Governing AI Agents Before the Consumer Data Right Lets Them Act, practitioner guidance from TheAICommand
Regulatory analysis

Governing AI Agents Before the Consumer Data Right Lets Them Act

The Consumer Data Right is gaining write access. Once actions are designated, an accredited provider, or an AI agent behind it, could initiate payments and switch products on a consumer's instruction. The controls for agent-initiated actions are far cheaper to build now, before any money can move.

Last reviewed: 3 July 2026. Review cadence: monthly.

GRC content. Written for compliance, risk, and audit professionals in Australian financial services. General information. Not legal or compliance advice.

Quick answer

Australia's Consumer Data Right now has a legal framework for action initiation, write access that will let accredited providers, and AI agents behind them, make payments and switch products on a consumer's instruction. No actions are designated yet. Compliance teams should build agent controls now: inventory, propose versus authorise separation, action-level consent, immutable audit trails and named ownership.

AI is moving from advice to action.

For three years, AI in financial services has mostly recommended. It scored, ranked, flagged and drafted, and a person decided what to do with the output. That boundary is about to blur, and the place it blurs first in Australia is a regime most compliance teams still file under data sharing: the Consumer Data Right.

The Consumer Data Right, or CDR, is gaining write access. Until now it has been read-only. With a consumer's consent, an accredited provider could see their banking data. The next phase, called action initiation, lets an accredited provider act on that consumer's instruction. As Ashurst describes the reform, action initiation "allows a consumer to permit a service provider to initiate actions on their behalf", and the listed actions include initiating payments, opening or closing accounts, switching providers and submitting applications for products and loans. Read access let software see. Write access lets software do.

Put an autonomous AI agent on the end of that pipeline and you have a system that does not just suggest a better savings account. It opens it.

Figure: Read access let software see. Write access lets it act.

What the Consumer Data Right is becoming

Action initiation became law through the Treasury Laws Amendment (Consumer Data Right) Act 2024, which received assent on 26 August 2024. The Act builds the legal scaffolding for a consumer to authorise a provider to initiate actions, with the government to designate which actions are switched on, and for which sectors, by later declaration and rules. The Assistant Treasurer's stated priority areas are borrowing decisions, energy switching and accounting services for small businesses.

Two things follow that matter for a compliance function. First, the actions are not live yet. The Act is in force, but no action has been designated, so nobody is initiating CDR payments today. That is exactly why now is the time to build controls, while there is no live exposure. Second, the perimeter is already widening on the read side. The CDR is expanding into open finance beyond the banks. On the rollout timetable published at cdr.gov.au, product data sharing obligations apply in the non-bank lenders sector from 13 July 2026, followed by consumer data sharing obligations from 9 November 2026 for initial providers and from 10 May 2027 for large providers. MinterEllison traces that timetable to the 3 March 2025 amendments to the Competition and Consumer (Consumer Data Right) Rules. More data holders, more accredited recipients, more pipes, and the action layer waiting behind them.

The Australian Competition and Consumer Commission accredits data recipients and monitors compliance with the CDR rules and standards, and consumers' identity is verified in the consent flow, including by a one-time password. This is a tightly governed regime, which is the point. When action initiation arrives, the rails an agent would drive are already wrapped in accreditation, consent and standards. The open question is whether your AI governance reaches into them.

Where AI agents change the picture

The reason this is a 2026 problem and not a 2028 one is that the AI has caught up with the rails. Agentic AI, which can chain steps and take actions through tools rather than only producing text, is exactly the technology that would sit on a write-access pipeline. And the conduct regulator has noticed.

In its Key issues outlook 2026, published on 27 January 2026, ASIC wrote that while agentic AI can help people shop around, "it can also compound risk given its capability to independently plan and act". It added that consumers increasingly face risks from "automated decisions, AI-driven interactions, and scams amplified by technology". Read those statements next to the CDR action-initiation reform and the supervisory direction is not subtle. A regulator already uneasy about AI that can plan and act is looking at a regime that is about to let accredited software act on a consumer's money.

Picture the practice. A consumer gives a money-management app a standing instruction to keep their savings in the best available account. Today the app reads balances and suggests a switch. Under action initiation, an agent inside it could detect a better rate, open the new account, move the balance and close the old one, without the consumer touching it again. Useful, and within consent. Also a sequence of regulated actions no human reviewed at the moment they happened.

There is a clean line here, and compliance has to hold it. An AI that recommends is a familiar control problem. You govern the model, the data and the human who acts on the output. An AI that executes is a different problem, because the human who would catch the error may no longer be in the loop by default. The shift from recommend to execute is the shift that changes your control framework.

Figure: The control problem changes the moment AI stops advising and starts acting.

What this means for compliance functions

The temptation is to wait: the actions are not designated, so why build controls yet? Because the gap ASIC has documented is a governance gap, not a technology gap. In REP 798, its 2024 review of AI governance, ASIC looked at 624 AI use cases across 23 licensees and found that the maturity of governance and risk management "does not always align with the nature and scale" of licensees' AI use. That was for AI that mostly advised. The bar rises sharply for AI that acts.

A function that waits until designation will retrofit controls onto a live payment rail under time pressure. A function that starts now designs them into the operating model before any money can move. The work is not exotic. It is the discipline you already apply to delegations and payment authorities, extended to a non-human actor.

There is also a nearer-term reason to start. The read-side expansion is not waiting. More of your customers' data, and more third-party connections to it, come inside the perimeter from 13 July 2026. Every new accredited connection is a relationship to govern under the CDR rules, and a potential future action surface. Treat the expansion as the dress rehearsal for the action layer, and build the inventory and consent discipline on the read side, where the stakes are lower.

Two regulators sit over this. The ACCC accredits CDR participants and enforces the CDR rules, while ASIC governs the conduct and licensing of the financial-services activity wrapped around them. An AI agent initiating a regulated action touches both, which means your control evidence has to satisfy both lenses, not one.

Five controls to build before the actions are designated

Figure: An agent may propose. A human or a logged, consent-bound control authorises.
  1. Inventory where an agent could act, not just see. Map every current and planned use of the CDR in your business, and mark which touchpoints are read-only and which would become action-capable when initiation is switched on. You cannot govern an actor you have not located.
  2. Separate propose from authorise. Decide, as policy, that an AI agent may assemble and propose an action but may not be the thing that authorises it. The trigger for anything that moves money or changes a product sits with a human, or with a hard-coded, consent-bound, logged control with explicit thresholds. It is the single most important design decision, and the cheapest to make before the rail is live.
  3. Capture consent and purpose at the action, not just the connection. A standing consent to share data is not a consent to act. Build a record that ties each initiated action to a specific, current consent and a defined purpose, so you can show the action was authorised and bounded, not inferred from a broad permission given months earlier.
  4. Keep an immutable audit trail of who instructed what. For every action, log whether the instruction originated from a human or an agent, which agent, on what data, against which consent. When an agent acts, "the system did it" is not an answer a regulator will accept. The audit trail is what turns an autonomous action into an accountable one.
  5. Name an accountable owner for the agent. Someone has to own the agent's behaviour, its authority limits and its failures, the way a person owns a payments function. Anonymous automation is unaccountable automation.
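Controls 2, 3 and 4 above are an architecture as much as a policy, so here is the propose, consent, authorise, act, log chain as a minimal authorisation gate. This is an added example written for this page; it is not code from TheAICommand, from the CDR standards or from any accredited provider. The action type `switch_savings`, the $5,000 automated threshold, the `agent-7` and `auto-control` identifiers, the consent records and the proposals are all constructed for the demo, and the consent layout (a `scope` of `connection` or `action`, plus the action types it names) is an assumption, not the CDR consent model.

```python
"""Propose / consent / authorise / act / log gate for agent-initiated CDR actions.
Added illustration only, not code from the page or from any CDR implementation;
every identifier, threshold and consent layout here is an assumption for the demo."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 7, 3, tzinfo=timezone.utc)  # fixed clock: assumption, keeps the demo deterministic
# Hypothetical authority rule: a logged automated control may authorise a savings
# switch up to this AUD amount; anything larger escalates to a human.
AUTO_LIMIT_AUD = {"switch_savings": 5000.0}

@dataclass(frozen=True)
class Consent:
    ref: str
    scope: str            # "connection" (share data only) or "action"
    actions: frozenset    # action types the consent names, e.g. {"switch_savings"}
    expires: datetime

@dataclass(frozen=True)
class Proposal:
    action: str
    amount_aud: float
    origin: str           # "human" or "agent"
    agent_id: Optional[str]
    consent_ref: str
    data_basis: tuple     # data items the proposer relied on

class AuditLog:
    """Append-only, hash-chained record of every decision on every proposal (control 4)."""
    def __init__(self):
        self.entries, self._prev = [], "0" * 64
    @staticmethod
    def _digest(prev, fields):
        body = json.dumps(fields, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()
    def append(self, **fields):
        digest = self._digest(self._prev, fields)
        self.entries.append({"prev": self._prev, "hash": digest, **fields})
        self._prev = digest
    def verify(self):
        """True only if no entry was altered, removed or reordered after writing."""
        prev = "0" * 64
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != self._digest(prev, fields):
                return False
            prev = e["hash"]
        return True

class Gate:
    """Control 2: an agent may propose; only a human or a bounded, logged control authorises."""
    def __init__(self, consents, log):
        self.consents, self.log = consents, log
    def decide(self, p, authoriser, now=NOW):
        """Return 'act', 'escalate' or 'reject'; every path, including rejections, is logged."""
        outcome, reason = self._check(p, authoriser, now)
        self.log.append(ts=now, action=p.action, amount_aud=p.amount_aud, origin=p.origin,
                        agent_id=p.agent_id, consent_ref=p.consent_ref, authoriser=authoriser,
                        data_basis=list(p.data_basis), outcome=outcome, reason=reason)
        return outcome
    def _check(self, p, authoriser, now):
        if p.origin == "agent" and authoriser == p.agent_id:
            return "reject", "agent attempted to authorise its own proposal"
        c = self.consents.get(p.consent_ref)  # control 3: a specific, current, action-level consent
        if c is None:
            return "reject", "no consent on record"
        if c.expires <= now:
            return "reject", "consent expired"
        if c.scope != "action" or p.action not in c.actions:
            return "reject", "consent is connection-level or does not name this action"
        if authoriser == "human":
            return "act", "human authorised within a current consent"
        limit = AUTO_LIMIT_AUD.get(p.action)
        if limit is None or p.amount_aud > limit:
            return "escalate", "outside automated authority; routed to a human"
        return "act", "automated control authorised within threshold"

def demo():
    """Constructed proposals exercising each path; returns (outcomes, log)."""
    consents = {  # constructed consent records, not real CDR consent data
        "C-1": Consent("C-1", "connection", frozenset(), NOW + timedelta(days=90)),
        "C-2": Consent("C-2", "action", frozenset({"switch_savings"}), NOW + timedelta(days=90)),
        "C-3": Consent("C-3", "action", frozenset({"switch_savings"}), NOW - timedelta(days=1)),
    }
    log = AuditLog()
    gate = Gate(consents, log)
    basis = ("balance:12000", "current_rate:4.1", "offer_rate:5.0")
    def agent(amount, ref):
        return Proposal("switch_savings", amount, "agent", "agent-7", ref, basis)
    outcomes = [
        gate.decide(agent(3000.0, "C-2"), "agent-7"),       # agent self-authorising
        gate.decide(agent(3000.0, "C-1"), "auto-control"),  # connection-level consent only
        gate.decide(agent(3000.0, "C-3"), "auto-control"),  # expired consent
        gate.decide(agent(3000.0, "C-2"), "auto-control"),  # within automated threshold
        gate.decide(agent(12000.0, "C-2"), "auto-control"), # over threshold, escalates
        gate.decide(Proposal("switch_savings", 12000.0, "human", None, "C-2", basis), "human"),
    ]
    return outcomes, log
```

`demo()` returns the six outcomes (reject, reject, reject, act, escalate, act) and the log. Two design points carry the weight: the gate refuses when the authoriser is the proposing agent before it looks at anything else, so no consent or threshold can talk it out of that rule, and the rejections are logged with the same fields as the successes, which is what lets you show a regulator not only what an agent did but what it tried to do. Editing any stored entry after the fact breaks `verify()`, the property an audit trail needs if "the system did it" is ever going to be answered with a record rather than a shrug.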

A worked example: mapping the action surface

The inventory is the easiest control to start, and a task an AI assistant genuinely speeds up. Here is how it runs end to end at a de-identified mid-sized lender, call it [ORGANISATION].

The situation. [ORGANISATION] is a non-bank lender that comes inside the CDR perimeter with the July 2026 expansion. Its compliance analyst holds a register of nine systems and third-party integrations that touch product or customer data. Nobody has marked which could become action surfaces.

The prompt. The analyst pastes the register list, stripped of any customer data, into ChatGPT, Claude or an equivalent assistant:

Prompt
You are assisting a compliance officer at an Australian financial services organisation preparing for action initiation, the write-access phase of the Consumer Data Right.

Here is our register of products, apps and third-party integrations that touch CDR data or are planned to: [PASTE_REGISTER_LIST].

For each item, produce an inventory entry with:
1. Whether it is read-only today, or could become action-capable when action initiation is designated (payments, switches, account opening or closing, product applications).
2. The consent type it appears to rely on, and whether that consent would cover an initiated action.
3. Whether an AI or automated component sits anywhere in the flow, and whether it recommends or could execute.
4. A draft risk rating of low, medium or high, with one sentence of reasoning.

Format the output as a plain list I can paste into a controls register. Where the register entry lacks the information to classify, say so and list the missing detail rather than guessing. Do not include or infer any customer data.

What came back. A classified inventory in about a minute: six items read-only, two future action-capable (the budgeting-app partnership with its standing consents, and a broker platform that submits loan applications), and one flagged unclassifiable because the register entry did not describe the data flow. Each carried a draft risk rating and a one-line rationale.

What the human verified and decided. The analyst checked both action-capable items against contracts and integration architecture. One correction: the model had classed a direct-debit gateway as a CDR touchpoint when it runs on separate rails outside the regime, so it came off the inventory with a file note. One confirmation with a consequence: the budgeting partnership's consents were connection-level, not action-level, so a remediation item went on the register. The finished inventory was filed under the analyst's name, with the model's draft kept as a working paper.

That is the shape of every defensible AI-assisted compliance task. The model does the assembling, the human does the verifying, and the record shows both.

Draft the policy before the rail goes live

The second control worth starting now is the policy position that an agent never holds the trigger. Writing it down early is most of what makes designation day uneventful. A drafting prompt for your next policy cycle:

Prompt
You are helping the compliance team at an Australian financial services organisation draft a policy section titled Agent authority for Consumer Data Right actions.

Context: under CDR action initiation, an accredited provider may initiate payments, switches and account changes on a consumer's instruction. Our position is that an AI agent may assemble and propose an action but may never authorise it. Authorisation sits with a human, or with a hard-coded, consent-bound, logged control with explicit thresholds.

Draft the policy section with:
1. Definitions of propose, authorise, act and log as separate control stages.
2. The authority rule for [ACTION_TYPE, for example a savings account switch], including worked threshold examples using [CURRENCY_LIMIT].
3. The records that must exist for every initiated action: the originating instruction and whether it came from a human or an agent, the agent identifier, the data relied on, the consent reference and the timestamp.
4. An escalation path for when an agent proposes an action outside its authority.

Keep it under 600 words in plain Australian English, and mark every assumption for legal review. This is a drafting aid only; the accountable policy owner approves the final text.

Treat the output as a first draft for legal review, never as the policy. The decision it encodes is the one your risk committee needs to make on the record, while the stakes are still hypothetical.

Do this Monday

  1. Export the register. Pull every product, app and third-party integration that touches CDR data today or is planned to. If no such register exists, that absence is Monday's finding.
  2. Run the inventory prompt. Paste the list, with no customer data, into ChatGPT, Claude or equivalent using the prompt above, and save the raw output as a working paper.
  3. Verify every classification against contracts and architecture documents, and correct the misses. The verified version goes into the controls register, not the model's draft.
  4. Test one consent chain. Ask the consent-record owner whether your CDR consents are connection-level or action-level, and log the gap if they are connection-level.
  5. Take propose versus authorise to committee. Put a one-page paper to your next risk committee proposing that an agent may propose but never authorise, attaching the drafting prompt output.
  6. Name an owner. For any AI or automated component in the inventory, nominate a draft accountable owner and record their authority limits, even provisionally.
  7. Diarise the designation watch. Set a quarterly check of cdr.gov.au and Treasury announcements for any declaration of action types.

The evidence file to build

When internal audit, a regulator or a designation consultation asks what you have in place for agent-initiated actions, this is the file that answers:

  • An inventory of every CDR touchpoint, marked read-only or action-capable, with a named reviewer and review date
  • A committee-approved policy separating propose from authorise, with explicit thresholds for any automated trigger
  • Consent records that tie each future action type to a specific, current consent and purpose, not just a connection
  • An audit-trail design capturing the originating instruction, human or agent, the agent identifier, the data relied on and the consent reference
  • A named accountable owner for each agent or automated component, with documented authority limits
  • An escalation path for out-of-authority proposals, tested at least on paper
  • A quarterly designation watch covering cdr.gov.au and Treasury announcements
  • A readiness note for the 13 July 2026 non-bank lender expansion, if it touches your perimeter

The line that has to hold

Strip away the acronyms and the governance question is simple. An AI agent can be genuinely useful inside the CDR. It can watch a consumer's accounts, find a better product, prepare the switch and present it. Every one of those is propose. The moment it crosses into execute on a regulated action, a human judgement has to have authorised the class of action, a current consent has to cover it, a log has to record it, and a named person has to own it. AI can do the assembling. Accountability does not transfer to the model. A logged, consent-bound control can stand in for the click, but it cannot stand in for the person who answers when an action goes wrong.

The reforms are not asking compliance teams to slow innovation. They are asking them to decide, while the stakes are still hypothetical, where the human stays in the loop and where the trigger lives. Make those decisions now, write them into the AI governance framework and the CDR control set, and the day action initiation is designated becomes a configuration change rather than a crisis.

Content disclaimer: This article is for general educational and informational purposes only. It does not constitute legal advice, regulatory guidance, or a substitute for professional compliance judgement. Regulatory obligations vary by entity type, licence, and circumstance. Always refer to primary source guidance from the ACCC, ASIC, Treasury, or the relevant regulatory authority.

Primary sources

  • Treasury Laws Amendment (Consumer Data Right) Act 2024 (Cth), No. 75, 2024. Federal Register of Legislation, C2024A00075. https://www.legislation.gov.au/C2024A00075/asmade
  • Treasury, Consumer Data Right rollout: non-bank lenders sector (cdr.gov.au). https://www.cdr.gov.au/rollout/cdr-non-bank-lenders-sector
  • ASIC, Key issues outlook 2026, 27 January 2026. https://www.asic.gov.au/about-asic/news-centre/news-items/key-issues-outlook-2026/
  • ASIC, REP 798 Beware the gap: Governance arrangements in the face of AI innovation, 29 October 2024. https://www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-798-beware-the-gap-governance-arrangements-in-the-face-of-ai-innovation/
  • ACCC, The Consumer Data Right (banking and finance). https://www.accc.gov.au/by-industry/banking-and-finance/the-consumer-data-right
  • Ashurst, Action initiation under Australia's Consumer Data Right becomes law. https://www.ashurstperkinscoie.com/en/insights/action-initiation-under-australia-consumer-data-right-becomes-law/
  • MinterEllison, Consumer Data Right: Open finance expansion (timetable per the 3 March 2025 amendments to the Competition and Consumer (Consumer Data Right) Rules). https://www.minterellison.com/articles/consumer-data-right-open-finance-expansion


Frequently asked questions

What is action initiation under the Consumer Data Right?
Action initiation, sometimes called write access, lets a consumer authorise an accredited provider to initiate actions on their behalf, such as making payments, switching providers, opening or closing accounts and submitting product applications. It became law through the Treasury Laws Amendment (Consumer Data Right) Act 2024, but individual action types must still be designated by the government before anyone can use them.
Can an AI agent initiate CDR payments today?
No. The Act is in force but no action type has been designated, so no provider, human or AI, is initiating payments or switches through the CDR yet. That gap is the opportunity. Compliance teams can design the authorisation, consent and audit controls for agent-initiated actions before any money can move, rather than retrofitting them onto a live rail under time pressure.
Who regulates AI agents acting under the Consumer Data Right?
Two regulators share the field. The ACCC accredits CDR data recipients and monitors compliance with the CDR rules and standards, while ASIC governs the conduct and licensing of the financial services activity wrapped around them. An AI agent initiating a regulated action touches both, so control evidence needs to satisfy both lenses. ASIC has also flagged agentic AI as a key 2026 supervisory concern.
What controls should compliance teams build before actions are designated?
Five. An inventory of every CDR touchpoint marked read-only or action-capable. A policy separating propose from authorise so an agent never holds the trigger. Consent captured at the action, not just the connection. An immutable audit trail recording whether a human or an agent instructed each action. And a named accountable owner for every agent, with documented authority limits.
When does the CDR expand beyond banking?
The read side is widening now. Under the CDR rules, product data sharing obligations apply to non-bank lenders from 13 July 2026, with consumer data sharing from 9 November 2026 for initial providers and 10 May 2027 for large providers. Every new accredited connection is a potential future action surface, which makes the expansion a useful dress rehearsal for the action layer.

Context

The CDR began in 2020 as open banking, a read-only right to move your data. Action initiation is the second act, turning the data right into something closer to the United Kingdom's payment-initiation model. The intent is mobility and competition. The consequence is a regulated rail an autonomous agent can drive.

AI angle

The reforms create the first regulated pipeline in Australian financial services where an AI agent could not just recommend a switch or payment but execute it on a consumer's standing instruction. The compliance task is to build the authorisation, consent and audit controls for agent-initiated actions before the actions are designated, not after.
