Customer and Product Data Bill: a game-changer

Key elements

The draft Bill has three main elements:

• To improve customers’ access to and control of their own data;
• To standardise how data is exchanged, including a requirement that businesses ensure that any product information they provide can be automatically processed by a computer; and
• To ensure those who request data are accredited as trustworthy, competent and secure.

We look at each element in more detail below.

Customer consent settings

Data can be shared only where the customer has provided consent that is express and informed. The consent must be easily withdrawable at any time.

Suggested obligations on data holders and requestors include that:

• All parts of the consent process must be outlined in a clear and accessible way and customers must be informed that they can withdraw their consent at any time;
• Customers must have access to an easily accessible information platform (e.g., a dashboard) to view and end their consent, and this must be supported (the “boomer provision”?) by a simple, alternative method of communication – e.g., phone or email;
• Ending consent must not be harder than agreeing to consent; and
• If a request to withdraw consent is received, the customer must be advised of any and all consequences of that decision and be notified once the withdrawal has been actioned.

Many matters will be set in regulation and will be consulted on separately. Among these are:

• Whether there should be a maximum timeframe after which all consents will automatically expire. The Australian CDR law specifies 12 months. The UK open banking system stipulated a 90-day limit but changed this last year to require only a yes/no confirmation of consent every 90 days;
• Whether certain modifications of consent should be available – e.g., changing the expiry date; and
• Whether particular events should trigger a loss of authorisation/consent – e.g., when the customer closes an account or if an accredited requestor loses accreditation.

Standards

The creation of standardised safeguards, processes and penalties around the electronic exchange of customer data are important to public confidence. These are to be set by MBIE as part of the designation procedure and will be sector specific.

The intention in relation to the banking sector is to build on the work of the Payments NZ API Centre, discussed above.

The Bill provides only a high-level framework for setting regulation and standards, but MBIE must consult the Privacy Commissioner and those people or groups who will be substantially affected by them.

Trust/accreditation of requestors

Trust, competence, security and reliability will be critical because the draft Bill allows for “action initiation”, meaning that authorised third parties can make and activate decisions on behalf of customers.

An accreditation regime will be created to ensure that only trusted people with robust systems can make binding data or action requests. A two-tier structure is envisaged:

• Class One – requestors with this accreditation would be able to access, hold, view, change and use data, and
• Class Two - requestors with this accreditation would only be able to access, view and hold data.

The criteria for accreditation will be set by regulation and are likely to include: a fit and proper person test and an ability to demonstrate adequate information protection and security measures (which may require the applicant to pass a system security test or complete a self-report). They may also include appropriate business insurance.

When developing the regulations MBIE will seek to promote interoperability with other jurisdictions.

From here

The Government hopes to introduce legislation this year. It will be a bit of a squeeze to get a Bill in the House before Parliament rises for the 14 October elections but it is do-able and we do not think that a change of government would have much impact on the outcome anyway as the policy has bi-partisan support.

Separate opportunities for input are being promised at the regulation-setting stages and – of course – when the Bill goes to select committee.

Chapman Tripp comment

New Zealand is late to the party by international comparison with the Australian CDR Law passed on 1 August 2019.

However, significant work has been done by the industry-led API Centre.  Rather than replacing the work of the API Centre, the Bill is expected to provide the final piece of the open banking puzzle, mandating banks to commit the necessary resources to enabling customer consented access to their data and product information, while addressing the important customer consent issues at a regulatory level.

Creating a legislated CDR is no simple task. International experience has been littered with standards, supplements, delays and deferrals. New Zealand has the opportunity to learn from these course corrections – but to do so we must carefully consider what has worked overseas, what has not, and what a New Zealand-centric approach requires.

It will be important to get the regime right from the start because customer trust, once lost, may be hard to regain.

As we noted in our publication of April this year The banking industry – a look ahead, open banking will encourage further innovation and integration between banks and third parties, but it will also expose the banks to more competition, remove their data advantages, and require them to invest more in data protection mechanisms to address the increased privacy risks.