First Published: 05 September, 2025
Banking and Electricity marketers should take special note of this new legislation.
When businesses like banks and electricity companies provide us with services, data is created – for example, account histories, transaction records, or information on usage. This is ‘customer data.’ Customer data holds enormous value and opportunity, but only if customers can make full use of it by having access to it and being able to share it with applications and people they trust.
The Act establishes an overarching framework to enable greater access to, and sharing of, customer and product data between businesses. The Government applies the Act to individual sectors (such as banking and electricity) through a designation process. The Act sets out the basic requirements that will apply to all sectors that are designated, and it has provisions that allow the Government to make regulations and standards that set out additional requirements.
Once a sector is designated, businesses in that sector that hold designated data are required to provide that data in a standardised, machine-readable format to the customer and accredited data requestors, with the customer’s authorisation.
Exceptions are provided to allow refusal of requests in some circumstances, such as when there is a risk that disclosure of data would create a significant likelihood of harm.
The Act also enables accredited requestors to initiate designated actions on behalf of the customers, such as making a payment, or switching a plan.
For example, when the Act is applied to the banking sector, bank customers might be able to view an analysis of their spending in a mobile app that helps them to budget, and make payments directly from their bank account through a payment app.
The Act also enables the Government to require businesses in designated sectors to make information about their products, such as pricing, available in standardised, machine-readable formats. This will enable easy product comparison and switching.
The Act provides protections to ensure data transfers are secure and requestors can be trusted.
Customer data can only be shared with the customer’s express and informed authorisation to the accredited data requestor. Authorisations must be confirmed with the data holder.
Data requestors must be accredited by MBIE, who will check that they comply with accreditation criteria. These criteria include that the requestor’s directors and senior managers are of good character, and that it has adequate security.
Data must be requested and transferred in accordance with data standards that ensure that data transfers are secure and are only made to customers and accredited requestors.
Easier data sharing will lead to greater competition and better choice for New Zealanders.
New Zealanders will have greater ownership of the data that businesses hold about them, and it will be easier to shop around for the best deals. The Act will spur growth in New Zealand’s economy by breaking down the barriers for innovative technology companies, enabling them to offer new data-driven products and services.
Other jurisdictions have equivalent legislation, including Australia, Europe, and the United Kingdom.
The Government expects that the banking sector will be the first sector designated by the CDR and has indicated that the banking regulations can be expected to be in place before Christmas 2025.
Source: MBIE website
Category
Contact us if you have any suggestions on resources you would like to see more of, or if you have something you think would benefit our members.
Get in TouchSign up to receive updates on events, training and more from the MA.