The draft Bill sets out significant new rights for consumers and small businesses to control access to their data. The proposed CDR regime will initially focus on the banking sector, and is likely to facilitate the growth in third party fintechs offering services to banking customers, including budgeting tools, comparison services, and customised financial insights. It will be extended to other sectors in due course, which the Government notes “may include the energy, finance, insurance, and health sectors”.
Significantly, the draft Bill proposes “action initiation” – allowing authorised third parties to make decisions on behalf of customers. For example, fintechs could be authorised to initiate customer payments, or change a customer’s online profile, with the customer’s prior consent.
In this article, Bell Gully’s Consumer, Regulatory and Compliance (CRC) team explain the key features of the draft Bill and the implications for sectors likely to be designated.
Overview of the CDR regime
The introduction of the much-anticipated draft Bill follows an initial consultation in 2020 and a series of detailed policy decisions in 2021. For further details of the background to the CDR regime, please see our previous article here.
In brief, the CDR is intended to create a statutory right for consumers and small businesses to require entities holding their data such as banks (“data holders”) to share that information with accredited third party services such as product comparison websites (“accredited requestors”).
Under the proposed CDR regime:
- Data holders within a designated sector will be required to put in place systems and processes that enable customer data to be shared in a standardised, machine-readable format via APIs, to facilitate the transfer of that data to accredited requestors. The first designated sector will be the banking sector, but the CDR will also be extended in due course to other sectors, likely to include telecommunications, energy, insurance, and health.
- Accredited requestors would be required to meet various criteria for the purposes of accreditation, including ensuring that directors and senior managers meet ‘fit and proper’ person standards (consistent with those under financial services legislation), detailed security requirements, and potential new insurance obligations.
The draft Bill provides that it is intended to “realise the value of certain data for the benefit of individuals and society” and to “promote competition and innovation for the long-term benefit of customers”.
Key points from the draft Bill
- Structure: The draft Bill establishes an overarching high-level framework applying across the economy, which will then be supplemented by “designation regulations”, applying the CDR regime to specific sectors, categories of product data, and actions. The draft Bill provides, as an example, that regulations may designate: banks as “data holders”; transaction records as “designated customer data”; home loan interest rates as “designated product data”; and payments or opening new accounts as “designated actions.”
- Scope: The draft Bill applies to data about “customers,” which includes any person (whether an individual or a business) that acquires goods or services from a data holder. The draft Bill does not exhaustively define what customer data is subject to the CDR regime, although it provides that customer data will include personal information within the meaning of the Privacy Act. Notably, the discussion paper accompanying the draft Bill explains that “derived data” is intended to be subject to the CDR regime. We expect that may prove a contentious issue. In Australia, a similar proposal was criticised by the Australian Banking Association on the basis that it may compromise data holders’ proprietary insights (i.e. data enriched by the institution using its own internal models or other IP).
- Action initiation: The CDR regime will allow certain classes of accredited requestors (subject to “more stringent requirements”) to take steps and make decisions on the customer’s behalf, if directed to do so by the customer. This is referred to as “action initiation” or “write access” (as opposed to “read access” which would simply allow customers to view data across multiple accounts). The Government considers that action initiation, which is also expected to be implemented in Australia later this year under the equivalent CDR regime, will have various benefits, e.g., facilitating applications for new products or services, or enabling new payment methods.
- Designated Sectors: Under the proposed law, the Government can designate specific industry sectors to which the proposed CDR regime will apply. In announcing the draft Bill, the Government confirmed that the banking sector will be the “first cab off the rank”. This reflects growing interest in open banking, and is expected to enable new applications and services (e.g. processes for assessing affordability for credit applications, budgeting tools, or comparison services). Positively, the discussion document indicates that the design of technical standards for data holders in designated sectors will build on existing industry-led initiatives (such as standards developed by the Payments NZ API Centre). Based on the 2020 consultation, it appears likely that either the telecommunications or the electricity sector will be the next sector designated in due course.
- Privacy safeguards: The discussion paper proposes that additional privacy safeguards will be needed to ensure the protection of customer data transferred to accredited requestors (e.g. security standards, and robust consent procedures) which will be set out in regulations. The draft Bill also provides that regulations may specify a maximum duration for customer consents (after which all consents must expire) and the paper invites feedback on what maximum durations should apply before updated consents are required.
- Multiple regulators: The discussion paper proposes a multiple-regulator model, as in Australia. The paper confirms that MBIE will be responsible for standard setting, accrediting requestors, and promoting the use and uptake of regulated data services (and also for compliance and enforcement functions). Where breaches relate to personal information, the Privacy Commissioner and Human Rights Review Tribunal will also have a compliance and enforcement remit under the Privacy Act.
- Enforcement consequences: The Bill proposes four main tiers of enforcement consequences with differing penalties depending on the seriousness of the breach. At the lower end, fines of up to NZ$50,000 apply for technical contraventions (e.g. a failure to maintain transaction records). The most serious cases carry penalties of up to NZ$5 million (or, if greater, either three times the value of any commercial gain, or 10% of the turnover in the period in which the breach occurred if commercial gain cannot be ascertained). This is reserved for egregious contraventions where the conduct occurs recklessly, knowingly, or intentionally (e.g. where a party fraudulently holds itself out as being an accredited recipient).
The CDR has potentially profound implications for customer behaviour within designated sectors. We expect that many businesses will be interested in participating in the consultation (particularly within the banking, energy, telecommunications, insurance, and health sectors, as well as fintechs and other prospective “accredited requestors”) to assist in shaping a framework that safeguards consumer rights while suitably accounting for industry needs and operational considerations.
Submissions are due by Monday, 24 July 2023. The Government will then aim to finalise the consultation and introduce the Bill to the House of Representatives by the end of 2023.
Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team are closely monitoring the development of the CDR regime. If you would like further details on the proposed changes, or assistance in making submissions, please get in touch with the authors or your usual Bell Gully adviser.