Key friction points with open finance: a view from the coalface

Note: This article was first published by Deloitte and FintechNZ in the New Zealand Fintech Pulsecheck report which was released on 7 July 2022. A webinar was held at the same time and a recording can be viewed here.

Is this another wafty opinion piece?


This article identifies 5 key friction points between open finance stakeholders, and presents some spiky views on how these issues should be addressed.

A quick introduction

I lead the team at Akahu - an intermediary that provides open finance infrastructure for New Zealand. We give consumers a simple way to connect their financial accounts to trusted products.

To deliver open finance infrastructure, we maintain a suite of data integrations with financial institutions. This work began in 2013. Over the last 9 years, our team has had a front row seat as open finance has developed in New Zealand.

Let’s get into the nitty gritty.

Friction point #1: Whether API Centre standards should be folded into Consumer Data Rights

In the late 2010s, pressure started mounting on banks to “open up” and make APIs available to customers. This pressure came from international trends, and from products like Xero where customers were clearly seeing value from having connected bank feeds. 

The major New Zealand banks own a company called Payments NZ (PNZ), which is tasked with managing payment clearing systems. In 2018, work began to develop common API standards for New Zealand, and this work transitioned to a new PNZ subsidiary called API Centre in 2019. A generous interpretation is that the banks wanted to proactively develop open banking in New Zealand for the benefit of consumers. A sceptical interpretation is that the banks wanted to proactively develop open banking to control the process and avoid the rules being dictated to them through legislation.

Then the Government turned up the heat. In late 2019, the Minister of Consumer Affairs warned banks of “concerns that the current pace and scope of progress risk not delivering the full benefits that could be realised with open banking for consumers”. In 2020, the Government began public consultation around potential “consumer data rights” (CDR), which would set legislative account connectivity rules for banking and other sectors. In 2022, the Government confirmed that it will implement CDR.

Now that it’s clear that rules will be set through CDR, the banks are advocating for the API Centre standards to be folded into CDR.

I agree that CDR should largely adopt the latest version of the API Centre standards. It makes sense to leverage the good work that’s already been done by API Centre to develop these standards, and by some of the participating banks that have been developing APIs to meet them.

But some aspects of the standards need to be changed. For example the payment consent rules require the destination bank account to be defined at the time a consumer grants consent. This excludes some valuable use cases that have sprung up overseas such as peer-to-peer payments, payouts, and marketplace payments.

We should use the API Centre standards as a starting point for banking CDR rules, but should make sure to understand and correct any aspects that will prevent important use cases.

Friction point #2: Who will be the governing bodies for CDR

There’s an open question regarding the entities that will govern CDR in New Zealand.

In Australia, where a similar CDR regime began rolling out in 2020, the responsibilities are shared across the Office of the Australian Information Commissioner (OAIC), the Australian Competition and Consumer Commission (ACCC), and the Data Standards Body (which is part of Treasury).

I don’t have a strong view on who should govern CDR in New Zealand. But here are the important attributes:

  • The standards should be developed by a Government entity that can demonstrate arm’s length independence from industry and focus on the interests of consumers.
  • This work will require specialised knowledge, so it makes sense to build up this capability in a single Government entity rather than duplicating across multiple entities (like in Australia).
  • We should use existing frameworks and entities where appropriate. For example if the accreditation rules include dispute resolution requirements, it makes sense to use the existing dispute resolution schemes.

Friction point #3: Whether Government will take a stance on traditional methods of account connectivity

I think it'll be about 3 years before CDR offers a viable connectivity option. This rough estimate is based on time required to:

  1. Enact the primary CDR legislation.
  2. Designate and write detailed rules for the first sector (which I’ve assumed will be banking).
  3. Enable data holders to build APIs to meet the detailed rules. 

API compliance deadlines may be phased in over time, like in Australia and the UK. If that’s the case, then it may take even longer for CDR to cover payment initiation, joint accounts, business accounts, and other functionality that tends to be pushed back into later phases.

While we wait for CDR to rollout and mature, there are 2 traditional methods to deliver account connectivity that don’t rely on purpose-built functionality from banks:

  1. Screenscraping web apps: This is widely used in NZ for home loan and personal loan applications, one-off online payments, and personal finance apps.
  2. Reverse engineering mobile app APIs: This is how Akahu provides connectivity for enduring access use cases like recurring payments and ongoing data feeds.

