
Open Banking and the CDR: What Australian Bookkeepers Need to Know in 2026

The Consumer Data Right is reshaping how bank transaction data flows to accounting software. CDR bank feeds are replacing manual statement imports for most major Australian banks. Here's what the transition means for bookkeeping practices.

Mary Liu
Senior analyst · 27 May 2026 · 7 min read
Last reviewed against current ATO guidance: 27 May 2026. Always confirm current thresholds, rates, and dates at ato.gov.au.

The Consumer Data Right (CDR) is an Australian government framework that gives consumers the right to share their data with accredited third parties. For the banking sector, CDR enables open banking — the secure, standardised, API-based transfer of bank transaction data from financial institutions to software applications.

For Australian bookkeepers, CDR is the mechanism behind modern bank feeds: instead of a client downloading a CSV file and emailing it, the bank sends transactions directly to the bookkeeping software in real time, with coverage going back 12 months on first connection.

By mid-2026, CDR bank feeds cover all major Australian banks and a growing list of smaller institutions and credit unions. This guide explains how CDR works, what it means for bookkeeping practices, and how Reconlink's Basiq integration uses the framework.


How CDR bank feeds work (without the jargon)

Before CDR, bank data reached bookkeeping software through three methods:

  1. Screen scraping: The software logged into the client's online banking and extracted transaction data — unreliable, insecure, and legally grey
  2. Manual file download: The client downloaded a CSV or OFX file and uploaded it to the accounting software
  3. Direct bank feeds: Bilateral agreements between specific banks and specific software vendors — only available for major banks and major software platforms

CDR replaces all three with a standard API that any accredited data recipient can use. The mechanics:

  1. The client logs into their bank's website or app and consents to sharing their data with a named accredited recipient (Basiq, in Reconlink's case)
  2. The bank's API sends transaction data directly to Basiq
  3. Basiq passes the data to Reconlink
  4. The bookkeeper sees transactions in their Reconlink dashboard — no CSV, no manual upload

The client controls which accounts are shared and can revoke consent at any time through their bank's website. The consent is time-limited (typically 90 days per consent) and must be renewed.


CDR coverage in 2026

The Australian Competition and Consumer Commission (ACCC) administers the CDR and publishes the register of accredited data recipients and the rollout schedule for data holders (the banks).

As of mid-2026, CDR coverage includes:

Tier 1 (fully compliant since 2020):

  • Commonwealth Bank (CBA)
  • ANZ
  • Westpac (including Bank of Melbourne, BankSA, St George)
  • National Australia Bank (NAB)

Tier 2 (joined 2021–2022):

  • Macquarie Bank
  • Bendigo and Adelaide Bank
  • Bank of Queensland (including Virgin Money Australia)
  • AMP Bank
  • ING Australia

Tier 3 and non-major ADIs (rolling in 2022–2024):

  • HSBC Australia
  • ME Bank
  • Suncorp Bank
  • Beyond Bank
  • Credit unions and mutual ADIs under the phased timeline

Still outside CDR or limited compliance:

  • Some smaller credit unions and mutual banks
  • Some neobanks and payment fintechs that are not Authorised Deposit-taking Institutions (ADIs)
  • Superannuation and investment accounts (CDR for finance beyond banking is still rolling out)

For bookkeepers with clients at institutions not yet on CDR, manual CSV/Excel/PDF import remains the fallback. Reconlink supports per-client email inbox import — the client forwards a statement to their unique inbox address and it auto-imports.


The Basiq layer: what it adds

Reconlink uses Basiq as its CDR data intermediary. Basiq is an accredited CDR data recipient and holds the consumer data access agreements required by the ACCC. Basiq's role:

Data aggregation: Basiq connects to the CDR APIs of multiple financial institutions through a single integration. Reconlink doesn't need to build and maintain individual integrations with 40+ banks — Basiq handles the normalisation and serves consistent data to Reconlink.

Refresh and enrichment: CDR data is refreshed on Basiq's schedule (typically daily for most institutions). Basiq also enriches raw transaction descriptions — normalising bank-channel prefixes and extracting vendor identifiers.

Consent management: The client consent flow (what a client sees when authorising bank data sharing) is managed through Basiq's consumer-facing portal, which presents the consent in clear language and records the client's authorisation.

Non-CDR fallback: For banks not yet on CDR, Basiq maintains legacy feed connections for some institutions while CDR rollout continues.


