Based in Australia, Payble helps businesses increase their revenue by offering their customers flexible payment options as required. The Payble platform uses open banking to identify consumers who would benefit from flexible payment options and engages them with installment plans or payment extensions.
Navigating the Journey to CDR Compliance
When Australian lawmakers signed the Consumer Data Right (CDR) initiative into law in 2020, financial services firms across the country became eligible for open banking, the practice of giving consumers access to and control over their banking data. However, to receive customer open banking data, banks and other institutions needed to become accredited as a Data Recipient (ADR) by the Australian Competition and Consumer Commission (ACCC) by implementing stringent privacy safeguards and rules to ensure secure protection and management of data. This path to CDR accreditation is complex and time-consuming.
It’s a challenge Payble knows all too well. The Australian fintech uses open banking technology to help customers prevent missed or late payments before they happen. CDR data is a critical component of Payble’s solution. “CDR is incredibly complex, and because it’s new in Australia, there’s no easy method to copy and implement,” says Elliott Donazzan, CEO of Payble. “In addition to specific requirements, there are nuances that don’t apply to the general regulations we’re accustomed to. Plus, a lot of work is required to build the right technology to support everything. CDR is not our core business, so we needed the right partners to help achieve accreditation.”
Collaborating with AWS Partners to Solve the CDR Challenge
Payble has been running on the Amazon Web Services (AWS) Cloud since the company’s inception, using a range of AWS services to support its application environment. Through its relationship with AWS, Payble was introduced to a group of AWS Partners that specialize in accelerating the financial technology industry’s CDR accreditation and technology solutions. This network of partners includes DNX Solutions, an AWS Advanced Consulting Partner; AssuranceLab, a modern assurance firm that provides accreditations for CDR and global standards; Astero, a cybersecurity company specializing in open banking and CDR; and Adatree, a proprietary, AWS-built CDR Platform for Data Recipients. “We had conversations with Adatree and began sharing engineering strategies,” says Helder Klemp, CEO of DNX. “After discussing with AWS about some of the other partners that we could work with, we decided to jointly develop a solution to help businesses become accredited.”
Developing CDR in a Box Solution
The partners created CDR in a Box, an AWS-based, compliant CDR platform. The modular platform is based on the AWS Well-Architected Framework and features core AWS security components including AWS Security Hub, Amazon GuardDuty, AWS Identity and Access Management (IAM), and AWS Key Management Service (KMS).
CDR in a Box includes the ADR Accelerator, a business solution jointly developed by Adatree and Astero. The template-based solution is designed to help enterprises accelerate their Accredited Data Recipient (ADR) application, a key part of CDR compliance. An accredited data recipient is a business that has been accredited by the ACCC to receive data from a data holder.
Adatree’s platform is built on AWS and runs on a range of AWS services.
Astero used its cybersecurity expertise to support CDR in a Box with security solutions including technical security documentation and controls assessment services required for accreditation. “CDR in a Box ensures customers follow a security and risk-first approach to compliance,” says Sandeep Kumar, CEO of Astero. “This starts by helping customers define the boundary and data flows of their CDR data environment, performing threat assessments, and implementing appropriate security controls.”
AssuranceLab contributed to CDR in a Box by using its accreditation expertise and skillset to build the required technical security documentation for CDR audits. “As a group, we brought four expert offerings together into one seamless solution for Payble,” says Paul Wenham, CEO of AssuranceLab. “By understanding each other’s approach, and working effectively together, it removed the guesswork and business disruption for Payble to focus on what they do best.”
Payble used the ADR Accelerator to provide the business readiness documentation for the company’s ADR application audit. DNX also supported Payble throughout the auditing process, offering automated compliance capabilities. The overall combined partner offering includes guidance and support specifically tailored to Payble’s business.
Building Audit-Ready CDR Environment in 4 Weeks
Because the AWS partners worked together to build a well-architected AWS solution for ADR applicants, Payble gained an audit-ready environment and a completed audit in four weeks. AssuranceLab carried out the audit in parallel with the implementation activities before the audit took place.
Payble also took advantage of ADR Accelerator to provide business readiness documentation for the company’s ADR application six months faster than the normal timeframe for accreditation. “The sentiment in the industry in Australia is that the CDR is too hard to get into because of cost and time commitments, but startups need it in order to provide something compelling to market,” Kumar says. “We’re trying to make CDR access simpler while still meeting all the compliance requirements.”
“As a startup, we need to move quickly and access the benefits of CDR compliance as fast as possible,” says Donazzan. “By working with AWS partners to complete the ADR application process faster than we could have by ourselves, we can focus on our core business instead of the accreditation process.” In addition to accreditation, Payble benefits from having a strong security and compliance foundation for its business, built by DNX based on AWS Well-Architected principles.
Eliminating the Need to Hire Specialized Staff
Payble reduced the need to hire specialized internal audit staff due to the AWS partners’ combined controls assessment, technology, documentation, and security services. “We only have one point person to work on compliance issues, and the AWS partner solution helped us avoid hiring more people to work on the accreditation process,” says Donazzan.
The solution has streamlined the engagement between Payble and compliance auditors. “Becoming CDR compliant is important, but startups don’t necessarily have the resources to hire a full-time security compliance person or expensive engineers,” says Kumar. “By using our solution’s automation, Payble did not have to begin with a blank sheet and try to understand CDR rules and create security policies. They could move quickly on the entire process.”
Cutting Accreditation Costs by 50%
Rather than investing time and money into hiring a specialized compliance professional, learning everything required for CDR, and preparing all the documentation, Payble streamlined the entire process via the CDR in a Box solution on AWS. “We were considering a compliance solution that would’ve cost twice as much as the AWS partner option,” says Donazzan. Overall, Payble spent less than $90,000 on infrastructure, documentation, and audit costs. “In the financial services industry, complete compliance solutions can cost many, many times more than that,” says Kumar.
As of November 2021, Payble received accreditation as an unrestricted Data Recipient. Weeks later, it reached Active Status through Adatree’s platform. This required passing technical conformance tests to ensure compliance with the rigorous technical standards. It is the only business in Australia to reach this status through an intermediary.
The four AWS partners are continuing to work alongside Payble. “Audits can be complex and painful, but as a team, we worked together to simplify the process,” says Kumar. “Our relationship with Payble will continue into the future.”
- Builds audit-ready CDR environment in 4 weeks
- Provides ADR application documentation 6 months faster than industry average
- Eliminates the need to hire specialized staff
- Reduces accreditation costs by 50 percent