All Posts

Consumer Data Right

What “Covered Products” Really Mean for Non-Bank Lenders Under CDR

A compliance guide for non-bank lenders.

Contents

  1. Introduction: Why “covered product” causes confusion
  2. The regulatory frame for non-bank lenders
  3. The three-factor test for covered products
  4. Mandatory vs voluntary data sharing
  5. Asset finance and other commonly misunderstood products
  6. Trial products and temporary exemptions
  7. Initial vs large provider obligations
  8. Making in-scope products available via CDR
  9. Practical compliance checklist
  10. Common misconceptions clarified
  11. Maintaining a living covered product register

1. Introduction: Why “covered product” has everyone confused

CDR’s expansion into the non-bank lending sector has triggered one of the most common and persistent questions from lenders, product teams and compliance leaders:

What exactly counts as a “covered product”?

It sounds straightforward. It isn’t.

The confusion stems from three issues:

  1. “Covered product” is a term of art under the CDR Rules, not a colloquial industry description.
  2. Being a covered product does not automatically mean you must share data for that product. Some categories are mandatory; others are voluntary.
  3. A product can be commercially familiar but still fall outside scope because it fails one of the criteria in the Rules or because it’s offered in a non-standard way.

The ACCC’s latest guidance recognises this confusion and lays out how data holders in both banking and non-bank lending must assess whether a product is in scope. It centres on a clear three-factor test, supported by concrete examples across personal lending, business finance, asset finance, negotiated facilities, BNPL and more.

This guide breaks that guidance into a practical, compliance-ready workflow.

If you are a credit, legal, or product owner wondering:

  • “Do we need to expose this product via CDR APIs?”
  • “Is this product mandatory or voluntary?”
  • “Does negotiation take it out of scope?”
  • “Do our fleet, novated lease or commercial equipment products count?”

Important note: ACCC guidance reflects current regulatory expectations but does not replace the legal effect of the CDR Rules or the Act.

2. The regulatory frame in one page

2.1 Where “covered product” sits in the CDR stack

For banking and non-bank lending, product scope is defined in:

  • Competition and Consumer (Consumer Data Right) Rules 2020
    • Specifically Schedule 3, which sets out:
      • the list of product types,
      • the definition of “covered product”, and
      • which data classes are required for sharing.
  • Sector designations
    • These determine which entities and products are captured.
    • For non-bank lenders: Consumer Data Right (Non-Bank Lenders) Designation 2022.
  • ACCC guidance
    • The ACCC’s Assessing whether a banking or non-bank lending product is in scope for CDR guidance is the clearest operational interpretation for data holders.
  • ACCC fact sheets for non-bank lenders (May 2025)
    • These clarify what obligations apply, when they start, and which entities qualify as data holders.

Within this structure, “covered product” is the gatekeeper concept that determines whether required product and consumer data exists for a product at all.

  • If a product is not a “covered product”, the data holder has no CDR obligation for that product.
  • If it is a covered product, you must then determine whether the category is mandatory or voluntary.

Only after these steps do you progress to questions like:

  • “Do we hold required consumer data?”
  • “Are we an initial or large provider?”
  • “When do our obligations commence?”

2.2 The definitions that matter

To avoid talking past each other, here are the definitions that matter for compliance assessments.

Covered product
A product listed in Schedule 3, clause 1.4 and publicly offered and offered under a standard form contract.
If it fails any of the three elements, it is not a covered product.

Required product data
Non-consumer-specific information about the features, pricing, terms, eligibility and conditions of covered products. If a covered product falls into a mandatory category, required product data must be shared.

Required consumer data
Consumer-specific data for a covered product (e.g. balances, transactions, fees, repayments), provided the data holder actually holds that data for that product type.

Voluntary product and consumer data
Some covered products are designated as voluntary only under the Rules.
Meaning: even if a valid CDR request is made, the data holder is not required to disclose product or consumer data for that category.

Initial and large providers
A relevant non-bank lender only becomes a data holder with obligations when it meets the thresholds for initial or large provider status. This sits outside the covered product test but determines whether the entity must share data at all.

3. The three-factor test: Is this a covered product at all?

The ACCC is explicit: a banking or non-bank lending product is a covered product only if it meets all three criteria.

This is the precise mechanism that narrows the scope from “every lending product we offer” to “those products for which we must enable CDR data”.

