NZ to adopt ‘Australia-aligned’ data-sharing framework; Aus Treasury relaxes CDR rules


In a bid to strengthen “consumer control over their data”, the New Zealand Government has announced it has commenced work on legislation to establish a home-grown consumer data right (CDR) – a scheme that will largely be in alignment with Australia’s own data-sharing framework.

NZ’s Ministry of Business, Innovation and Employment (MBIE) said the proposed CDR scheme will empower Kiwi consumers “to securely share data that is held about them with trusted third parties, using standardised data formats and interfaces.”

Australia’s economy-wide CDR was introduced in 2019, starting with the banking sector (a phase known informally as ‘Open Banking’); it is currently being overseen by the Treasury, in co-regulation with the federal competition watchdog (ACCC) and information commissioner (OAIC).

Echoing Australia’s own CDR rollout, the NZ Government will also adopt a “sector-by-sector approach”, setting out relevant markets (e.g. banking, energy) in legislation to come. This process will also define the type of consumer and product data in question for each market, as well as the functionality enabled.

Work is currently underway to determine which sectors should be considered or designated first, said Minister of Commerce and Consumer Affairs, Dr David Clark, in a statement on Monday.

The MBIE further held that data recipients will need to be accredited, with a “range of information protection safeguards” introduced to uphold the security of data transfers, consumer privacy, and commercial confidentiality.

With consumer consent said to be a key part of the regime, the MBIE stressed that consent must be “express (i.e. through a clear opt-in), informed and time-limited”, where consumers are able to review and amend or withdraw consent at any time.

As in Australia, Kiwi consumers will be able to grant accredited third parties both ‘read’ and ‘write’ (that is, ‘action initiation’) access to their data.

“Action initiation will allow consumers to, for example, ask a third-party payment provider to action a bank funds transfer from the consumer’s bank account to a business’s bank account when paying for goods or services,” MBIE’s website explained.

In Australia, write access is expected to be enabled for third parties in early 2022 through the Mandated Payments Service (MPS).

Meanwhile, Minister Clark revealed his intention that the CDR work “hand-in-hand” with the Digital Identity Trust Framework announced earlier in the year, which sets out rules governing the delivery of digital identity services in New Zealand.

The NZ Government confirmed it would make a second round of detailed policy decisions on the CDR framework later in the year, with legislation to be introduced in 2022.

Before the Government decided to establish a Government-led CDR scheme, former Minister of Commerce and Consumer Affairs Kris Faafoi had, since 2018, been actively engaged with New Zealand’s banking sector to advance an industry-led Open Banking initiative.

However, industry progress on the scheme was wanting, according to Faafoi, who penned an open letter at the end of 2019 chiding New Zealand’s banks for dragging their feet on API-enabled data sharing.

Treasury expands ADR pathways

Meanwhile, Australia’s own Open Banking scheme hit its second major milestone last week, with the July 1 deadline passing for non-major authorised deposit-taking institutions (ADIs) to join the CDR as accredited data holders, alongside the big four banks.

However, a recent report by iTNews revealed that a significant number of tier two lenders have delayed their CDR participation, having been granted exemptions to push their entry into the scheme out until July 2022 or later.

To date, 16 active data holders are registered under the scheme, with the addition over the past two weeks of AMP Bank, Macquarie Bank, Suncorp, Citigroup, AMP, Judo Bank, Bendigo & Adelaide (and Up) Bank and Volt Bank.

In a bid to lower barriers to participation for businesses seeking to be data recipients, Treasury this week proposed three alternative entry pathways – a “sponsored accreditation model”, the “CDR representative model” and an “outsourced service providers” model.

The sponsored accreditation model will see accredited data recipients (ADRs) vouch for other parties as accredited “affiliates”; here, sponsors would undertake due diligence on affiliates (who must also conduct information security self-assessments) prior to making any binding arrangements.

The CDR representative model, meanwhile, would see an ADR make a deal with a “CDR representative” who could offer goods or services on behalf of the ADR, or themselves; this includes banking-as-a-service.

Finally, the outsourced service provider model allows ADRs to engage unaccredited third parties to collect CDR data on their behalf, thus removing the need to build and operate relevant APIs connecting to data holders.

Treasury said the proposed changes aim to “encourage greater uptake of the CDR by both participants and consumers while maintaining trust in the security and integrity of the CDR system.”

“The consumer benefits of the CDR are intrinsically linked to establishing a vibrant ecosystem of accredited data recipients (ADRs) and other participants,” it noted.

To date, just 13 ADRs are active in the Open Banking or CDR ecosystem, according to ACCC’s register.

Consultation on Treasury’s proposed changes, set out in draft legislation, remains open until 30 July.