1.7, a joint account is a joint account with a data holder for which there are 2 or more joint account holders, each of which is an individual who:
(i) so far as the data holder is aware, is acting in their own capacity and not on behalf of another person; and
(ii) is eligible in relation to the data holder; but does not include a partnership account with a data holder.
Division 4.2A sets out the three disclosure options (pre-approval option, co-approval option and non-disclosure option), with the default option being the pre-approval option.
The guidelines in this section provide examples of how to implement requirements for the authorisation flow for disclosing data from joint accounts.
For further guidance, see ACCC's Revised joint account implementation guidance.
The Consent Model
Wireframes and guidelines
Note: The wireframes shown are examples of how to implement key rules, standards, and guidelines. Use the on-screen functions to adjust zoom level or expand the wireframes to be viewed at full screen.
Default example (pre-approval option)
The following wireframes show a basic example of the authorisation flow where account holder A (AH-A) authorises to share data from a joint account with pre-approval disclosure option. Variations can be found in the below sections.
Note: Other requirements related to authorisation apply to this flow. Check the latest CDR Rules, CX Standards and Guidelines on authorisation for guidance.
‣
| Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
01 | CDR Rule | MAY | (1) Disclosure of joint account data may be authorised only as permitted by the disclosure option that applies to the joint account. This may be any of the following:
(a) the pre-approval option, under which joint account data may be disclosed in response to a valid consumer data request on the authorisation of the requester without the approval of the relevant account holders | CDR Rule 4A.5(1)(a) | 3AU2.01.01 | |
02 | CDR Rule | MUST | (2) The data holder must provide for the pre-approval and non-disclosure options to be available for a joint account. | CDR Rule 4A.5(2) | 3AU2.01.02 | |
03 | CDR Rule | MUST | (4) For the purposes of rule 4A.12, where the pre-approval option applies to a joint account and the requester authorises the disclosure of joint account data in response to a valid consumer data request:
(a) each relevant account holder is taken to have approved the disclosure; | CDR Rule 4A.5(4)(a) | 3AU2.01.03 | |
04 | CDR Rule | MUST | (5) Unless a sector Schedule provides otherwise, the pre-approval option applies to a joint account by default. | CDR Rule 4A.5(5) | 3AU2.01.04 | |
05 | CDR Rule | MAY | The disclosure option that applies to a joint account may be changed in accordance with rule 4A.7 or 4A.8. | CDR Rule 4A.5(6) | 3AU2.01.05 | |
06 | CDR Rule | MUST | (1) For each joint account to which this Part applies, the data holder must provide a service to each joint account holder that allows the joint account holder to:
(a) change the disclosure option that applies to the account in accordance with rule 4A.7; and
(b) propose a change in the disclosure option to the other joint account holders in accordance with rule 4A.8; | CDR Rule 4A.6(1)(a), (b) | 3AU2.01.06 | |
07 | CDR Rule | MUST | (1) For this rule, an approval notification is a notice given by the data holder:
(a) to a relevant account holder, to inform them that the requester has given, amended or withdrawn an authorisation, or that the authorisation has expired;
in accordance with the data standards. | CDR Rule 4A.14(1)(a) | 3AU2.01.07 | |
08 | CDR Rule | MUST | (2) The data holder must make the appropriate approval notification to a joint account holder in relation to an event mentioned in subrule (1):
(a) as soon as practicable after the event occurs, unless the joint account holder has selected an alternative schedule of notifications; and
(b) through its ordinary means of contacting the joint account holders. | CDR Rule 4A.14(2) | 3AU2.01.08 | |
09 | CDR Rule | MUST | ordinary means of contacting an account holder by a data holder means:
(a) if the data holder has agreed with the account holder on a particular means of contacting the account holder for the purposes of the relevant provision—that means; and
(b) otherwise—the default means by which the data holder contacts the account holder in relation to the account. | CDR Rule 1.7(1) | 3AU2.01.09 | |
10 | CX Standard | MUST | Data holders MUST alert a joint account holder where an action they are about to perform may result in the other joint account holder(s) being notified.
