New Zealand’s “Consumer Data Right” (CDR) is set to become a reality on 1 December 2025, when the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations (Designation Regulation) and the Customer and Product Data (General Requirements) Regulations 2025 take effect. These Regulations will formally designate the banking sector as the first sector under the Customer and Product Data Act 2025, setting out requirements for designated banks who hold designated customer data to share that data with accredited third parties.

New Zealand’s open banking revolution begins 1 December 

The new framework will reshape the landscape for New Zealand’s major banks, requiring them to adapt their operations, technology, and customer engagement practices to meet the rigorous standards of the CDR. The shift is not just procedural; it marks a fundamental transformation in the way that data is managed and shared.

What is the Consumer Data Right?

The CDR is intended to give customers greater choice control over their own data, and make it easier to switch providers or use new services that make use of their data. Customers can request a data holder to share certain data with accredited third parties. For example, in banking, customers of a major bank could request their transaction history as part of the process of switching banks.

For a deeper dive into what the CDR is and its implications, see our earlier articles: Simpson Grierson - Advancing a Consumer Data Right - the Customer and Product Data Bill  and Simpson Grierson - Navigating the Customer and Product Data Bill: What you need to know and how to prepare.

What do the Regulations do?

From 1 December 2025, ASB, ANZ, BNZ and Westpac will become designated data holders, with Kiwibank joining on 1 June 2026.

Customers will be able to request that these banks share certain data (such as name, contact details, account numbers and types, balances, and up to two years’ transaction history) with accredited providers (such as payment service providers and other financial product/service providers). Importantly, banks are prohibited from charging any fees for providing these data transfers.

Accredited providers must meet strict standards for security, insurance and dispute resolution, so customers remain protected while having more control and choice in how they make payments and who they share financial information with.

How will the CDR operate in practice?

The technical and operational aspects (how data is shared, in what format, how requests are made, and the like) will be governed by common standards and system design.

The country’s largest banks and technology firms have been collaborating through the API Centre, which was established in 2019 by Payments NZ (a bank-owned governance organisation that oversees New Zealand’s core payment systems), to develop a voluntary data-sharing framework. These regulations are intended to ensure that open banking will occur in a secure and regulated way, in line with the Commerce Commission’s 2024 recommendations to boost banking sector competition.

The Ministry of Business, Innovation and Employment (MBIE) has concluded its consultation on the draft Customer and Product Data Standards 2025, which establishes the technical and operational requirements for the secure sharing of banking customer and product data under the Act. MBIE is expected to finalise the standards and publish them on its website shortly.

How does the CDR interact with privacy?

The CDR interacts closely with privacy laws because it involves sharing personal information between entities. The Privacy Act 2020 will continue to apply to all personal information shared as part of a CDR request. The customers’ rights of access and correction under the Privacy Act will apply to information shared, and banks can refuse a request to share information if it would breach their obligations under the Privacy Act.

The CDR requires explicit customer consent before data can be shared with accredited third parties. The consent must be informed - customers must know what data is being shared, with whom, and for what purpose.

Next Steps

Major banks have been preparing for the new regulation for some time now, by building or updating their systems to enable customers to request access to their data, to interface with accredited requestors and to implement the open banking standards necessary to practically effect a CDR.

Experience overseas (in particular in Australia and the UK) suggests that there is a large degree of complexity involved in implementing open banking and data sharing arrangements at scale, including aligning technical systems, accreditation, data-standards, consent frameworks and the like. Data quality, consent design, ease of use and third-party ecosystem readiness have been identified as critical for success. In this regard, the substantial work already undertaken through the API Centre should serve the sector well.

One open question is how well utilised the CDR will be in New Zealand. The UK has seen a strong adoption of open banking: according to a press release by Open Banking Limited, it reached 15.16 million users in July - about one in three adults - and services were used a record 2.04 billion time.^[1] By contrast, in Australia uptake has been much lower than expected, with a survey by the Australian Banking Association finding that only 0.31% of banking customers had taken advantage of the CDR at the end of 2023.^[2] The experience in Australia suggests that merely making data sharing possible does not guarantee consumers or third parties will use it; the experience in the UK suggesting widespread education campaigns for the public and a clear consumer value proposition help to ensure the substantial investments being made by industry players to facilitate data access are well utilised.