Customer and Product Data (General Requirements) Regulations 2025
Checking for alerts... Loading...
2025/229
Customer and Product Data (General Requirements) Regulations 2025
Cindy Kiro, Governor-General
Order in Council
At Wellington this 13th day of October 2025
Present:
Her Excellency the Governor-General in Council
These regulations are made under section 131 of the Customer and Product Data Act 2025—
(a)
on the advice and with the consent of the Executive Council; and
(b)
on the recommendation of the Minister of Commerce and Consumer Affairs made in accordance with sections 132 and 137 of that Act.
Contents
Regulations
1 Title
These regulations are the Customer and Product Data (General Requirements) Regulations 2025.
2 Commencement
(1)
These regulations come into force on 1 December 2025.
(2)
However, regulation 6 comes into force on 1 June 2026.
3 Overview
(1)
These regulations prescribe general requirements relating to regulated data services provided under the Act.
(2)
See also the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025, which—
(a)
designate certain banks and other deposit takers for the purposes of section 6 of the Act (which relates to data holders); and
(b)
designate certain customer data about bank accounts and other accounts as designated customer data; and
(c)
designate making certain payments as designated actions; and
(d)
set the classes of accreditation that may be granted in relation to those designation regulations.
(3)
This regulation is only a guide to the general scheme and effect of these regulations and the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025.
4 Interpretation
In these regulations, unless the context otherwise requires,—
Act means the Customer and Product Data Act 2025
acting as an intermediary has the meaning set out in regulation 4(2) and (3) of the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025
applicant means an applicant to be accredited as an accredited requestor
contract of insurance means a contract of insurance as defined in section 7 of the Insurance (Prudential Supervision) Act 2010
electronic facility has the meaning set out in regulation 4(1) of the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025
intermediary service means the service provided by A to B as referred to in regulation 4(2) of the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025
liability of the applicant means any liability of an applicant to pay compensation, damages, costs, or any other amount to any customers and any data holders under any of the following:
(a)
a compensatory order made under section 78 of the Act:
(b)
an award of damages under section 103 of the Privacy Act 2020 if the proceedings relate to any interference with the privacy of a customer that involves any personal information provided to the applicant under the Act.
5 Transitional, savings, and related provisions
The transitional, savings, and related provisions set out in Schedule 1 have effect according to their terms.
System to enable individual to act on behalf of customer to authorise data requests
6 System to enable individual to act on behalf of customer to authorise data requests
(1)
For the purposes of section 31(1) of the Act, a data holder must have a system in place to enable a customer to do the following:
(a)
approve an individual (acting alone) to act on the customer’s behalf to give an authorisation under the Act in respect of requests under section 15 of the Act:
(b)
revoke that approval:
(c)
notify the data holder of that approval or the revocation of that approval.
(2)
The system must allow the customer to give an approval under subclause (1)(a) separately from the customer approving an individual to act on their behalf to do any of the following:
(a)
give an authorisation under the Act in respect of requests under section 19 of the Act:
(b)
instruct the data holder to perform an action otherwise than under the Act relating to authorising payments or opening or closing accounts:
(c)
agree to any change to account access:
(d)
agree to any change to the terms and conditions of an account.
Data holder must give accredited requestor access to system
7 Data holder must give accredited requestor access to system
(1)
This regulation applies, for the purposes of section 31(1) of the Act, if—
(a)
a person (A) becomes an accredited requestor; and
(b)
A gives a written notice to a data holder that states that A has become an accredited requestor.
(2)
The data holder must, within 20 working days after receiving the technical information,—
(a)
give A access to the system to enable A to make requests under the Act; and
(b)
make available to A all other information that is reasonably necessary to enable A to make those requests.
(3)
If, for the purposes of receiving the technical information, the data holder receives information that it considers is incomplete, the data holder must, as soon as practicable, notify the accredited requestor about what further information is still required.
(4)
In this regulation and regulation 8,—
system means the system that the data holder operates under section 27 of the Act
technical information means the information that the data holder reasonably requires to enable it to give A access to the system (for example, digital certificates required by the data holder’s system to identify an accredited requestor)
working day means a day of a week other than—
(a)
a Saturday, a Sunday, Waitangi Day, Good Friday, Easter Monday, Anzac Day, the Sovereign’s birthday, Te Rā Aro ki a Matariki/Matariki Observance Day, and Labour Day; and
(b)
a day in the period commencing with 25 December in a year and ending with 15 January in the following year; and
(c)
if Waitangi Day or Anzac Day falls on a Saturday or a Sunday, the following Monday.