This standard applies to the authorisation flow, consumer dashboards, and the disclosure option management service where notifications to the other joint account holder(s) may be triggered.
The precise wording of this notification is at the discretion of the data holder. | 3AU2.01.10 | ||
11 | CX Standard | MAY | For the content of the approval notification, data holders MAY provide the consumer with instructions for how any relevant authorisation(s) or approval(s) can be reviewed. | 3AU2.01.11 | ||
12 | CX Standard | MAY | Data holders MAY provide a mechanism or entry point for a notification schedule to be amended from or in relation to the notification itself.
This MAY, for example, allow a consumer to stop receiving the type of notification(s) from the notification itself.
The notification MAY also, for example, include a link to amend the notification schedule or instructions to direct the consumer to the appropriate place. | 3AU2.01.12 | ||
13 | CX Standard | MAY | In relation to the joint account alert standards in this section, data holders MAY provide further information about any services or processes in place for supporting vulnerable consumers or reporting risks of physical, psychological, or financial harm or abuse to the data holder. | 3AU2.01.13 | ||
14 | CX Guideline | MAY | Community consultation suggested that identifying the specific account holder may raise privacy concerns in some instances. Data holders may identify the specific account holder in relation to the relevant rules requirement, but may also deem it necessary to omit these details in certain scenarios in accordance with CDR Rule 4A.15. | 3AU2.01.14 | ||
15 | CX Guideline | MAY | Data holders should refer to disclosure options using plain language. A description of the disclosure option should be provided where possible.
These artefacts use 'single consent' to represent pre-approval disclosure option, 'joint consent' to represent co-approval disclosure option, and 'stop all sharing from this account' or 'data sharing disabled' to represent a non-disclosure option. | 3AU2.01.15 | ||
16 | CX Guideline | MAY | Data holders should provide instructions for how a disclosure option can be changed. | 3AU2.01.16 | ||
17 | CX Guideline | MAY | Email is shown as an example notification only. Data holders must use ordinary means of contacting the relevant account holder(s) as outlined in CDR Rules 4A.14(2)and 1.7(1).
A data holder may agree with the account holder on a “particular means of contacting the account holder for the purposes of the relevant provision”.
Data holders are required to provide an online disclosure option management service, and may negotiate to provide joint account notifications online in line with this provision even where the consumer otherwise receives notifications via non-digital channels. | 3AU2.01.17 | ||
18 | CX Guideline | MAY | Data holders should include information about data sharing with the CDR. | 3AU2.01.18 | ||
19 | CX Guideline | MAY | Data holders should provide information about the ADR to relevant account holders. This should include the ADR's name, accreditation number and a link to the their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes. | CX Research: 2020 Phase 3, Round 3 report | 3AU2.01.19 | |
20 | CX Guideline | MAY | Where an alternative notification schedule is provided as per CDR Rule 4A.14(3), this notification may be omitted at the consumer's request. | 3AU2.01.20 | ||
21 | CX Guideline | MAY | Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | 3AU2.01.21 |
‣
Note: The prototype shown only reflects joint account related interactions. To see the complete prototype, view the default flow in Authorisation to disclose
Authorisation flow for vulnerable requesters
The following wireframes show an example of the authorisation flow where rule 4A.15 is leveraged to allow account holder A (AH-A), a vulnerable requester, to share their joint account data as if it were an individual account.
The standards and guidelines outlined below represent one possibility for supporting vulnerable consumers. This may apply, for example, where the Data Holder recognises that notifying the other joint account holder(s) of joint account sharing may put a vulnerable requester at risk.
This approach may not be appropriate for other scenarios concerning vulnerability. Data Holders should assess the appropriateness of this optional implementation pattern based on their existing protocols for dealing with vulnerability.
