Banking the first sector to apply the newly enacted Consumer Data Right

The Consumer Data Right (CDR) is now the law of the land, after lengthy deliberation and debate. Scott Simpson, the Minister of Commerce and Consumer Affairs, envisages the CDR will be a "monumental step forward for Kiwi consumers," leading to greater competition and better choice.

“The days of manually searching the internet for the best electricity plan, or painstakingly going line by line through months of bank statements when applying for a mortgage, could soon be over. Using your own data shouldn’t be that difficult, and it won’t be in the future,” Simpson said after the CDR bill was passed into law.

What the CDR promises to do is to empower individuals and businesses to control access to their personal and organisational data held by service providers.

That data can then be securely shared with accredited third parties, making it easier and faster to switch providers. In theory, if consumers - and providers - embrace the CDR, we could enjoy enhanced choice, improved competition, and drive innovative new products and services.

Australia has had a CDR since 2019, covering the banking, telecommunications, energy and non-bank lending sectors, but other regions such as the European Union have also enacted data privacy, portability and personal information rights laws, along with the United Kingdom.

Now it's New Zealand's turn.

Banking is the first sector to comply with the CDR, and Simpson expects open banking to be fully operational by the end of the year, before the June 2026 target set by the Commerce Commission.

It might not be the entire banking sector, however. The big four banks will be designated as data holders under the CDR by December 1 this year, but Kiwibank has been given until June 2026 to comply.

Steve Wiggins, the chief executive of Payments NZ, which is owned by ANZ, ASB, BNZ, Citibank, HSBC, Kiwibank, TSB Bank and Westpac, welcomed the CDR going into law.

"Payments NZ strongly supports the objectives of this legislation, and the vision of a robust consumer data regime for Aotearoa New Zealand — one that enables innovation and competition while maintaining a strong focus on safety and security," Wiggins said.

If the organisation is to be believed, we're already moving ahead with open banking, even though CDR which is needed for the concept wasn't enacted until last week.

"As the operator of the API [application programming interface] Centre, Payments NZ has been leading the development of industry-led open banking in Aotearoa since 2019. In the past 18 months, we’ve seen meaningful growth in the use of open banking payments. Some of our standards users have shared that their transaction volumes are now tracking ahead of those seen in comparable markets such as Australia and the UK," Wiggins said.

Open banking technology provider Akahu co-founder Josh Daniell said the wait is finally over for his company, after being forced to operate in an unregulated environment for the past five years.

Daniell believes the regulation is well-designed, and that consumer adoption will be faster in New Zealand, compared to the UK and Australia.

"The open banking regulation introduces multiple benefits. The most important is that consumers will be able to use open banking-enabled services without needing to share their bank login credentials (banks will be required to provide purpose-built open banking APIs to enable this)," Daniell explained.

"Another benefit is that open banking-enabled services won’t need to negotiate a contract with each bank - instead, they’ll get accredited through the regime, and will then have a right to access bank APIs when a customer grants their consent," he added.

Akahu has provided unregulated open banking services to more than 60 government, corporate and fintech organisations for the past five years, Daniell said. It will now migrate as many of its customers as it can to the new regime.

Big end of the town law firm Bell Gully, meanwhile, said CDR data holders and third-party accredited requestors need to ensure they're familiar with the new law, with regulations and new standards being issued by December 1 this year.

This to maximise opportunities and to reduce the risks arising from the new regime, Bell Gully said.

Bell Gully warned implementing the CDR will "require substantial effort from both industry and regulators to establish an effective framework."

"As with any wholly new legislative framework (but particularly in this context given the significance and value of customer data), prospective data holders and accredited requestors will undoubtedly face a number of operational challenges and untested legal questions as they get to grips with the many details of the new Act," Belly Gully wrote.

Electricity is the next sector to be covered by the CDR, probably by 2026, with Simpson citing the comparison site Powerswitch that it is still difficult for consumers to swap providers, as not all retailers play ball and share information.

Mobile and broadband companies also got a serve from Simpson, who said the Commerce Commission found in a study that nearly a third of customers have not switched providers because it was simply too hard.