Industry · 15 December 2025 · DEIS Compliance

Open banking in NZ: privacy implications for data sharing APIs

As NZ moves toward open banking, the privacy implications of API-based financial data sharing are significant. Here is what to prepare for.

Tags: banking, open banking, API, fintech

New Zealand is moving toward an open banking framework, following similar initiatives in Australia, the UK, and the EU. Open banking allows consumers to share their financial data with third-party providers through secure APIs. The privacy implications are significant.

What is open banking?

Open banking requires banks to provide APIs that allow authorised third parties — with the customer's consent — to access account information and initiate payments. This creates a new category of third-party data collection that triggers privacy obligations.

Privacy Act implications

When a third party accesses a consumer's bank data through an open banking API:

  • IPP3A applies — the consumer should be aware that their data is being accessed.
  • IPP1 applies — the collection must be for a lawful purpose.
  • IPP4 applies — the collection must be fair and not unreasonably intrusive.
  • IPP12 may apply — if the third party stores or processes the data overseas.

Consent management

Open banking relies on explicit, granular consent. Consumers must be able to:

  • See exactly what data is being shared
  • See with whom it is being shared
  • See for how long it is being shared
  • Revoke consent at any time

DEIS and open banking

As open banking APIs become available in NZ, DEIS will integrate them as additional data sources. The same IPP3A compliance framework will apply — consent or notification captured for every data access, with an immutable evidence trail.
