WEMONEY CDR POLICY
1. ABOUT THIS POLICY
New regulations were introduced for the banking industryto implement the Consumer Data Right (CDR)which is known as “open banking”, that provides consumers with rights to access specified data that relates to them(CDR data) held by the organisations that are accredited data holders participating in the Consumer Data Right regime.
The intent of the CDR regime aims to provide greater choices and control for Australian consumers over how their data is collected, used and disclosed. It allows consumers to access particular data in a usable form and to direct a business to securely transfer that data to another business in a manner that is compliant with the CDR Regime.
Under the CDR consumers can authorise the sharing of their CDR data to organisations accredited by the ACCC under the Consumer Data Rights (accredited data recipients), as well as providers collecting CDR data from, or on behalf of, an accredited recipient. In this policy both arereferred to as an accredited data recipient.
In simple terms the implementationof CDR allows you as the consumer to share with your consent your data for specific purposes with any other organisation that is accredited under the CDR regime.
WeMoney Pty Ltd ACN 633 007 860, Australian Credit Licence 526330 (WeMoney or we or us) is an accredited data recipient participating in the government’s open banking scheme under the CDR regime.
WeMoney provides its services which is a smart money management service that connects all of your financial accounts in one place, tracks your overall financial health including providing users (you and your) with details about your credit score as well as information and tools using your financial data to compare for you a range of products, credit providers and services and make your aware of financial options available to you for your consideration. We may also tell you about products or promotions from our connected network of product providers. WeMoney provides its services via its website and mobile applications (the Services).
WeMoney has created this Consumer Data Right (CDR) Policy (CDR Policy) in accordance with the requirements of Division 5 of Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (ConsumerData Right) Rules 2020 and the CDR Privacy Safeguard Guidelines (CDR Legislation). In this CDR Policy, we will illustrate how we will manage your CDR data and describe how you can access and correct your CDR data or make a complaint.
2. CONSUMER DATA RIGHT INFORMATION
The CDR Data we collect from you and hold are classified as your “required consumer data” withinyour banking records which may include:
(a) your contact details;
(c) account information;
(d) transaction records;
(e) specific information aboutthe financial products you may have with an organisation; or
(f) CDR data that includes data that may be derived from the original account information and transaction details.
WeMoney as an accredited organisation under the CDR regime allows you as our consumer to share with your consent your selected financial data for specific purposes with or from other accredited organisations.
The great benefit is that you control and decide when to share your CDR data, what CDR data you share, with whom you want to share your CDR data with and for how long.
As an accredited data recipient, we will only receive your CDR data with your consent.
3. HOW WE HOLD CDR DATA
WeMoney collects and holds your data that you provide tous as our consumer, which enables us and assists us to provide you with our Services.
This data that we hold and collect, may include data thatis classified as “CDR data” upon us receiving it after you have given your consent as an accredited data recipient under the CDR regime.
Under the CDR regime a:
Data holder: is the organisation that holds your data and upon your consent shares your data with an accredited data recipient, for e.g., your financial services provider.
Data recipient: is an accredited organisation under the CDR regime (for e.g., other banks and financial services organisations) that you have provided your consent to receive and use your CDR data from the Data holder. This is WeMoney.
When you provide your consent to an accredited organisation to collect and use your CDR data, it's important to know that you are then entering into an agreement with them.
At WeMoney, we will hold your data for a period of time as specified by you when you provide your consent or until you withdraw your consent. Once you withdraw your consentor the period of time that you have specified in your consent has expired, we will delete your CDR data that we hold about you, unless that data has previously been de-identified by WeMoney (see section 9. Data Enhancement).
WeMoney does not accept consumer requests to access additional voluntary products or consumer data that our Services does not already make available.
4. YOUR PRIVACY AND SECURITY
We will keep your CDR data in a cloud-based, or other types of networked orelectronic storage centres. The security of your CDR data is important to us. We will take appropriate technical and organisational precautions to secure your CDR data as required under the CDR regime.
5. CONSENT TO RECEIVING YOUR CDR DATA
5.1 Sharing your CDR Data
You can choose toshare your CDR data with WeMoney so we can provide you with our Services.
You will need to give your consent to WeMoney as an accredited data recipient to receive your CDR data from your nominated financial institutionor financial services provider (CDR data holder).
