The Ministry of Business, Innovation and Employment (MBIE) has now released two draft sets of regulations under the new Customer and Product Data Act 2025 (the Act) for consultation.
Back in May, the Minister of Commerce and Consumer Affairs, Scott Simpson, announced that Cabinet had approved banking as the first sector to be designated under the Act. The Act leaves much of the important sector-specific detail to be dealt with in regulations or standards, so these exposure drafts are an important step towards open banking being operational in New Zealand.
MBIE has stated that the draft regulations relate to what data and payments banks need to provide under the Act. Standards will also be made under the Act to cover how designated data and payments initiation are provided (which is proposed to incorporate version 2.3 of the Payments NZ API Centre's API standards).
The open banking regime is set to commence on 1 December 2025 for ANZ, ASB, BNZ and Westpac, so the timeline for consultation on the draft regulations is tight – feedback is officially open until 5pm, 29 August 2025 to enable the regulations to be implemented by the end of September. (MBIE has flagged that it will receive late submissions but may not be able to take any suggestions into account.)
Two different sets of regulations have been published for consultation:
- The Customer and Product Data (Banking and Other Deposit Taking) Regulations 2025 specify which data and data holders are designated under the Act.
- The Customer and Product Data (General Requirements) Regulations 2025 prescribe general requirements relating to regulated data services provided under the Act, such as accreditation criteria and notification requirements.
In its statement releasing the exposure drafts, MBIE points out that the scope of the banking designation has been “further refined” since Cabinet’s announcement earlier this year so that it more closely aligns with the API Centre’s API standards for Account Information and Payment Initiation. Specifically:
- Customer data is designated where it relates to a mandatory API endpoint under the standards. This is somewhat narrower than the scope described in the Cabinet paper from April 2025, which was to apply to customers who had digital access – via online or mobile banking – to designated account types. The “mandatory API endpoint” approach limits the designated data to only what is made available through required (mandatory) API interfaces.
- The designation of bank statements is reduced to those first made available in the previous six months, rather than the previous two years suggested earlier. This change is expressly subject to public consultation.
The draft regulations are not especially detailed, and the Government will presumably rely heavily on the Payments NZ API Centre’s API standards to flesh out the authorisation, confirmation, and verification processes. For example, there is no additional information about how data holders and accredited requestors can deal with joint customers (as contemplated by section 21 of the Act). The Banking and Other Deposit-Taking Regulations limit payment initiation to payments that do not require the authorisation of two or more persons, and that seems to be the end of the consideration of joint accounts at this stage. The fees to become accredited are yet to be prescribed, as are the annual levies payable by data holders and accredited requestors, the form for infringement and reminder notices, and the CPD reliability and availability requirements.
Interestingly, the entire “Charges in connection with regulated data services” section in the General Requirements Regulations is currently “under consideration”. Cabinet had previously announced that the regulations would set out requirements restricting the fees banks could impose on accredited requestors. Bank charges to accredited requestors for action initiation requests were not to exceed 5 cents per payment request. For customer data requests, bank charges were not to exceed 1 cent per successful API call, or a maximum of $5 per month per customer for near-real-time access to transaction records. MBIE now says that the previously agreed caps on banks’ charges for API access are not included because the Government is giving “further consideration” to the matter.
We’ll be watching the evolution of the regulations closely. If you’d like any help understanding how the regulations might impact your business – or in making a submission on the draft regulations – get in touch.