WEMONEY CDR POLICY

1. ABOUT THIS POLICY

New regulations were introduced for the banking industry to implement the Consumer Data Right (CDR) which is known as “open banking”, that provides consumers with rights to access specified data that relates to them (CDR data) held by the organisations that are accredited data holders participating in the Consumer Data Right regime.

The intent of the CDR regime aims to provide greater choices and control for Australian consumers over how their data is collected, used and disclosed. It allows consumers to access particular data in a usable form and to direct a business to securely transfer that data to another business in a manner that is compliant with the CDR Regime.

Under the CDR consumers can authorise the sharing of their CDR data to organisations accredited by the ACCC under the Consumer Data Rights (accredited data recipients), as well as providers collecting CDR data from, or on behalf of, an accredited recipient. In this policy both are referred to as an accredited data recipient.

In simple terms the implementation of CDR allows you as the consumer to share with your consent your data for specific purposes with any other organisation that is accredited under the CDR regime.

WeMoney Pty Ltd ACN 633 007 860, Australian Credit Licence 526330 (WeMoney or we or us) is an accredited data recipient participating in the government’s open banking scheme under the CDR regime.   

WeMoney provides its services which is a smart money management service that connects all of your financial accounts in one place, tracks your overall financial health including providing users (you and your) with details about your credit score as well as information and tools using your financial data to compare for you a range of products, credit providers and services and make your aware of financial options available to you for your consideration. We may also tell you about products or promotions from our connected network of product providers. WeMoney provides its services via its website and mobile applications (the Services).

WeMoney has created this Consumer Data Right (CDR) Policy (CDR Policy) in accordance with the requirements of Division 5 of Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 and the CDR Privacy Safeguard Guidelines (CDR Legislation). In this CDR Policy, we will illustrate how we will manage your CDR data and describe how you can access and correct your CDR data or make a complaint.

2. CONSUMER DATA RIGHT INFORMATION

The CDR Data we collect from you and hold are classified as your “required consumer data” within your banking records which may include:

(a)      your contact details;

(b)      Occupation;

(c)       account information;

(d)      transaction records;

(e)      specific information about the financial products you may have with an organisation; or

(f)       CDR data that includes data that may be derived from the original account information and transaction details.

WeMoney as an accredited organisation under the CDR regime allows you as our consumer to share with your consent your selected financial data for specific purposes with or from other accredited organisations.

The great benefit is that you control and decide when to share your CDR data, what CDR data you share, with whom you want to share your CDR data with and for how long.

As an accredited data recipient, we will only receive your CDR data with your consent.

We will also continue to manage your personal information in line with WeMoney’s Privacy Policy and our obligations under the Privacy Act (1988). Please visit our Privacy Policy at www.wemoney.com.au/privacypolicy for further information.

3. HOW WE HOLD CDR DATA

WeMoney collects and holds your data that you provide to us as our consumer, which enables us and assists us to provide you with our Services.

This data that we hold and collect, may include data that is classified as “CDR data” upon us receiving it after you have given your consent as an accredited data recipient under the CDR regime.

Under the CDR regime a:

Data holder: is the organisation that holds your data and upon your consent shares your data with an accredited data recipient, for e.g., your financial services provider.

Data recipient: is an accredited organisation under the CDR regime (for e.g., other banks and financial services organisations) that you have provided your consent to receive and use your CDR data from the Data holder. This is WeMoney.

When you provide your consent to an accredited organisation to collect and use your CDR data, it's important to know that you are then entering into an agreement with them.

At WeMoney, we will hold your data for a period of time as specified by you when you provide your consent or until you withdraw your consent. Once you withdraw your consent or the period of time that you have specified in your consent has expired, we will delete your CDR data that we hold about you, unless that data has previously been de-identified (see section 9. Data Enhancement).

WeMoney does not accept consumer requests to access additional voluntary products or consumer data that our Services does not already make available.

4. YOUR PRIVACY AND SECURITY ‍

We will keep your CDR data in a cloud-based, or other types of networked or electronic storage centres. The security of your CDR data is important to us. We will take appropriate technical and organisational precautions to secure your CDR data as required under the CDR regime.