Prior to actioning your request to share your CDR data with WeMoney, we will:
(a) need to identify you first using our authentication methods;
(b) obtain your consent to sharing your CDR data from your nominated financial institution or financial services provider with WeMoney;
(c) ask you to choose which accounts/information you would like to share with WeMoney; and
(d) what period of time you want to share your CDR data with WeMoney,
IMPORTANT: Please note that your CDR data holder will have their terms and conditions that you need to comply with when requesting to share your data with WeMoney.
5.2 Manage your CDR data sharing with you CDR data holder
You can log in with your CDR data holder and manage your data sharing to view your data sharing, manage your data sharing and stop your data sharing.
6. CDR DATA SHARING BY WEMONEY
WeMoney usesthe entities listed below as its service providers to provide the following services:
Name of Service Provider
Description of Services provided by the Service Provider
Yodlee Inc (Yodlee)
Manage its consent process with respect ofaccessing CDR data as an accredited data recipient. When you give WeMoney consent to access your CDR data this consent process is done through Yodlee’s platform.
Accredited Data Recipient
Google Australia Pty Ltd
Providing services for sending push notifications appropriate to users, some of which may be triggered or contain de-identified derived data. All data is de-identified and the data is not processed via the CDR regime.
Look Who’s Charging Pty Ltd (a subsidiary of Experian Australia Pty Ltd)
Providing spending insightsby enhancing merchant identification and category details around your transactions using de-identified data. All data is de identified see section 9 for further details and the data is not processed via the CDR regime.
We may with your consent disclose your CDR datato other accredited data recipients that you may authorise from time to time, and we will seek your consent and provide you with a link to their CDR policy before you provide your consent.
IMPORTANT: Only accredited data recipients authorised by you are able to access your CDR data. The website www.cdr.gov.au gives you more information regarding the accreditation process.
7. HOW YOU CAN ACCESS YOUR SHARED CDR DATA WITH WEMONEY
CDR data that wehave received will be made available to you securely via our Services. Inaddition, WeMoney allows you to update specific CDR data such as account holder information securely via our Services. Please note that for any data updates to other organisations that are CDR data holders you will need to contact them directly to correct and update your CDR data.
You can log in inthe WeMoney Services and manage your data sharing to view your data sharing, manage your data sharing and stop your data sharing with us and any accredited data recipient that you have authorised for us to share your CDR data with.
8. HOW WE USE YOUR CDR DATA
WeMoney offers its Service online, which enables users to manage their personal finances. Features include account aggregation of Australian bank accounts, calculating a user’s net worth, defining and tracking savings goals, and participating in the WeMoney community.
WeMoney uses your data to deliver its Services to you and to improve the overall service quality in the long-term.
Wewill only collect and use the CDR data that is reasonably needed to provide our Services to you. Any CDR data not required to provide our Services to you willbe destroyed.
9. DATA ENHANCEMENT
One of the services provided by our Services is to help you understand your expenditures and assist you with identifying and categorising your expenditures.
WeMoney will use your CDR data in a de-identified form and will share it with Experian Australia Pty Ltd (Experian) for enrichment.The enrichment of the data allows us to provide you accurate spending insights by enhancing merchant identification and category details around your transactions.
All of the transactions are de-identified and any personal information that canbe used to identify you is removed. We also remove any transaction attributes that could potentially be combined with other data to identify you as an individual.
The de-identified data is then processed by Experian and the results are returned to WeMoney so we can provide you with the enhanced data insights. The de-identified data is not retained by Experian. Should any de-identified data be retained by Experian and once such data is no longer used and becomes redundant, it cannot be deleted, however such data cannot be used to identify you as an individual and will continue to be held in the de-identified form.
10. OVERSEAS STORAGE PRACTICES
11. HOW WE NOTIFY CONSUMERS
On several occasions, you will receive notifications viathe Services. Such notifications will include:
(a) relevant lifecycle events regarding your CDR data (which includes when you set up, amend, stop sharing and where your CDR data sharing arrangement expires);
(b) requesting your consent to use your CDR data;
(c) the withdrawal of your consent;
(d) the collection of your CDR data, i.e., when updating your financial transactions;
(e) if you request and we correct your CDR data; and
(f) if our CDR accreditation is surrendered, suspended or revoked.
