With Citadel, the Australian startup Payble accelerated its path to CDR compliance.
Elliot Donazzan, CEO at Payble:
“By working with Citadel and their partners to complete the ADR application process faster than we could’ve by ourselves, we can focus on our core business instead of the accreditation process.”
Payble is a platform that uses open banking to identify consumers who can benefit from flexible payment options, such as installment plans or extensions, and avoid late fees.
Challenge: Achieving CDR accreditation
Since 2020, Consumer Data Right (CDR) and open banking have enabled consumers to opt-in to share their data with accredited businesses, creating a trustworthy and secure ecosystem.
But there is no simple method for a business to become an Accredited Data Recipient (ADR) through the Australian Competition and Consumer Commission (ACCC).
Payble’s business model relies heavily on open banking and requires CDR accreditation. But Payble didn’t have the time, knowledge or resources to acquire it.
Therefore, Payble approached Citadel, who worked with selected partners to create a compliant CDR platform.
Citadel collaborated with its ecosystem partners to achieve CDR accreditation for Payble. First, Citadel provided the audit-ready cloud infrastructure platform, meeting CDR standards in an automated and simplified way. Then the partners took over: DNX Solutions, an AWS Advanced Consulting Partner, for the delivery; AssuranceLab, an auditor partner and modern assurance firm, which provided accreditations for CDR and global standards; Astero, a cybersecurity company specializing in open banking and CDR, as governance partner; and Adatree, an independent software vendor (ISV) partner, which provided a proprietary AWS-built CDR Platform for Data Recipients.
How Citadel supports immediate CDR
Since its inception, Payble has been running on the Amazon Web Services (AWS) cloud, using a range of AWS services to support its application environment.
As an AWS-built platform applying the AWS Well-Architected Framework, Citadel fit seamlessly into Payble’s existing environment. First, Citadel built and deployed a compliant and secure cloud infrastructure against the CDR standard, with an automated Infrastructure-as-Code (IaC) and DevSecOps pipeline, giving Payble's team more control over their systems. After onboarding, Citadel's five stacks were deployed automatically: Audit, Baseline, Identity, Network, and Platform.
These stacks build a compliant and secure cloud infrastructure that can be easily accessed later for the auditing process, as they meet the CDR accreditation guidelines, covering topics such as security, boundaries of the CDR data environment, information security capability, controls assessment, security controls, and others. In addition, Citadel provided Payble with customized auditing support, offering automated compliance capabilities.
Within 2 weeks, Payble saw the following:
- Highly secure and segregated accounts built with a dedicated Audit account, enabling the auditing team access while maintaining integrity
- Integration and management of AWS accounts through the Citadel platform
- Adaptability and scalability due to the platform's use of 100% Infrastructure-as-Code (IaC), a modular approach, and dedicated CI/CD for infrastructure
- A ready-to-go environment allowing future customers to deploy or build new applications, regardless of the stack, app blueprint, software language, or Continuous Integration and Continuous Delivery (CI/CD) services
- Fine-grained access control leveraging principles such as least-privilege permissions, a role-based model, and temporary credentials
- A network set up using security best practices for VPC, with a secure, dedicated and isolated subnet for the database with access restrictions
- Automated and centralized security checks and alerts, monitoring for anomalous or malicious activity, tracking user activity and API use, and analysis and visualization of security data.
Audit-Ready CDR Environment in 4 Weeks
As a startup, speed is crucial to Payble. Compliance timeframes usually range between 12 and 18 months; however, through the solution offered by Citadel and its partners, Payble had an audit-ready environment, and a completed audit carried out by AssuranceLab, within just 4 weeks.
ADR application documentation was provided 6 months faster than the industry average. Payble utilized ADR Accelerator, a template-based solution that provides business readiness documentation for a company’s ADR application up to six months faster than the normal timeframe for accreditation.
Beyond accreditation, Payble now benefits from having a strong security and compliance foundation for its business, built by Citadel and based on AWS Well-Architected principles.
Dedicated focus and specialization
By combining the skills and expertise of each partner working on the solution, Payble eliminated the need to hire specialized staff to focus on compliance and auditing, allowing a single internal staff member to handle compliance-related issues.
Accreditation costs cut by 50%
Through the streamlined process of the CDR in a Box solution, Payble spent less than $90,000 on infrastructure, documentation and audit costs. This amount was half that of a solution that had previously been considered.
Maintain focus on core business
This holistic solution was delivered in its entirety while the internal Payble team remained focused on their core business. Minimal business disruption allows for the provision of quality service on a continuous basis, upholding Payble’s reputation.
Formal Consumer Data Right (CDR) accreditation achieved
In November 2021, Payble received accreditation as an unrestricted Data Recipient. It then quickly reached Active Status through Adatree’s platform. Payble is the first consumer payments app to receive CDR accreditation in Australia.