.svg)
New Zealand’s open banking regulations have come into force, activating mandatory data sharing and payment initiation rules under the Customer and Product Data (CPD) Act 2025.
The regulations came into effect on December 1, 2025, imposing customer and product data sharing obligations on the country’s four largest banks: ANZ; ASB; BNZ; and Westpac.
This means that, with customer consent, accredited data requestors can now access account information and initiate payments via secure APIs.
“The regulations, released in October, align with global best practice and build on successful models in Australia and the UK, where open banking has sped up home loan approvals and enabled new consumer-friendly apps,” said Scott Simpson, New Zealand’s minister for commerce and consumer affairs.
“Importantly, the regulations ensure that security of consumer data is paramount. Data can only be shared under the customer's explicit consent, and third-party requestors (such as fintechs) must be accredited by the Ministry of Business, Innovation and Employment.”
In addition to requiring the four major banks to offer the mandated open banking capabilities, the regulations obligate state-owned Kiwibank to provide payment services by June 2026 and full open banking services by December 2026.
All other banks and deposit-takers may opt in voluntarily from the launch of the regime.
The Ministry of Business, Innovation and Employment (MBIE) will oversee the open banking regime, including the accreditation process, and is accepting applications from organisations seeking to become accredited data requestors.
The bigger picture
The MBIE consulted on two drafts of the open banking regulations in August 2025. The first outlined plans to designate specific banks and other deposit-takers as data holders and defined designated customer data, specified certain payments via the Bulk Electronic Clearing System (BECS) as designated actions and set out accreditation classes.
The second draft set out operational obligations for accredited requestors, including timeframes for accessing customer data, event-reporting duties and conditions for accreditation applications, liability cover and information-sharing with other agencies.
As data holders, the major banks must meet standards for account, transaction and product data. They also face obligations on uptime, performance, dispute handling and consent mechanisms.
For their part, data requestors must meet requirements on accreditation, security standards and liability arrangements.
The government set several objectives for the new open banking framework. It wants to encourage competition and innovation, as well as empower consumers and promote cross-sector data portability.
In its statement on the launch of the open banking framework, the MBIE said the regulations “aim to support innovation and enhance competition in the banking sector by creating opportunities for secure customer-centric services.”
Announcing the launch of the regulations, Simpson highlighted the advantages for consumers, including budgeting tools, faster mortgage comparisons and potentially lower-cost payment options. He also noted that open banking makes it easier to switch banks by giving customers a safe, regulated way to share their financial information.
In addition, he highlighted the opportunity for fintechs and smaller financial firms to deliver services that traditional banks have been slow to offer.
The government is also seeking alignment with international open banking trends, having fallen behind comparable jurisdictions such as the UK, the EU and Australia.
Open banking is well established in the UK, where mandatory data sharing was introduced in 2018 under the revised Payment Services Directive (PSD2) and supported by the Open Banking Implementation Entity, which was succeeded by Open Banking Limited (OBL).
According to OBL’s Impact Report 7, published in May 2025, there were 13.3m active open banking users in the UK as of March 2025, a 40 percent increase on the same point the previous year.
The EU is similarly advanced in terms of open banking, and is in the process of updating its framework, moving from PSD2 to PSD3 and the Payment Services Regulation (PSR) and aiming to address gaps in data access, API performance and identity assurance.
Since 2020, Australia has implemented open banking through the Consumer Data Right (CDR), which allows consumers to share their banking data securely with accredited providers for improved comparison, switching and financial management services.
The framework being introduced in New Zealand opens the door for new payment initiation products such as account-to-account (A2A) alternatives to card rails.
It is expected to reshape competitive dynamics, as regulated access to consumer data will create new opportunities for fintechs, and incumbent banks will face additional operational and compliance demands.
Early operational challenges include ensuring API infrastructure meets performance standards and building consumer awareness of the benefits and risks of open banking.
Why should you care?
The launch of open banking in New Zealand will affect a range of organisations across the country’s financial services sector.
Banks must ensure that their API infrastructure meets mandatory security, performance and data governance requirements.
They will need to prepare for increased compliance exposure, including privacy and consent-handling risks, and plan for an evolving cross-sector designation model.
For fintechs and payment service providers (PSPs), the new regulated pathways for A2A payment products represent a significant opportunity, although accreditation will introduce cost and governance burdens.
Merchants and payment facilitators will have the opportunity to integrate lower-cost payment initiation options, but may need to adjust their risk assessments depending on how providers use banking APIs.
Organisations operating in New Zealand should consider:
- Conducting an impact assessment to determine which products, data flows and customer journeys are affected by the open banking regulations.
- Mapping required API integrations and identifying technical gaps.
- Reviewing consent-management processes to ensure compliance with CPD Act standards.
- Assessing accreditation requirements if planning to act as a data requestor.
- Updating internal policies and disclosures for data sharing, permissions, liabilities and dispute handling.
- Evaluating commercial opportunities for new A2A payment flows or data-driven services.
- Training operational and customer-facing staff on the data-sharing model and consumer rights.
Both data holders and data requestors will be significantly affected by the introduction of open banking and should seek to capitalise on the opportunities it presents.
Those organisations that engage early and fully will have a competitive advantage over existing and new rivals and will be best placed to succeed in the new environment.
Next steps
- June 1, 2026: Kiwibank must be ready to provide payment services under open banking.
- December 1, 2026: Kiwibank must support full open banking services, including account information sharing and other designated data services.
