Banks rolling out their own open banking services are playing a delaying game, hindering independent fintechs and locking in their market power, says the Commerce Commission.
"We are concerned that, while providing an uptick in innovation, this trend will not deliver any material enhancement of competition because the major banks would remain in control," the Commission says in its latest open banking progress report.
The report says there are "a handful" of payment and banking services already in the market that are "suboptimal" because they use less secure methods than open banking.
The Commission wants them to use the more secure methods furnished by open banking "as soon as possible."
The banks "have cemented control" of GetVerified, New Zealand's provider of Confirmation of Payee Services.
"We consider Confirmation of Payee a utility service that should be available to all users in a timely manner," the report says.
The Commission in April met each of the major bank CEOs "to seek better conduct on progressing open banking."
"While we have seen improved conduct from most of the major banks, we are concerned that BNZ has not met our expectations on this issue."
BNZ, unlike the other majors, has not yet partnered with entities who would continue to use the less secure methods for instances the more secure methods don't yet support, the report says.
"This is disappointing, we consider BNZ have been the leading bank on progressing open banking as a whole."
BNZ has responded that the matter is one of security, which is a "paramount" issue for the bank - see below.
The banks have begun to roll out their own open banking services, which will provide support to the emerging payment network, the Commission says.
"However, bank-owned products will have ready access to other payments channels, placing fintechs at a competitive disadvantage," the report says.
For an example it cites BNZ's Payap, which has access to scheme networks (Visa and Mastercard) as well as open banking.
"This means Payap has near-ubiquitous coverage of New Zealand consumers, which purely open banking fintechs will not have in the short to medium term."
The Commission is proposing a deadline, 2027, for smaller banks to deploy APIs.
The Big Four banks will be regulated from 1 December this year, while Kiwibank has a 1 June, 2026 deadline.
The Ministry of Business, Innovation and Employment's Consumer Data Right regime currently allows for smaller banks and deposit takers to opt in to the regulatory regime.
The report comments on the "handful" of banking service providers using "suboptimal" access methods. It says suboptimal access on the interbank payment network is not in the long-term interests of consumers as it requires consumers to share their bank login credentials.
While the report doesn't name names, some such services, which use screenscraping rather than APIs, require users to enter their online banking passwords.
A BNZ spokesman said;
"The safety and security of our customers’ information is paramount, and in an environment where fraud and scams are increasingly prevalent, we believe if open banking is to succeed, customers need to be able to trust their data is safe. Without trust, open banking will fail."
"That’s why we are committed to the highest safety standards and to ensuring that customer data is protected. In line with these commitments, we remain unwilling to partner with entities who won’t commit to stopping the use of unsecure methods to access BNZ’s customer data. We think our customers would expect nothing less of us," says BNZ.
"We are pleased to see the Commerce Commission acknowledge that suboptimal access is not in the long-term interest of consumers as it requires consumers to share their bank login credentials."
"We are also pleased the Commerce Commission has agreed with BNZ’s position that entities using suboptimal methods must make it clear to consumers, so they understand the risks and liabilities."
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.