The Privacy Act 1988 (Cth) gives Australian individuals and, in some contexts, entities rights over their personal information. The Consumer Data Right (CDR) framework extends those rights into specific data domains. Trade credit has not historically been a focus of data portability regulation, but the principles of data ownership and consent are increasingly relevant to how lender networks design their applicant onboarding and data management processes.
The current data ownership problem
When an SME applies for trade credit from Lender A, the application data, including company details, director information, uploaded financial statements, signed guarantees, and consent records, is typically held by Lender A. It is their data, in their system, managed by their processes. If the applicant later applies to Lender B, whether for additional trade credit or because they are changing suppliers, they start entirely from scratch.
This model has a structural inefficiency: Lender B separately purchases bureau reports that Lender A already holds. The applicant separately re-enters information that Lender A already has. Two compliance checks are run on the same entity by two independent teams. From an economy-wide perspective, this duplication represents significant wasted resource, and from the applicant's perspective, significant wasted time.
The consent model is the foundation. Applicant data portability does not mean Lender B automatically gets access to Lender A's records. It means the applicant can authorise Lender B to receive a copy of their profile, covering the information they provided, the verification that was done, and the documents they uploaded, subject to explicit, recorded consent. Without consent from the applicant, nothing is shared.
What applicant-owned data means for lenders
For lenders in a network that supports applicant-owned profiles, the business benefit is significant. A returning applicant, meaning one who has previously applied to another seller node in the network, can re-apply with a pre-populated form. The credit officer reviewing the application sees a complete, verified profile rather than a blank form. The time-to-credit for returning applicants drops from days to hours.
The risk consideration is reciprocal: if the platform allows applicants to carry their profile out of the network to a competitor, lenders need to think about what proprietary analysis or credit judgment is embedded in that profile. The answer is: the applicant's own submitted data and the verified facts about their entity should be portable. The lender's internal risk assessment, credit notes, and approved limit are not part of the applicant's profile and do not travel with it.
Consent tracking and revocation
The operational backbone of applicant-owned data is a consent ledger: a systematic record of: what the applicant authorised, for which specific lender, for which specific searches and data uses, and when that consent was given or expires. Consent must be specific and informed. 'I consent to the provider running an Equifax commercial credit enquiry on my trading entity' is materially different from 'I consent to the provider using my data'.
Revocation must be equally straightforward. An applicant who withdraws consent for ongoing monitoring checks should be able to do so clearly, and the system should stop triggering bureau refreshes for that entity from the moment revocation is recorded. The revocation record itself must be preserved; removing it would itself be a privacy breach.
Key takeaway
Applicant-owned credit data is coming, whether the trade credit industry designs for it or not. The CDR framework, the Privacy Act's evolving interpretation, and growing applicant expectations are all pointing in the same direction. Lender networks that build their platforms with consent-first data architecture, where applicant data is explicitly authorised rather than assumed to be owned by the lender, will be positioned for that environment. Those that do not will face a more disruptive transition when regulatory pressure arrives.
