WEMONEY CDR POLICY

1. ABOUT THIS POLICY

New regulations were introduced by the Federal Government to implement the Consumer Data Right (CDR) which is known as “open banking”, that provides consumers with rights to access specified data that relates to them (CDR data) held by the organisations that are accredited by the ACCC as data holders participating in the Consumer Data Right regime.

The intent of the CDR regime aims to provide greater choices and control for Australian consumers over how their data is collected, used and disclosed. It allows consumers to access particular data in a usable form and to direct a business to securely transfer that data to another business in a manner that is compliant with the CDR Regime.

Under the CDR consumers can authorise the sharing of their CDR data to organisations accredited by the ACCC under the Consumer Data Rights (accredited data recipients), as well as providers collecting CDR data from, or on behalf of, an accredited recipient. In this policy both are referred to as an accredited data recipient.

In simple terms the implementation of CDR allows you as the consumer with your consent to share your data for specific purposes with any other organisation that is accredited under the CDR regime.

WeMoney Pty Ltd ACN 633 007 860, Australian Credit Licence 526330 (WeMoney or we or us) is an accredited data recipient participating in the government’s open banking scheme under the CDR regime.   

WeMoney provides its services which is a smart money management service that connects all of your financial accounts in one place, tracks your overall financial health including providing users (you and your) with details about your credit score as well as information and tools using your financial data to compare for you a range of products, credit providers and services and make you aware of financial options available to you for your consideration. We may also tell you about products or promotions from our connected network of product providers. WeMoney provides its services via its website and mobile applications (the Services).

WeMoney has created this Consumer Data Right (CDR) Policy (CDR Policy) in accordance with the requirements of Division 5 of Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 and the CDR Privacy Safeguard Guidelines (CDR Legislation). In this CDR Policy, we will illustrate how we will manage your CDR data and describe how you can access and correct your CDR data or make a complaint as well as when we de-identify your data, how we use it de-identified, and when we destroy your CDR data.

2. CONSUMER DATA RIGHT INFORMATION

The CDR Data we collect from you and hold is classified as your “required consumer data” within your banking records which may include:

(a)      your contact details;

(b)      occupation;

(c)       account information;

(d)      transaction records;

(e)      specific information about the financial products you may have with an organisation; or

(f)       CDR data that includes data that may be derived from the original account information and transaction details.

WeMoney as an accredited organisation under the CDR regime:

(a)      allows you to give your consent to shae your selected financial data for specific purposes with or from other accredited organisations in order for us to be able to provide our Services to you; and

(b)      with your consent, is able to use the de-identified data for general research and disclose the de-identified data as outlined in this policy;

We also set out in this CDR Policy how we will treat your data when it becomes redundant.

The great benefit is that you control and decide when to share your CDR data, what CDR data you share, with whom you want to share your CDR data with and for how long.

As an accredited data recipient, we will only receive your CDR data with your consent.

We will also continue to manage your personal information in line with WeMoney’s Privacy Policy and our obligations under the Privacy Act (1988). Please visit our Privacy Policy at www.wemoney.com.au/privacypolicy for further information.

3. HOW WE HOLD CDR DATA

WeMoney collects and holds your data that you provide to us as our consumer, which enables us and assists us to provide you with our Services.

This data that we hold and collect, may include data that is classified as “CDR data” upon us receiving it after you have given your consent as an accredited data recipient under the CDR regime.

Under the CDR regime a:

Data holder: is the organisation that holds your data and upon your consent shares your data with an accredited data recipient, for e.g., your financial services provider.

Data recipient: is an accredited organisation under the CDR regime (for e.g., other banks and financial services organisations) that you have provided your consent to receive and use your CDR data from the Data holder. This is WeMoney.

When you provide your consent to an accredited organisation to collect and use your CDR data, it's important to know that you are then entering into an agreement with them.

At WeMoney, we will hold your data for a period of time as specified by you when you provide your consent or until you withdraw your consent. Once you withdraw your consent or the period of time that you have specified in your consent has expired, or we can no longer hold it under the CDR regime we will delete your CDR data that we hold about you, unless that data has been de-identified or has become redundant (see section 10. De-identified or Redundant Data).

WeMoney does not accept consumer requests to access additional voluntary product or consumer data that our Services does not already make available.

4. YOUR PRIVACY AND SECURITY ‍

We will keep your CDR data in a cloud-based, or other types of networked or electronic storage centres. The security of your CDR data is important to us. We will take appropriate technical and organisational precautions to secure your CDR data as required under the CDR regime.

5. CONSENT TO RECEIVING YOUR CDR DATA

5.1 Sharing your CDR Data

You can choose to share your CDR data with WeMoney so we can provide you with our Services.

You will need to give your consent to WeMoney as an accredited data recipient to receive your CDR data from your nominated financial institution or financial services provider (CDR data holder).

