The Consumer Data Right and what it could mean for Aotearoa's data privacy
In 2018, The Reserve Bank declared 'an open mind on open banking'. Though it could be argued that such a statement positioned the Bank for the future of payment technologies, progress has been slow.
While the Bank attempted to get ahead of the game by addressing the possible benefits and challenges of adopting an open banking system, change, it seems, was at odds with the rapidly-evolving tech space. But legislation is starting to catch up, and the discussion about open banking is just one part of a broader discussion about open data sharing and what is called the Consumer Data Right.
The Consumer Data Right describes a new legislative framework set out by the New Zealand Government. This framework aims to help consumers share their data with trusted third parties. This requires a secure and common way of ensuring data is both machine-readable and accessible to third parties, such as trusted banking providers. A CDR will also work in conjunction with the Digital Identity Services Trust Framework, also in development.
In July 2021, Minister for the Digital Economy and Communications, David Clark, said that consumers need to control how their personal information is used with third parties. That is what the CDR is designed to achieve.
"Any data shared through the consumer data right will only take place with a person's informed consent, and would be strictly used for the reasons agreed upon. For example, if a person was seeking financial advice, they could ask their bank to share data, such as transaction information, with their chosen adviser," Clark noted.
"The businesses and services wishing to receive this data would also have to meet a number of safeguards to ensure the information could be handled safely and securely.
Why a CDR, and why now?
Australia first launched the CDR in November 2017 as a multi-year rollout plan. It also aims to ensure adults aged 18 and older can opt into sharing data with businesses and withdraw consent at any time. Australia's CDR was first applied to the banking sector in July 2020. The energy and telecommunications sectors are next in line.
Australia and New Zealand both recognise that banking - particularly the rise of open banking - is one of the major forces driving discussions CDRs.
A Payments NZ API Centre spokesperson says, "What's unfolding with open banking in Aotearoa will eventually go further than banking, wider into other areas of finance and other sectors like telco and energy—supported by the upcoming CDR.
"We believe the open data revolution and with consumers' interests at the forefront, we can only strengthen our country's economic prosperity and individual financial wellbeing.
A closer look at data privacy and security
When Minister David Clark declared in his 2021 speech that businesses using the CDR would need to ensure data safety and security, he did not specify what kinds of safeguards could be required.
However, what Clark was alluding to is the underlying principle that New Zealanders' data is protected and secured, no matter who is sharing the data and through what systems they use. It also means businesses must follow other privacy and security regulations, such as the Privacy Act 2020.
A spokesperson from the Ministry of Business, Innovation and Employment (MBIE) says, "Consumers can be assured that the protections and principles in the Privacy Act will apply to CDR data collection, storage, sharing and disposal. The CDR closely relates to Information Privacy Principle 6 – the right that people have to access and use their own information.
"The CDR regime will also have additional privacy protections built into it (for example, requiring that consumer consent be informed, express and time limited; having specific security requirements for accredited data recipients).
In 2020, The Ministry of Business, Innovation and Employment (MBIE) opened public feedback on the CDR concept. There were 59 submissions from individuals and organisations, including ASB, Equifax, Fidelity Life, Genesis, Google, Paymark, and technology companies such as Microsoft and Ping Identity. These Submissions were generally in support of the CDR; the diverse range of voices contributed to a wide breadth of suggestions and concerns.
A common concern is that a CDR cannot take a blanket approach to data sharing or security - it must be differentiated to suit every sector individually.
Spark, for example, also points to a ripple effect inherent to the CDR: Organisations such as retailers may share customer information with third parties; therefore, all of those third parties must also be able to use and protect data in line with the CDR.
Spark states in its submission, "We fully support the need for robust privacy and security requirements. We note that the way that such requirements are structured and implemented will significantly impact both compliance (and consumer privacy) outcomes and organisational compliance costs.
The Office of the Privacy Commission's submission also notes that the Privacy Act gives the Commissioner the power to issue compliance notices against organisations that are unable to uphold the Privacy Act. that any CDR framework would need to consider "security standards for transfer of consumer data and the role of the receiving organisation in verifying that the data has been received successfully". In other words, the OPC is concerned about how data is protected during the data sharing process and how the organisation that receives the data makes sure the data is legitimate.
A fundamental technical point of the CDR is the technical means for how data will be shared, displayed, shared, and protected. This is where an application programming interface (API) comes into play. Such an API would be used to connect organisations to each other, and the consumer.
The Payments NZ API Centre unpacks the privacy and security issues of API security:
"There are two broad aspects which make up an API standard. The security profile forms only one part of this picture. Much of the API Centre's standards focus on what action is being done, for example, initiating a payment or setting up a data sharing arrangement. The security profile of the API standards covers a different aspect – the how. It is a technical standard that sets out how the API Centre's Third Party Standards Users can technically use APIs to connect to banks. The security profile's purpose is to set out how banks can securely make APIs available when they connect with third parties. It is a technical safeguard to protect the consumer and the organisations involved."
The API Centre also notes that in terms of privacy, fraud and security, it is vital for consumers to know what they are consenting to, what information is being shared, who will get that data, and for what purpose it's being shared.
"Some of these customer consent issues are managed technically in the Centre's standards through the security profile. Other parts will be managed more through business rules. Overall, it adds up to the customer being well-informed and in control of their data at all times."
Why would people want to share their data?
In 2020, the API Centre conducted a survey that found 84% of New Zealanders are either unsure or uncomfortable with sharing banking data. These fears stem from issues such as cybercrime, distrust of third parties, unwanted data sharing, error accountability, and consumers would rather stay in control of their data.
The Payments NZ API Centre says, "The payments industry knows, based on the experiences of other, similar jurisdictions to Aotearoa, that consumer trust is an essential ingredient of successful open banking ecosystems.
"The more trust there is in the safety and security of the payment system, the more willing consumers will be to use open banking products and services and vice versa.
But there is one major challenge: ask any Kiwi what open banking means to them, and you'll quickly discover that public awareness of open banking remains reasonably low. This is because open banking is a regulatory and industry term that hasn't translated well into a more consumer-friendly concept. In the meantime, the Centre continues to work with the industry to develop high-trust open banking systems.
"Establishing and nurturing consumer and end user trust is at the core of all our activities, from the management of customer consent in the standards, through to ensuring that all our Standards Users apply the same customer safeguards and good practices through our API standards and supporting documentation."
What next's for the CDR?
MBIE expects the Government to address the Consumer Data Right this year by first deciding how it will be implemented. A Bill is also expected to be introduced to Parliament sometime this year.
"This will include decisions on which institutions have a role in implementation and developing rules and standards, and measures for enforcing the consumer data right. The Government will also consider which sectors should be assessed first for the potential application of the CDR," says MBIE.
Payments NZ concludes, "We're hoping with Aotearoa's CDR lessons will be taken from Australia and other jurisdictions to ensure ours is principles-based and simple. It is important to the industry that our resources and efforts made in developing a progressive, innovative, and trusted open banking ecosystem will help inform CDR developments and continue to play a core role in open banking and API standards development in Aotearoa.