
New Zealand: Data Protection in the Financial Sector


1. INTRODUCTION

The updated Privacy Act 2020 ('the Act') came into effect on 1 December 2020 and is New Zealand's primary law on the collection, storage, and use of personal information, generally, by all persons or agencies (including financial institutions). Personal information is information about an identifiable individual, and, therefore, relates to a broad variety of information, including financial information. Section 22 of the Act contains 13 information privacy principles ('IPPs') dealing with collecting, holding, using, and disclosing personal information.

The Act applies to New Zealand entities (called 'agencies'), as well as overseas agencies in relation to any action taken by the agency in the course of 'carrying on business in New Zealand.'

Privacy law specific to the financial sector

The Act has general application across the financial sector. In broad terms, other than the Act, there are no domestic statutory-level privacy or data protection requirements specific to the financial sector. However, prudential supervision or the conditions of a licence issued by the Reserve Bank of New Zealand ('RBNZ') and the Financial Markets Authority ('FMA') may implicitly (through requirements to manage operational risk and governance) or explicitly impose data protection and other privacy requirements on regulated entities.

1.1. Legislation

As noted, the Act is the primary law on the collection, storage, and use of personal information, generally, by all persons or agencies (including financial institutions). However, there is other legislation which does impose obligations on the collection, storage, and use of information, such as the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 ('the AML/CFT Act').

1.2. Supervisory authorities

The Act is overseen by the Office of the Privacy Commissioner ('OPC'), which is an independent Crown Entity (i.e. a statutory body independent of the Government of New Zealand ('the Government')). Breach of an IPP is grounds for a complaint to the OPC.

The regulation and supervision (including prudential supervision) of banks, insurers, and other financial institutions in New Zealand is undertaken by the RBNZ and the FMA. In their regulatory and supervisory capacities, the RBNZ and FMA monitor the operational risk and governance of regulated entities, which includes requirements to appropriately manage cybersecurity and data protection risks. The supervision also extends to the relevant 'reporting entities' under the AML/CFT Act, which includes monitoring those reporting entities' obligations for record keeping. See section 3 below for further information.

2. PERSONAL AND FINANCIAL DATA MANAGEMENT

2.1. Legal basis for processing

The collection, storage, use, and disclosure of personal information (personal financial data) are governed by the Act. At the core of the Act are the 13 IPPs.

Under IPP1, financial institutions may only collect personal information for a lawful purpose connected with a function or activity of their organization, and if the collection of the information is necessary for that purpose. If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual's identifying information, the financial institution may not require the individual's identifying information.

The requirement of necessity is generally a low standard and has been satisfied by cases where the collection of information was merely connected to the purpose of the agency.

IPP2 requires financial institutions to collect all personal information directly from the customer whose personal information it is, unless an exception applies, such as where the information is publicly available, where the customer has consented to the collection of the information from someone else, or where the information will not be used in a form in which the individual will be identified or will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual.

Under IPP3, certain notifications are required when the financial institution collects personal information (see section 2.2. below).

IPP4 provides that financial institutions may only collect personal information by lawful means, or by means that are fair and do not intrude to an unreasonable extent on the personal affairs of the individual (particularly where personal information is being collected from children or young persons).

IPP5 requires the financial institution to ensure that the personal information it holds is protected by reasonable security safeguards against loss or unauthorized access, use, modification, or disclosure, or other misuse. If it is necessary for the information to be given to a person in connection with the provision of a service, IPP5 requires the financial institution to do everything reasonably within its power to prevent unauthorized use or disclosure.

IPP11 prohibits financial institutions from disclosing customers' personal information to third parties (i.e. transfer of personal information) unless authorized by the individual concerned or another exception applies, such as where:

  • the disclosure is one of the purposes for which the information was collected;
  • the information is publicly available and it would not be unfair or unreasonable to disclose it;
  • the disclosure is necessary to maintain the law, for the protection of public revenue, or to enable an intelligence and security agency to perform its functions; or
  • the information will not be used in a form in which the individual will be identified or will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual.

IPP11 is subject to IPP12, which places restrictions on disclosure of personal information to non-New Zealand entities (i.e. cross-border transfers). A financial institution may disclose personal information to a foreign person or entity only if certain exceptions apply, which generally relate to the information being protected by similar safeguards to those in the Act. See section 7 below for further details.

2.2. Privacy notices and policies

There are no sector-specific requirements for financial institutions to provide customers with notice of the institution's privacy policies and practices. General privacy law applies.