8 Data holder must give accredited requestor details of required technical information on request
(1)
This regulation applies, for the purposes of section 31(1) of the Act, if an accredited requestor (A) gives a written notice to a data holder asking the data holder about what technical information is required for the purposes of regulation 7.
(2)
The data holder must make available to A details of what technical information is required for those purposes.
(3)
The data holder must comply with subclause (2) as soon as practicable but, in any event, within 3 working days after it receives the written notice.
Charges for providing regulated data services
9 Prohibition on charging for providing regulated data services
(1)
For the purposes of section 31(1) of the Act, a data holder must not charge any amounts for providing a regulated data service.
(2)
However, this regulation does not apply to any of the following:
(a)
a charge agreed between a data holder and an accredited requestor for a higher level of performance than is required under the Act:
(b)
if this paragraph applies, a charge agreed by a data holder and an accredited requestor for a data holder to act as referred to in subclause (3)(c):
(c)
an ordinary charge in relation to making a payment from an account as referred to in regulation 8 of the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025.
(3)
Subclause (2)(b) applies if—
(a)
the standards permit a data holder to provide a regulated data service or otherwise respond to a request (to act) in 2 or more alternative ways; and
(b)
by default, a data holder chooses to act in one of those ways; and
(c)
the data holder and an accredited requestor agree that the data holder will act in one of the other ways permitted by the standards.
(4)
In subclause (2)(c), ordinary charge means a charge that, under the terms and conditions of the customer’s account, would be payable by the customer if the payment were made through an electronic facility otherwise than under the Act.
Reporting to chief executive and customers
10 Accredited requestors must comply with requirements for making information available
Regulations 11 and 12 apply for the purposes of section 33 of the Act.
11 Accredited requestors must report details of certain matters to chief executive
(1)
If any of the following occurs, the accredited requestor must, as soon as practicable, send a report containing details of the matter to the chief executive:
(a)
the accredited requestor becomes aware or has reasonable grounds to believe that—
(i)
the accredited requestor is, or is likely to become, subject to an insolvency event (as defined in section 6(4) of the Financial Markets Conduct Act 2013); or
(ii)
a director of the accredited requestor is adjudicated bankrupt or is likely to be adjudicated bankrupt (whether in New Zealand or overseas):
(b)
the accredited requestor becomes aware that a relevant proceeding or action has been commenced or taken against any of the following:
(i)
the accredited requestor:
(ii)
a director or senior manager of the accredited requestor:
(c)
a director or senior manager of the accredited requestor—
(i)
resigns, is removed, or otherwise ceases to hold the office or position; or
(ii)
is appointed, employed, or engaged:
(d)
the accredited requestor proposes to change its name or its legal structure (for example, by virtue of an amalgamation):
(e)
the accredited requestor proposes to enter into a major transaction (as defined in section 129 of the Companies Act 1993 applied to an accredited requestor whether or not it is a company):
(f)
the accredited requestor becomes aware that a transaction or an arrangement has been entered into, or it is likely that a transaction or an arrangement will be entered into, that will result or has resulted in a person obtaining or losing control of the accredited requestor:
(g)
the accredited requestor becomes aware of any material change to any contract of insurance, contract of guarantee, or other arrangement referred to in regulation 15(2).
(2)
In subclause (1)(b), relevant proceeding or action means—
(a)
a civil or criminal proceeding or regulatory action (whether in New Zealand or overseas) in relation to the contravention, or involvement in the contravention, of any of the following:
(i)
the Act (unless the proceeding or action is taken by the chief executive):
(ii)
any legislation referred to in Schedule 1 of the Financial Markets Authority Act 2011:
(iii)
the Privacy Act 2020:
(iv)
(v)
any overseas law that regulates data services, the financial markets, privacy, fair conduct and practices in trade, or other matters that are substantially similar to the matters regulated under the legislation referred to in subparagraphs (i) to (iv); or
(b)
a regulatory or disciplinary action for a breach of a professional or an industry code of conduct or the rules of a financial product market (whether in New Zealand or overseas).
(3)
In subclause (1)(f), control has the same meaning as in clause 48 of Schedule 1 of the Financial Markets Conduct Act 2013.
12 Accredited requestors must periodically notify customer about authorisations
(1)
This regulation applies if—
(a)
a customer (C) (or a secondary user on their behalf) has given an authorisation to an accredited requestor; and
(b)
the authorisation has not ended.