Client consent: what the bookkeeper needs to do

One friction point in the transition to CDR bank feeds is the consent requirement. Under CDR rules, the client must authorise the data sharing — the bookkeeper cannot authorise it on the client's behalf, even as an agent.

Reconlink's consent flow:

  1. The bookkeeper adds a bank account to the client's profile in Reconlink
  2. Reconlink generates a consent link that is sent to the client (via the Reconlink client portal or via email)
  3. The client clicks the link, logs into their bank's CDR portal, and approves the data sharing
  4. Transaction data begins flowing to Reconlink within minutes

For new clients, this step is part of the onboarding workflow. For existing clients migrating from CSV imports to CDR feeds, it's a one-off consent action that the bookkeeper can explain and facilitate.

Consent renewal: CDR consents expire after the period the client authorised (often 90 days). Reconlink will notify the bookkeeper when a consent is approaching expiry. Clients need to renew consent to maintain the feed — a minor friction point but one that most clients do without issue once they understand the purpose.


What CDR means for manual statement imports

CDR does not eliminate the need for manual statement imports — it reduces it. Even as CDR coverage grows, bookkeepers encounter accounts outside CDR:

  • Business credit cards from some providers
  • International bank accounts for clients with overseas revenue
  • Loan accounts not included in CDR banking scope
  • Payment processors (Stripe, Square, PayPal) that are not ADIs
  • Superannuation accounts (CDR for superannuation is in design, not deployed)

Reconlink supports three manual import formats alongside CDR feeds:

  • CSV (most banks, download and forward)
  • Excel (XLSX/XLS, for banks that export in Excel format)
  • PDF (Reconlink's PDF parser supports 12 bank statement templates, with NAB fully production-ready)

For clients with a mix of CDR and non-CDR accounts, the reconciliation workflow handles both in the same interface.


CDR and data security

One concern bookkeepers sometimes raise is whether CDR data sharing creates new security risks. The answer is broadly no — and in some respects CDR is more secure than prior methods.

Screen scraping required the client's actual login credentials to be held by the software provider. CDR replaces this with token-based authorisation — the software never sees the client's password.

CSV downloads introduce a file that can be intercepted in email or stored insecurely. CDR sends data directly via an encrypted API.

CDR accreditation requires data recipients to meet the ACCC's data security standards and undergo ongoing compliance monitoring. Basiq, as Reconlink's CDR intermediary, holds accredited data recipient status.

Client data in Reconlink is stored in Australian data centres (ap-southeast-2, Sydney) and subject to the Australian Privacy Act 1988. CDR rules impose additional data minimisation and consent withdrawal obligations on accredited recipients.


The future of CDR for bookkeepers

The ACCC's phased CDR roadmap extends beyond banking. Future phases will bring CDR to:

  • Superannuation data (in design as of mid-2026 — would allow automatic import of super fund transaction records)
  • Energy sector (already in early rollout — less directly relevant to bookkeeping)
  • Insurance and other financial products (planned for later CDR phases)

For bookkeepers, the most significant near-term development is CDR for credit accounts — business credit cards, trade finance facilities, and overdraft accounts. As these come online, the case for manual statement imports continues to shrink.

Practices that build CDR-first workflows now — connecting every client's bank accounts via Basiq rather than requesting CSV files — will benefit immediately as new institutions join the scheme, without any workflow changes required.


Frequently asked questions

Does the client have to reconnect every time CDR consent expires?

Yes, but Reconlink's notification system alerts the bookkeeper before expiry so the client can be prompted to renew. Most clients take under 5 minutes to renew consent through their bank's portal.

What if a client's bank isn't on CDR yet?

Use Reconlink's manual import. The client forwards their bank statement to their Reconlink inbox address (CSV, Excel, or PDF) and it auto-imports. The reconciliation workflow is identical to CDR-sourced transactions.

Can I access a client's bank feed without their consent?

No. CDR rules require explicit consumer consent. The bookkeeper cannot authorise data sharing on behalf of the client, even under an agent authority. The client must complete the consent flow themselves.

Is CDR only for personal accounts?

No. CDR includes both personal and business bank accounts. Business banking CDR implementations vary by institution — some banks rolled out business account access alongside personal; others staged business accounts later. Check the specific bank's CDR status with Basiq or the ACCC register.


This article was last reviewed on 27 May 2026. CDR coverage and requirements change as the ACCC's phased rollout continues. Confirm current bank coverage at cdr.gov.au. This is general guidance, not legal advice.
