New Zealand’s long-awaited consumer data right (CDR) legislation is still at the draft stage, whereas other jurisdictions are already a long way down the implementation track. Despite demand for CDR, New Zealanders might still have to wait a few more years before they too can enjoy open access to their own, valuable data.
To recap, CDR is data portability, which when enacted, will give consumers the rights to the vast amounts of information businesses and other organisations hold on them. Legislation to ensure customers have the right to their own data underpins important financial innovation like Open Banking.
Australia already has CDR, with the European Union having the General Data Protection and Regulation (GDPR) that Brexited Britain is looking at following; California introduced data portability early on, in 2018, with the Consumer Privacy Act (CCPA).
The Ministry of Business, Innovation and Employment (MBIE) says "customer data holds enormous value and opportunity," and management consultants McKinsey estimates economies that implement CDR look set to benefit to the equivalent of 1% to 5% of their GDP by 2030.
New Zealand however is taking the slow road to CDR, aiming to get the complex legislation right from the get-go, learning from the experience of for example Australia and the UK, co-founder of open finance infrastructure provider Akahu, Josh Daniell, said.
Nevertheless, the progress on CDR has undeniably been slow since 2017 when the concept was first mooted. Daniell points to the banks not exactly racing to deliver on CDR and open banking.
"They did a good job of saying that the industry will deliver it, so there's no need for regulator involvement," Daniell said.
He is concerned that while the draft legislation looks good, there’s still a risk of spanners in the works.
"One issue with the proposed CDR framework is that MBIE may delegate authority to Payments NZ, which is owned and funded by the banks, to continue the development of open banking standards."
"That would result in similar delays and bank-friendly rules that we've seen over the last seven years."
Daniell is guessing that next year, the high-level legislation will be enacted. This might be followed in 2025 by lower-level regulations to be finalised for the banking sector.
Initial deadlines for bank compliance with requirements should appear in 2026, Daniell expects, although the big four banks might do it sooner as they’ve committed to delivering a basic payments and data application programming interface (API) by next year that developers can use.
"It's important to note that CDR is likely to roll out in phases - that's how it's happening in Australia. So the day one functionality won't cater for all use cases," Daniell said.
Daniell hopes that the legislation will be designed so that existing activity and providers can migrate to the new framework from day one, instead of having a sluggish start the first few years while issues are being ironed out, which is what happened in jurisdictions that have already implemented data portability.
Compelling benefits to CDR
Will it be worth the wait? Daniell is upbeat about NZ’s proposed CDR law.
"MBIE has done an excellent job with the draft legislation. They've avoided many of the issues with initial versions of open banking regulation in the UK and Australia," Daniell said.
"Specifically, they rely on the Privacy Act to govern the use of data, and see the new legislation as a way to govern the ability for customers to share data."
“That's the correct distinction to draw, and makes it far easier to use the new regulated system,” he added.
Some of the benefits that Daniell expects to see from CDR include bank payments becoming more competitive against card transactions. This will lower the cost of payments across the economy, Daniell said.
Furthermore, consumers having the rights to access and share their data will make it easier for them to compare and switch to better services.
This will enable consumers to leverage their financial data, for example in budgeting tools or when applying for loans, Daniell said.
Data portability requires holders of the information to store it in a structured format for sharing. Access to data will need to be standardised and secure, so that customers don’t need to hand over for example their internet banking login credentials, with providers storing them which is a major security risk should a data breach take place.
How this will look is yet to be determined.
"There are no technical implementation details yet. I expect that they'll get the legislative framework enacted before publishing any draft details about the rules for the banking sector," Daniell said.
A clear liability regime will also be part of the CDR legislation, with accreditation of providers, and security posture requirements, Daniell pointed out.
This will be an improvement on today’s protections, which Daniell described as "messier" and which can make it difficult for consumers to raise disputes and get appropriate resolution for them.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.