3.1 Factor 1: Is the product listed in Schedule 3, clause 1.4?

The product must fall within one of the recognised product categories for the banking and non-bank lending sectors. Examples include:

  • Personal credit or charge card accounts
  • Business credit or charge card accounts
  • Residential home loans
  • Investment property loans
  • Mortgage offset accounts
  • Personal loans
  • Business finance
  • Lines of credit (personal and business)
  • Overdrafts (personal and business)
  • Asset finance (including standard vehicle finance and leases)
  • Consumer leases
  • Reverse mortgages
  • Buy Now Pay Later (BNPL)

If the product is not a type listed in clause 1.4, it is not a covered product. No further assessment is required.

Being listed does not automatically impose mandatory obligations. It simply means the product enters the “covered product” assessment.

3.2 Factor 2: Is the product publicly offered?

The CDR Rules do not define when a product is considered “publicly offered”. However, the ACCC generally considers this criterion should be interpreted broadly.

A product is publicly offered if it:

  • is available to consumers generally (even if eligibility criteria apply),
  • is listed on a website or provided through normal distribution channels,
  • is marketed to the public or to a defined customer segment, or
  • can be applied for through standard sales channels.

Important clarifications from the guidance:

  • A product may be publicly offered even if only certain customers qualify.
  • Business-only products can still be publicly offered.
  • Products offered to SMEs through a relationship manager may still be publicly offered if they are broadly available and follow standard processes.

A product is usually not publicly offered if:

  • it is available only to invited customers,
  • it is bespoke and only provided through one-to-one negotiation with corporate or institutional clients,
  • it is a confidential facility not marketed to the public.

The ACCC guidance stresses that most banking and non-bank lending products available to consumers will satisfy this test.

3.3 Factor 3: Is the product offered under a standard form contract?

This is the factor that generates the most debate across credit, legal and product teams.

Under the ACCC’s approach, a product is offered under a “standard form contract” where:

  • the lender uses largely uniform terms,
  • the customer has little to no ability to negotiate key terms, and
  • any negotiation that does occur is minimal or insubstantial.

The ACCC points to section 27 of the Australian Consumer Law as the appropriate benchmark for interpreting this.

Negotiation does not automatically remove a product from scope

Minor negotiation on interest rates, credit limits, fees or standard options does not stop the contract being a standard form contract.

A product is likely not standard form if:

  • the terms are heavily negotiated,
  • the contract is unique to each customer or materially customised,
  • it is a bespoke facility for a corporate or institutional borrower,
  • the lender tailors the structure, security package or facility composition to the customer’s commercial situation.

In other words: where negotiation extends beyond pricing and into core contractual rights and obligations, even if templates are reused.

3.4 A simple compliance decision path

Apply the factors in order:

  1. Does it fit into a clause 1.4 product category?
  2. Is it publicly offered?
  3. Is it offered under standard form contract terms?

If yes to all three: the product is a covered product.
If no to any factor: the product is not a covered product and CDR does not apply.

Only once a product is confirmed as a covered product should teams move on to determining:

  • whether the product is mandatory or voluntary,
  • whether the entity is an initial or large provider,
  • whether the lender actually holds required product or consumer data, and
  • whether the product is a trial product.

4. Once a product is covered: mandatory vs voluntary sharing

Determining that a product is a covered product is only the first compliance step. The next question is whether sharing for that product is:

  • Mandatory: you must disclose required product and consumer data, or
  • Voluntary: you may disclose the data, but you are not obliged to.

This distinction matters because several product categories in the banking and non-bank lending sectors are covered products but always voluntary.

4.1 Which covered products are voluntary only?

Under Schedule 3 and the ACCC’s guidance, these categories are covered but voluntary for both product data and consumer data:

  • Foreign currency accounts
  • Consumer leases
  • Reverse mortgages
  • Margin loans
  • Asset finance that is non-standard vehicle finance, including:
    • novated leases
    • fleet finance
    • other bespoke vehicle financing structures

If a valid CDR request is made for these products, the data holder may respond but is not required to.

This is intentional. Treasury carved out these categories because they either:

  • have complex structures,
  • are not suited to standardisation across lenders,
  • are used by specialised customer segments, or
  • do not align with the policy goal of enabling frictionless consumer switching.

4.2 Asset finance: the category that causes the most confusion

“Asset finance” is listed as a covered product category in clause 1.4, but not all asset finance is equal under CDR.