Under IPP2 of the Act, financial institutions must collect the personal information directly from the individual concerned (subject to some limited exceptions), and (under IPP3) take reasonable steps to ensure that the individual concerned is aware of:

  • the fact that the information is being collected;
  • the purpose for which the information is being collected;
  • the intended recipients of the information;
  • the name and address of the financial institution collecting the information and the agency that will hold the information (note that under Section 11 of the Act this remains the collecting financial institution if the information is held on that financial institution's behalf for storage or processing, as discussed in section 7 below);
  • the consequences (if any) for that individual if all or part of that information is not provided;
  • the rights of access to, and correction of, personal information as provided under the IPPs; and
  • if information is authorized or required by or under law, the particular law and whether it is voluntary or mandatory.

This notification should occur before the information is collected or, if that is not practicable, as soon as practicable after the information is collected from the individual. This would usually be contained in a primary privacy policy and then referenced at the point of collection. Additional disclosures may also be appropriate at that time to supplement the primary privacy policy.

2.3. Data security and risk management

As mentioned above, in broad terms, other than the Act there are no domestic statutory-level privacy or data protection requirements specific to the financial sector. However, prudential supervision or the conditions of a licence issued by the RBNZ and FMA may implicitly (through requirements to manage operational risk and governance) or explicitly impose data protection and other privacy requirements on regulated entities.

2.4. Data retention/record keeping

Under IPP9, an agency must not keep personal information for longer than is required for the purposes for which the information may lawfully be used.

Licences issued by regulatory bodies, such as the RBNZ and the FMA, may be subject to standard conditions that prescribe certain record-keeping practices.

See section 3 below for information on the record-keeping requirements under the AML/CFT Act.

3. FINANCIAL REPORTING AND MONEY LAUNDERING

The AML/CFT Act

A reporting entity is an entity which, in the ordinary course of its business, undertakes activities captured by the AML/CFT Act. Under the AML/CFT Act, a reporting entity is required to keep records of its activities captured by the AML/CFT Act. These records must be kept either in written form in English, or in a way that the records can be readily accessible and convertible into written form in English.

Customer due diligence

A reporting entity must conduct customer due diligence on its customer, any beneficial owner of the customer, and any person acting on behalf of the customer. There are three levels of customer due diligence a reporting entity can conduct, namely (1) simplified, (2) standard, and (3) enhanced.

Based on the level of customer due diligence required, a reporting entity is required to obtain the following information:

  • information on the nature and purpose of the proposed business relationship between the customer and reporting entity; and
  • sufficient information to determine whether the customer should be subject to enhanced customer due diligence.

Based on the level of customer due diligence required, a reporting entity is required to obtain and verify some, or all, of the following identity information:

  • a person's/customer's full name;
  • a person's/customer's date of birth;
  • a person's relationship to the customer (if the person is not the customer);
  • a person's/customer's address or registered office;
  • a person's/customer's company identifier or registration number;
  • information relating to the customer's source of funds or wealth;
  • the name and date of birth of each beneficiary (if the customer is a trust that is not a discretionary or charitable trust, or has more than ten beneficiaries);
  • a description of each class or type of beneficiary (if the customer is a trust that is a discretionary or charitable trust, or has more than ten beneficiaries); and
  • the objects of the trust (if the customer is a trust that is a charitable trust).

In addition to the above, where a reporting entity is transferring NZD 1,000 (approx. €566) or more on behalf of a person, the reporting entity is required to obtain the following information:

  • the person's full name;
  • the person's account number which allows the transaction to be traced back to that person;
  • the name of the beneficiary of the transaction;
  • the beneficiary's account number which allows the transaction to be traced to that beneficiary; and
  • any one of the following:
    • the person's address;
    • the person's national identity number;
    • the person's customer identification number; or
    • the person's place and date of birth.

The identity information above is required wherever appropriate. For example, it is not possible for a reporting entity's customer that is a company to have a date of birth. However, the reporting entity will need to obtain and verify the date of birth of the company's director (as a person acting on behalf of the customer).

Transaction records

A reporting entity must keep the records of every transaction to enable that transaction to be readily reconstructed at any time. Records must contain the following information:

  • the nature of the transaction;
  • the amount of the transaction and the currency in which it was denominated;
  • the date the transaction was conducted;
  • the parties to the transaction;
  • the facility through which the transaction was conducted (if any), and any other facilities (whether or not provided by the reporting entity) directly involved in the transaction; and
  • the name of the officer, employee, or agent of the reporting entity who handled the transaction if that officer, employee, or agent has face-to-face dealings with any of the parties to the transaction (in relation to the transaction) and has formed a suspicion about the transaction.