12. CONSEQUENCES OF WITHDRAWING CONSENT
You can withdraw your consent authorisation to share your CDR data with or by WeMoney at any time via the Services or simply by letting us know by email that you are withdrawing your consent. Our email address to withdraw consent is email@example.com.
You may also withdraw your consent by:
(a) disconnecting an individual bank account within the Services or by withdrawing your consent remotely via your financial institution; or
(b) by deactivating your WeMoney account altogether.
Once WeMoney receives your consent withdrawal in any form, we will permanently delete your CDR data from our systems within 30 days of your request.
Once the data is permanently deleted you will not be able to access it unless you provide consent again to us to receive your CDR data.
13. CONTACTING US OR MAKING A COMPLAINT
WeMoney is here to help! If you want to know how we hold and manage your CDR data please contact us via either our Services, call us on 1300629 510 or email us at firstname.lastname@example.org.
If you are concerned about how we have handled your CDR data or you want to make a complaint or provide us with any feedback, you can talk to us by writing to us at email@example.com. We will attempt to the best of our abilities to resolve any issue that you may have.
In order for us to assist you, please include your fullname, email and contact details, as well as a preferred contact method in your email to us. We may ask for additional information to identify you. Please notea WeMoney representative will never ask you for your log-in account information such as your password via phone or email.
We will do our best to:
(a) try and resolve your complaint immediately, if possible;
(b) resolve your complaint within 5 business days. If this isn’t possible, we will confirm the outcome with you in writing. We will aim to resolve your complaint within 30 days. If we can’t meet these timeframes, we will explain to you why and will provide to youan expected date for the outcome of your complaint. We will keep you informedof progress; and
(c) We will explain to you about our decision with respect to your complaint and notify in writing for all complaints that are not resolved within 5 business days.
If you are not satisfied with the final outcome, you may choose to lodge a complaint with the Australian Financial Complaints Authority (AFCA). AFCA provides a free and independent dispute resolution service for individuals and small business consumers who are unable to resolve their complaints directly with WeMoney.
Australia Financial Complaints Authority
Phone: 1800 931 678
Mail: GPO Box 3, Melbourne, VIC3001
You may also raise any CDR concerns directly with the Office of the Australian Information Commissioner (OAIC). OAIC acts as an impartial third party when investigating and resolving a complaint in relation to the handling of your CDR data. You can contact the OAIC on:
Office of Australian Information Commissioner
Mail: GPO Box 5218, Sydney, NSW2001
Phone: 1300 363 992
14. NOTIFIABLE DATA BREACHES
From February 2018, the Privacy Act includes a new Notifiable Data Breaches scheme (NDB) which requires us to notify you and the Office of the Australian Information Commissioner (OAIC)of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).
The NDB scheme requires us to notify you about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.
If we believe there has been a CDR data breach that impacts your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as possible and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy. If we believe there has been an information security incident, we will notify the Australian Cyber Security Centre (ACSC) as soon as practicable and in any case no later than 30 days after becoming aware of the security incident.
If you believe that any personal informationin the CDR data that we hold about you has been impacted by a data breach, you can contact us using the contact details below.
This CDR Policyis available electronically by selecting “Settings”, then “CDR Policy” within our Services. It is also available on the WeMoney website by visiting www.wemoney.com.au/cdrpolicy, and on request by contacting us at firstname.lastname@example.org. WeMoney does not provide hard copies.
We reserve the right to change this CDR Policy, at any time and when we do, we will post the current version on our website and will be available in “Settings”,then “CDR Policy” within our Services.
The revised CDR Policy shall apply from the date of publication of the revised CDR Policy on our website, and is made available in “Settings”, then “CDR Policy” within our Services. You here by waive any right you may otherwise have to be notified of, or to consent to, revisions of the CDR Policy.
Any subsequent access to, or use by you, of the WeMoney website or any of our Services will constitute acceptance of any varied or modified CDR Policy.
We will not file a copy of the CDR Policy specifically in relation to each user or consumerand, if we update the CDR Policy, the version to which you originally agreed may no longer be available on our WeMoney website or made available in “Settings”, then “CDR Policy” within our Services. We recommend that you consider saving a copy of the CDR Policy for future reference.
This CDRPolicy is Version 3.1 dated 4 August 2023.