1) Only some asset finance is mandatory

Mandatory obligations apply only to:

  • standard loans for typical on-road vehicles
  • simple, standardised consumer products (e.g., a common car loan)

Treasury’s policy intent is that CDR supports simple like-for-like switching for vehicle finance — not the entire asset finance ecosystem.

2) Most other asset finance is covered but voluntary

Examples include:

  • Agricultural equipment finance (e.g., tractors, harvesters)
    • Covered, but voluntary
  • Commercial truck finance
    • Covered, but voluntary (particularly when primarily commercial in nature)
  • Inventory / floorplan finance
    • May not be covered at all if individually negotiated; if part of a standard SME offer, possibly covered but voluntary
  • Novated leases
    • Covered but voluntary because they involve a multi-party payroll-linked structure and are considered non-standard vehicle finance
  • Fleet finance
    • Covered but voluntary, given bespoke structuring and multiple parties involved

3) Negotiated facilities generally remain out of scope

Where the asset finance product:

  • involves significant negotiation,
  • is tailored to a business’s operations, or
  • includes custom security arrangements,

it typically fails the standard form contract test and therefore is not a covered product at all.

This is particularly relevant for:

  • high-value commercial equipment finance,
  • structured asset facilities,
  • wholesale asset programs.

4.3 A compliance matrix teams can use internally

Maintain a register categorising each product as:

Product Type Covered? Mandatory or voluntary Rationale
Consumer car loan Yes Mandatory Listed category + publicly offered + standard form
SME unsecured loan Yes Mandatory Business finance + standard terms + broad offer
Novated lease Yes Voluntary Non-standard vehicle finance
Agricultural finance Yes Voluntary Asset finance but not standard on-road vehicle finance
Invoice finance facility Sometimes Often out of scope May not be publicly offered; often heavily negotiated
Structured investment loan No N/A Not publicly offered and not standard form
Warehouse / wholesale facility No N/A Bespoke and negotiated

This record becomes part of the organisation’s defensible compliance position and is essential for audit readiness.

5. Trial products: when obligations are deliberately switched off

The CDR Rules include a deliberate carve-out for trial products, recognising that some lenders need to test a product in market before being required to expose that product through CDR APIs.

A covered product is a trial product if it meets all of the following criteria:

  1. It is supplied to 1,000 customers or fewer for the purposes of the trial.
  2. It is offered with the description “pilot” or “trial”.
  3. It includes an explicit statement that:
    • the trial period is 6 months or less, and
    • the product may be terminated early, in which case CDR data may not be available.

If a product meets these criteria, CDR obligations do not apply to it while the trial is underway.

This means:

  • No requirement to provide product data.
  • No requirement to provide consumer data.
  • No need to update the public CDR product reference data.
  • No need to expose the product via discovery APIs.

5.1 When does a trial product become in scope?

A trial product becomes an in-scope covered product the moment:

  • it is offered beyond 6 months, or
  • it is supplied to more than 1,000 customers, or
  • the lender chooses to convert it to a generally available product.

Once this occurs:

  • All mandatory obligations apply from the relevant commencement date for that data holder.
  • The data holder must retrospectively be able to respond to CDR requests for data generated during the trial period.

5.2 Why trial products matter from a CDR engineering perspective

Trial products mean:

  • You must design product and data systems so a product can transition from out of scope to in scope without re-architecting your CDR platform.
  • You need a mechanism to identify products in trial and track customer volumes against the 1,000-customer threshold.
  • You must preserve consistent data schemas during the trial to support retrospective sharing once mandatory obligations apply.

This is one of the reasons why robust API infrastructure like Fiskil’s Data Provider is beneficial — it makes the flip from voluntary to mandatory operationally consistent.

6. Products usually out of scope: bespoke and highly negotiated facilities

The ACCC guidance clarifies categories that are typically out of scope altogether, even if they look like lending products at first glance.

These products fail the test for one or more of:

  • publicly offered, or
  • standard form contract.

6.1 Common examples of products usually out of scope

1) Bespoke commercial and institutional lending facilities

These often fail both factor 2 (publicly offered) and factor 3 (standard form contract).

Examples:

  • Multi-million dollar commercial property facilities
  • Structured investment loans
  • Corporate acquisition finance
  • Bespoke bilateral credit lines
  • Individually negotiated asset or equipment finance programs

These products are not marketed broadly, involve material negotiation, and are built around a customer-specific credit profile.

