Buried in the pre-Christmas rush, the Office of the Minister of Commerce and Consumer Affairs released a Cabinet paper late last year making recommendations on key aspects of the upcoming consumer data right (CDR) legislation (the CDR Bill).
The Cabinet paper gives interesting insights into how the CDR will likely be administered and enforced in New Zealand. It also seeks formal agreement for banking to be the first sector designated under the CDR Bill.
As the political year has now kicked off with a bang – and in anticipation of draft legislation being unveiled shortly – we take a detailed look at the latest CDR developments.
A consumer data right
A legislative CDR has been mooted by the Government since July 2021. It will allow consumers to compel data holders to securely share their consumer data with trusted third parties, on the consumer’s request and with their consent. To protect consumers, data will have to be shared using standardised technology and consent mechanisms, and data recipients will need to be accredited.
The CDR will be rolled out sector by sector, with the Minister of Commerce and Consumer Affairs “designating” markets, industries, and sectors to which the CDR applies. For each sector, this legislative designation will specify the types of data and functionality that are covered and the rules and standards that govern the transfer of that data.
The Government believes that giving consumers more control over their data will make it easier for them to “shop around”, which should lead to a wider range of products and services being made available at more competitive prices. It should also give consumers greater access to new and innovative products and services, which is expected to be particularly beneficial for small businesses.
In November last year the Government announced that the banking sector will be the first in New Zealand to implement a new CDR, in an executive push towards “open banking”. You can read more about open banking here.
The Cabinet paper formalises this position, proposing that banking be the first sector nominated for designation under the CDR because of the already recognised opportunities and benefits of open banking, and the ease and speed with which the CDR could be implemented in that sector. The paper notes that the banking sector in New Zealand has “already made significant progress towards open banking” but also says that “progress has stalled and there are presently obstacles to banks entering into the necessary bilateral agreements with fintechs”, which a CDR is intended to remove.
Nominating banking as the first sector to implement the CDR will allow work to begin on the specific designation requirements for the sector (which will require extensive consultation with the industry) while the CDR Bill is still before Parliament.
The Cabinet paper also names other sectors that ranked highly for designation and would be “logical next steps” for the CDR: wider financial services, energy, and health.
Administration of the CDR
The Cabinet paper proposes that MBIE be the administering department for the CDR. This is on the basis that MBIE is the “closest functional fit” and already has a strong focus on regulatory systems relating to consumers and small businesses. MBIE is already working to develop the CDR legislative framework, and it currently performs a range of licensing and registry functions.
Most CDR functions will sit with MBIE, including advising on secondary legislation (such as designations and regulations), licensing data recipients, providing registry services and promoting the CDR. MBIE will also be responsible for developing the data standards for each sector participating in the CDR regime. For banking-related standards, the paper notes that the standards already developed by the Payments NZ API Centre would be the “natural starting point”.
This is a helpful observation, as significant work has gone into these standards over the last few years as part of the project to implement an industry-led form of open banking – which should not go to waste.
However, it’s worth noting that the API Centre operates a fundamentally different model from that proposed for CDR – with banks able to enter into bilateral commercial arrangements with data recipients and no overarching accreditation regime.
Compliance and enforcement
There will be no new centralised enforcement scheme for breaches of CDR obligations, although this was considered by the Government.
Instead, the Commerce Commission will be the general enforcement agency for the CDR and will be given a full range of compliance and enforcement powers to ensure the integrity of the CDR regime. These will include powers aimed at supporting willing compliance (such as education), and powers aimed at deterrence and penalising non-compliance.
However, the Commerce Commission will not deal with privacy-related matters. These will fall under the jurisdiction of the Privacy Commissioner.
Privacy and information security
It’s expected that most of the disputes consumers will have about the CDR will be privacy-related. The Cabinet paper makes clear that:
- The full set of obligations under the Privacy Act 2020 will apply to data holders and data recipients under the CDR; and
- The Privacy Commissioner will be able to exercise all existing functions and powers in relation to participants in the CDR regime.
The CDR Bill will state this for the avoidance of doubt.
In addition, the Privacy Commissioner will have enforcement and redress powers over any obligations in the CDR Bill that relate to privacy safeguards (over and above those safeguards in the Privacy Act itself) – so individual consumers will be able to go directly to the Privacy Commissioner for all privacy-related CDR breaches. The Government proposes to achieve this by providing that Part 5 of the Privacy Act applies to breaches of CDR obligations as if they were breaches of the information privacy principles. In this way the powers, processes, and remedies available to the Privacy Commissioner do not change – they remain the same but are extended to a different set of privacy-related obligations.
Given the Privacy Commissioner’s prior public statements around the adequacy (or otherwise) of the penalties and enforcement powers under the recently updated Privacy Act, we may see calls for an enhanced regime for CDR – given the step change in the scope of commercial data sharing that could be ushered in by this legislation.
