The regulator already said this is broken
In August 2025, the Privacy Commissioner issued a compliance comment that should have alarmed every utility retailer in the country. The finding was blunt: fraudsters were opening electricity accounts, editing contact details on existing ones, accruing debt in victims’ names, and passing that debt to collection agencies. In some cases, only a full name and date of birth were needed to access an account.
The breaches often went undetected for months. Victims discovered the fraud only when their credit scores collapsed, loan applications were declined, or debt collectors came calling. The Commissioner found that Information Privacy Principle 5, which requires reasonable safeguards against unauthorised use of personal information, was not being met.
This is not a binding ruling. It is a compliance comment. But it puts every retailer on documented notice that their verification processes are inadequate. Ignoring it now is a conscious choice.
Utilities sit in a regulatory blind spot
The reason verification standards are so weak is partly structural. Power accounts do not fall under the Credit Contracts and Consumer Finance Act, which imposes deeper customer profiling obligations on lenders. There is no statutory requirement for electricity retailers to cross-reference government identity databases or use digital verification services at account opening.
The Privacy Act 2020 does apply, but enforcement has historically been reactive. The Commissioner’s recommended fixes included Identity Verification as a Service (IDVaaS), password requirements, and increasing the number and types of personal information required. Nine months later, there is no public evidence that the sector has adopted these at scale.
Documented cases illustrate the consequences. In one reported instance, a photo of a driver’s licence taken from a handbag was enough to open multiple power accounts and phone accounts and to obtain consumer credit. The fraud went undetected for seven months. In another case, a Rotorua woman discovered her identity had been stolen only when she was declined by a new electricity provider due to credit damage.
The fraud plugs straight into your bank account
The problem does not stop at utility billing. In May 2026, CAFCA revealed that more than $19,000 was fraudulently withdrawn from its Westpac account through the Preferred Initiator Direct Debit model. The structural flaw: banks delegate responsibility for verifying account authority to the third-party organisation setting up the direct debit. That organisation is often a utility retailer, and the retailer typically relies on unverified customer-supplied information.
So a fraudster who opens a power account in your name can potentially set up a direct debit from your bank account, and the bank’s own framework treats the utility’s non-existent verification as sufficient. CAFCA described this as “a clear abdication of banks’ fiduciary duty to their customers.”
The New Zealand Banking Association was debating updates to its Identity Verification Code of Practice in January 2026, with the industry body cautioning that some proposed changes would increase friction and be “cumbersome” for larger entities. That framing tells you where the priorities sit.
Open electricity data will multiply the exposure
Here is where the timeline gets uncomfortable. The government’s Customer and Product Data Act 2025 requires all electricity retailers supplying more than 1,000 installation control points (ICPs) to provide customer data to accredited third parties from 1 July 2027. That data includes unique customer identifiers, contact details, tariff structures, and consumption data in half-hourly increments across more than two million ICPs.
The regime’s set-up and ongoing costs are estimated at $4-6 million per year, recovered through fees and levies. Regulations and standards are being developed through 2026.
The implication is straightforward. If someone can open an account today with a name and date of birth, from mid-2027 they will also be able to request detailed consumption data, tariff information, and half-hourly usage patterns through an accredited requestor. The open data regime is being built on an identity verification layer that the Privacy Commissioner has already found to be inadequate.
The cost lands on everyone except the company that failed
The credit file contamination mechanism is automatic. Arrears data flows from retailers to credit agencies like Centrix and Equifax with no human review gate. When Meridian Energy’s billing platform migration wrongly flagged approximately 470 customers as in arrears, the incorrect data went straight to credit agencies. Fraud produces the same outcome through a different pathway.
Victims face a structural injustice: they cannot contact credit bureaus directly to dispute fraudulent entries. Only the service provider that opened the fraudulent account can do so. The victim depends on the cooperation of the organisation that failed to verify identity in the first place.
For any business that extends credit, processes direct debits, or relies on credit bureau data for lending decisions, this is not someone else’s problem. Fraudulently opened utility accounts generate debt that gets written off and socialised through pricing, damage credit files that inform your own lending decisions, and consume debt collection resources chasing the wrong people. The retailer that skipped the ID check bears almost none of the downstream cost.
The Privacy Commissioner has named the problem. The open data regime is expanding the attack surface. The banking sector is still debating whether better verification would be too “cumbersome.” Every month this stays unfixed, the bill gets bigger for everyone except the companies that could actually prevent it.
Sources
- NZBA: Discussion Paper – Updating the Identity Verification Code of Practice (2026-01-16)
- NZ Herald: ID theft puts debt collector in the same boat as those she usually chases
- NZ Herald: Identity thief racks up thousands in bills
- NZ Herald: Meridian billing glitch wrongly flags 470 customers as in arrears on credit agency files