By Tom Maasland & Richard Wells*
It is clear that the data protection landscape in the European Union under the General Data Protection Regulation (GDPR) provides greater control to individuals over their personal data – in the sense that use by agencies is further restricted. At the same time, data portability and Open Banking initiatives (also with their genesis in the European Union) take the concept of individual control even further – but in a contrasting sense – to provide the individual with the power to require those agencies to share an individual’s data with third parties.
Open Banking will enable an individual to direct a bank to transfer data it holds about them to a third party, in a usable machine readable form. This could release the value of that data to individuals and open up banking innovation and competition (between banks and with non-banks, particularly technology offerings). Products will be offered that allow a customer an aggregated view of its financial position. Competing financial institutions will be able to offer products based on a full view of actual transaction information. Transacting on a single interface connected to multiple underlying providers will become possible. These are just some of the innovations that are expected from Open Banking.
The Australian Government released a report in February 2018 on the Review into Open Banking in Australia, which follows the release of a similar report in the UK in 2016. Subsequently, preparations to roll out Open Banking in the UK begin this year.
If Open Banking is implemented in Australia, it sets out the likely scope, what the regulatory framework would look like, what safeguards may be in place, and the technological mechanisms by which it should be achieved. If Open Banking is implemented in New Zealand, our regulators are likely to look closely at how it has been adopted in Australia (particularly given that the country’s four largest banks have Australian parents).
Work is already underway with the involvement of the major New Zealand banks, through Payments NZ, to develop and pilot the use of payment-related application programming interfaces (APIs). These would essentially allow third parties, with the customer’s approval, to access customer information held by banks. The pilot will feed in to the creation of a common industry framework for open banking, which the participants no doubt hope will provide them control over the outcomes and stave off regulation.
Opening access to banking data (that has historically been well protected by banks in New Zealand) introduces greater risks of hackers or fraudsters accessing data through the newly created APIs or new third party players in the market applying lower security standards. Critical for the success of these open initiatives are suitable protocols and governance, even regulation, implemented around the technical aspects.
Certainly this is reported to be a key concern of the proposed governance framework to be developed by Payments NZ on behalf of the industry.
In addition, there will no doubt be difficulties ensuring that there is informed consent in all cases so that the individual understands the implications of data sharing before approving the data transfer. What obligations will fall on banks tasked with sending the data as opposed to the recipients (but who may also be competing banks)? Will “click to accept” be enough?
There is a clear connection between the more precise consent requirements under GDPR and the consent controls that may well be part of any Open Banking initiative given the sensitivity of that data. As the time for Open Banking in New Zealand draws nearer, banks (and others in financial services) will be wanting to start investigating technology and processes that address modern data management trends holistically, and not just those aspects that fall within the Bill.
The competing requirements for data processors to both share and restrict the sharing of personal data will be a challenging line to tread, meaning that early engagement on these matters and building a culture and practices around compliance should be a focus for the years ahead. This will become particularly pressing if and when the mandatory breach notifications become a reality.
*Tom Maasland and Richard Wells are corporate and commercial partners at law firm MinterEllisonRuddWatts.