The Customer and Product Data Bill, introduced by the New Zealand Parliament in May 2024, aims to enhance consumer data rights by enabling individuals and businesses to share their financial data with authorised third parties securely. The aim of the bill is to foster competition, innovation and choice, and set data-sharing standards that will keep New Zealand’s financial sector modern and in line with global trends, empowering consumers with better financial products, while maintaining strict privacy and security protections.
Expected to come into force in 2026, the framework had its second reading agreed in March 2025, once again throwing a spotlight on the significant obligations it will, if passed, place on payment service providers regarding customer data access, sharing and security.
The Bigger Picture:
Open banking in New Zealand focuses on improving access to customer data, to support a more competitive and consumer-oriented financial system.
When institutions like banks or payment service providers (PSPs) make services accessible to consumers, data is created. This “customer data” can consist of account histories, transaction records or information on product usage.
The Ministry of Business, Innovation, and Employment has stated that customer data can potentially improve the lives of many people, but limited accessibility means many individuals are prevented from unlocking its full value. With open banking, consumers gain access to personalised financial products, improved budgeting tools and more competitive lending options, while businesses can streamline payments and access better financial insights.
The bill aims to achieve better interest rates, lower fees, and innovative financial tools tailored to individual needs by breaking down data silos and fostering competition. Ultimately, this shift empowers consumers with greater future control over their financial lives, fostering a more competitive and customer-centric financial sector in New Zealand.
Additionally, open banking aims to support fintech growth by encouraging collaboration between traditional banks and financial service providers. The collaboration between fintech firms and banks enables fintech firms to offer products such as automated savings apps, real-time financial insights and alternative lending solutions, which rely on secure access to banking data. Through application programming interfaces (APIs), banks and PSPs can securely share customer data (with explicit consent) with third parties, fostering an ecosystem where consumers have more choices and businesses can leverage advanced financial technologies.
As New Zealand implements this framework through the bill, strict data security measures and consumer consent protocols will ensure that collaboration occurs within a safe and regulated environment, maintaining trust while driving financial innovation. Once in effect, the framework sets out obligations for PSPs, such as sharing designated customer data with accredited requestors once the customer has authorised the request, operating a secure electronic system to process regulated data requests, and maintaining a record of all data requests (including timestamps, authorisation details and data handling actions).
It is important to note that New Zealand’s effort to regulate open banking is part of a larger push to promote data-sharing within the Oceanic region. In February 2020, the Australian Government passed the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR). The rules provide the framework for how the CDR operates and define the elements for consent, outline the accreditation framework and elaborate on the scheme's privacy aspects.
Why Should You Care?
PSPs must pay close attention to the bill due to the significant obligations it places on them regarding customer data access, sharing and security. The bill establishes a CDR framework that mandates that PSPs, as data holders, provide designated customer data upon valid requests from accredited requestors, assuming the customer has provided explicit authorisation.
Key obligations under this bill include:
- Providing customer data upon request: PSPs must supply designated customer data to accredited requestors once a customer has authorised the request. This means implementing secure and efficient systems to handle and process data sharing in compliance with the bill's requirements.
- Implementing secure and standardised systems: PSPs must operate an electronic system that allows for the receipt and processing of regulated data requests. This system must meet technical and performance standards related to security, identity verification, reliability and accessibility.
- Verifying the requestor's identity: Before disclosing customer data, PSPs must verify the identity of the person making the request to prevent fraud and unauthorised access.
- Ensuring explicit and informed customer authorisation: PSPs must ensure that customers explicitly authorise any request before data is shared. Customers must also be reasonably informed about the scope, purpose and implications of granting authorisation.
- Maintaining detailed records: PSPs must keep records of all customer data requests, including the time of request, authorisation details and how data was handled. These records must be retained for at least five years after the last request.
- Potential penalties for non-compliance: Failure to comply with the bill can result in pecuniary penalties, with different tiers of fines based on the severity of the violation. These penalties can be substantial if a PSP fails to follow authorisation, security, or data handling rules.
Next steps:
With the Customer and Product Data Bill set to establish a CDR framework in New Zealand, registered financial service providers must take proactive steps to ensure compliance and readiness for open banking. The bill introduces a regulatory structure for data sharing, requiring financial institutions to prepare for new obligations, while creating opportunities for innovation and customer engagement.
To prepare for the proposed reforms, PSPs can take the following proactive measures:
- Understand accreditation requirements: PSPs that wish to access and utilise customer data must apply to become an accredited requestor. The bill outlines a rigorous process, requiring applicants to demonstrate good character, robust data security measures and compliance with data handling regulations. Providers should assess their organisational structure, security frameworks and compliance policies to ensure they meet these accreditation criteria.
- Develop secure and standardised data-sharing systems: Under the bill, financial institutions classified as data holders must share customer data upon authorised requests via secure electronic systems. These systems must meet prescribed technical and performance standards, including identity verification, security measures and reliability requirements. Providers should invest in API development, cybersecurity enhancements and system reliability testing to ensure seamless and compliant data-sharing processes.
- Establish customer consent and privacy protocols: The bill mandates that customer data can only be shared with explicit authorisation, ensuring that customers are well-informed about who is accessing their data and for what purpose. PSPs should refine their customer consent processes, ensuring they are transparent, easy to understand and fully compliant with Privacy Act 2020 protections. This includes implementing user-friendly consent dashboards and clear opt-in or opt-out mechanisms.
- Prepare for compliance and reporting obligations: The bill imposes strict record-keeping requirements on data holders and accredited requestors. Providers must maintain detailed records of data requests, authorisations and transactions, ensuring compliance with dispute resolution and regulatory oversight. Establishing internal compliance teams and automated reporting systems will be critical to meeting these obligations effectively.
- Strengthen fraud protection and consumer protection measures: Data holders can refuse requests if they suspect fraud, deception or financial harm to a customer. Providers should enhance their fraud detection mechanisms, implement real-time monitoring systems and educate customers on secure data-sharing practices to prevent misuse of open banking services.
The Customer and Product Data Bill marks a significant step towards establishing a secure, standardised, consumer-driven open banking framework in New Zealand. By enforcing strict data-sharing protocols, requiring robust security measures and promoting transparency in customer consent, the bill ensures that PSPs and other financial service providers will operate within a regulated and trustworthy ecosystem. Although compliance may require substantial investment in infrastructure, security and governance, it also presents an opportunity for innovation, fostering competition and enhancing customer experiences.
Following the agreed second reading on March 6, 2025, the bill will move to the Committee of the Whole House stage, where it will be examined in detail, and members can propose amendments. Depending on the discussions and any changes made, the bill will then proceed to the report stage and third reading before receiving Royal Assent. PSPs should use this time to review the bill and take proactive measures to prepare for the new obligations before they potentially come into effect.