Australian startup Payble accelerated its path to CDR compliance with Citadel
September 16, 2022

About Payble

Payble helps businesses to avoid the costs associated with late fees by providing its customers with flexible payment alternatives. The platform uses open banking to identify consumers who would benefit from flexible payment options then engages them with instalment plans or payment extensions.

Challenge: Achieving CDR accreditation

Consumer Data Right (CDR) and open banking have enabled Australian Fintechs to launch their applications and serve their customers better since 2020. 

Because the regime is still new in Australia, there has been no simple method for companies aiming to become Accredited Data Recipients (ADRs) through the Australian Competition and Consumer Commission (ACCC).

Payble’s business model relies heavily on open banking, making CDR accreditation a must-have to operate.

Despite being vital to its operation, CDR was neither a priority nor a strength for Payble at the time, so having the right partners to help achieve accreditation was much needed.

Time was of the essence, making timely accreditation a key consideration for Payble as it engaged Citadel as its trusted partner.

The Solution

Collaborating with Ecosystem Partners to achieve CDR

Citadel works with a range of partners in order to deliver customised solutions. With Payble, selected partners created CDR in a Box, a compliant CDR platform in which all stages of the journey to becoming an ADR were taken care of.

Citadel provided the cloud infrastructure platform that meets CDR standards in an automated and simplified way, and worked together with four other partners to deliver the holistic solution:

  • Delivery Partner DNX Solutions, an AWS Advanced Consulting Partner.
  • Auditor Partner AssuranceLab, a modern assurance firm that provides accreditations for CDR and global standards.
  • Governance Partner Astero, a cybersecurity company specialising in open banking and CDR.
  • Independent Software Vendor (ISV) Partner Adatree, a proprietary, AWS-built CDR platform for Data Recipients.

How Citadel supports CDR in a Box Solution

Payble has been running on the Amazon Web Services (AWS) Cloud since its inception, using a range of AWS services to support its application environment. 

As an AWS-built platform applying the AWS Well-Architected Framework, Citadel fit seamlessly into Payble's existing environment. First, Citadel built and deployed a compliant and secure cloud infrastructure against the CDR standard using an automated Infrastructure-as-Code (IaC) and DevSecOps pipeline, giving Payble's team more control over their systems. After onboarding, Citadel's five stacks were deployed automatically: Audit, Baseline, Identity, Network, and Platform.

These stacks build a compliant and secure cloud infrastructure that can be easily accessed later for the auditing process, because they are designed against the CDR accreditation guidelines, covering topics such as security, the boundaries of the CDR data environment, information security capability, controls assessment, and security controls. In addition, Citadel provided Payble with customised auditing support, including automated compliance capabilities.

Within two weeks, Payble saw the following:

  • Highly secure and segregated accounts built with a dedicated Audit account, enabling the auditing team access while maintaining integrity.
  • Integration and management of AWS account/s through the Citadel platform.
  • Adaptability and scalability due to the platform's use of 100% Infrastructure-as-Code (IaC), a modular approach, and dedicated CI/CD for infrastructure.
  • A ready-to-go environment allowing future customers to deploy or build new applications, regardless of the stack, app blueprint, software language, or Continuous Integration and Continuous Delivery (CI/CD) services.
  • Fine-grained access control leveraging principles such as least-privilege permissions, role-based model, and temporary credentials.
  • Network set up using VPC security best practices, including a dedicated, isolated subnet for the database with access restrictions.
  • Automated and centralised security checks and alerts, monitoring for anomalous or malicious activity, tracking of user activity and API use, and analysis and visualisation of security data.
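Two of the controls in the list above, least-privilege permissions and an isolated database subnet, are the kind of thing an automated compliance check can verify before an auditor looks at the environment. The following is an added example written for this page, not Citadel's, Payble's or any partner's code, and it does not reflect how the Citadel stacks are actually implemented. It evaluates IAM policy documents (real AWS policy JSON shape) and a simplified, constructed representation of security-group ingress rules; the policy contents, the `APP_TIER_SG` name, the role ARN and the account id are all constructed sample values.

```python
"""Illustrative compliance checks for least-privilege IAM policies and an
isolated database subnet. Added example; not Citadel's or Payble's code.
All sample policies and security-group rules below are constructed."""
import json
from ipaddress import ip_network

# Constructed sample: an over-broad policy and a properly scoped one.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-audit-logs",
                      "arn:aws:s3:::example-audit-logs/*"]},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/example-read-only"},
    ],
}

# Constructed sample ingress rules: "source" is a CIDR or a security-group id.
DB_PORT = 5432
APP_TIER_SG = "sg-apptier-example"          # assumed name, constructed
OPEN_DB_RULES = [{"port": DB_PORT, "source": "0.0.0.0/0"}]
ISOLATED_DB_RULES = [{"port": DB_PORT, "source": APP_TIER_SG}]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return least-privilege findings for one IAM policy document.
    Flags full wildcard actions, service-wide wildcards (e.g. s3:*) and
    Allow statements whose Resource is '*'."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; not a finding here
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {idx}: service-wide wildcard {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {idx}: Resource '*' is not scoped")
    return findings


def db_ingress_findings(rules, db_port=DB_PORT, allowed_sources=(APP_TIER_SG,)):
    """Flag ingress on the database port from anything other than an approved
    security group. CIDR sources are reported even when private, so every
    network path to the database is visible to the reviewer."""
    findings = []
    for rule in rules:
        if rule["port"] != db_port or rule["source"] in allowed_sources:
            continue
        src = rule["source"]
        try:
            net = ip_network(src)
            scope = "the internet" if net.prefixlen == 0 else f"CIDR {src}"
        except ValueError:
            scope = f"security group {src}"  # unapproved group reference
        findings.append(f"port {db_port} reachable from {scope}")
    return findings


def run_checks(policies, db_rules):
    """Aggregate both checks into one report; empty lists mean compliant."""
    return {
        "iam": {name: policy_findings(p) for name, p in policies.items()},
        "db_ingress": db_ingress_findings(db_rules),
    }


if __name__ == "__main__":
    report = run_checks({"broad": BROAD_POLICY, "scoped": SCOPED_POLICY},
                        OPEN_DB_RULES)
    print(json.dumps(report, indent=2))
```

In a real pipeline the policy documents would come from the IaC templates or the account itself and the ingress rules from the VPC configuration; the check is deliberately strict so that any database path other than the application tier's security group is surfaced for review rather than silently accepted.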

“By working with Citadel and their partners to complete the ADR application process faster than we could’ve by ourselves, we can focus on our core business instead of the accreditation process.” Elliott Donazzan, CEO, Payble 


Audit-Ready CDR Environment in 4 Weeks 

As a startup, speed is crucial to Payble. Compliance timeframes usually range from 12 to 18 months; however, through the solution offered by Citadel and its partners, Payble had an audit-ready environment, and a completed audit carried out by AssuranceLab, within just 4 weeks.

ADR application documentation provided 6 months faster than the industry average

Payble utilised ADR Accelerator, a template-based solution that provides business readiness documentation for the company's ADR application up to six months faster than the normal timeframe for accreditation.

Compliant foundation

Beyond accreditation, Payble now benefits from having a strong security and compliance foundation for its business, built by Citadel and based on AWS Well-Architected principles.

Dedicated focus and specialisation

By combining the skills and expertise of each partner working on the solution, Payble eliminated the need to hire specialised staff to focus on compliance and auditing, allowing a single internal staff member to handle compliance-related issues.

Accreditation costs cut by 50%

Through the streamlined process of the CDR in a Box solution, Payble spent less than $90,000 on infrastructure, documentation and audit costs. This amount was half that of a solution that had previously been considered.

Maintain focus on core business 

This holistic solution was delivered in its entirety whilst the internal Payble team remained focused on their core business. Minimal business disruption allows for the provision of quality service on a continuous basis, upholding Payble’s reputation.

Formal Consumer Data Right (CDR) accreditation achieved

In November 2021, Payble received accreditation as an unrestricted Data Recipient. It then quickly reached Active Status through Adatree’s platform. Payble is the first consumer payments app to receive CDR accreditation in Australia.
