Payble

Australian Startup Payble Accelerates Path to CDR Compliance by Collaborating with AWS Partners

2022

When Australian lawmakers signed the Consumer Data Right (CDR) initiative into law in 2020, financial services firms across the country became eligible for open banking—the practice of providing consumers access to and control over their banking data. However, to receive customer open banking data, banks and other institutions needed to be accredited as an Accredited Data Recipient (ADR) by the Australian Competition and Consumer Commission (ACCC). This involves implementing stringent privacy safeguards and rules to ensure secure protection and management of data.

The path to CDR accreditation is complex and time-consuming, a challenge Payble knows all too well. The Australian fintech’s mission is to end billxiety—the avoidable feeling of distress and anxiety caused by a bad billing or payment experience. Its innovative billing add-on helps businesses and local government offer their customers convenient, flexible payment options.

“The fact that CDR is relatively new in Australia means there's no easy method to copy and implement,” says Elliott Donazzan, co-founder and managing director of Payble. “In addition to specific requirements, there are nuances that don’t apply to the general regulations we’re accustomed to. Plus, a lot of work is required to build the right technology to support everything. CDR is not our core business, so we needed the right partners to help achieve accreditation.”


“Working with AWS partners allowed us to complete the ADR application ahead of schedule, meaning we could focus on our core business instead of the process to connect to the CDR.”

Elliott Donazzan
Co-Founder and Managing Director of Payble

Collaborating with AWS Partners to Solve the CDR Challenge

Payble has been running on the Amazon Web Services (AWS) Cloud since the company’s inception and uses a range of its services to support its application environment. Through this relationship, Payble was introduced to a network of AWS Partners that specialise in accelerating the financial technology industry’s CDR accreditation and technology solutions. This network includes DNX, a cloud technology consulting firm; AssuranceLab, a modern assurance firm providing accreditations for CDR and global standards; Astero, a cybersecurity company specialising in open banking and CDR; and Adatree, a proprietary, AWS-built CDR Platform for Data Recipients. Helder Klemp, CEO of DNX, says, “We had conversations with Adatree and began sharing engineering strategies. After discussing with AWS about some of the other partners that we could work with, we decided to jointly develop a solution to help businesses become accredited.”

Simplifying the CDR Process

The partners created “CDR in a Box”, a solution focused on helping companies become CDR compliant and an ADR. The solution includes a partner platform based on the AWS Well-Architected Framework and features core AWS security components including AWS Security Hub, Amazon GuardDuty, AWS Identity and Access Management (IAM), and AWS Key Management Service (KMS).

“CDR in a Box” includes the ADR Accelerator, a template-based business solution jointly developed by Adatree and Astero, designed to help enterprises accelerate their ADR application. Adatree offers a template pack for ADR readiness, focused on business applications required to become accredited. Adatree’s platform is also built on AWS and runs on a range of AWS services.

Astero used its cybersecurity expertise to support “CDR in a Box”, including technical security documentation and controls assessment services required for accreditation. “CDR in a Box ensures customers follow a security and risk-first approach to compliance,” says Sandeep Kumar, CEO of Astero. “This begins by helping customers define the boundaries and data flows of their CDR data environment, perform threat assessments, and implement appropriate security controls.”

AssuranceLab contributed to “CDR in a Box” by using its accreditation expertise and skillset to construct the required technical security documentation for CDR audits. “As a group, we combined four expert offerings into one seamless solution for Payble,” says Paul Wenham, CEO of AssuranceLab. “By understanding each other’s approach and working effectively together, it removed the guesswork and business disruption, allowing Payble to focus on what they do best.”

Payble used the ADR Accelerator to provide the business readiness documentation for the company’s ADR application audit. DNX also supported Payble throughout the auditing process, offering automated compliance capabilities. The overall combined partner offering includes guidance and support specifically tailored to Payble’s business.

Building an Audit-Ready CDR Environment in Four Weeks

By leveraging Adatree’s Industry Sandbox, and the well-architected solution jointly developed by the AWS partners, Payble developed an audit-ready environment in just four weeks. “The sentiment in the industry in Australia is that CDR is too difficult to get into due to cost and time commitments. But startups need it in order to provide something compelling to market,” Kumar says. “We’re trying to simplify CDR access while still meeting all compliance requirements.”

“As a startup, we need to move fast and access the benefits of CDR compliance as quickly as possible,” says Donazzan. “Working with AWS partners allowed us to complete the ADR application ahead of schedule, meaning we could focus on our core business instead of the process to connect to the CDR.” Alongside accreditation, Payble also benefits from having a robust security and compliance foundation for its business.

Eliminating the Need to Hire Specialised Staff

Payble reduced the need to hire specialised internal audit staff due to the AWS partners’ combined controls assessment, technology, documentation, and security services. “We only have one point person to work on compliance issues, and the AWS partner solution helped us avoid hiring more people to work on the accreditation process,” says Donazzan.

The solution has also streamlined engagement between Payble and compliance auditors. “Becoming CDR compliant is important, but startups don’t necessarily have the resources to hire a full-time security compliance person or expensive engineers,” says Kumar. “By using our solution’s automation capabilities, Payble didn’t have to start from scratch when trying to understand CDR rules and create security policies. Instead, they could move quickly and effectively on the entire process.”

Reducing Accreditation Costs by 50%

“CDR in a Box” on AWS allowed Payble to streamline the entire process, removed the need for a costly specialised hire, and prevented time-consuming excursions into constructing technology and preparing documentation. “We were considering a compliance solution that would’ve cost twice as much as the option provided by the AWS partners,” says Donazzan. Overall, Payble spent less than $90,000 on infrastructure, documentation, and audit costs. “In the financial services industry, complete compliance solutions can cost many times more than that,” says Kumar.

As of November 2021, Payble received accreditation as an Unrestricted Data Recipient. Weeks later, it achieved Active Status through Adatree’s platform. This makes Payble the first company in Australia to achieve this via an intermediary. Kumar concludes, “Audits can be complex and painful, but as a team we worked together to simplify the process. Our relationship with Payble will continue far into the future.”

To Learn More

 To learn more, visit aws.amazon.com/compliance.


About Payble

Payble offers an innovative billing add-on that improves customer satisfaction by helping businesses and local governments offer their customers friendly, flexible payment options when they want or need them.

Benefits of AWS

  • Builds audit-ready CDR environment in 4 weeks
  • Provides ADR application documentation 6 months faster than industry average
  • Provides turnkey SaaS technology to meet regulatory data needs
  • Eliminates the need to hire specialised staff
  • Reduces accreditation costs by 50 percent

AWS Services Used

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.


AWS Security Hub

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.


Amazon Relational Database Service

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud.


AWS Identity and Access Management

AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. 