Prior to actioning your request to share your CDR data with WeMoney, we will:

(a)     need to identify you first using our authentication methods;

(b)     obtain your consent to sharing your CDR data from your nominated financial institution or financial services provider with WeMoney;

(c)      ask you to choose which accounts/information you would like to share with WeMoney; and

(d)     what period of time you want to share your CDR data with WeMoney.

IMPORTANT: Please note that your CDR data holder will have their terms and conditions that you need to comply with when requesting to share your data with WeMoney.

5.2 Manage your CDR data sharing with you CDR data holder

You can log in with your CDR data holder and manage your data sharing to view your data sharing, manage your data sharing and stop your data sharing.

6. CDR DATA SHARING BY WEMONEY

WeMoney uses the entities listed below as its service providers to provide the following services:

We may with your consent disclose your CDR data to other accredited data recipients that you may authorise from time to time, and we will seek your consent and provide you with a link to their CDR policy before you provide your consent.

IMPORTANT: Only accredited data recipients authorised by you are able to access your CDR data. The website www.cdr.gov.au gives you more information regarding the accreditation process.

7. HOW YOU CAN ACCESS YOUR SHARED CDR DATA WITH WEMONEY

CDR data that we have received will be made available to you securely via our Services. In addition, WeMoney allows you to update specific CDR data such as account holder information securely via our Services. Please note that for any data updates to other organisations that are CDR data holders you will need to contact them directly to correct and update your CDR data.

You can log in in the WeMoney Services and manage your data sharing to view your data sharing, manage your data sharing and stop your data sharing with us and any accredited data recipient that you have authorised for us to share your CDR data with.

8. HOW WE USE YOUR CDR DATA

WeMoney offers its Service online, which enables users to manage their personal finances. Features include account aggregation of Australian bank accounts, calculating a user’s net worth, defining and tracking savings goals, and participating in the WeMoney community.

WeMoney uses your data to deliver its Services to you and to improve the overall service quality in the long-term.

We will only collect and use the CDR data that is reasonably needed to provide our Services to you.

We may also use your data that has been de-identified or become redundant as set out in section 10 (De-identified or Redundant Data).

9. DATA ENHANCEMENT

One of the services provided by our Services is to help you understand your expenditures and assist you with identifying and categorising your expenditures.

WeMoney will share your CDR data with Experian for enrichment. The enrichment of the data allows us to provide you accurate spending insights by enhancing merchant identification details around your transactions.

All of the transactions are de-identified by Experian and any personal information that can be used to identify you is removed. Experian also removes any transaction attributes that could potentially be combined with other data to identify you as an individual.

The de-identified data is then processed by Experian and the results are returned to WeMoney so we can provide you with the enhanced data insights. The de-identified data is retained by Experian to improve their enrichment services. Should any de-identified data be no longer be used and becomes redundant, it cannot be deleted (including upon expiry or revocation of your consent); however such data cannot be used to identify you as an individual and will continue to be held in the de-identified form by Experian.

10. DE-IDENTIFIED OR REDUNDANT DATA

10.1 De-identified Data

During the consent process we will also seek your consent to use the de-identified data for the following uses:

(a)     use the de‑identified data for our general research purposes; and

(b)    disclose the de‑identified data with respect of our general research purposes.

and once the data has been de-identified and used for the purposes outlined above, such de‑identified data cannot be deleted once it becomes redundant data. However this de-identified data cannot be used to identify you as an individual and will continue to be held in the de-identified form.

For the purposes of this section of this CDR Policy, use by WeMoney of de-identified data for general research purposes includes providing feedback to the ACCC and participants of various data standard workgroups regarding WeMoney’s CDR connection statistics as well as using high level de-identified data for statistics with respect of CDR connection and uses mentioned in any WeMoney press releases. Use of the data for general research purposes allows WeMoney to identify opportunities for improvement on how it collects, handles and uses CDR data as well as providing improvements of our Services to you.

10.2 Redundant Data

Any data that we no longer need for the uses as disclosed in this policy or in respect of which we have no other legitimate reason under the CDR regime for holding such data, then such data becomes redundant data. During the consent process you may elect to have your redundant CDR data be deleted by us in accordance with this policy. Should you choose not to have your redundant CDR data deleted we may at our discretion either delete your redundant CDR data or de-identify it appropriately. Please note that once your CDR data has been de-identified cannot be deleted upon expiry or revocation of your consent as it will no longer be able to be used to identify you as an individual. Given this, it will continue to be held in the de-identified form.

‍11. OVERSEAS STORAGE PRACTICES

WeMoney holds and stores data with SOC2 and ISO27000 compliant data centres in Australia and the USA. We will keep your CDR data stored securely and encrypted in electronic form in accordance with this policy complying with the CDR regime and WeMoney’s Privacy Policy.

12. HOW WE NOTIFY CONSUMERS

On several occasions, you will receive notifications via the Services. Such notifications will include:

(a)     relevant lifecycle events regarding your CDR data (which includes when you set up, amend, stop sharing and where your CDR data sharing arrangement expires);

(b)     requesting your consent to use your CDR data;

(c)      the withdrawal of your consent;

(d)     the collection of your CDR data, i.e., when updating your financial transactions;

(e)     if you request and we correct your CDR data; and

(f)      if our CDR accreditation is surrendered, suspended or revoked. 