‣
| Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
01 | CDR Rule | MUST | A data holder is not liable under these rules for a failure to comply with this Part if it considered that the relevant act or omission was necessary in order to prevent physical, psychological or financial harm or abuse to any person. | CDR Rule 4A.15 | 3AU2.02.01 | |
02 | CX Standard | MUST | Where rule 4A.15 is leveraged to allow a vulnerable requester to share their joint account data as if it were an individual account, the data holder MUST alert the requester, in the context of the authorisation flow, that the other joint account holder(s) will not be notified.
This alert SHOULD be applied where appropriate for joint account management in general, including the consumer dashboard and the Disclosure Option Management Service (DOMS). | 3AU2.02.02 | ||
03 | CX Standard | MAY | In relation to the joint account alert standards in this section, data holders MAY provide further information about any services or processes in place for supporting vulnerable consumers or reporting risks of physical, psychological, or financial harm or abuse to the data holder. | 3AU2.02.03 | ||
04 | CX Guideline | MAY | Data holders may choose to leverage CDR Rule 4A.15 by allowing a vulnerable joint account holder to share joint account data as if it were from an individual account.
This may mean that the other account holder(s) are not alerted to the sharing of that data, and are not provided with an equivalent dashboard as per CDR Rule 4A.13.
The CX research and community consultation suggested that such an approach would support vulnerable consumers in accessing and benefitting from the CDR. | 3AU2.02.04 | ||
05 | CX Guideline | MAY | Data holders should outline that sharing arrangements made by the vulnerable requester will not be visible to the other relevant account holder(s) on their consumer dashboard(s). | 3AU2.02.05 | ||
06 | CX Guideline | MAY | Community consultation suggested that identifying the specific account holder may raise privacy concerns in some instances. Data holders may identify the specific account holder in relation to the relevant rules requirement, but may also deem it necessary to omit these details in certain scenarios in accordance with CDR Rule 4A.15. | 3AU2.02.06 | ||
07 | CX Guideline | MAY | Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | 3AU2.02.07 |
Authorisation flow with co-approval joint accounts
The following wireframes show an example where account holder A (AH-A) authorises to share data from a joint account with co-approval disclosure option, requiring account holder B (AH-B) to respond to this request before data from the joint account can be accessed.
‣
| Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area |
|---|---|---|---|---|---|---|
01 | CDR Rule | MAY | (1) Disclosure of joint account data may be authorised only as permitted by the disclosure option that applies to the joint account. This may be any of the following:
(b) the co-approval option, under which joint account data may be disclosed in response to a valid consumer data request only after:
(i) the requester has authorised the disclosure; and
(ii) each of the relevant joint account holders has approved the disclosure; | CDR Rule 4A.5(1)(b) | 3AU2.03.01 | |
02 | CDR Rule | MAY | (3) The data holder may provide for the co-approval option to be available for a joint account. | CDR Rule 4A.5(3) | 3AU2.03.02 | |
03 | CDR Rule | MAY | (6) The disclosure option that applies to a joint account may be changed in accordance with rule 4A.7 or 4A.8. | CDR Rule 4A.5(6) | 3AU2.03.03 | |
04 | CDR Rule | MUST | (1) For each joint account to which this Part applies, the data holder must provide a service to each joint account holder that allows the joint account holder to:
(a) change the disclosure option that applies to the account in accordance with rule 4A.7; and
(b) propose a change in the disclosure option to the other joint account holders in accordance with rule 4A.8; | CDR Rule 4A.6(1)(a), (b) | 3AU2.03.04 | |
05 | CDR Rule | MUST | (4) If the co-approval option applies to the joint account, the data holder must, subject to subrule (5):
(a) ask the requester for authorisation in accordance with rule 4.5 and Division 4.4; | CDR Rule 4A.10(4)(a) | 3AU2.03.05 | |
06 | CDR Rule | MUST | (4) If the co-approval option applies to the joint account, the data holder must, subject to subrule (5):
(b) if the authorisation is given, invite the approval of the relevant account holders in accordance with rule 4A.11 | CDR Rule 4A.10(4)(b) | 3AU2.03.06 | |
07 | CDR Rule | MUST | (4) If the co-approval option applies to the joint account, the data holder must, subject to subrule (5):
