What is the main takeaway from "Open banking in NZ: privacy implications for data sharing APIs"?
As NZ moves toward open banking, the privacy implications of API-based financial data sharing are significant. Here is what to prepare for.
Which NZ industries need IPP3A compliance for lookups?
Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.
Is DEIS a legal adviser?
No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.
New Zealand is moving toward an open banking framework, following similar initiatives in Australia, the UK, and the EU. Open banking allows consumers to share their financial data with third-party providers through secure APIs. The privacy implications are significant.
What is open banking?
Open banking requires banks to provide APIs that allow authorised third parties — with the customer's consent — to access account information and initiate payments. This creates a new category of third-party data collection that triggers privacy obligations.
Privacy Act implications
When a third party accesses a consumer's bank data through an open banking API:
IPP3A applies — the consumer should be aware that their data is being accessed.
IPP1 applies — the collection must be for a lawful purpose.
IPP4 applies — the collection must be fair and not unreasonably intrusive.
IPP12 may apply — if the third party stores or processes the data overseas.
Consent management
Open banking relies on explicit, granular consent. Consumers must be able to:
See exactly what data is being shared
With whom it is being shared
For how long
Revoke consent at any time
DEIS and open banking
As open banking APIs become available in NZ, DEIS will integrate them as additional data sources. The same IPP3A compliance framework will apply — consent or notification captured for every data access, with an immutable evidence trail.
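One way to implement the consent requirements listed under "Consent management" together with the evidence trail described here, as an added example that is not DEIS code or part of any open banking standard: each grant records the recipient, the data scopes and an expiry; revocation takes effect immediately; and every access decision, including denials, is appended to a hash-chained log whose integrity can be checked. The scope names, timestamps and the chaining scheme are assumptions for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0, DAY = datetime(2025, 1, 1, tzinfo=timezone.utc), timedelta(days=1)  # constructed demo times

@dataclass
class Consent:
    recipient: str            # with whom the data is shared
    scopes: frozenset         # exactly which data categories (names here are assumed)
    expires_at: datetime      # for how long
    revoked_at: "datetime | None" = None

def _digest(event: dict) -> str:
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

class ConsentRegistry:
    def __init__(self):
        self.consents, self.evidence = {}, []   # evidence is append-only and hash-chained

    def _record(self, event: dict) -> None:
        # Each entry commits to its predecessor, so altering or dropping one is detectable.
        event["prev_hash"] = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        event["hash"] = _digest(event)
        self.evidence.append(event)

    def grant(self, cid, recipient, scopes, duration, now):
        self.consents[cid] = Consent(recipient, frozenset(scopes), now + duration)
        self._record({"event": "grant", "consent_id": cid, "recipient": recipient,
                      "scopes": sorted(scopes), "expires_at": now + duration, "at": now})

    def revoke(self, cid, now):
        self.consents[cid].revoked_at = now
        self._record({"event": "revoke", "consent_id": cid, "at": now})

    def check_access(self, cid, recipient, scope, now) -> bool:
        c = self.consents.get(cid)
        allowed = (c is not None and c.recipient == recipient and scope in c.scopes
                   and now < c.expires_at and (c.revoked_at is None or now < c.revoked_at))
        self._record({"event": "access", "consent_id": cid, "recipient": recipient,
                      "scope": scope, "allowed": allowed, "at": now})  # denials are evidence too
        return allowed

    def verify_trail(self) -> bool:
        chain = ["0" * 64] + [ev["hash"] for ev in self.evidence]
        return all(ev["prev_hash"] == chain[i] and _digest(ev) == ev["hash"]
                   for i, ev in enumerate(self.evidence))
```

A production system would sign or anchor the chain head externally so that the operator cannot silently rebuild it; the in-memory chain shown here only demonstrates the detection property.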