5. CONSENT TO RECEIVING YOUR CDR DATA

5.1 Sharing your CDR Data

You can choose to share your CDR data with WeMoney so we can provide you with our Services.

You will need to give your consent to WeMoney as an accredited data recipient to receive your CDR data from your nominated financial institution or financial services provider (CDR data holder).

Prior to actioning your request to share your CDR data with WeMoney, we will:

(a)     need to identify you first using our authentication methods;

(b)     obtain your consent to sharing your CDR data from your nominated financial institution or financial services provider with WeMoney;

(c)      ask you to choose which accounts/information you would like to share with WeMoney; and

(d)     what period of time you want to share your CDR data with WeMoney.

IMPORTANT: Please note that your CDR data holder will have their terms and conditions that you need to comply with when requesting to share your data with WeMoney.

5.2 Manage your CDR data sharing with you CDR data holder

You can log in with your CDR data holder and manage your data sharing to view your data sharing, manage your data sharing and stop your data sharing.

6. CDR DATA SHARING BY WEMONEY

WeMoney uses the entities listed below as its service providers to provide the following services:

We may with your consent disclose your CDR data to other accredited data recipients that you may authorise from time to time, and we will seek your consent and provide you with a link to their CDR policy before you provide your consent.

IMPORTANT: Only accredited data recipients authorised by you are able to access your CDR data. The website www.cdr.gov.au gives you more information regarding the accreditation process.

7. HOW YOU CAN ACCESS YOUR SHARED CDR DATA WITH WEMONEY

CDR data that we have received will be made available to you securely via our Services. In addition, WeMoney allows you to update specific CDR data such as account holder information securely via our Services. Please note that for any data updates to other organisations that are CDR data holders you will need to contact them directly to correct and update your CDR data.

You can log in in the WeMoney Services and manage your data sharing to view your data sharing, manage your data sharing and stop your data sharing with us and any accredited data recipient that you have authorised for us to share your CDR data with.

8. HOW WE USE YOUR CDR DATA

WeMoney offers its Service online, which enables users to manage their personal finances. Features include account aggregation of Australian bank accounts, calculating a user’s net worth, defining and tracking savings goals, and participating in the WeMoney community.

WeMoney uses your data to deliver its Services to you and to improve the overall service quality in the long-term.

We will only collect and use the CDR data that is reasonably needed to provide our Services to you. Any CDR data not required to provide our Services to you will be destroyed.

9. DATA ENHANCEMENT

One of the services provided by our Services is to help you understand your expenditures and assist you with identifying and categorising your expenditures.

WeMoney will share your CDR data with Experian for enrichment. The enrichment of the data allows us to provide you accurate spending insights by enhancing merchant identification details around your transactions.

All of the transactions are de-identified by Experian and any personal information that can be used to identify you is removed. Experian also removes any transaction attributes that could potentially be combined with other data to identify you as an individual.

The de-identified data is then processed by Experian and the results are returned to WeMoney so we can provide you with the enhanced data insights. The de-identified data is retained by Experian to improve the enrichment service. Should any de-identified data be no longer used and becomes redundant, it cannot be deleted; however such data cannot be used to identify you as an individual and will continue to be held in the de-identified form.

10. OVERSEAS STORAGE PRACTICES

WeMoney holds and stores data with SOC2 and ISO27000 compliant data centres in Australia and the USA. We will keep your CDR data stored securely and encrypted in electronic form in accordance with WeMoney’s Privacy Policy and complying with the CDR regime.

11. HOW WE NOTIFY CONSUMERS

On several occasions, you will receive notifications via the Services. Such notifications will include:

(a)     relevant lifecycle events regarding your CDR data (which includes when you set up, amend, stop sharing and where your CDR data sharing arrangement expires);

(b)     requesting your consent to use your CDR data;

(c)      the withdrawal of your consent;

(d)     the collection of your CDR data, i.e., when updating your financial transactions;

(e)     if you request and we correct your CDR data; and

(f)       if our CDR accreditation is surrendered, suspended or revoked. 

12. CONSEQUENCES OF WITHDRAWING CONSENT

You can withdraw your consent authorisation to share your CDR data with or by WeMoney at any time via the Services or simply by letting us know by email that you are withdrawing your consent. Our email address to withdraw consent is hello@wemoney.com.au.