(c) if all the relevant account holders give their approval, or are taken to have given their approval, comply with rules 4.6 to 4.7. | CDR Rule 4A.10(4)(c) | 3AU2.03.07 | |
08 | CDR Rule | MUST | For the purposes of paragraph 4A.10(4)(b), the data holder must, through its ordinary means of contacting each relevant account holder:
(a) indicate that an accredited person has requested disclosure of CDR data that relates to the joint account on behalf of the requester; | CDR Rule 4A.11(a) | 3AU2.03.08 | |
09 | CDR Rule | MUST | For the purposes of paragraph 4A.10(4)(b), the data holder must, through its ordinary means of contacting each relevant account holder:
(b) indicate that:
(i) the requester has authorised, under Division 4.4, the disclosure of the joint account data; and | CDR Rule 4A.11(b)(i) | 3AU2.03.09 | |
10 | CDR Rule | MUST | For the purposes of paragraph 4A.10(4)(b), the data holder must, through its ordinary means of contacting each relevant account holder:
(b) indicate that:
(ii) a co-approval option applies to the joint account; | CDR Rule 4A.11(b)(ii) | 3AU2.03.10 | |
11 | CDR Rule | MUST | For the purposes of paragraph 4A.10(4)(b), the data holder must, through its ordinary means of contacting each relevant account holder:
(c) indicate the matters referred to in paragraphs 4.23(1)(a), (b), (c), (d) and (e) so far as they relate to the request; | CDR Rule 4A.11(c) | 3AU2.03.11 | |
12 | CDR Rule | MUST | For the purposes of paragraph 4A.10(4)(b), the data holder must, through its ordinary means of contacting each relevant account holder:
(d) ask the relevant account holder to approve or not approve disclosure of the joint account data; | CDR Rule 4A.11(d) | 3AU2.03.12 | |
13 | CDR Rule | MUST | For the purposes of paragraph 4A.10(4)(b), the data holder must, through its ordinary means of contacting each relevant account holder:
(e) specify the time by which the data holder needs to receive any approval, and inform them that if an approval is not received by that time, the joint account data will not be disclosed; | CDR Rule 4A.11(e) | 3AU2.03.13 | |
14 | CDR Rule | MUST | For the purposes of paragraph 4A.10(4)(b), the data holder must, through its ordinary means of contacting each relevant account holder:
(f) inform them that any relevant account holder may, at any time, withdraw the approval using their consumer dashboard
(g) indicate what the effect of removing the approval would be. | CDR Rule 4A.11(f), (g) | 3AU2.03.14 | |
15 | CDR Rule | MUST | (1) For this rule, an approval notification is a notice given by the data holder:
(a) to a relevant account holder, to inform them that the requester has given, amended or withdrawn an authorisation, or that the authorisation has expired;
in accordance with the data standards. | CDR Rule 4A.14(1)(a) | 3AU2.03.15 | |
16 | CDR Rule | MUST | (2) The data holder must make the appropriate approval notification to a joint account holder in relation to an event mentioned in subrule (1):
(a) as soon as practicable after the event occurs, unless the joint account holder has selected an alternative schedule of notifications; and
(b) through its ordinary means of contacting the joint account holders. | CDR Rule 4A.14(2) | 3AU2.03.16 | |
17 | CDR Rule | MUST | ordinary means of contacting an account holder by a data holder means:
(a) if the data holder has agreed with the account holder on a particular means of contacting the account holder for the purposes of the relevant provision—that means; and
(b) otherwise—the default means by which the data holder contacts the account holder in relation to the account. | CDR Rule 1.7(1) | 3AU2.03.17 | |
18 | CDR Rule | MUST | Obligation for data holder to provide relevant account holders with consumer dashboard
(1) Where:
(a) this Division applies in relation to a consumer data request; and
(b) either the co-approval option or the pre-approval option applies, or has applied, to the joint account;
the data holder must provide each relevant account holder with an online service that:
(c) contains the details referred to in paragraph 1.15(1)(b) that relate to the joint account data; and
(d) has a functionality that:
(i) can be used by the relevant account holder to manage approvals in relation to each authorisation to disclose joint account data made by a requester; and
(ii) allows for withdrawal, at any time, of such an approval; and
(iii) is simple and straightforward to use; and
(iv) is prominently displayed; and
(v) as part of the withdrawal process, displays a message relating to the consequences of the withdrawal in accordance with the data standards. | CDR Rule 4A.13 | 3AU2.03.18 | |
19 | CX Standard | MUST | Data holders MUST alert a joint account holder where an action they are about to perform may result in the other joint account holder(s) being notified.
