Open banking has come a step closer with the introduction of the Customer and Product Data Bill to Parliament in May. But a full open banking system is still a long way down the track, with some experts saying it could take another five years to fully implement.

The bill proposes to create a consumer data right (CDR), liberating consumers’ data from banks, power companies, telcos and potentially other industries. It will set up an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses.

The idea is to create greater competition within sectors such as banking, making it easier for consumers to shop around for better products and services.

A survey conducted by Consumer NZ in 2022 revealed only 4% of customers had switched banks in the previous 12 months and only 14% were likely to shift in the next 12 months. Reasons for not moving included the perception of a lack of difference between banks, that there was no obvious benefit in moving and the hassle involved in changing banks.

The CDR will turn on its head the idea that banks and other industries own their customers’ data. It is years overdue, however, and the pace towards creating a CDR has been “torturously slow”, says Consumer NZ chief executive Jon Duffy.

Once the legislation and subsequent regulations come into force, designated industries will be instructed to open gateways called application programming interfaces (APIs) to third parties approved by the Ministry of Business, Innovation and Employment (MBIE) to access customer data.

Instant switch

For the first industry to be designated, which will be banking, those third parties might be budget apps, financial advisers and comparison services. They could be lenders who use the data to better assess credit applications.

Open data enables product comparison sites to find the best deals, using customers’ actual data. It will also enable customers to switch banks and, later, utility providers almost instantly.

The other arm of open banking involves instant payments from bank accounts to third parties. In theory, customers will be able to authorise payments services such as POLi, Account2Account and Windcave, and then use biometrics at the checkout for subsequent purchases. It removes the need for Paywave and other credit card charges. Currently, the banks say customers using these payment services breach their terms and conditions.

Nuts and bolts

The legislation is designed to create a high-level framework, meaning it can work for any industry, not just banking. Regulations will spell out how the CDR works in practice for each industry, which will have its own sector-specific rules.

Andrew Dentice, a partner at Hudson Gavin Martin, says the Act, and regulations, will:

• standardise how data is exchanged through APIs; and
• ensure those who request access to data are accredited as trustworthy

“When you force banks and other corporates to make data available, you must have a regime that ensures the people accessing the data are credible and secure and doing things in the right way,” Dentice says.

Part 2 of the bill outlines the duties of data holders and accredited requestors. Part 3 outlines protections. Sharing data also raises privacy concerns and in Subpart 11 there are amendments to the Privacy Act 2020.

Multi-year project

Although the big four banks are planning to release their Payment Initiation Version 2.1.1 in November, full open banking will take time.

In its draft Personal Banking Services market study, the Commerce Commission called for open banking to be fully operational by June 2026. Duffy, however, expects it could be another five years before the regulations come into force.

Overseas, in countries such as the UK where open banking has been up and running since 2018, it has opened the markets to digital or challenger banks such as Monzo, Starling Bank and First Direct, which have high levels of customer satisfaction ratings, Duffy says.

Throughout the 2010s the banks here in New Zealand did what Newsroom once described as “sweet FA”. Frustrated at New Zealand’s slow pace towards open banking, then Commerce and Consumer Affairs Minister Kris Faafoi told the banks in 2017 to get on with it.

But according to Duffy, Faafoi made the same fatal error that current Consumer Affairs Minister Andrew Bayly is making with scams.

“He wrote a letter to the banking industry and said, ‘it would be good if you can do something here’. The banking industry filed that letter away.

“The banks regularly execute master classes on slowing things down [while] appearing to play ball and cooperate and drop little breadcrumbs of progress,” Duffy says. “They’ve moved torturously slowly.”

He says while the European Union, Brazil and Australia launched their versions of open banking in the wake of the UK, New Zealand banks moved so slowly, they had to be forced by legislation.

Asked why the banks haven’t moved more quickly, Duffy cites a comment from Simplicity founder Sam Stubbs: “Turkeys won’t vote for Christmas,” Stubbs told RNZ. “They won’t do it themselves. They have to be forced to do it.” Open banking will disrupt the banks’ cosy oligopoly. ASB, ANZ, BNZ and Westpac control an estimated 80% of the market.

Missed deadlines

Dentice is more forgiving of the banks. He says there is a lot of complexity around open banking and even in the UK, which is much lauded for its approach, some banks have missed open banking deadlines imposed by the regulator. “Having said all that, I think everyone involved in the New Zealand program would say that seven years is probably too long.”

Payments NZ, which is creating open banking APIs on behalf of the big four banks and other participants, launched its first pilot in 2018. Asked why open banking has taken so long, Payments NZ said in the five years since its API Centre was established in 2019, it has “helped to create a modern, secure open banking framework that follows best practice for connecting banks and third-party businesses and protecting customer data.

“We’ve focussed from the start on building the right foundations for open banking and making sure it’s safe and in line with best practice for data sharing. Getting this right has taken time, but we’re proud of what we have achieved within five years, entirely driven by the industry.”

