The Customer and Product Data Bill, now out for consultation as an exposure draft, is a potential game-changer, which will give consumers more choice and increase their ability easily to switch between providers.
It will be applied on an industry-specific basis through a designation process.
First up is the banking sector (where it will significantly advance the move toward open banking), with the energy, insurance, finance and health sectors flagged by the Ministry of Business, Innovation and Employment (MBIE) as likely future candidates.
Submissions close on 24 July 2023.
We provide an overview of the proposed Bill and identify the key features, with particular reference to the banks. It will be interesting to see whether the Commerce Commission will take into account the increased agency the legislation promises to provide to consumers as it conducts its market study into retail banking.
The release of the Bill is timely as it follows the publication of the API Centre’s Minimum Open Banking Implementation Plan, setting firm timeframes for New Zealand’s largest banks to standardise and ready their systems for open banking from May 2024. Some banks (notably, BNZ) are already forging ahead toward this goal.
Under the draft Bill, customers (including businesses) would be able to require their supplier (the bank) to share their customer information with an accredited requestor acting on the customer’s behalf in order to, for example:
- Compare products in real time and offer tailored advice or product recommendations;
- Manage accounts across different providers simultaneously; and
- Open new accounts and switch between providers seamlessly.
Key design issues
MBIE has posed the following key issues in the discussion document:
- What should the requirements be to ensure that consent to data exchange is express and informed?
- How might tikanga values make these rules stronger?
- How do we decide which customer and which product data to bring into the system?
- What should the process be for setting the more detailed rules about data exchange?
- How do we build on industry work to date, while ensuring that the standards work for all data holders and customers?
- Who can be accredited to connect to data holders?
We note that a successful Customer Data Right (CDR) will require high levels of technical standardisation, considerable resource, a robust approach to data security and high levels of consumer trust. The CDR design needs to provide certainty of scope, process and responsibility to data holders, accredited requestors and customers.
The draft Bill has three main elements:
- To improve customers’ access to and control of their own data;
- To standardise how data is exchanged, including a requirement that businesses ensure that any product information they provide can be automatically processed by a computer; and
- To ensure those who request data are accredited as trustworthy, competent and secure.
We look at each element in more detail below.
Customer consent settings
Data can be shared only where the customer has provided consent that is express and informed. The consent must be easily withdrawable at any time.
Suggested obligations on data holders and requestors include that:
- All parts of the consent process must be outlined in a clear and accessible way and customers must be informed that they can withdraw their consent at any time;
- Customers must have access to an easily accessible information platform (e.g., a dashboard) to view and end their consent, and this must be supported (the “boomer provision”?) by a simple, alternative method of communication – e.g., phone or email;
- Ending consent must not be harder than agreeing to consent; and
- If a request to withdraw consent is received, the customer must be advised of any and all consequences of that decision and be notified once the withdrawal has been actioned.
Many matters will be set in regulation and will be consulted on separately. Among these are:
- Whether there should be a maximum timeframe after which all consents will automatically expire. The Australian CDR law specifies 12 months. The UK open banking system stipulated a 90-day limit but changed this last year to require only a yes/no confirmation of consent every 90 days;
- Whether certain modifications of consent should be available – e.g., changing the expiry date; and
- Whether particular events should trigger a loss of authorisation/consent – e.g., when the customer closes an account or if an accredited requestor loses accreditation.
The creation of standardised safeguards, processes and penalties around the electronic exchange of customer data is important to public confidence. These are to be set by MBIE as part of the designation procedure and will be sector specific.
The intention in relation to the banking sector is to build on the work of the Payments NZ API Centre, discussed above.
The Bill provides only a high-level framework for setting regulation and standards, but MBIE must consult the Privacy Commissioner and those people or groups who will be substantially affected by them.
Trust/accreditation of requestors
Trust, competence, security and reliability will be critical because the draft Bill allows for “action initiation”, meaning that authorised third parties can make and activate decisions on behalf of customers.
An accreditation regime will be created to ensure that only trusted people with robust systems can make binding data or action requests. A two-tier structure is envisaged:
- Class One – requestors with this accreditation would be able to access, hold, view, change and use data, and
- Class Two – requestors with this accreditation would only be able to access, view and hold data.
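The consent settings described above and the two-tier accreditation structure can be expressed together as a small consent-lifecycle model. This is an added illustration, not code from the Bill, MBIE or the API Centre; the policy names, event names and operation names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class AccreditationClass(Enum):
    ONE = "class_one"  # may access, hold, view, change and use data
    TWO = "class_two"  # may only access, view and hold data

# Operations permitted per class, following the two-tier structure described above.
CLASS_RIGHTS = {
    AccreditationClass.ONE: {"access", "hold", "view", "change", "use"},
    AccreditationClass.TWO: {"access", "view", "hold"},
}
# Expiry options flagged for regulation: 12-month hard expiry (Australia) or 90-day re-confirmation (UK).
EXPIRY_POLICIES = {"au_12_months": timedelta(days=365), "uk_90_day_reconfirm": timedelta(days=90)}

@dataclass
class Consent:
    customer_id: str
    requestor_id: str
    requestor_class: AccreditationClass
    granted_on: date
    last_confirmed: date  # most recent yes/no confirmation; starts equal to granted_on
    withdrawn: bool = False

def grant_consent(customer_id, requestor_id, requestor_class, granted_on, express, informed):
    # Consent that is not both express and informed is not consent at all.
    if not (express and informed):
        raise ValueError("consent must be express and informed before data is shared")
    day = date.fromisoformat(granted_on)
    return Consent(customer_id, requestor_id, requestor_class, day, day)

def reconfirm(consent, today):  # customer answers the periodic yes/no prompt
    consent.last_confirmed = date.fromisoformat(today)

def is_active(consent, today, policy):
    if consent.withdrawn:  # withdrawal always wins, whatever the expiry policy
        return False
    anchor = consent.granted_on if policy == "au_12_months" else consent.last_confirmed
    return date.fromisoformat(today) - anchor <= EXPIRY_POLICIES[policy]

def apply_event(consent, event):  # returns True if consent has been ended
    # Customer withdrawal (one step, never harder than granting) plus the proposed trigger events.
    if event in {"customer_withdrew", "account_closed", "requestor_lost_accreditation"}:
        consent.withdrawn = True
    return consent.withdrawn

def authorise(consent, operation, today, policy):
    # Allowed only with active consent and within the requestor's class rights.
    return is_active(consent, today, policy) and operation in CLASS_RIGHTS[consent.requestor_class]
```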
The criteria for accreditation will be set by regulation and are likely to include: a fit and proper person test and an ability to demonstrate adequate information protection and security measures (which may require the applicant to pass a system security test or complete a self-report). They may also include appropriate business insurance.
When developing the regulations MBIE will seek to promote interoperability with other jurisdictions.
Additional safeguards are proposed for circumstances where the information is being used for research or statistical purposes, or sold or rented to third parties. Two options are offered.
Option One: making it a condition of accreditation that a requestor’s systems and policies ensure data and action initiation are used ethically, responsibly and appropriately. MBIE notes that for banks, this could be modelled on the fair conduct principle in the Financial Markets (Conduct of Institutions) Amendment Act 2022.
Option Two: A requirement on requestors and data holders to request and receive consent before a customer’s data is de-identified for statistical or research use.
Regulatory structure, penalty regime
MBIE will be the primary regulator, as it will be responsible for standard setting, the accreditation framework and the compliance and enforcement functions, but the Office of the Privacy Commissioner will also have a role where the Privacy Act is breached.
Proposed penalties are:
- Up to $50,000 for technical contraventions, and
- Up to $5m (or three times the value of any gain, or 10% of turnover during the period the breach occurred, whichever is the greater) for serious offences.
The Government hopes to introduce legislation this year. It will be a bit of a squeeze to get a Bill in the House before Parliament rises for the 14 October elections, but it is doable, and we do not think that a change of government would have much impact on the outcome anyway, as the policy has bi-partisan support.
Separate opportunities for input are being promised at the regulation-setting stages and – of course – when the Bill goes to select committee.
Chapman Tripp comment
New Zealand is late to the party by international comparison: the Australian CDR law was passed on 1 August 2019.
However, significant work has been done by the industry-led API Centre. Rather than replacing the work of the API Centre, the Bill is expected to provide the final piece of the open banking puzzle, mandating banks to commit the necessary resources to enabling customer consented access to their data and product information, while addressing the important customer consent issues at a regulatory level.
Creating a legislated CDR is no simple task. International experience has been littered with standards, supplements, delays and deferrals. New Zealand has the opportunity to learn from these course corrections – but to do so we must carefully consider what has worked overseas, what has not, and what a New Zealand-centric approach requires.
It will be important to get the regime right from the start because customer trust, once lost, may be hard to regain.
As we noted in our publication of April this year, “The banking industry – a look ahead”, open banking will encourage further innovation and integration between banks and third parties, but it will also expose the banks to more competition, remove their data advantages, and require them to invest more in data protection mechanisms to address the increased privacy risks.