  • Anna Fitzgerald

Ready, Set, Action Initiation - which CDR regime will get there first: AU or NZ?

Australia implemented a consumer data right (CDR) regime in 2019 and New Zealand is in the process of developing one - for essentially the same reasons. By enabling consumers to have the right to ‘own’ and share their financial data securely with accredited companies, the Government hopes to increase competition and innovation through the development of new products and services that will create more choice and value for consumers.

What is Action Initiation?

Significantly, the CDR regime in New Zealand will cover both data sharing and action initiation, whereas in Australia the CDR was originally data sharing only.

Action Initiation is a game changer: consumers and small businesses will be able to safely and conveniently instruct accredited third parties to initiate CDR‑powered actions with their consent and on their behalf. Essentially, it provides a pathway for removing the everyday friction and tedious manual administration that takes up so much of a person’s life. It also forces providers to innovate further to ensure they're delivering the very best products for their customers, or risk losing them to those who will. The types of actions could include:

  • making a payment;

  • opening and closing an account;

  • switching providers; and

  • updating personal details (such as an address).

Action Initiation will be a critical pivot for the CDR regimes in either country and presents significant new opportunities for providers. The industries where consumers can potentially secure the most value from new products and services are banking, financial services, energy and telecommunications, hence these are the initial focus in both countries.

Progress in New Zealand

In June 2021, the NZ Office of the Minister of Commerce and Consumer Affairs released a cabinet paper proposing the establishment of a NZ CDR similar to the Australian consumer data right: a high-level framework that would apply across the entire economy, that is turned on for particular sectors as they are designated through new legislation.

Following a cabinet paper released in mid-2022, the NZ Ministry of Business Innovation and Employment (MBIE) released an exposure draft of the Customer and Product Data Bill (CDR Bill) and sought feedback on whether the proposed drafting is practically workable and achieves its policy intent. Submissions closed on 24 July 2023 and a total of 54 were received. The CDR Bill confirms the proposed NZ CDR regime will be broadly similar to that of Australia.

The Government went into a lockdown period during the NZ General Election and subsequent negotiations for Government, meaning work is only now able to resume on reviewing the submissions and finalising the legislation.

Progress in Australia

In 2020 the Australian Government first floated the idea of Action Initiation which would enable fintechs and other service providers to instruct accredited organisations to action requests on behalf of a consumer. Draft enabling legislation has passed the lower house and is currently before a senate committee that was expected to report by early May 2023.

Treasury and the Data Standards Body (DSB) also hosted a Payment Initiation Workshop, which saw 90 members from the CDR community and 30 attendees from the ACCC, DSB, Office of the Australian Information Commissioner (OAIC) and Treasury log in to discuss and understand prospective use cases.

Treasury is currently weighing industry concerns about current CDR data quality, the implications of other ongoing developments in financial services regulation (including the New Payments Platform), and the potential cybersecurity implications of action initiation.

Sector approach

One of the key similarities between the Australian and New Zealand regimes is their application to the banking industry first, which means banks and financial services providers operating in both countries should be able to leverage learnings from the Australian CDR into the NZ context. The NZ CDR will also be rolled out on a sector-by-sector basis to designated industries. Other sectors that may be designated include insurance, financial services, electricity and gas, health, telecommunications and loyalty schemes.

However, there are some notable differences, which may be subject to change, especially as the NZ CDR continues to be developed.


This means that the NZ CDR will provide the ability for third parties who wish to participate in the CDR to be accredited for either read-only access and/or action initiation. In Australia, third parties who wish to collect, use and disclose CDR data must be accredited and the legislation doesn’t yet contemplate action initiation.

In Australia, third parties can participate via alternative means such as representative arrangements, sponsorship arrangements, CDR insights etc. The NZ CDR Bill does not include alternative methods.


Also significant is that the NZ CDR Bill does not require reciprocity. In Australia, accredited providers may be subject to reciprocal data holder obligations (i.e. they may be required to share particular CDR data in accordance with the obligations of a data holder). This reciprocity requirement is one of the key motivators for an organisation to consider how and when to become part of the regime.


In Australia, bespoke CDR Privacy Safeguards apply to personal information within the CDR Regime, and the Australian Privacy Principles (APPs) as set out in the Privacy Act 1988 (Cth) otherwise apply. This creates a complicated set of obligations for organisations to adhere to. In New Zealand, the existing Privacy Act 2020 (NZ) protections will apply to personal information within the CDR Regime.

Oversight and Enforcement

In Australia, the Treasury is responsible for rule development, the Australian Competition and Consumer Commission (ACCC) is responsible for administration and enforcement, the Office of the Australian Information Commissioner (OAIC) is responsible for privacy-related matters, and the Data Standards Body (DSB) is responsible for sharing standards.

There is a tiered enforcement model, with breaches of the Privacy Safeguards attracting penalties up to the greater of AUD$10 million or 3 times the value of the benefit or 10% of the adjusted turnover in the preceding 12-month period (if the benefit can’t be ascertained).

In New Zealand, the Ministry of Business Innovation and Employment (MBIE) is responsible for administration, the Commerce Commission is responsible for enforcement, and the Office of the Privacy Commissioner (OPC) is responsible for any consumer redress function and privacy-related matters.

There is also a tiered enforcement model, with the most serious breaches attracting penalties of up to the greater of NZD $5 million or 3 times the value of the commercial gain or 10% of the turnover in the period (if commercial gain can’t be ascertained).

Considerations for providers

The banking sector will be the first designated, so we advise providers in this space to start thinking about getting ready. This is an opportunity to win new customers by using consumer data to develop innovative new products and services. Rest assured, if you don’t, others will - and you could end up months, if not years, behind in terms of your ability to receive or hold consumer financial data. In this scenario you’ll be fighting to hold onto your customers instead of building market share and customer loyalty.

Wych can help you navigate these uncertain waters. We have extensive experience in the Australian regime and we’re supporting many clients to best take advantage of the CDR. Let us know if we can help you too.