The records must be kept for a period of at least five years after the completion of the transaction, or any longer period as specified by the AML/CFT Supervisor for the reporting entity, or the Commissioner of the New Zealand Police ('the Commissioner of Police').

Customer due diligence records

Where a reporting entity is required to identify and verify the identity of a person in accordance with the AML/CFT Act, the reporting entity is required to keep records to enable the nature of the evidence to be readily identified at any time.

Identification and verification records for the purposes of establishing a business relationship must be kept for at least five years after the end of that business relationship. Identification and verification records for the purposes of conducting an occasional transaction or activity must be kept for at least five years after the completion of that occasional transaction or activity.

Other records

In addition to the above, a reporting entity must keep the following records:

  • records that are relevant to the establishment of a business relationship;
  • records relating to a reporting entity's risk assessments, AML/CFT programmes, and audits; and
  • any other records relating to, and obtained during, the course of a business relationship that are reasonably necessary to establish the nature, purpose, and activities of the business relationship.

Suspicious activity reports

If a reporting entity reports a suspicious activity, the reporting entity must keep a copy of that report for at least five years after the report is made or any longer period specified by the reporting entity's AML/CFT Supervisor or the Commissioner of Police.

Other records

Records relating to a reporting entity's risk assessments, AML/CFT programmes, and audits must be kept for at least five years after the date on which they ceased to be used on a regular basis.

Destruction of records

Unless there is a lawful reason for retaining those records, a reporting entity must take all practicable steps to ensure that every record retained in accordance with the AML/CFT Act is destroyed as soon as practicable after the expiry of the period for which the reporting entity is required to retain that record.

FATCA

Under the U.S. Foreign Account Tax Compliance (United States of America) Act, 2018 ('FATCA'), which aims to reduce tax evasion by US citizens, tax residents, and other US entities, New Zealand financial institutions with FATCA obligations are required to register with the Internal Revenue Service ('IRS'), carry out due diligence on their financial accounts, and provide the IRS with information on the reportable accounts of US citizens/residents and certain other entities who have specified foreign financial assets above certain thresholds. The information is reported by financial institutions to the New Zealand Inland Revenue Department ('IRD') at least annually, and is then passed on to the IRS under the Agreement between the Government of the United States of America and the Government of New Zealand to Improve International Tax Compliance and to Implement FATCA. Legislation was passed in New Zealand to allow financial institutions to meet their FATCA obligations without breaching the Act's IPPs relating to the collection and disclosure of client information.

Common Reporting Standard ('CRS')

The CRS is a global framework for the collection, reporting, and exchange of financial account information for people and entities investing outside of their tax residence jurisdiction. New Zealand financial institutions are required to carry out due diligence on their financial accounts to identify those accounts held and/or, in certain circumstances, controlled by relevant foreign tax residents. They must then collect prescribed identity and financial account information about these people and accounts. If a New Zealand financial institution determines that it has CRS reporting obligations, it must then register with the IRD and provide the IRD with information on the reportable accounts on an annual basis. New Zealand will send relevant information to the tax authority of each jurisdiction with which New Zealand has an Automatic Exchange of Information agreement.

4. BANKING SECRECY AND CONFIDENTIALITY

Over and above their obligations under the Act, bankers owe customers an additional duty of confidentiality. This duty exists both as an implied term of contract and as an equitable duty. The duty applies to information about businesses, as well as individuals.

Implied term

The duty of confidentiality implied in the banker-customer contract provides wide coverage, necessitating confidentiality for bank account details, all transactions that go through the bank account, and information that was obtained from other sources. There are four exceptions to the duty of confidentiality (as established in the 1924 UK case of Tournier v. National Provincial and Union Bank of England), being:

  • where disclosure is compelled by law, for example when a financial institution is required to give evidence about a customer's accounts in court, when required to give information to the IRD (under the Tax Administration Act 1994) or to a company liquidator (under the Companies Act 1993), or when required to report suspicious transactions to the police (under the AML/CFT Act);
  • where the financial institution has a public duty to disclose confidential information, for example when there is a danger to the state or when the wider public needs protection against a crime;
  • where the interests of the bank require disclosure; and
  • with customer consent (express or implied) to the disclosure.

Equitable

Banks' customers' personal information will be subject to the equitable duty of confidentiality as it:

  • has the necessary quality of confidence about it;
  • is imparted in circumstances importing an obligation of confidence; and
  • the unauthorized use of the information will be to the detriment of the customer.