(2)
The accredited requestor must give C a written notice about the scope of the authorisation—
(a)
within 12 months after the time at which the authorisation was given; and
(b)
subsequently, at least once every 12 months since the last notice was given under this regulation.
(3)
A notice must be given by delivering or sending it to—
(a)
the address (including an electronic address) specified by C for the purpose; or
(b)
the actual or last known address (including an electronic address) for C, if—
(i)
paragraph (a) does not apply; or
(ii)
the accredited requestor knows that the address referred to in paragraph (a) is not correct.
(4)
A notice may include information about more than 1 authorisation given by C to the accredited requestor.
(5)
The notice must include information about how C (or a secondary user on C’s behalf) may end the authorisation under section 40 of the Act.
Accreditation of requestors
13 Application for accreditation or for renewal
(1)
This regulation applies for the purposes of sections 109(f) and 117 of the Act.
(2)
An application must, in addition to complying with section 109(a) to (e) of the Act, be made—
(a)
using an internet site maintained by or on behalf the chief executive; and
(b)
in the manner specified in a notice under subclause (3).
(3)
The chief executive may, by notice, prescribe—
(a)
the form that must be used in connection with an application; and
(b)
requirements with which information, evidence, or documents that are provided in connection with the application must comply.
(4)
In this regulation, application means an application under section 108 or 117 of the Act.
(5)
A notice made under this regulation is secondary legislation (see Part 3 of the Legislation Act 2019 for publication requirements).
| Legislation Act 2019 requirements for secondary legislation referred to in subclause (3) | ||||
| Publication | The maker must publish it in accordance with the Legislation (Publication) Regulations 2021, unless it is published by PCO | LA19 ss 69, 73, 74(1)(aa) | ||
| Presentation | The Minister must present it to the House of Representatives, unless it is excluded by section 114(2) of the Legislation Act 2019 | LA19 s 114 | ||
| Disallowance | It may be disallowed by the House of Representatives, unless it is excluded by section 115 of the Legislation Act 2019 | LA19 ss 115, 116 | ||
| This note is not part of the Act. | ||||
14 Accreditation matters relating to Financial Service Providers (Registration and Dispute Resolution) Act 2008
(1)
This regulation applies for the purposes of section 112(2)(e) of the Act.
(2)
The chief executive must be satisfied that,—
(a)
if the applicant is required to be registered under the Financial Service Providers (Registration and Dispute Resolution) Act 2008, the applicant is registered under that Act; and
(b)
if the applicant is required to be a member of an approved dispute resolution scheme under Part 3 of that Act, the applicant is a member of such a scheme.
15 Accreditation matters relating to cover for liabilities
(1)
This regulation applies for the purposes of section 112(1)(a) and (2)(e) of the Act.
(2)
The chief executive must be satisfied that the applicant has entered into, or will enter into, 1 or more of the following contracts or arrangements in order to provide a reasonable level of cover, whether by way of indemnity or otherwise, for the liability of the applicant:
(a)
a contract of insurance:
(b)
a contract of guarantee under which a person agrees to answer for the whole or any part of the liability of the applicant:
(c)
an arrangement maintained by the applicant to set aside financial resources to cover a potential liability (for example, an arrangement commonly referred to as self-insurance).
(3)
The chief executive must, in relation to the requirement in subclause (2), have regard to the following:
(a)
the nature and extent of the services that the applicant will provide in relation to requests that it will make under section 15 or 19 of the Act (or both):
(b)
the terms and conditions of each contract, and the nature and extent of each arrangement, that the applicant is relying on for the purposes of subclause (2), including—
(i)
the extent to which the liability of the applicant is covered by the contract or arrangement:
(ii)
the sum or sums insured (or any limit on the amounts that may be paid under the contract or arrangement):
(iii)
a term that excludes or limits the liability of an insurer or a guarantor to indemnify, or to answer for the liability of, the applicant:
(iv)
in the case of a contract of insurance, a term that describes the basis on which claims may be settled or that specifies any contributory sum due from, or amount to be borne by, the applicant in the event of a claim under the contract (see also paragraph (c)):
(v)
in the case of a contract of guarantee, a term that describes the basis on which rights may be exercised under the guarantee:
(vi)
a term relating to the extent of coverage under a contract of insurance or of guarantee if more than 1 contract covers the liability of the applicant (for example, an “other insurance”
clause):
(c)
whether the applicant has sufficient financial resources to meet any contributory sum due from, or amount to be borne by, the applicant as referred to in paragraph (b)(iv):
(d)
what law governs each contract or arrangement that the applicant is relying on for the purposes of subclause (2):
(e)
in the case of a contract of insurance, the nature and extent of prudential supervision that applies to the insurer.