It’s clear from the Cabinet paper that the Privacy Commissioner and the Commerce Commission will have overlapping jurisdiction under the CDR regime. For example, a breach of an obligation to obtain consumer consent under the CDR may give rise to specific privacy implications for individual consumers. It may also be of interest to the Commerce Commission where the breach threatens the integrity of the CDR system. But the Commerce Commission will not seek to resolve individual privacy complaints. And the Privacy Commissioner will not deal with complaints from legal entities, such as companies, or with non-privacy-related breaches of the CDR. These will be dealt with by the Commerce Commission or by existing industry dispute resolution schemes (e.g., the Banking Ombudsman).
It will be important to provide clarity to the banking sector about the respective roles of the enforcement agencies before the CDR is implemented. The Government contemplates that a memorandum of understanding between the two agencies will be required.
Banks and fintech companies already have a complex web of regulation and regulators to deal with. In addition to the more traditional but ever-expanding conduct and prudential oversight of the FMA and the Reserve Bank, recent legislation has extended regulatory remits across the retail payment system, ‘buy now pay later’ services and credit contracts (to name a few).
It’s fair to say these developments – in combination with a CDR – will test the resources and capability of both industry and regulators over the coming years.
Penalties for breach
The Cabinet paper outlines significant penalties for breaches of the CDR regime based on an escalating hierarchy of liability, with the most egregious breaches (involving deliberate or reckless behaviour) being subject to serious criminal offences.
Four tiers of liability are proposed:
Tier 1 breaches are infringement offences, representing contraventions of basic compliance obligations that do not have serious consequences (such as a failure to maintain transaction records). Infringement fees of up to $20,000 and fines (following a Court prosecution) of up to $50,000 are payable.
Tier 2 and Tier 3
Tier 2 and Tier 3 breaches relate to conduct that is more serious than an infringement offence but not sufficiently egregious to warrant the use of serious criminal offences, for example:
- a data holder failing to properly authenticate the identity of a consumer or data recipient (Tier 2);
- a data recipient disclosing CDR data for a use that is prohibited under the CDR rules (Tier 2);
- a data holder failing to provide a CDR service to consumers and accredited persons (Tier 3); or
- a person misleading or deceiving another person into believing that a person is a CDR consumer for CDR data (Tier 3).
Fines of up to $200,000 (Tier 2) and $500,000 (Tier 3) apply to individuals, and fines of up to $600,000 (Tier 2) and $2,500,000 (Tier 3) apply to bodies corporate.
Tier 4 breaches involve egregious contraventions where the conduct is done recklessly, knowingly, or intentionally (such as a person fraudulently holding themselves out as an accredited person), and may constitute a criminal offence. Penalties include imprisonment for a term of up to five years and a fine of up to $1,000,000 for an individual; and for a body corporate, the greater of $5,000,000 and either (a) three times the value of any commercial gain, or (b) 10% of the turnover in the periods in which the breach occurred if commercial gain cannot be ascertained.
The full list of breaches within each tier will be determined during drafting of the CDR Bill and its regulations. However, it is already clear that there will be a focus on strong penalties to promote trust in the CDR regime, which is regarded as essential for its success.
The Government will need to be careful that this focus on penalties (and what could go wrong) does not have the opposite effect on consumer trust. Experience from overseas suggests that consumers are naturally sceptical of open banking and data sharing, even though, when done in a regulated and secure way, it is designed purely with their best interests in mind.
In marketing speak, this regime needs a clear WIIFM (“what’s in it for me”) to capture both consumer and corporate interest. In setting out a detailed penalty regime while remaining silent on large aspects of the policy detail, the Cabinet paper was a slightly jarring read in this regard.
Lawmakers should also look overseas to understand the effectiveness of penalties in similar regimes. For example, recent media stories from Australia suggest that a lack of focus on data quality in the enforcement regime is hampering the rollout of its own CDR.
It will be a complex task to ensure the NZ version strikes the right balance between carrot and stick for all participants.
What about accreditation?
The Cabinet paper flags that:
- Data recipients will need to apply for an accreditation from an accreditation body;
- Accreditation may expire after a period, requiring renewal;
- There is likely to be some form of “tiered” accreditation (based on risk);
- Accreditations may need to be modified over time (to reflect changing risk);
- A fee will be charged to data recipients when applying for or changing an accreditation; and
- Accreditation may be suspended or revoked, or have additional conditions imposed, if data recipients breach CDR obligations.
But the Government is yet to provide any further details on how accreditation will be implemented and managed.
The Cabinet paper also proposes that the CDR Bill will enable levies to be charged on a sector-by-sector basis to help fund the design, implementation, and enforcement of the regime.
An exposure draft of the CDR Bill will next be released to give interested parties the opportunity to consider and comment on the detailed implementation of the overall CDR regime. We would expect an exposure draft soon, given it was originally set down for 2022.
A final interesting postscript is the recent replacement of the Minister responsible for the CDR. As David Clark is retiring from Government after this year’s election, his Commerce and Consumer Affairs portfolio has been handed to Duncan Webb in the Prime Minister’s latest reshuffle. The new Minister is not part of Cabinet, and it will be worth following how this change (and of course the election itself – particularly any change of government) affects the CDR’s progress this year.