You may also withdraw your consent by:

(a)     disconnecting an individual bank account within the Services or by withdrawing your consent remotely via your financial institution; or

(b)     by deactivating your WeMoney account altogether.

Once WeMoney receives your consent withdrawal in any form, we will permanently delete your CDR data from our systems within 30 days of your request. 

Once the data is permanently deleted you will not be able to access it unless you provide consent again to us to receive your CDR data.

13. CONTACTING US OR MAKING A COMPLAINT

WeMoney is here to help! If you want to know how we hold and manage your CDR data please contact us via either our Services, call us on 1300 629 510 or email us at hello@wemoney.com.au.

If you are concerned about how we have handled your CDR data or you want to make a complaint or provide us with any feedback, you can talk to us by writing to us at hello@wemoney.com.au. We will attempt to the best of our abilities to resolve any issue that you may have.

In order for us to assist you, please include your full name, email and contact details, as well as a preferred contact method in your email to us. We may ask for additional information to identify you. Please note a WeMoney representative will never ask you for your log-in account information such as your password via phone or email.

We will do our best to:

(a) try and resolve your complaint immediately, if possible;

(b) resolve your complaint within 5 business days. If this isn’t possible, we will confirm the outcome with you in writing. We will aim to resolve your complaint within 30 days. If we can’t meet these timeframes, we will explain to you why and will provide to you an expected date for the outcome of your complaint. We will keep you informed of progress; and

(c) We will explain to you about our decision with respect to your complaint and notify in writing for all complaints that are not resolved within 5 business days.

If you are not satisfied with the final outcome, you may choose to lodge a complaint with the Australian Financial Complaints Authority (AFCA). AFCA provides a free and independent dispute resolution service for individuals and small business consumers who are unable to resolve their complaints directly with WeMoney.

Australia Financial Complaints Authority

Online: www.afca.org.au

Email: info@afca.org.au

Phone: 1800 931 678

Mail: GPO Box 3, Melbourne, VIC 3001 

You may also raise any CDR concerns directly with the Office of the Australian Information Commissioner (OAIC). OAIC acts as an impartial third party when investigating and resolving a complaint in relation to the handling of your CDR data. You can contact the OAIC on:

Office of Australian Information Commissioner

Mail: GPO Box 5218, Sydney, NSW 2001

Phone: 1300 363 992

Online: www.oaic.gov.au

Email: enquiries@oaic.gov.au

14. NOTIFIABLE DATA BREACHES

From February 2018, the Privacy Act includes a new Notifiable Data Breaches scheme (NDB) which requires us to notify you and the Office of the Australian Information Commissioner (OAIC)of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).

The NDB scheme requires us to notify you about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.

If we believe there has been a CDR data breach that impacts your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as possible and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy. If we believe there has been an information security incident, we will notify the Australian Cyber Security Centre (ACSC) as soon as practicable and in any case no later than 30 days after becoming aware of the security incident.

If you believe that any personal information in the CDR data that we hold about you has been impacted by a data breach, you can contact us using the contact details below.

15. AVAILABILITY

This CDR Policy is available electronically by selecting “Settings”, then “CDR Policy” within our Services. It is also available on the WeMoney website by visiting www.wemoney.com.au/cdrpolicy, and on request by contacting us at hello@wemoney.com.au. WeMoney does not provide hard copies.

We reserve the right to change this CDR Policy, at any time and when we do, we will post the current version on our website and will be available in “Settings”, then “CDR Policy” within our Services.

The revised CDR Policy shall apply from the date of publication of the revised CDR Policy on our website, and is made available in “Settings”, then “CDR Policy” within our Services. You here by waive any right you may otherwise have to be notified of, or to consent to, revisions of the CDR Policy.

Any subsequent access to, or use by you, of the WeMoney website or any of our Services will constitute acceptance of any varied or modified CDR Policy.

We will not file a copy of the CDR Policy specifically in relation to each user or consumer and, if we update the CDR Policy, the version to which you originally agreed may no longer be available on our WeMoney website or made available in “Settings”, then “CDR Policy” within our Services. We recommend that you consider saving a copy of the CDR Policy for future reference.

This CDR Policy is Version 4.0 dated 27 February 2024.