2) Multi-option facilities (e.g., corporate MOCAs)

Even if individual sub-products under a multi-option facility resemble standard products (e.g., overdrafts or lines of credit), the umbrella facility:

  • is highly negotiated,
  • is tailored to a single customer, and
  • cannot be considered a standard form contract.

Therefore, the facility as a whole is not a covered product.

3) White-label products where the underlying arrangement is bespoke

If a financial institution manufactures a facility exclusively for a partner brand, and that facility is:

  • not publicly advertised,
  • not generally available to consumers, or
  • materially negotiated between the parties,

then the underlying product may fall out of scope even if consumers use it.

4) Highly negotiated invoice finance and receivables facilities

Some invoice finance is standardised and broadly marketed (covered products), while others are tailored, negotiated, relationship-only products (out of scope).

This underscores the need for product-by-product assessment, not a blanket category rule.

6.2 Why documentation matters

Because many product categories sit in a grey zone — particularly in business and asset finance — lenders must:

  • maintain documented reasoning for why each product is categorised as “covered”, “not covered”, “voluntary”, or “mandatory”,
  • reference the specific factor(s) that fail the test,
  • ensure evidence is available for audits,
  • repeat assessments when products are redesigned, repriced, or made available to new customer segments.

Your covered product register is a living compliance artefact, not a one-time classification exercise.

7. Linking product scope to your status as an initial or large provider

Understanding whether a product is a covered product is one side of the compliance equation. The other is whether your organisation is actually a data holder with obligations.

For non-bank lenders, obligations apply only to entities that meet the definition of:

  • Initial provider, or
  • Large provider

as defined in the CDR Rules and the May 2025 non-bank lender fact sheet.

A lender may offer a covered product, but if it is not an initial or large provider, it has no mandatory obligations to share data for that product.

7.1 Initial providers

A relevant non-bank lender is an initial provider if it met the following criteria on 4 March 2025:

  • It held more than $10 billion in combined resident loans and resident finance leases for the most recent APRA-reporting month before that date, and
  • It averaged more than $10 billion across the prior 12 months.

If a lender did not meet these criteria on that date, it will never become an initial provider.

7.2 Large providers

A relevant non-bank lender becomes a large provider if, on 4 March 2025 or any 1 July thereafter:

  • it is not an initial provider,
  • it has more than 1,000 customers, and
  • it has more than $1 billion in resident loans and finance leases (both monthly and 12-month average thresholds).

Once a lender becomes a large provider, it remains one permanently unless it ceases to be a relevant non-bank lender.

7.3 When a provider holds no required data

An entity may meet the criteria to be an initial or large provider yet:

  • hold no required consumer data, or
  • hold no required product data

for the products it offers.

In these cases, although the entity is an initial or large provider, it is not expected to meet data sharing obligations until it actually holds in-scope data.

This often applies to entities offering:

  • margin lending products,
  • bespoke commercial credit products only, or
  • product types that fall exclusively within voluntary categories.

7.4 Voluntary participation

Even if not required, a relevant non-bank lender may choose to participate voluntarily. Once it does, it must comply with all applicable CDR Rules and Standards.

8. Making in-scope products accessible to eligible consumers

Once a lender has:

  1. identified a covered product, and
  2. determined it is mandatory to share product and consumer data, and
  3. confirmed it is an initial or large provider, and
  4. confirmed it holds the required data,

it must make the product accessible to eligible CDR consumers via the prescribed data sharing channels.

8.1 The obligation to provide a consumer data request service

A data holder must provide an accredited data recipient with a way to request consumer data on behalf of a CDR consumer. This includes:

  • enabling consent-driven requests,
  • authenticating the consumer,
  • validating authorisations, and
  • providing responses conforming to the Data Standards.

Product data must also be made discoverable via the Product Reference Data APIs.

For mandatory categories:

  • product reference data must be publicly available, and
  • consumer data must be disclosed when requested (unless an exception applies).

For voluntary categories:

  • data may be disclosed,
  • but data holders must still comply with CDR Rules and Data Standards when doing so.

8.2 Alignment with the Data Standards

Data holders must ensure:

  • endpoints adhere to the Consumer Data Standards (structure, fields, formats),
  • all data shared (mandatory or voluntary) meets the same technical and security requirements,
  • consent, authorisation and response flows align with the Standards.

Voluntary participation is not a lighter regulatory path.

8.3 Complex requests: a carve-out for non-bank lenders

For now, non-bank lenders do not have obligations to respond to “complex requests”.

