Contents
The open banking regime to apply in New Zealand will be largely set by regulation under the Customer and Product Data Act 2025 (the Act). Draft regulations inviting industry input into the design have been put out by the Ministry of Business, Innovation and Employment (MBIE) with submissions due by 29 August.
Scope
The consultation covers:
- the Customer and Product Data (General Requirements) Regulations 2025 (the General Regulations), and
- the Customer and Product Data (Banking and other Deposit-Taking) Regulations 2025 (the Banking Regulations).
The General Regulations have broad, cross-industry application and set out high-level requirements applying to Accredited Requestors as well as their access to data holders’ systems and accreditation application matters. The fee structure to apply under the Act is still being developed, creating a continuing area of uncertainty (as we discuss below).
The Banking Regulations are specific to the banking sector. They confirm the designation timeline of 1 December 2025 for the four largest banks and for Kiwibank; 1 June 2026 for payments and 1 December 2026 for customer data. Other deposit takers may opt in.
They also set out:
- the data types to be designated as customer data
- the actions designated banks must perform at a customer’s request, and
- the accreditation requirements for these data and actions, including a new intermediary accreditation class.
Because both sets of regulations are high level in scope, we expect further technical standards to be issued as additional detail is required – e.g., in respect of security requirements.
Key areas of uncertainty
- Bank charges for API access: Cabinet has agreed in principle to cap the charges banks can levy for API access but is still considering what caps would be appropriate. The draft regulations will be updated once these decisions have been taken.
- Liability: Stakeholders who were hoping for clarification on how the liability provisions in the Act will be applied – e.g., guidance on recovering small losses; the specific duties of banks or Accredited Requestors to avoid, mitigate, or remedy loss or damage, and how these duties will be allocated between them – will be disappointed.
- Authorisation: Some welcome clarity is provided in the General Regulations around customer authorisation. The requirement to send customers written reminders about their consents every year will sit with Accredited Requestors (not banks). But little detail is available around how Accredited Requestors and banks can be certain that customers have provided express and informed initial and ongoing authorisation.
More detail for Accredited Requestors
In addition to the customer authorisation provisions discussed above, the General Regulations also include:
- requirements in respect of the criteria to be considered by the Chief Executive of MBIE when assessing applications from prospective Accredited Requestors. These include a requirement that applicants demonstrate that they have reasonably adequate insurance or guarantees to cover penalties or similar liabilities under the Act. However, there is no requirement for resources to cover contractual disputes, and
- matters that Accredited Requestors must report to the Chief Executive of MBIE, such as major transactions or insolvency.
The Banking Regulations provide that an Accredited Requestor acts as an intermediary if they:
- provide a non-accredited person with identifiable customer data received under the Act, and/or
- facilitate a payment from the customer’s account to the non-accredited person’s account (or both), and
- the non-accredited person has a contract to provide goods or services to the customer.
However, the definition of “acting as an intermediary” appears to cover only situations where the intermediary facilitates payments directly to the party accessing the service, not to third parties. For example, if a service wants to enable payments to multiple third parties, it would either need to become an Accredited Requestor or process payments through its own accounts before passing them on.
For applications for accreditation to act as an intermediary, the applicant must also satisfactorily establish that it has adequate processes to verify the identity of each non-accredited recipient of intermediary services, and it can provide reasonable assurance that each non-accredited recipient has appropriate processes and safeguards in respect of specific matters including security, compliance with the Act, and deception risks.
Next steps
Stakeholders should consider how the proposed rules may affect their business, particularly if they are considering seeking accreditation as a requestor or intermediary, or if they are a bank that will be subject to the designation. The absence of firm rules on API charges is a key area to watch, as further regulatory developments are expected.
If you would like to discuss the draft regulations and their implications, or require assistance with preparing a submission, please contact our team.
This article is intended as a summary and does not constitute legal advice. For further information, please refer to the MBIE consultation documents or contact us directly.
With thanks to Charlotte Montgomerie and Maggie Churm for her assistance in preparing this article.