More legislation

The Commerce Commission gave an update earlier this year on its work around open banking-enabled payments between bank accounts.

The commission is considering how it could use its regulatory power to address barriers to third parties offering new ways for consumers and businesses to make and receive payments from bank accounts.

It is looking increasingly likely, but not certain, that the commission will designate the interbank payment network under the Retail Payment System Act, says former Bell Gully lawyer Josh Daniell, who founded Akahu, an open finance platform.

Such regulation would give customers the ability to make and receive payments to and from their bank accounts using third-party services.

“If the Commerce Commission does proceed with that designation, that will go to Minister Bayly for a decision. It would give [the commission] the ability to set rules for payment-related APIs.” The commission could also address the fees issue, Daniell says.

After leaving Bell Gully, Daniell went on to found Snowball Effect and, more recently Akahu, which is poised to link third party apps to open banking APIs.

It integrates financial apps and payments systems at one end to banks and other financial providers at the other. The service, part-funded by Westpac, was launched in 2021 in anticipation of open banking being nearer to reality than it has proven to be.

Payments NZ said it did not think designation was necessary.

“We share the Commerce Commission’s goals of a thriving open data ecosystem and widespread open banking,” it said in a statement. “We don’t think full designation of the whole interbank network is needed and we’ve made a submission to the commission on how we can ensure its end goals are achieved and that progress on open banking continues.”

The commission released a paper in regards to this in February, which can be found here. An update is expected in August.

The twilight zone: screen scraping

As the introduction of open data and payment systems drags on, customers continue to have to breach banks’ terms and conditions to use their services of choice.

That includes budgeting apps, which access bank data through platforms such as Akahu, and modern third-party payment methods such as those provided by payments services, Windcave, Account2Account and POLi. The use of these apps and services demonstrates the pent-up demand.

Until APIs are opened, providers of these services and their intermediary platforms are forced to use sub-optimal workarounds such as screen-scraping to access bank data.

Screen-scraping involves customers entering their banking credentials via a window and the data is then scraped from their accounts. The irony in the case of Akahu is that Westpac is one of its funders, but the workaround Akahu is forced to use now breaches Westpac’s terms and conditions.

“It’s preferable to transition to purpose-built APIs where a consumer can log in directly with their bank instead of via an intermediary,” he says. Daniell hopes the API release from Payments NZ, due for November, will go ahead on time. “If they stick to that timeframe and the API performs properly, and the data quality is okay, and the terms of access are okay, and the fees [don’t] make it infeasible.

“If all those wrinkles are cleared, then some of our customers can start using the [bank] API. Not all of them, because the version that’s being released on November 30 doesn’t do everything we can currently do.” Kiwibank also has two extra years to get up to speed.

That means New Zealand customers will continue to use payments that operate in a banking twilight zone. In the UK and Europe, open banking laws mandate banks to allow screen-scraping where their APIs do not enable accredited third parties to obtain the data they are entitled to under the law, Daniell says.

Charging like wounded bulls

Another issue that could plague open banking, even once the law, regulations, and technology are in place, is the cost of the service.

One payment provider, who did not want to be named, said the charges from New Zealand banks could be too high to make transitioning affordable.

The worry, says Duffy, is that the fintechs will not be able to afford the charges, with banks using price as a barrier to entry. “The legislation and the regs have to make sure that price can’t be a barrier to entry. “There is a danger that the legislation leaves too much control in the hands of the banks and they can, again, act as gatekeepers, using this to increase their profits even more by charging extortionate amounts to get into the game for the new entrants.”

Privacy Act or CDR

Sharing data and credentials comes with inherent privacy risks. The bill has privacy safeguards and is designed to complement the Privacy Act 2020. But interested parties have questions about how the two regimes will interact.

The plan is for the regime to be regulated by MBIE and the Privacy Commissioner. MBIE will be responsible for the accreditation of third parties, while the Privacy Commissioner will have investigative, guidance, enforcement and redress powers over obligations under the Privacy Act 2020.

Dentice believes there is a question mark over the interrelationship between the two pieces of legislation. “That’s something that will need to be looked at in more detail during the parliamentary process for the new bill,” he says. “The regime relies on existing laws and obligations relating to data wherever possible. Importantly, the Privacy Act will continue to apply to personal information in the same way.

“However, in the areas of consent, security and accreditation, as well as the proposed enforcement and penalty regime, it’s clear that the [bill] imposes a significant extra layer of compliance on top of existing data-sharing and privacy frameworks. This begs the question whether New Zealand is creating a two-tier system for data privacy and security.”

He questions whether the Privacy Act is still fit for purpose in a rapidly changing world.

“The Privacy Act has relatively limited teeth. Then there’s a regime that is going to essentially open up a whole lot of data flows that haven’t been in existence before. [The question is] if the Privacy Act is enough of a backstop in that context.” ■