People grumble about these traditional methods, because they require consumers to share their login credentials in order to connect their accounts. The grumblings are fair - sharing login credentials is a suboptimal solution, and it means that consumers need to have high trust in the intermediary and the product they’re connecting their accounts to. The problem is that there’s no better alternative available in New Zealand yet. 

In Australia, the topic of screenscraping and reverse engineered integrations was explicitly discussed in Senate hearings as the Australian CDR rules developed. Australian regulators made it clear that there was no intention to restrict or block those existing methods, and that gave fintechs more confidence to get started or keep going, rather than waiting for CDR. I think that the Government should take a similar public stance in New Zealand.

That’s a self-serving point, given that most of Akahu’s account connectivity relies on these methods. But here’s why I think it’s a defensible position.

First, these methods have operated in New Zealand for over a decade without evidence of consumer harm. Estimates run as high as 1 in 3 Kiwis having used a screenscraping service. For example:

  • Some banks use these methods to automate online loan applications. All retail banks use these methods in their supply chains - around 50% of home loans are originated via brokers, and most of these application processes use screenscraping to collect the data.
  • POLi and account2account are widely-used products that use screenscraping to initiate a one-off online payment. Over 4,000 merchants use these services including The Warehouse, PB Tech, Mighty Ape, Spark, Bunnings, Air New Zealand, Auckland Council, and Waka Kotahi (NZTA).
Screen from Heartland Bank

Second, we should pay attention to countries that already have a thriving open finance ecosystem. For example in the US, more than 1 in 4 adults have connected bank accounts to other products like Venmo, Cash App, Coinbase, and Robinhood using traditional methods. International experience points towards positive outcomes through traditional methods (which matches the New Zealand experience to date).

Third, the most important way to bring open finance to life in New Zealand is through great products like Xero, where bank account connectivity was harnessed to significantly improve the UX of accounting. We’ll hold back our local fintech market if we don’t continue to build momentum before CDR.

Consumers should be very clear about how these traditional methods work. And where possible, products should provide alternative options alongside account connectivity. But these methods should not operate in a grey zone, and Government acknowledgement would clear that up.

Friction point #4: Whether our fintech ecosystem can make pre-CDR progress via contractual access with data holders

Bank’s may choose to offer API access through a contractual arrangement. Xero is an example of an organisation that grew big and powerful enough to negotiate contractual access with New Zealand banks.

Contractual access can be better than connecting via the web apps or mobile APIs of the banks. The key reason is that the end user completes authentication and authorization directly with the bank, rather than via an intermediary like Akahu.

From Akahu’s perspective, there are two prerequisites to arranging contractual access with banks.

1. The bank's APIs must be feature-complete

There’s no point switching from traditional methods to contractual access if it’s a backwards step in terms of functionality.

The banks are all at differing stages of API-readiness. Only one of the major New Zealand banks has a suite of APIs that we consider to be somewhat functional (shoutout to BNZ). Most fintech products are not viable with that patchy coverage. So right now, we can’t support our app customers through contractual access alone. 

API readiness of New Zealand banks

2. The bank's contractual terms must be reasonable

Even if a bank has feature-complete APIs, contractual access can be prohibitive for Akahu and our app customers if the terms are unreasonable. 

These are the difficult aspects that we’ve experienced:

  • It’s very time-consuming to negotiate contractual terms with each bank. 
  • Unless you’re a large and influential organisation, there’s an imbalance in negotiating power because there’s no real incentive for a bank to increase consumption of their APIs.
  • In the contractual terms that we’ve seen, a bank will always retain the right to decline any of our app customers. In my view this is anti-competitive, and there is no good rationale for a bank to restrict its customers from interacting with a legal product.

Direct contractual access will be largely swept away by CDR, which will install an accreditation process and set the terms of access. But in the interim, these issues make it difficult to provide account connectivity through contractual access.

Final words

These are some of the current issues that we’re seeing debated (publicly or privately) at the coalface. If you’ve read this far, I hope I’ve delivered on the promise of spiky views and a non-wafty opinion piece.

To the innovators in this space, I can’t wait to see what you build.

Talk with us

Our team is here to answer any questions that you may have.

Get in touch