Finch CDR Policy


The FinchXP data intelligence platform processes datasets that are independently sourced and provided to us.

We are not a data aggregator and do not source customer data.

To support Open Banking Clients with compliant data enrichment services, we have outlined our CDR Policy below.

2. CDR Privacy Safeguards

a) Identifiable data

CDR Privacy Safeguards apply to CDR data where a CDR consumer can be “identifiable or reasonably identifiable”.

FinchXP does not require “identifiable or reasonably identifiable” data to provide enrichment services.

Instead, we leverage data intelligence to identify transactions using our proprietary database of over 1 million Australian merchants and 2 billion transactions.

b) Non-identifiable data or de-identified data

As such, the sharing of de-identified data is not subject to the same CDR compliance obligations and is not defined as an Outsourced Service Provider (OSP) arrangement.

In accordance with CDR Privacy Safeguards, de-identified data is permitted to be disclosed to any person under CDR Rule 7.5.1.e (see below)

  1. e) disclosing (by sale or otherwise), to any person, CDR data that has been de-identified in accordance with the CDR data de-identification process.

3. Sharing your data safely

All user, account, or transaction identification provided by the ADR must be de-identified prior to sending to Finch, in accordance with Rule 1.17 and Rule 7.5 (1) (e). For information regarding the required de-identified fields or the de-identification process, please contact us at

On occasion, Transfers may contain information in the transaction description (e.g. name or partial address of the intended recipient) that could be interpreted as data protected under the CDR privacy safeguards. To maintain CDR compliance, we do not support Transfers from ADR Customers.

4. Contact us

In case of any questions regarding this Policy, please contact us at