AI is moving from advice to action.
For three years, AI in financial services has mostly recommended. It scored, ranked, flagged and drafted, and a person decided what to do with the output. That boundary is about to blur, and the place it blurs first in Australia is a regime most compliance teams still file under data sharing. The Consumer Data Right.
The Consumer Data Right, or CDR, is gaining write access. Until now it has been read-only. With a consumer's consent, an accredited provider could see their banking data. The next phase, called action initiation, lets an accredited provider act on that consumer's instruction. As Ashurst describes the reform, action initiation "allows a consumer to permit a service provider to initiate actions on their behalf", and the listed actions include initiating payments, opening or closing accounts, switching providers and submitting applications for products and loans. Read access let software see. Write access lets software do.
Put an autonomous AI agent on the end of that pipeline and you have a system that does not just suggest a better savings account. It opens it.

What the Consumer Data Right is becoming
Action initiation became law through the Treasury Laws Amendment (Consumer Data Right) Act 2024, which received assent on 26 August 2024. The Act builds the legal scaffolding for a consumer to authorise a provider to initiate actions, with the government to designate which actions are switched on, and for which sectors, by later declaration and rules. The Assistant Treasurer's stated priority areas are borrowing decisions, energy switching and accounting services for small businesses.
Two things follow that matter for a compliance function. First, the actions are not live yet. The Act is in force, but no action has been designated, so nobody is initiating CDR payments today. That is exactly why now is the time to build controls, with no live exposure. Second, the perimeter is already widening on the read side. The CDR is expanding into open finance beyond the banks. On the rollout published at cdr.gov.au, product data sharing obligations apply in the non-bank lenders sector from 13 July 2026, followed by consumer data sharing obligations from 9 November 2026 for initial providers and from 10 May 2027 for large providers. MinterEllison traces that timetable to the 3 March 2025 amendments to the Competition and Consumer (Consumer Data Right) Rules. More data holders, more accredited recipients, more pipes, and the action layer waiting behind them.
The Australian Competition and Consumer Commission accredits data recipients and monitors compliance with the CDR rules and standards, and consumers' identity is verified in the consent flow, including by a one-time password. This is a tightly governed regime, which is the point. When action initiation arrives, the rails an agent would drive are already wrapped in accreditation, consent and standards. The open question is whether your AI governance reaches into them.
Where AI agents change the picture
The reason this is a 2026 problem and not a 2028 one is that the AI has caught up with the rails. Agentic AI, which can chain steps and take actions through tools rather than only producing text, is exactly the technology that would sit on a write-access pipeline. And the conduct regulator has noticed.
In its Key issues outlook 2026, published on 27 January 2026, ASIC wrote that while agentic AI can help people shop around, "it can also compound risk given its capability to independently plan and act". It added that consumers increasingly face risks from "automated decisions, AI-driven interactions, and scams amplified by technology". Read those statements next to the CDR action-initiation reform and the supervisory direction is not subtle. A regulator already uneasy about AI that can plan and act is looking at a regime that is about to let accredited software act on a consumer's money.
Picture the practice. A consumer gives a money-management app a standing instruction to keep their savings in the best available account. Today the app reads balances and suggests a switch. Under action initiation, an agent inside it could detect a better rate, open the new account, move the balance and close the old one, without the consumer touching it again. Useful, and within consent. Also a sequence of regulated actions no human reviewed at the moment they happened.
There is a clean line here, and compliance has to hold it. An AI that recommends is a familiar control problem. You govern the model, the data and the human who acts on the output. An AI that executes is a different problem, because the human who would catch the error may no longer be in the loop by default. The shift from recommend to execute is the shift that changes your control framework.

What this means for compliance functions
The temptation is to wait: the actions are not designated, so why build controls yet? Because the gap ASIC has documented is a governance gap, not a technology gap. In REP 798, its 2024 review of AI governance, ASIC looked at 624 AI use cases across 23 licensees and found that the maturity of governance and risk management "does not always align with the nature and scale" of licensees' AI use. That was for AI that mostly advised. The bar rises sharply for AI that acts.
A function that waits until designation will retrofit controls onto a live payment rail under time pressure. A function that starts now designs them into the operating model before any money can move. The work is not exotic. It is the discipline you already apply to delegations and payment authorities, extended to a non-human actor.
There is also a nearer-term reason to start. The read-side expansion is not waiting. More of your customers' data, and more third-party connections to it, come inside the perimeter from 13 July 2026. Every new accredited connection is a relationship to govern under the CDR rules, and a potential future action surface. Treat the expansion as the dress rehearsal for the action layer, and build the inventory and consent discipline on the read side, where the stakes are lower.
Two regulators sit over this. The ACCC accredits CDR participants and enforces the CDR rules, while ASIC governs the conduct and licensing of the financial-services activity wrapped around them. An AI agent initiating a regulated action touches both, which means your control evidence has to satisfy both lenses, not one.
Five controls to build before the actions are designated

- Inventory where an agent could act, not just see. Map every current and planned use of the CDR in your business, and mark which touchpoints are read-only and which would become action-capable when initiation is switched on. You cannot govern an actor you have not located.
- Separate propose from authorise. Decide, as policy, that an AI agent may assemble and propose an action but may not be the thing that authorises it. The trigger for anything that moves money or changes a product sits with a human, or with a hard-coded, consent-bound, logged control with explicit thresholds. It is the single most important design decision, and the cheapest to make before the rail is live.
- Capture consent and purpose at the action, not just the connection. A standing consent to share data is not a consent to act. Build a record that ties each initiated action to a specific, current consent and a defined purpose, so you can show the action was authorised and bounded, not inferred from a broad permission given months earlier.
- Keep an immutable audit trail of who instructed what. For every action, log whether the instruction originated from a human or an agent, which agent, on what data, against which consent. When an agent acts, "the system did it" is not an answer a regulator will accept. The audit trail is what turns an autonomous action into an accountable one.
- Name an accountable owner for the agent. Someone has to own the agent's behaviour, its authority limits and its failures, the way a person owns a payments function. Anonymous automation is unaccountable automation.
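A sketch of the second, third and fourth controls working together, added here as an illustration and not drawn from the article's sources or from any CDR standard. The field names, the action and purpose labels and the AUTO_LIMIT threshold are assumptions, and the hash chain makes tampering with the log detectable rather than making the log immutable.

```python
import hashlib, json
from dataclasses import asdict, dataclass
from datetime import datetime

AUTO_LIMIT = 1000.00  # hypothetical threshold; above it a human must authorise

@dataclass(frozen=True)
class Consent:                # action-level consent; all field names are assumptions
    consent_id: str
    consumer_id: str
    action_types: frozenset   # actions consented to, distinct from data sharing
    purpose: str
    expires: datetime

@dataclass(frozen=True)
class Proposal:               # what an agent or a human asks the gate to do
    originator: str           # "agent" or "human"
    originator_id: str
    consumer_id: str
    action_type: str
    purpose: str
    amount: float
    consent_id: str

def decide(p, consents, now):  # the only place a proposal becomes an authorised action
    c = consents.get(p.consent_id)
    if c is None or c.consumer_id != p.consumer_id or now >= c.expires:
        return "deny", "no current consent for this consumer"
    if p.action_type not in c.action_types or p.purpose != c.purpose:
        return "deny", "consent does not cover this action and purpose"
    if p.originator == "agent" and p.amount > AUTO_LIMIT:
        return "escalate", "above automated threshold"
    return "authorise", "within consent and threshold"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_audit(log, p, decision, reason, now):  # each record commits to the previous one
    body = {"ts": now.isoformat(), "proposal": asdict(p), "decision": decision,
            "reason": reason, "prev": log[-1]["hash"] if log else "0" * 64}
    log.append({**body, "hash": _digest(body)})

def verify_chain(log):  # False if a record was altered or the chain is broken
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Denied and escalated proposals are logged as well as authorised ones, so the trail shows what the agent attempted and not only what went through.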
A worked example: mapping the action surface
The inventory is the easiest control to start, and a task an AI assistant genuinely speeds up. Here is how it runs end to end at a de-identified mid-sized lender, call it [ORGANISATION].
The situation. [ORGANISATION] is a non-bank lender that comes inside the CDR perimeter with the July 2026 expansion. Its compliance analyst holds a register of nine systems and third-party integrations that touch product or customer data. Nobody has marked which could become action surfaces.
The prompt. The analyst pastes the register list, stripped of any customer data, into ChatGPT, Claude or an equivalent assistant:
What came back. A classified inventory in about a minute: seven items read-only, two future action-capable (the budgeting-app partnership with its standing consents, and a broker platform that submits loan applications), and one flagged unclassifiable because the register entry did not describe the data flow. Each carried a draft risk rating and a one-line rationale.
What the human verified and decided. The analyst checked both action-capable items against contracts and integration architecture. One correction: the model had classed a direct-debit gateway as a CDR touchpoint when it runs on separate rails outside the regime, so it came off the inventory with a file note. One confirmation with a consequence: the budgeting partnership's consents were connection-level, not action-level, so a remediation item went on the register. The finished inventory was filed under the analyst's name, with the model's draft kept as a working paper.
That is the shape of every defensible AI-assisted compliance task. The model does the assembling, the human does the verifying, and the record shows both.
Draft the policy before the rail goes live
The second control worth starting now is the policy position that an agent never holds the trigger. Writing it down early is most of what makes designation day uneventful. A drafting prompt for your next policy cycle:
Treat the output as a first draft for legal review, never as the policy. The decision it encodes is the one your risk committee needs to make on the record, while the stakes are still hypothetical.
Do this Monday
- Export the register. Pull every product, app and third-party integration that touches CDR data today or is planned to. If no such register exists, that absence is Monday's finding.
- Run the inventory prompt. Paste the list, with no customer data, into ChatGPT, Claude or equivalent using the prompt above, and save the raw output as a working paper.
- Verify every classification against contracts and architecture documents, and correct the misses. The verified version goes into the controls register, not the model's draft.
- Test one consent chain. Ask the consent-record owner whether your CDR consents are connection-level or action-level, and log the gap if they are connection-level.
- Take propose versus authorise to committee. Put a one-page paper to your next risk committee proposing that an agent may propose but never authorise, attaching the drafting prompt output.
- Name an owner. For any AI or automated component in the inventory, nominate a draft accountable owner and record their authority limits, even provisionally.
- Diarise the designation watch. Set a quarterly check of cdr.gov.au and Treasury announcements for any declaration of action types.
The evidence file to build
When internal audit, a regulator or a designation consultation asks what you have in place for agent-initiated actions, this is the file that answers:
- An inventory of every CDR touchpoint, marked read-only or action-capable, with a named reviewer and review date
- A committee-approved policy separating propose from authorise, with explicit thresholds for any automated trigger
- Consent records that tie each future action type to a specific, current consent and purpose, not just a connection
- An audit-trail design capturing the originating instruction, human or agent, the agent identifier, the data relied on and the consent reference
- A named accountable owner for each agent or automated component, with documented authority limits
- An escalation path for out-of-authority proposals, tested at least on paper
- A quarterly designation watch covering cdr.gov.au and Treasury announcements
- A readiness note for the 13 July 2026 non-bank lender expansion, if it touches your perimeter
The line that has to hold
Strip away the acronyms and the governance question is simple. An AI agent can be genuinely useful inside the CDR. It can watch a consumer's accounts, find a better product, prepare the switch and present it. Every one of those is propose. The moment it crosses into execute on a regulated action, a human judgement has to have authorised the class of action, a current consent has to cover it, a log has to record it, and a named person has to own it. AI can do the assembling. Accountability does not transfer to the model. A logged, consent-bound control can stand in for the click, but it cannot stand in for the person who answers when an action goes wrong.
The reforms are not asking compliance teams to slow innovation. They are asking them to decide, while the stakes are still hypothetical, where the human stays in the loop and where the trigger lives. Make those decisions now, write them into the AI governance framework and the CDR control set, and the day action initiation is designated becomes a configuration change rather than a crisis.
Content disclaimer: This article is for general educational and informational purposes only. It does not constitute legal advice, regulatory guidance, or a substitute for professional compliance judgement. Regulatory obligations vary by entity type, licence, and circumstance. Always refer to primary source guidance from the ACCC, ASIC, Treasury, or the relevant regulatory authority.
Primary sources
- Treasury Laws Amendment (Consumer Data Right) Act 2024 (Cth), No. 75, 2024. Federal Register of Legislation, C2024A00075. https://www.legislation.gov.au/C2024A00075/asmade
- Treasury, Consumer Data Right rollout: non-bank lenders sector (cdr.gov.au). https://www.cdr.gov.au/rollout/cdr-non-bank-lenders-sector
- ASIC, Key issues outlook 2026, 27 January 2026. https://www.asic.gov.au/about-asic/news-centre/news-items/key-issues-outlook-2026/
- ASIC, REP 798 Beware the gap: Governance arrangements in the face of AI innovation, 29 October 2024. https://www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-798-beware-the-gap-governance-arrangements-in-the-face-of-ai-innovation/
- ACCC, The Consumer Data Right (banking and finance). https://www.accc.gov.au/by-industry/banking-and-finance/the-consumer-data-right
- Ashurst, Action initiation under Australia's Consumer Data Right becomes law. https://www.ashurstperkinscoie.com/en/insights/action-initiation-under-australia-consumer-data-right-becomes-law/
- MinterEllison, Consumer Data Right: Open finance expansion (timetable per the 3 March 2025 amendments to the Competition and Consumer (Consumer Data Right) Rules). https://www.minterellison.com/articles/consumer-data-right-open-finance-expansion



