From Open Banking to Open Finance: Welcoming non-bank lenders to the next phase of CDR
For a system that’s often labelled as slow, the Consumer Data Right has a habit of quietly progressing in ways that materially change the shape of the market.
The expansion into non-bank lending for regulated data access is one of those turning points. At Fat Zebra, we’re seeing growing demand from businesses preparing for this next phase of CDR as the scope of accessible data expands.
It doesn’t come with the same noise as Open Banking in 2020, but it arguably matters more. CDR is stepping properly outside the traditional banking perimeter and into the broader reality of how credit is actually delivered in Australia today. This is where Open Finance stops being a roadmap and starts becoming real.
CDR was always designed to be economy-wide, banking was just the starting point. Energy followed. And now, with non-bank lending, we’re seeing the first meaningful expansion into financial services beyond banks: where a large and growing portion of consumer and business lending activity already sits.
Lenders & CDR – What is happening and when?
At a regulatory level, non-bank lenders are being brought into CDR as designated data holders, meaning they will be required to make both product data and consumer data sharing available.
All in-scope non-bank lenders will be required to publish product data from 13 July 2026, marking the first point where their products become visible and comparable within the CDR ecosystem. Consumer data follows shortly after.
For the largest providers, consumer data sharing obligations begin on 9 November 2026. For the next cohort, they begin on 10 May 2027, with further staged rollout extending into late 2027.
Initial vs large providers: who must participate?
One of the more important (and often misunderstood) parts of the rollout is that not all non-bank lenders are treated equally.
The regime introduces two key categories: initial providers and large providers. The rollout is structured by entity size and product type, just like banking and energy.
Initial providers are the largest players in the market — those with more than $10 billion in their loan portfolio. These are the first to move.
They must:
- publish product data from 13 July 2026, and
- begin sharing consumer data from 9 November 2026.
Large providers sit just below that tier. These are lenders with more than $1 billion in their loan portfolio and at least 1,000 customers, but who don’t meet the initial provider threshold.
They follow a slightly delayed timeline:
- product data still from 13 July 2026, and
- consumer data from 10 May 2027, or later depending on when they meet the threshold
The logic is simple. Start with the largest and most systemically important participants (where the data has the most impact and the most account holders) and then expand outward.
Below that, smaller lenders may not be mandated immediately, but they can still opt in voluntarily.
What consent looks like (and what doesn’t change)
Despite the expansion into a new sector, the consent model remains unchanged.
CDR is deliberately consistent across industries. The same CX standards apply whether a customer is sharing banking data, energy data, or (soon!) non-bank lending data.
That means the experience remains familiar: customers decide what data is shared, for what purpose, and for how long. The complexity sits behind the scenes (with the Data Holders and Data Recipients). The front-end experience does not change, other than selecting new data sources.
That consistency is one of the reasons the regime can scale. Each new sector doesn’t introduce a new model; it plugs into the same one.
What this means in practice
The inclusion of non-bank lenders changes the shape of the dataset more than anything else.
Up until now, CDR has provided a partial view of a customer’s financial position - strong on banking, increasingly useful, but incomplete. A meaningful portion of liabilities has sat outside the system, and that starts to change from mid-2026 onwards.
As non-bank lending data becomes available, use cases that rely on a complete financial picture (like lending and affordability) become significantly more viable. It reduces the need for workarounds, manual data collection, sharing statements or (eek!) sharing passwords.
And importantly, it moves CDR closer to being what it was always intended to be: a single, trusted layer for data sharing and financial decisioning.
Where to from here?
First of all, not all CDR intermediaries will access non-bank lenders as data sources. If this is important to you, ask your CDR provider about connectivity.
Second of all, Non-bank lending is not the end state. It’s the first real step into the world of Open Finance.
Superannuation and general insurance have both been signalled as future areas for expansion. They’re not designated yet, but it’s hard to see a CDR where they aren’t included.
Each new sector does two things:
- it expands the datasets available, and
- it increases the value of everything already connected.
Which means the real shift isn’t just regulatory, it’s structural. CDR is moving from a set of point integrations into banks, to a growing, economy-wide data network. The inclusion of non-bank lenders is where that becomes obvious.