This standard applies to the authorisation flow, consumer dashboards, and the disclosure option management service where notifications to the other joint account holder(s) may be triggered.
The precise wording of this notification is at the discretion of the data holder. | 3AU2.03.19 | ||
20 | CX Standard | MUST | Where an account requires further actions or approvals before data can be disclosed, data holders MUST indicate this to the user visually and MUST provide an explanation of what is required or expected.
This MAY, for example, be achieved with a visual icon to indicate that the account is ‘pending’. This indication MUST be accompanied by an in-context explanation to describe what the status means. This explanation SHOULD include any required actions and any specified time frames. | 3AU2.03.20 | ||
21 | CX Standard | MAY | In relation to the joint account alert standards in this section, data holders MAY provide further information about any services or processes in place for supporting vulnerable consumers or reporting risks of physical, psychological, or financial harm or abuse to the data holder. | 3AU2.03.21 | ||
22 | CX Standard | MAY | For the content of the approval notification, data holders MAY provide the consumer with instructions for how any relevant authorisation(s) or approval(s) can be reviewed. | 3AU2.03.22 | ||
23 | CX Guideline | MAY | CDR Rules allow, but do not require data holders to provide a co-approval disclosure option. Data holders may want to consider offering co-approval to align with consumer expectations, as identified in CX research and concerns raised by the community. | CX Research: 2019 Phase 2, Stream 1 report; 2020 Phase 3, Round 1 and 2 report; 2020 Phase 3, Round 3 report; 2020 Phase 3, Round 6 report; Joint accounts & the Consumer Data Right (Consumer Policy Research Centre) | Submissions: Design Paper: an ‘opt-out’ data sharing model for joint accounts in the banking and energy sectors #176; Consumer Data Right rules amendments (version 3), Exposure Draft | 3AU2.03.23 | |
24 | CX Guideline | MAY | Data holders should refer to disclosure options using plain language. A description of the disclosure option should be provided where possible.
These artefacts use 'single consent' to represent pre-approval disclosure option, 'joint consent' to represent co-approval disclosure option, and 'stop all sharing from this account' or 'data sharing disabled' to represent a non-disclosure option. | 3AU2.03.24 | ||
25 | CX Guideline | MAY | Community consultation suggested that identifying the specific account holder may raise privacy concerns in some instances. Data holders may identify the specific account holder in relation to the relevant rules requirement, but may also deem it necessary to omit these details in certain scenarios in accordance with CDR Rule 4A.15. | 3AU2.03.25 | ||
26 | CX Guideline | MAY | Data holders should provide instructions for how a disclosure option can be changed. | 3AU2.03.26 | ||
27 | CX Guideline | MAY | A push notification is shown as an example notification only. Data holders must use ordinary means of contacting the relevant account holder(s) as outlined in CDR Rules 4A.11(a) and 1.7(1).
A data holder may agree with the account holder on a “particular means of contacting the account holder for the purposes of the relevant provision”.
Data holders are required to provide an online disclosure option management service, and may negotiate to provide joint account notifications online in line with this provision even where the consumer otherwise receives notifications via non-digital channels. | 3AU2.03.27 | ||
28 | CX Guideline | MAY | The invitation to approve data sharing (CDR Rule 4A.10(4)(b)) and the approval notification (CDR Rule 4A.14(1)(a)) can be provided in the same notification. This notification can also relate to more than 1 joint account.
