Consumers will have the right to greater choice and control over their own data – that’s the driving force behind the upcoming consumer data right (CDR) legislation. The Government recently released the draft Customer and Product Data Bill for consultation which will provide the framework for a CDR. The new legislation could cause significant changes in the way New Zealanders pay, bank and shop, according to Worldline – the paytech experts who introduced Eftpos to New Zealand back in the 1980s.

In particular, the CDR may ban the use of ‘screen scraping’ – a payment method where online shoppers enter their bank log-in details into a third-party platform, which uses the log-in data to access the account and debit the money.

Screen scraping is already prohibited for payments in the EU and the UK where other methods of safe access and payments are regulated, and Australia is considering a ban as part of its own CDR – so it won’t be a surprise to see a screen scraping ban in our upcoming CDR framework, says Julia Nicol, Head of Public Affairs and Regulatory at Worldline.

Nicol says this payment style is surprisingly common considering the threats it poses to customers’ private information: “It’s such a risk to hand over your online banking details to a third party,” says Nicol. “We see it on the payment pages of trusted brands websites, and we’ve seen financial advisors asking for it to gather information for mortgage applications.

“But if something goes wrong and there’s a data breach, who is to blame? You. Your bank certainly won’t tell you it’s okay to hand out your log-in details to someone else.”

With the CDR framework in place, banking is the first industry where it will be in use, because the CDR is a vital piece of the puzzle when it comes to enabling open banking. With open banking and a CDR in place, shoppers can approve payments from their banking apps, without ever sharing their log-in details with anyone else.

“With a fully integrated API, your data is safe, and payments are secure and reliable,” Nicol says. “There’s no more screen scraping and handing over your bank passwords to anyone else.”

For shoppers, the CDR will enable more online payment options without surcharges, provide the ability to share data with a financial adviser, and shop around for financial products like mortgages and insurance.

For merchants, advantages include (in addition to an increasing number of low-fee payment options) the fact the CDR will make it easier to hold onto data captured by their ecommerce platform.

“A lot of ecommerce businesses find it challenging to move ecommerce gateways because the gateways won’t release, or they charge a fortune for, the tokens they store on file. These tokens represent an encrypted version of a customer’s credit card details. Requiring customers to re-enter this information often leads to check out abandonment” Nicol explains.

“Ecommerce businesses can be in a difficult position when the gateway won’t release these, and this inhibits competition because retailers are trapped into staying with the incumbent ecommerce provider. Under the CDR, businesses will have access to their business data on reasonable terms – which we hope will enable them to shop around for gateway providers more easily.”

Better health, telco & energy services

With the right established for New Zealanders to control their own data and share it securely, the CDR will apply to a wide range of situations beyond banking and finance.

In the future, it’s likely New Zealanders will see a local version of Australia’s My Health Record – a centralised platform available online and as an app. There all a patient’s tests, referral letters and other health data can be accessed. This enables patients to move between doctors and specialists more smoothly and share data with other healthcare providers if they choose to.

Nicol says the Department of Internal Affairs is also interested in how the CDR and the new digital identity services legislation will work together to make the online world safer.  Every New Zealander should have access to their own core data such as your name, date of birth and citizenship status in the form of a verifiable credential.

That way, she says, your identity can be verified before you access and share, for example, health information.  Sensitive information should not get into the hands of fraudsters or those seeking to cause harm.

In future, the CDR should enable consumers to shop around for the best telco or energy provider based on their individual circumstances. This is expected to drive more competition and allow consumers to better leverage their electricity, gas, internet and mobile data when choosing products and bundle solutions that suit their needs. The combination of banking, energy and telecommunications data in the CDR will generate crosssectoral use cases and enable development of new products and services.

Don’t hand over your bank passwords

And don’t ask your customers to do it. Recent data breaches have highlighted the risks associated with unsafe data management. Individuals need to protect their bank login details, and businesses also have a responsibility to protect customer data from breaches and potential cybercrime.

The CDR is an important tool in giving consumers control of their data and minimising risky practices like screen scraping and writing down customer banking details.

Nicol says businesses should prioritise data security and only use payment networks that are secure, trusted and reliable: “We’ve been engaging with the Ministry of Business, Innovation and Employment and working closely with Payments New Zealand to develop the open banking payments standards for New Zealand.

“We have fully integrated APIs with the big four banks, plus some smaller ones. This means that when someone buys something with Online EFTPOS, our online payment method which is connected to the banks via these APIs, the end to end process is highly secure and never puts the customers banking details at risk.   Members of our technology team have been part of the API Centre since the beginning and helped develop the API standards and specifications for the industry, so we know our technology meets the highest criteria for safe and secure data sharing.”

Since it was first proposed in 2020, the consumer data right has been flying under the radar. But, now the draft legislation has been released, this might be the perfect time for businesses to review their approach to consumer data security.

Talk to New Zealand’s most experienced Paytech

If your business needs trusted, secure and reliable payment options to help grow your business, talk to the team at Worldline.