New Zealand’s Consumer Data Right and open banking

  • Legal update

    20 August 2025


The Ministry of Business, Innovation and Employment (MBIE) has released exposure drafts for two key regulations under the Customer and Product Data Act 2025 (the Act). These regulations are designed to implement New Zealand's Consumer Data Right (CDR), beginning with the banking sector. The release of these drafts provides the industry with insights into MBIE’s decisions on the settings of New Zealand’s formalised 'open banking' regime.

This update provides a high-level summary of the two exposure drafts: the Customer and Product Data (Banking and Other Deposit-Taking) Regulations 2025 and the Customer and Product Data (General Requirements) Regulations 2025.

Submissions on these exposure drafts close on 29 August 2025, with the finalised regulations expected to be published in late September, ready for a 1 December 2025 commencement.

Customer and Product Data (Banking and Other Deposit-Taking) Regulations 2025

These regulations are sector-specific and designate the banking sector as the first industry to be subject to the CDR. They build on the general requirements under the Act to provide the detailed rules for open banking.

Key provisions in the exposure draft include:

  • Designated banks and timeline: The regulations will initially apply to the four major banks (ANZ, ASB, BNZ, and Westpac) from 1 December 2025. Kiwibank will follow with a phased implementation from 1 June 2026, covering payments initially and then customer data by 1 December 2026. Other deposit-takers can voluntarily opt-in to the framework.

  • Designated data: The classes of customer data that must be made available include a broad range of information from savings, transaction, credit card, and lending accounts, such as account balances, transaction history (up to two years), and details of fees and interest charges.

  • Designated actions: The class of action that must be facilitated is the initiation of domestic payments in New Zealand dollars. Payments are able to be made through the “BECS” clearing system governed by Payments NZ, in which a range of New Zealand banks are participants, including the designated data holders. The designation does not currently capture payments that require the authorisation of two or more persons, which will limit its use in some personal and business situations.

  • Customer and account eligibility: The designation applies only to customers who have digital access to their accounts, in practice via a bank's website or mobile application. In the case of payments, the designation is limited to where the terms and conditions of the account allow electronic payment to be made.

  • Accredited requestors: Customers will not be able to request access to their customer data directly from data holders (for example, banks) using this method. Data holders are only required to deal with accredited requestors. Entities who set themselves up as accredited requestors could be entities that provide financial advice or other financial services to customers and so customers will provide their consent to the collection of their data by accredited requestors for those purposes.

  • Acting as an intermediary: The draft also confirms that an accredited requestor could act as an intermediary. This is so that a number of businesses can leverage the technical arrangements that the accredited requestor has in place with the data holder(s), rather than having to obtain an accreditation or technical set up of its own. Entities that may fall within the intermediary class of accredited requestors could therefore be data aggregators or payment platforms. Examples of persons who are receiving the intermediary service from an accredited requestor would be businesses that are providing a product or service to a customer (including retail businesses) and who leverage an open banking payments system to facilitate getting paid (for example, by having a payment console at the counter or on the payment page of an online shopping experience).

Customer and Product Data (General Requirements) Regulations 2025

These regulations set out the foundational, economy-wide requirements that will apply to all designated sectors under the CDR framework. While the banking sector is the first to be designated, these rules will form a baseline for future sectors such as telecommunications and electricity.

Key provisions in the exposure draft include:

  • General accreditation requirements: To become accredited, applicants must satisfy the Chief Executive of MBIE that they have adequate insurance coverage or other financial coverage that would cover their liabilities and (where relevant) they are a registered financial service provider and are a member of a dispute resolution scheme to the extent this is required under certain financial services providers legislation. The form of the application and the nature of the supporting documents that will be required to be provided is yet to be announced, but it appears likely that it would include copies of insurance policies or guarantees.

  • Accreditation of intermediaries: In addition to the matters above, entities that seek accreditation under the “intermediary” class of accredited requestors will need to provide assurances about persons to whom they are providing the intermediary service, including on the suitability of that person (such as the retail business in the example above) to receive data or initiate payments through the intermediary. This includes satisfying the Chief Executive of MBIE that the intermediary has adequate processes to provide reasonable assurance that those intermediary service recipients have (amongst other things) adequate security safeguards in place, have adequate processes to address the risk of deception, and will comply with the Privacy Act 2020.

  • System access: A data holder must give accredited requestors access to their systems for receiving and responding to designated data requests within 5 working days of receiving a written notice that the accredited requestor has become accredited.

  • Charges: The regulations have left a placeholder with respect to the limits and other rules around what fees the data holders (for example, banks) will be permitted to charge accredited requestors. MBIE notes that this aspect is still being considered by the Government.