Where an alternative notification schedule is provided as per CDR Rule 4A.14(3), the approval notification may be omitted at the consumer's request. | 3AU2.03.28 | ||
29 | CX Guideline | MAY | Data holders should include information about data sharing with the CDR. | 3AU2.03.29 | ||
30 | CX Guideline | MAY | Data holders should provide more information about the ADR to relevant account holders. Doing so can help remove a key barrier to co-approval data sharing requests.
In addition to the ADR's name, data holders should also include the ADR's accreditation number and a link to their specific page on www.cdr.gov.au/find-a-provider for accreditation verification purposes. | CX Research: 2020 Phase 3, Round 3 report | 3AU2.03.30 | |
31 | CX Guideline | MAY | Data holders should provide a pathway for relevant account holders to find out how their data will be handled by the data recipient. | 3AU2.03.31 | ||
32 | CX Guideline | MAY | Where there are multiple joint accounts, data holders should provide a way for the relevant account holder(s) to select which joint accounts they approve for data sharing. | 3AU2.03.32 | ||
33 | CX Guideline | MAY | Data holders should inform the requester when approval has been given by the relevant account holder(s). | 3AU2.03.33 | ||
34 | CX Guideline | MAY | Data holders can refer to accounts using recognised nicknames, icons, account numbers, and account type. They can also include information on other elements the account may refer to such as any related plans, services, properties, numbers, and products. | 3AU2.03.34 |
Download open source asset
Open sources design assets are created in Figma for the purposes of assisting implementation. This Figma file contains annotated wireframes and working prototypes for Authorisation to disclose joint account data, including:
- Default flow
- Authorisation flow for vulnerable requester
- Authorisation flow with co-approval joint accounts
Download design asset
| Item | File | Date released | Version introduced |
|---|---|---|---|
March 17, 2022 | 1.16.0 |
For past versions, refer to .Change log
‣
Open sources design assets are provided in the form of version-controlled Figma files. These assets contain the annotated wireframe and working prototype published on this page, and have been reviewed for accessibility compliance. Assets are partially conformant to Web Content Accessibility Guidelines (WCAG) 2.1 level AA. These assets do not tend to accessible code and instead focus on visual presentation and readability.
The assets use the GOLD Design System; component rationale, accessibility support, and code documentation is available in the GOLD Design System website.
For more details, see .Open Source Assets
References
These CX Guidelines were informed by consultations and research conducted in 2019 to 2021, including the following:
- Consultations
- ACCC 2020, Draft v2 Rules consultation (see concept 7.1 Joint accounts)
- Treasury 2021, Draft v3 Rules consultation
- DSB 2021, Noting Paper 157 - CX Standards Arising from v2 Rules
- DSB 2021, Noting Paper 207 - Draft v3 Rules Analysis | Anticipated Data Standards
- DSB 2021, Decision Proposal 162 - CX Standards | Joint Accounts (see concept Authorisation flow)
- DSB 2021, CX Workshop: Joint Accounts
- DSB 2021, Design Paper 176: an ‘opt-out’ data sharing model for joint accounts in the banking and energy sectors
- CX research
- GippsTech 2019, Phase 2, Stream 1 report
- DSB 2020, Phase 3, Round 1 and 2 report
- DSB 2020, Phase 3, Round 3 report
- DSB 2020, Phase 3, Round 6 report
- Other
- Nielsen Norman Group 2019, 10 Usability Heuristics for User Interface Design (Visibility of system status)
- CPRC 2020, Joint accounts & the Consumer Data Right
- ACCC 2021, CDR Support Portal: Revised joint account implementation guidance
Quick links to CX Guidelines:
The Consumer Data Standards Program is part of Treasury. Copyright © Commonwealth of Australia 2023.
The information provided on this website is licensed for re-distribution and re-use in accordance with Creative Commons Attribution 4.0 International (CC-BY 4.0) Licence.