Open banking payments: important Commerce Commission updates

The Commerce Commission is considering setting rules for open banking payments. These rules would require banks to provide payment interfaces, and regulate the terms of access to those interfaces.

This may become New Zealand's first open banking regulation.

What's the background here?

Since 2017, the major New Zealand banks have generally held the position that there is no need for open banking regulation, because the industry is committed to delivering open banking functionality themselves.

But the delivery of open banking APIs[1], and the ability for third parties to access those APIs, has been very limited.

Using new powers acquired through the Retail Payment System Act 2022, the Commerce Commission can "designate" a payment system, and then set rules for participants in that system.

In July 2023, the Commerce Commission published a consultation document regarding payments between bank accounts. This consultation paper cited a lack of payment innovation compared to other countries, and noted the slow progress from industry-led attempts to develop an open banking ecosystem. This was the first step towards "designation".

Here's a link to Akahu's commentary and submissions on that initial consultation.

Ok, what's new?

On 22 February 2024, the Commerce Commission released an update on its work. The heart of it is "we do not currently have confidence that [...] industry alone will deliver the minimum requirements to allow a thriving API enabled payments ecosystem to flourish".

There are two key parts to the update:

1. Continuing the "designation" process: The Commerce Commission clarified that it is proceeding to the next stage of the designation process. This involves a second round of consultation on the proposed scope of the rules.
2. Guidance for Payments NZ and the five largest banks: This section sets out non-binding expectations of how the Commerce Commission would like these organisations to behave in the interim period.

Does the update provide any other important details?

Yes!

The Commerce Commission sets out its views on the minimum requirements for a thriving open banking API ecosystem. The following components are notable:

• Authentication: A consumer should be able to login directly with their bank, rather than having an intermediary handle their login credentials. This is by far the most important upgrade versus the current forms of open banking. It's only possible if banks provide an "authentication API" though. If that sounds unfamiliar, it's like the "log in with Google" process, but for your bank.
• Comprehensive API functionality: The Commerce Commission refers to the existing open banking activity in New Zealand, and states that bank APIs should have sufficient functionality to serve the existing activity. This is a critical point. The best way to gain rapid adoption of a regulated open banking system is to migrate all of the existing non-regulated activity. That will be a win for consumers (who get the authentication upgrade described above), and will reduce the payback period on the cost of regulation and API development. We don't want to go backwards on functionality with regulated APIs - the whole point is to enable products that promote competition and innovation. Some of the current activity in New Zealand is world-leading. So it's huge that the Commerce Commission has marked current activity as the baseline in its minimum requirements.
• "Other" API requirements: The details really matter with APIs. For example if one or more banks have low payment limits, then a product like automated payroll payments or tax payments will not be viable. Or if the APIs go offline frequently or are too slow, then a payment product will not be able to compete effectively with card scheme payments. The Commerce Commission calls out that these "non-functional" components need to be standardised, mandatory, and of sufficient quality.
• Access to APIs: So the banks are expected to deliver APIs that provide authentication, facilitate the current market activity, and are of high quality. But what if there are blockers to actually accessing those APIs? At the moment, each third party provider needs to negotiate a bilateral contract with each bank. This leaves banks with full control over who can access APIs. Over the longer term, the Commerce Commission expects that a centralised accreditation process will be necessary. This would avoid each third party provider needing to negotiate a bilateral contract with each bank. In the interim, the Commerce Commission expects banks to not put up arbitrary barriers, and to not impose terms that are unduly onerous for third parties.

In my view, the Commerce Commission has done an excellent job at identifying and describing the minimum requirements for a thriving API ecosystem.

Hold on, you've been talking about payments this whole time. What about open banking data APIs?

The Commerce Commission's powers under the Retail Payment System Act 2022 are related to payment systems, so this designation process will not result in rules regarding data APIs.

However I'm hopeful that API Centre and banks will apply the Commerce Commission expectations, and any rules that it subsequently develops, to data APIs too.

Over the longer term, the Customer and Product Data Bill is expected to codify open banking requirements, including for data APIs.

Ok, any criticism of the Commerce Commission's update?

It's a great update. I have only two critiques to offer.

"First mover disadvantage"

The update talks about ensuring that all large banks deliver APIs soon, to minimise any "first mover disadvantage" for banks that deliver APIs first.

I think that "disadvantage" is the wrong way to think about it. Wouldn't a bank want to give its customers a secure authentication method? Wouldn't a bank want to enable its customers to access their data on-demand? Wouldn't a bank want to enable its customers to securely use third party products that deliver value to them, such as accounting solutions, budgeting tools, and payroll services? These are advantages for a bank's customers.

If banks are describing these purpose-built APIs as a disadvantage, they're not acknowledging the fact that over 1m Kiwi use unregulated forms of open banking every year (a significant portion of this activity is applying for bank loans). Customers would prefer the ability to authenticate directly with their bank, instead of having to share login credentials with an intermediary in order to establish a connection to their bank account. So we should be clear that if a bank is describing a "first mover disadvantage", they're talking about their own interests, rather than the interests of their customers.

Pricing

The update states that prices "should enable viable business models for both parties", meaning that prices should be viable for both banks and third party providers that want to use the APIs.

I think that will be unachievable if open banking APIs are assessed as a siloed bank business unit. For example, here is Westpac Australia saying that it would cost them AU$200m (🙄) to deliver APIs to comply with open banking regulation in Australia. If banks are claiming these types of costs, and saying they need to be spread (with a profit margin) across third parties in order to make the APIs viable, then the resulting pricing will not be viable.

I think that access to regulated APIs should be free, like in the UK and Australia:

• Data APIs: This is the customer's data, and it should be free to access programatically. When a customer gives their consent to a third party to access that data, the third party is acting as an agent of the customer, so it should still be free.
• Payment APIs: Banks will sometimes talk about not charging significant fees for payments. But that's a bit like Google saying that they don't charge users for doing a Google search - you need to look at the bigger picture to understand the monetisation. Banks make the bulk of their profits by paying low rates of interest to retail depositors, and lending those deposits out at much higher rates. This provides an enormous incentive to provide depositors with good payment functionality, in order to continue attracting those cheap deposits. When you look at the bigger picture, payment APIs are clearly commercially viable for banks when provided at no cost.

Final words

The Commerce Commission update is a very positive development for New Zealand and open banking.

If you have an interest in this topic, you can subscribe for updates on Commerce Commission's website, and then you'll be notified when the next consultation document is available.

[1] An API is an “application programming interface”. It defines a way for two computers to communicate with each other. Here’s a great article to get a better feel for APIs.