16 Accreditation matters relating to acting as intermediary
(1)
This regulation applies for the purposes of section 112(1)(a) and (2)(e) of the Act.
(2)
If the application for accreditation requests acting as an intermediary as a class of accreditation, the chief executive must be satisfied that the applicant (A) has adequate processes to—
(a)
verify the identity of each person (B) to which A provides an intermediary service; and
(b)
provide reasonable assurance that B—
(i)
has adequate security safeguards in relation to the relevant data; and
(ii)
has adequate security safeguards in relation to the relevant transactions (if any); and
(iii)
has adequate processes for supporting A’s compliance with A’s obligations under the Act; and
(iv)
has adequate processes to address the risk that a relevant request will be made (wholly or in part) as a consequence of deception (see sections 16(1)(d) and 20(1)(c) of the Act); and
(v)
will comply with its obligations under the Privacy Act 2020 in connection with any relevant data and relevant transaction.
(3)
The chief executive must, in relation to the requirement in subclause (2), have regard to the following:
(a)
the nature and extent of the intermediary services that the applicant will provide:
(b)
the types of persons to whom the applicant will provide intermediary services (including the purposes for which those services may be received).
(4)
In this regulation,—
designation regulations means the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025
relevant data, in relation to B, means data that is provided to B under the intermediary service (including data referred to regulation 4(2)(a) of the designation regulations and data relating to any relevant transaction)
relevant request, in relation to B, means a request made by A under the contract with B as referred to in regulation 4(2) of the designation regulations
relevant transaction means a transaction that A facilitates as referred to in regulation 4(2)(b) of the designation regulations.
Sharing of information with certain law enforcement or regulatory agencies
17 Additional agencies with which chief executive may share information
The following are prescribed for the purposes of section 128(2)(f) of the Act:
(a)
the Financial Markets Authority:
(b)
the Registrar of Financial Service Providers appointed under section 35 of the Financial Service Providers (Registration and Dispute Resolution) Act 2008.
Schedule 1 Transitional, savings, and related provisions
Part 1 Provision relating to these regulations as made
1 Temporary modified definition of electronic facility in relation to certain banks
(1)
Clause 2 of Schedule 1 of the Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025 applies for the purposes of these regulations.
(2)
This clause applies despite regulation 4.
(3)
This clause ceases to apply on 1 June 2026.
Rachel Hayward,
Clerk of the Executive Council.
Explanatory note
This note is not part of the regulations but is intended to indicate their general effect.
These regulations prescribe various general requirements relating to the Customer and Product Data Act 2025 (the Act). Most of the regulations come into force on 1 December 2025.
The Act regulates certain data services provided by persons that are designated as data holders. Section 4 of that Act sets out an overview of the regime.
The Customer and Product Data (Designations for Banking and Other Deposit Taking) Regulations 2025 also mostly come into force on 1 December 2025. Those regulations—
designate certain banks and other deposit takers as data holders; and
designate certain data about bank accounts and other accounts as designated customer data; and
designate making certain payments as designated actions; and
set the classes of accreditation that may be granted in relation to those designation regulations.
These regulations—
require a data holder to have a system in place to enable a customer to approve an individual (acting alone) to act on the customer’s behalf to give an authorisation under the Act in respect of requests under section 15 of the Act; and
require a data holder to give an accredited requestor access to its system operated under section 27 of the Act; and
prohibit data holders from charging for regulated data services (with exceptions); and
require an accredited requestor to—
report certain information to the chief executive of the Ministry of Business, Innovation, and Employment (the chief executive); and
periodically notify customers about authorisations; and
provide matters relating to the accreditation of requestors, including additional criteria that an applicant for accreditation must meet; and
allow the chief executive to share information with the Financial Markets Authority and the Registrar of Financial Service Providers under section 128 of the Act.
Regulatory impact statement
The Ministry of Business, Innovation, and Employment produced a regulatory impact statement on 25 March 2025 to help inform the decisions taken by the Government relating to the contents of this instrument.
A copy of this regulatory impact statement can be found at—
Date of notification in Gazette: 16 October 2025.
These regulations are administered by the Ministry of Business, Innovation, and Employment.
Versions
Customer and Product Data (General Requirements) Regulations 2025
RSS feed link copied, you can now paste this link into your feed reader.