The duty of confidentiality also arises where:

  • the customer has a reasonable expectation of confidentiality or privacy; and
  • the financial institution has agreed to keep the information confidential or has notice of its confidentiality.

Code of Banking Practice

The Code of Banking Practice (April 2021) ('the Banking Code') stipulates additional sector-specific obligations on its member banks. Among other things, the Banking Code states that banks will respect the privacy of the individual, keep their information confidential, and keep the individual's information and the way that they bank secure. Further details will be set out in the terms and conditions of each bank.

Any disclosure of a bank customer's information must not breach privacy or confidentiality. Accordingly, for the purposes of the Banking Code, whether a bank is able to disclose information to a third party in other than an aggregated or truly de-identified form is entirely dependent on whether the bank obtains sufficient informed consent from individuals through its terms and conditions.

5. INSURANCE

There are no privacy rules or regulations specific to the insurance sector.

6. PAYMENT SERVICES

There are no privacy rules or regulations specific to the payment services industry.

7. DATA TRANSFERS AND OUTSOURCING

IPP11 prohibits financial institutions from disclosing customer personal information to third parties (i.e. transfer of personal information) unless authorized by the individual concerned or another exception applies.

IPP12 establishes a cross-border data transfer regime, which regulates a financial institution's ability to disclose personal information outside of New Zealand to a foreign person or entity. IPP12 does not apply in the case of a transfer of personal information to a recipient who will solely store or process the personal information on behalf of the financial institution (e.g. a cloud service provider) and not for its own purposes, as such a transfer is not a 'disclosure' for the purposes of the Act. A financial institution will only be permitted to disclose information to a foreign person or entity if:

  • the individual concerned authorizes the disclosure to the recipient after being expressly informed by the financial institution that the recipient may not be required to protect the information in a way that, overall, provides comparable safeguards to those in the Act;
  • the recipient is carrying on business in New Zealand and, in relation to the information, the financial institution believes on reasonable grounds that the recipient is subject to the Act;
  • the financial institution believes on reasonable grounds that the recipient is subject to privacy laws that, overall, provide comparable safeguards to those in the Act;
  • the financial institution believes on reasonable grounds that the recipient is a participant in a 'prescribed binding scheme' (at the time of writing, there are no 'prescribed binding schemes' specified by regulation);
  • the financial institution believes on reasonable grounds that the recipient is subject to privacy laws of a 'prescribed country' specified by regulation (at the time of writing, there are no 'prescribed countries' specified by regulation); or
  • the disclosing agency otherwise believes on reasonable grounds that the recipient is required to protect the information in a way that, overall, provides comparable safeguards to those in the Act (for example, pursuant to an agreement entered into between the financial institution and the recipient).

However, under Section 11 of the Act, where a third party (such as a cloud service provider) holds information solely as an agent for the financial institution (for example, for safe custody or processing the information held on behalf of the financial institution), and does not use or disclose the information for its own purposes, the information is deemed to be held by the financial institution (on whose behalf the information is held or processed), rather than being treated as a 'disclosure' under the Act, and thus IPP11 and IPP12 would not apply to the transfer of information to or from the service provider.

The OPC has issued model contract clauses and guidance on model contract clauses which can be used by financial institutions in agreements with recipients where information is being transferred overseas.

Note that other entities within the financial institution's group need to be considered as 'third parties' in the analysis of the Act's application.

Under IPP5, the financial institution must take reasonable steps to ensure personal information is protected by such security safeguards as are reasonable in the circumstances. Under this IPP, the financial institution must do everything reasonably within its power to prevent unauthorized disclosure of that information. The contractual arrangements with the third party or cloud service provider should address this issue. Part 8 of the Act provides that the OPC may prohibit a transfer of personal information from New Zealand to another country where New Zealand is used as a conduit for transfers of personal information from overseas to destinations which do not provide comparable safeguards to those in the Act.

There are further specific restrictions in relation to electronic business and tax records under:

8. BREACH NOTIFICATION

In some circumstances, a severe data breach by a New Zealand financial institution may require self-reporting to the applicable regulatory body (generally the RBNZ in the case of banks and insurers, and the FMA for most other financial service providers).

Part 6 of the Act provides for mandatory reporting of privacy breaches that have caused, or are likely to cause, serious harm to an individual. 'Notifiable privacy breaches' must be notified to the OPC, and in most cases to the affected individuals (or public notice given) as soon as practicable after the financial institution becomes aware of the breach.

