Introduction

1. When businesses provide us with goods and services, data is created. For example, banks, power companies and mobile phone companies hold our account histories, transaction data and product usage information. This is ‘customer data’.

2. Customer data holds enormous value and opportunity for individuals, businesses, iwi and hapū, and our broader economy and society. By enabling customers to access and exchange their data with other businesses of their choice, it can be used to enhance overall customer experiences and meet individual, business and social needs.

3. For example, new and innovative services can use customer data and digital connections to:

• make it easier for customers – including small businesses – to shop for services, such as banking, electricity, and telecommunications. For example, electricity usage information can help people to find the cheapest power company and plan. Bank records allow customers to compare financial products and services using personalised data, and then streamline the process for applying
• offer tailored advice and insights or product recommendations, which could boost productivity and efficiency for businesses and save individuals time and effort
• action customer decisions, like opening new accounts or switching providers.

4. We are seeking feedback on the draft law which aims to make this potential a reality. It does this by giving customers more access to and control over their data, standardising methods of exchanging that data, and accrediting those who are trusted to request or edit customer data.

5. Customer consent and control over access will remain central. The draft law strengthens Privacy Act protections and extends some of the protections to all designated customer data.

6. If the customer consents, the draft law will require businesses that hold designated customer data (data holders) to provide that data to accredited requestors, subject to privacy and security safeguards. The draft law will also require product data to be made available electronically on request. It will require businesses to perform actions in response to electronic requests, such as opening accounts or changing customer plans.

7. The draft law will support innovators in our economy to create new products and services and increase competition. This in turn will benefit customers by leading to reduced prices, improved product offerings, and greater productivity. The draft law also creates opportunity to support by-Māori, for-Māori data initiatives, business-to-business applications, and improved accessibility and inclusion.

8. Once the draft law is passed, specific data can be brought under the new law one sector at a time. Banking data will be brought in first.^[1]

9. The Ministry of Business, Innovation and Employment (MBIE) is seeking feedback on how the overall system should work (Chapter One). We also want feedback on the draft law itself (Chapter Two). We ask questions throughout the document and page 61 sets out how to make a submission. Your feedback will inform the design of the draft law as well as future regulations, and the standard setting processes.

How is customer data and product data currently exchanged and used?

10. There are already innovative products and services that use customer data to benefit customers by helping them manage their finances, compare product offerings, or more easily switch from one provider to another. However, the way that customer data is accessed at present has problems.

11. In the banking sector, customers currently use their bank data and make payments in a variety of ways which can be insecure and inefficient. For example, when people want to provide their bank transaction records to another business (eg a lender or financial adviser), they can:

• Download statements of their transactions (eg PDF or CSV spreadsheets) and e-mail or upload them. These require customers and often receivers to undertake many manual steps. The resulting information may not be in a standard format and can be tampered with. It is only provided at a point in time and quickly falls out of date.
• Enable ‘screen scraping’ by sharing their online banking credentials (eg login and password) with the receiver. Providing login details to a third party generally is a breach of a customer’s banking terms and conditions and is also a significant privacy and security risk. The receiver uses special software to capture transactions from an internet banking website or mobile banking system and convert them to a format which can be absorbed into their own software system.
• Ask the bank to send the transaction details securely, in a standard format that integrates directly with the receiver’s software (ie using an Application Programming Interface^[2] or API). Financial technology (fintech) businesses offer products and services that support a lender or adviser receiving details in this manner. However, this requires fintechs get agreements with each individual. It also requires the bank to have invested in their data systems.^[3] Only limited numbers of customers currently have access to this option.

12. A number of sectors have been developing standards for safe and efficient data exchange, and the Privacy Act already protects personal information.^[4] However, progress within individual sectors has been relatively slow and has not delivered the full range of potential benefits available for customers. The current regulatory settings, or lack thereof in some cases, is holding back electronic access to customer data and product data in standardised and secure formats.

What will the draft law improve?

13. The draft law seeks to make direct, secure and standardised transfer of customer and product data from one organisation to another available to all customers. The draft law seeks to standardise privacy protections for data exchanged using the draft law, make these standards enforceable, as well as provide a pathway for redress if things go wrong. The aim is to build upon existing innovation while also accelerating standard, secure, efficient ways for customers to:

• access their own customer data
• transfer their customer data to other businesses of their choice – for example when switching providers, seeking advice or add-on services
• monitor or update their consent settings for who can access their data
• access product data in a format which can be automatically read and processed by a computer
• direct businesses to take actions like opening accounts or making payments
• access redress and be confident that the system participants are subject to monitoring and enforcement for breaches of the law.

Visual summaries

14. Summaries of the current and proposed future exchange of customer and product data are set out on the following pages.

Navigating this document

15. This discussion document is divided into two chapters. We are seeking feedback on how the overall system should work (Chapter 1) and on technical matters and system settings (Chapter 2). A range of detailed rules will be subject to further engagement and consultation in due course. At this stage, we want to know whether the draft law sets the right framework for the overall system.

Chapter 1: Overview and key issues

16. Chapter One provides a map of the proposed customer and product data framework. Submitters who would like to learn more about how the draft law will work more generally, including how it will fit with other laws and Te Tiriti of Waitangi/the Treaty of Waitangi (Te Tiriti/the Treaty), may wish to read this.

17. Submitters may wish to provide feedback on:

• how the draft law respects and protects customers’ authority over their data, enables standards to care for data during exchange, and the potential requirements for accreditation
• how the design of the draft law can best enable by-Māori for-Māori uses of data, support business-specific needs, as well as ensure diverse customer needs and interests are met
• whether and how ethical use protections could be incorporated in the draft law.

Chapter 2: Technical matters

18. Includes technical questions about the draft law. Submitters who are interested in having a say on technical components or the drafting of specific provisions may wish to read this section.

19. Chapter 2 also includes information on the proposed system settings of the draft law. Submitters who would like to have a say on the regulatory system design may wish to provide feedback on this section.

Footnotes

[1] In due course, there will be a dedicated engagement process to explore what data, and which data holders in the banking sector should be designated.

[2] A good explanation of an Application Programming Interface is in this video: https://www.youtube.com/watch?v=s7wmiS2mSXY(external link)

[3] ANZ, ASB, BNZ and Westpac have agreed to implement Payments NZ API Centre’s open banking standards over the next 18 months, including the account information API standard. See more at https://www.apicentre.paymentsnz.co.nz/news/articles/open-banking-implementation-timeline-set-for-largest-banks/(external link)

[4] The Privacy Act protects personal information by requiring secure handling and storage of personal information, and protecting the collection, retention, use, accuracy and disclosure of our personal information. It ensures individuals can access and seek correction of their own personal information, as well as allows representatives to seek access and correction to the individual’s personal information.

< Executive Summary: Unlocking value from our customer data | Chapter 1: Overview and key issues for the proposed customer and product data framework >