All Posts

Fri, 24 Oct 2025

NZ’s open banking regulations are here, marking the start of regulated data access

New Zealand has crossed the line. The Ministry of Business, Innovation and Employment (MBIE) has released the final regulations that switch on regulated open banking under the Customer and Product Data Act 2025. These regulations move Aotearoa to a mandated framework with firm dates, fee settings, and practical carve-outs - making data portability a legal right.

The headline changes

1. No API fees to access bank data or initiate payments

Banks are prohibited from charging customers or accredited requestors for open banking access. The government initially floated fee caps, but the final decision is a full prohibition to remove barriers to entry and align with international best practice.

2. Clear go-live dates for the big five

ANZ, ASB, BNZ, and Westpac must be live by 1 December 2025. Kiwibank will support payments by 1 June 2026 and full account data services by 1 December 2026.

From 1 December 2025, other deposit takers can opt in voluntarily.

3. Specified customer channels for day-one access

Open banking must be available through existing customer interfaces — ANZ goMoney, ASB Mobile Banking, BNZ Internet Banking, and Westpac One — by the December 2025 deadline.

4. Time-limited technical exceptions

Short, targeted extensions recognise integration constraints for certain data types, such as historic statements or loan histories.

Examples include:

  • ANZ statements delayed until 1 April 2026
  • Westpac legacy statements delayed until 1 January 2027
  • ASB loan histories available by 1 June 2026

5. Cost recovery through accreditation and levies

To fund the regime, MBIE will recover costs via accreditation fees and annual levies, rather than per-API charges.

Application fees are set at NZD $1,500 for non-intermediary and $2,000 for intermediary accreditation.

6. Primary and secondary users

The regulations define a primary user (typically the account owner) and secondary users (such as delegated signatories or authorised representatives). Data holders must ensure that both primary and eligible secondary users can provide, manage, and revoke consents for data sharing, maintaining transparency and control across shared or joint accounts.

7. Data holders must connect within 20 working days

Once an accredited requestor provides the required notice and information, data holders must enable API access within 20 working days.
This codifies a clear service expectation and helps accredited requestors plan integration timelines with confidence.

8. Payment initiation included from day one

The framework goes beyond “read-only” access. Accredited requestors can not only retrieve account and transaction data but also initiate payments on behalf of customers, once accredited and authorised.

This marks a major step toward action initiation and open finance, enabling fintechs to offer direct bank-to-bank payments without card rails.

9. Dual-authorisation accounts temporarily excluded

Accounts requiring two or more people to authorise a transaction — such as business or trust accounts - are out of scope for now.
MBIE has deferred these “multi-party” payment scenarios to a later phase to avoid operational complexity during the initial rollout.

What this unlocks for product teams

  • Zero-marginal-cost access for ADRs enables more use cases, from personal finance to credit assessment, without the barrier of per-API fees.
  • Predictable launch windows allow product teams to align sprints and onboarding with the December 2025 and 2026 milestones.
  • Faster connections once accredited: data holders must provide access promptly after notification, supporting rapid go-to-market for fintechs.

How Fiskil helps you deliver

Fiskil’s Data API abstracts away the complexity of bank-specific integrations so your team can move fast while staying compliant.

  • Banking API: securely link accounts, balances, transactions, and statements, with feature flags for MBIE’s temporary exclusions.
  • Income API: verify income sources and stability for onboarding or lending workflows.
  • Energy API: extend open data capabilities beyond banking, mirroring Australia’s established Consumer Data Right framework.

For data holders, Fiskil’s Data Provider platform delivers managed infrastructure with built-in consent management, uptime SLAs, and standards-aligned schemas - keeping you current as the New Zealand standards evolve.

Looking across the Tasman

Australia’s Consumer Data Right (CDR) continues to expand across sectors - from banking to energy and non-bank lending - with clear parallels to New Zealand’s new framework.

For organisations operating trans-Tasman, adopting interoperable APIs and a consistent consent architecture now will reduce future compliance friction.

Fiskil helps financial and energy institutions simplify compliance, accelerate integration, and build the next generation of open data experiences. Learn more about our open banking solutions.

Posted by

Coco Armstrong

Coco Armstrong

Share this post