9. FINTECH

The FinTech sector is subject to general confidentiality and privacy law as outlined above. For example, where a FinTech business is regulated or licensed by the FMA, the conditions of its licence may implicitly (through requirements to manage operational risk and governance) or explicitly impose data protection and other privacy requirements.

At present, there are no legislative or regulatory privacy requirements specific to the FinTech sector. However, in July 2021, the Government announced it will implement a legislative framework for a consumer data right. This announcement followed public consultation on a possible consumer data right in late 2020. A consumer data right would allow for a consumer to freely and securely share their data, held by one person (for example, their bank), with a trusted third party (for example, another bank the consumer is interested in doing business with) using standardised data formats and interfaces. This right is expected to strengthen existing privacy and data protections by giving individuals and businesses greater choice in relation to, and control over, the information held about them.

The consumer data right will be introduced on a sector-by-sector basis, with the Government designating the sectors to which it will apply. Primary legislation will provide the main framework of the right, which will create basic obligations that apply to those within a designated sector. The designation will provide the type of data that is covered, with further detailed obligations set out in rules and data standards. Third-party data recipients will need to be accredited in order to read consumer data, or to initiate action with consumer consent. A range of information protection safeguards are also expected to be introduced.

The right will focus on consumer consent and data control. At this stage, it is expected that consumer consent will need to be express through an opt-in process, informed, and time-limited. Consumers will also need to be given the ability to review and amend or withdraw consent at any time.

Further information on the consumer data right is expected to be announced by the Government in due course. A bill on the right will be introduced in 2022, which we expect to include some of the privacy and data protection obligations.

Separately, an industry-led initiative, the API Centre, has been launched by Payments NZ Limited ('Payments NZ'). Payments NZ is primarily owned by the big four banks (ANZ Bank New Zealand Limited, Westpac New Zealand Limited, Bank of New Zealand, and ASB Bank Limited) registered in New Zealand. The API Centre was developed to provide standardisation of application programming interfaces ('API') for payment-related services that are used by consumers. Joining the API Centre is voluntary, although there is strong government encouragement for entities to participate in respect of banking or payment-related services.

Entities can join the API Centre either as an API provider (being a New Zealand registered bank, New Zealand non-bank deposit taker, or an entity prudentially regulated by the RBNZ or the FMA) ('API Provider') or as a third party ('Third Party'). If an entity joins the API Centre, it is subject to contractual terms and conditions that provide for some data protection obligations. For example, the API Provider and the Third Party can only use a customer's data in accordance with the customer's consent.

10. ENFORCEMENT

People who are concerned about privacy breaches can make a complaint to the OPC alleging an interference with privacy.

Currently, under the Act, the OPC has no ability to impose fines or prosecute anyone. Instead, the OPC helps parties settle privacy disputes; the settlement may include damages if the breaching agency agrees. However, in cases where there is a serious breach of the Act, or the matter is not settled, the OPC may refer the matter to the Director of the Office of Human Rights Proceedings ('OHRP'), who considers whether proceedings should be brought in the Human Rights Review Tribunal ('the Tribunal'). An individual may also initiate proceedings in the Tribunal (after an investigation by the OPC) if the Director of the OHRP does not consider that the claim has substance.

The remedies sought in cases that are brought in the Tribunal may include compensatory damages up to NZD 350,000 (approx. €197,704). The Tribunal may also award damages where the agency does not respond to an information request by an individual in a timely manner (or at all).

The OPC can also publicly name agencies when appropriate, such as when they have breached the Act, as a means of ensuring future compliance by the agencies concerned and to set an example for others.

Certain fines up to NZD 10,000 (approx. €5,649) can be imposed for offences under the Act, including for:

  • obstructing the OPC or anyone else in exercising their powers under the Act;
  • failure to comply with a requirement of the OPC;
  • making a false or misleading statement to the OPC;
  • falsely representing that the person holds authority under the Act;
  • failure to comply with an access order;
  • failure to notify the OPC of a notifiable privacy breach;
  • failure to comply with a compliance notice issued by the Tribunal;
  • failure to comply with a transfer prohibition notice; and
  • destroying a document containing personal information, knowing that a request has been made in respect of that information for access or correction.

In extreme cases, a privacy breach by a financial institution could lead to sanctions, such as the suspension or revocation of a licence.

11. ADDITIONAL AREAS OF INTEREST

Not applicable.

Hayley Miller Partner
Kensington Swan, Auckland