A request is “complex” if it:

  • is made by or for a secondary user,
  • relates to a joint account,
  • relates to a partnership account, or
  • is made on behalf of a consumer with a nominated representative.

The Rules exclude complex requests for initial and large providers in the non-bank lender sector.

This carve-out may be revisited in future rule-making phases.

9. A practical compliance checklist for product and legal teams

To streamline decision-making, adopt a repeatable assessment workflow aligned with ACCC guidance.

Step 1: Catalogue all products

  • Maintain a full inventory of lending, leasing, and credit products.
  • Include variants — even those targeted at specific segments.

Step 2: Apply the three-factor test

For each product, determine:

  1. Is it listed in clause 1.4?
  2. Is it publicly offered?
  3. Is it offered under a standard form contract?

If “yes” to all three: covered product.
If “no” at any stage: out of scope.

Step 3: Determine whether the product is voluntary-only

Check whether the product is:

  • a foreign currency account
  • a consumer lease
  • a reverse mortgage
  • a margin loan
  • non-standard vehicle asset finance (novated or fleet)

If yes: covered but voluntary only.

Step 4: Identify trial products

For products labelled “pilot” or “trial”, monitor:

  • customer count (≤1,000),
  • trial duration (≤6 months),
  • early termination conditions.

Only when thresholds are exceeded do obligations switch on.

Step 5: Check organisational status

Confirm whether your organisation is:

  • an initial provider,
  • a large provider, or
  • neither.

If neither: no mandatory obligations apply.

Step 6: Confirm whether you hold required data

Even if the product is covered:

  • you may not hold required consumer or product data,
  • in which case obligations do not yet apply.

Step 7: Document reasoning and maintain audit trails

For each product:

  • record the assessment,
  • capture the rationale for the classification,
  • include relevant Rule references and guidance points.

Step 8: Review assessments regularly

Reassess whenever:

  • a product is redesigned,
  • eligibility changes,
  • distribution channels change,
  • trial products convert to permanent products, or
  • your organisation moves into initial or large provider status.

10. Common misconceptions (and how the guidance resolves them)

Misconception 1: “If a product is for business customers, it’s out of scope.”

Incorrect.

Business finance products are expressly listed in clause 1.4. If they are publicly offered and offered under largely standard terms, they are covered products.

Misconception 2: “Any negotiation means the contract is not standard.”

Incorrect.

Minor negotiation (interest rates, fees, standard variations) does not remove the product from scope. The test is whether the contract is materially negotiated.

Misconception 3: “All asset finance is mandatory.”

Incorrect.

Only standard consumer vehicle finance is intended to be mandatory. Much asset finance is covered but voluntary, and heavily negotiated asset finance often falls out of scope.

Misconception 4: “If our product is bespoke, it must be voluntary.”

Incorrect.

Bespoke products are usually out of scope, not voluntary. Voluntary applies only to products that are covered but designated as voluntary in the Rules.

Misconception 5: “BNPL is not in scope yet.”

Incorrect.

BNPL is explicitly listed as a product category. Mandatory dates vary, but BNPL is part of the designated product set for non-bank lenders.

Misconception 6: “If we don’t hold required consumer data, we still need to build everything.”

Incorrect.

If you hold no required consumer or product data for that product type, you are not expected to meet data holder obligations until you do.

11. Turning a static compliance decision into a living artefact

The concept of a “covered product” is not something lenders can determine once and forget.

Product portfolios evolve, new variations emerge, and distribution channels change. What is out of scope today may be in scope six months from now — particularly as:

  • products exit trial periods,
  • customer numbers grow,
  • organisations cross thresholds into large provider status, or
  • the ACCC releases updated guidance or rule amendments.

A robust CDR compliance framework treats the covered product assessment as a living artefact, reviewed regularly and shared across product, compliance, risk, engineering and legal functions.

At the same time, comprehensive and stable API infrastructure is essential. A data holder must be confident that when a product moves from out-of-scope to in-scope (or from voluntary to mandatory) the technical capability is already in place to support secure, standards-aligned data sharing.

This is where platforms like Fiskil’s Data Provider make a measurable difference.

A modern, high-performance data sharing layer ensures:

  • fast implementation for new categories,
  • consistent handling of both voluntary and mandatory data,
  • automatic alignment with changing Standards, and
  • reduced operational and regulatory risk when obligations switch on.

The result is a compliance posture that is not just defensible, but operationally resilient — and a data sharing experience that strengthens consumer trust and positions your organisation for the next phase of open data innovation.