  • Reporting requirements: On an ongoing basis, accredited requestors must provide certain information. They must report to the Chief Executive of MBIE on the occurrence of specified events affecting their business, including insolvency events, major transactions, legal proceedings being taken against them, changes in the directors and positions like CEO and CFO, and changes of control. Accredited requestors must also advise customers on the details of their active authorisations every 12 months. This is so that customers are prompted to consider, and, if necessary, cancel, any long standing permission (like an automatic payment or direct debit).

Our view

The content of the draft regulations is consistent with the content anticipated in the Minister of Commerce and Consumer Affairs’ press release on 1 May 2025 at the time he announced that Cabinet had decided to designate the banking sector (see Better banking competition one step closer for Kiwis | Beehive.govt.nz).

These regulations do not provide the complete picture around how the banking designation will work. As MBIE has noted, standards will still need to be made under the Act to define the technical specifications for the electronic system that will be used to transfer data and initiate payments. However, these will be issued by the Chief Executive of MBIE and are expected to incorporate version 2.3 of the API Centre standards by reference, as has been signalled for some time. MBIE has stated that customer data has been designated where it relates to a mandatory API endpoint under these standards. It will be important, therefore, that the banks validate that the customer data designation is capable of being delivered through the technical capability offered by this version of the standard that they have geared up to deliver to. There are also details on the level of the levies and other fees that have not been determined yet.

What is not completely clear is the liability that the accredited requestor will bear in practice (if any) in relation to a person to whom it is providing the intermediary service (let’s call them XYZ Co). One can anticipate issues arising if the Chief Executive of MBIE is provided with false and misleading due diligence materials relating to XYZ Co or if, in practice, XYZ Co fails to keep the customer data secure or fails to prevent fraudulent requests. There is no distinct liability framework under the Act that regulates the likes of XYZ Co. The accredited requestor has liability for contravening the Act, but also defences (if the contravention was due to the reasonable reliance on information supplied by another person or if the contravention was beyond its control and the accredited requestor took reasonable precautions and exercised due diligence to avoid the contravention).

Affected persons may well need to rely on existing legal protections outside of the Act (if available). For privacy breaches relating to personal information, the individual customer may have a claim against XYZ Co under the Privacy Act 2020. For other kinds of customers or data (including corporate data), the customer may have a claim against XYZ Co due to a breach of contract or breach of the common law rules around breach of confidence. The Crimes Act 1961 may also apply (through the prohibition against causing loss by deception) to the person perpetrating a fraud - if they can be identified. There remains particular uncertainty around whether customers will have accessible remedies for losses suffered as a result of scams or fraud perpetrated through mandatory payment initiation APIs - and what steps the industry will need to take to address this risk and to support confidence in the system.

In this regard, we expect the industry will be closely watching the implementation of the recently enacted Data (Use and Access) Act 2025 (UK) (and particularly the development of the smart data schemes) which, in large part, was introduced to provide a more formalised liability framework for open banking (and open data in the future) to address gaps in consumer protection and reliance on inconsistent bilateral contracts to fill the gaps in regulation under the current regime.

Next steps for data holders and accredited requestors

Banks will now be focussed on making sure that they have the processes in place to operationalise their obligations, including when they must (and when they must not) release data or accept payment instructions, how they will verify identity and customer authorisation, and what records they will need to keep to demonstrate compliance. Although the Act permits it, there are currently no regulations or standards that prescribe how identity must be verified or authorisation given (beyond what has been signalled through the requirement to use version 2.3 of the API Centre standards).

While traditional online identity verification methods, such as two-factor authentication, will remain useful, more advanced and arguably more secure digital solutions may emerge as preferable alternatives. One such innovation is the use of verifiable credentials, which enable individuals to prove their identity through digitally signed, tamper-proof credentials issued by trusted accredited providers. These credentials can be stored in a secure digital wallet and shared selectively, offering both convenience and enhanced privacy protection. With the Commerce Commission identifying digital identity as a foundational enabler of open banking in its market study into the personal banking sector, and the Digital Identity Services Trust Framework Act 2023 now in place in New Zealand, verifiable credentials and other digital identity solutions are poised to become a key tool in modern identity assurance practices which will meet compliance requirements under the Act and help accelerate the uptake of CDR by supporting a secure open banking ecosystem.

Accredited requestors will want to make sure that they have robust practices in place too, including to support any defence that is necessary (as noted above) - and, from the customer’s point of view, to flush out any potential issues with a person receiving the intermediary service before harm is caused.

The exposure drafts can be found here: Consultation on exposure draft of open banking regulations under the Customer and Product Data Act | Ministry of Business, Innovation & Employment