13. CONSEQUENCES OF WITHDRAWING CONSENT

You can withdraw your consent authorisation to share your CDR data with or by WeMoney at any time via the Services or simply by letting us know by email that you are withdrawing your consent. Our email address to withdraw consent is hello@wemoney.com.au.

You may also withdraw your consent by:

(a)     disconnecting an individual bank account within the Services or by withdrawing your consent remotely via your financial institution; or

(b)     by deactivating your WeMoney account altogether.

Once WeMoney receives your consent withdrawal in any form, we will permanently delete your CDR data from our systems within 30 days of your request, unless it has been de-identified as described in Section 10 above.

Once your CDR data is permanently deleted you will not be able to access it unless you provide a new consent for us to receive your CDR data.

14. CONTACTING US OR MAKING A COMPLAINT

14.1 Contacting Us

WeMoney is here to help! If you want to know how we hold and manage your CDR data or you want to request a copy of your CDR data, please contact us via either our Services, call us on 1300 629 510, email us at hello@wemoney.com.au or by writing to us at WeMoney Pty Ltd, 81-83 Campbell Street, Surry Hills, NSW 2010, Australia.

14.2 Making a Complaint to Us

If you are concerned about how we have handled your CDR data or you want to make a complaint or provide us with any feedback, you can contact us on the details outlined in section 14.1 above. We will attempt to the best of our abilities to resolve any issue that you may have.

In order for us to assist you, please include your full name, email and contact details, as well as a preferred contact method in your email to us. We may ask for additional information to identify and verify you. Please note a WeMoney representative will never ask you for your log-in account information such as your password via phone or email.

We will do our best to:

(a) try and resolve your complaint immediately, if possible;

(b) resolve your complaint within 5 business days. If this isn’t possible, we will confirm the outcome with you in writing. We will aim to resolve your complaint within 30 days. If we can’t meet these timeframes, we will explain to you why and will provide to you an expected date for the outcome of your complaint. We will keep you informed of progress; and

(c) We will explain to you about our decision with respect to your complaint and notify in writing for all complaints that are not resolved within 5 business days.

If you are not satisfied with the final outcome, you may choose to lodge a complaint with the Australian Financial Complaints Authority (AFCA). AFCA provides a free and independent dispute resolution service for individuals and small business consumers who are unable to resolve their complaints directly with WeMoney.

Australia Financial Complaints Authority

Online: www.afca.org.au

Email: info@afca.org.au

Phone: 1800 931 678

Mail: GPO Box 3, Melbourne, VIC 3001 

You may also raise any CDR concerns directly with the Office of the Australian Information Commissioner (OAIC). OAIC acts as an impartial third party when investigating and resolving a complaint in relation to the handling of your CDR data. You can contact the OAIC on:

Office of Australian Information Commissioner

Mail: GPO Box 5218, Sydney, NSW 2001

Phone: 1300 363 992

Online: www.oaic.gov.au

Email: enquiries@oaic.gov.au

15. NOTIFIABLE DATA BREACHES

From February 2018, the Privacy Act includes a new Notifiable Data Breaches scheme (NDB) which requires us to notify you and the Office of the Australian Information Commissioner (OAIC)of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).

The NDB scheme requires us to notify you about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.

If we believe there has been a data breach that impacts your CDR data and/or your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as possible and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy. If we believe there has been an information security incident, we will notify the Australian Cyber Security Centre (ACSC) as soon as practicable and in any case no later than 30 days after becoming aware of the security incident.

If you believe that your CDR data or personal information has been the subject of a data breach, you can contact us using the contact details outlined in Section 14.1 above.

16. AVAILABILITY

This CDR Policy is available electronically by selecting “Settings”, then “CDR Policy” within our Services. It is also available on the WeMoney website by visiting www.wemoney.com.au/cdrpolicy, and on request by contacting us at hello@wemoney.com.au.

We reserve the right to change this CDR Policy, at any time and when we do, we will post the current version on our website and will be available in “Settings”, then “CDR Policy” within our Services.

The revised CDR Policy shall apply from the date of publication of the revised CDR Policy on our website, and is made available in “Settings”, then “CDR Policy” within our Services. You here by waive any right you may otherwise have to be notified of, or to consent to, revisions of the CDR Policy.

Any subsequent access to, or use by you, of the WeMoney website or any of our Services will constitute acceptance of any varied or modified CDR Policy.

We will not file a copy of the CDR Policy specifically in relation to each user or consumer and, if we update the CDR Policy, the version to which you originally agreed may no longer be available on our WeMoney website or made available in “Settings”, then “CDR Policy” within our Services. We recommend that you consider saving a copy of the CDR Policy for future reference.

This CDR Policy is Version 5.1 dated 1 July 2024.