# Open Banking & API access

| Field | Value |
|---|---|
| Code | PAY-010 |
| Domain | Payments & Settlement |
| Owner | Chief Technology Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD06 |
| Review date | 2027-04-08 |
Regulations: Consumer Data Right (CDR) — Open Banking · Payments NZ Rules

## Purpose
This policy establishes the bank's obligations and operating standards for participation in Open Banking frameworks in New Zealand and Australia. It covers the bank's role as a Data Holder under the Australian Consumer Data Right (CDR), participation in the Payments NZ API standards programme, customer consent management, access logging, and the governance of any commercial API access programme the bank operates.
## Scope
This policy applies to all systems that expose customer data or payment initiation capabilities to third-party providers (TPPs), accredited data recipients (ADRs), or commercial API subscribers. It applies in both NZ and AU jurisdictions. It covers the full lifecycle of Open Banking access: consent creation, data sharing, payment initiation, consent withdrawal, and audit.
## Policy statements
The bank shall comply with all CDR Data Holder obligations under the Competition and Consumer (Consumer Data Right) Rules 2020 and the associated Consumer Data Standards (CDS) technical standards issued by the Data Standards Body (DSB).
The bank shall participate in the Payments NZ API standards programme in accordance with the current version of the Payments NZ Open Banking API Standards. Participation tiers and timing shall be determined by the CTO and Chief Payments Officer in consultation with the Board.
The bank shall not share customer data with any third party via Open Banking channels without a valid, active customer consent record. Each consent record shall specify the data scope, the recipient, and the expiry date. Consent shall be revocable by the customer at any time with immediate effect: once revoked, no further data request under that consent shall be served, including requests presenting access tokens issued before the revocation.
The bank shall implement a consent management interface accessible to customers via the mobile app and internet banking. Customers shall be able to view all active consents, the data scope of each, the recipient identity, and the expiry date. Customers shall be able to revoke any consent with a single action.
All API requests made by third parties against customer data or payment functions shall be logged with: the requesting party identity, the consent reference, the data scope accessed, the timestamp, and the response code. Logs shall be append-only and tamper-evident, so that deletion or alteration of an entry is detectable, and shall be retained for a minimum of seven years.
The bank shall implement rate limiting, authentication, and abuse detection on all Open Banking API endpoints. Any request that exceeds the consent scope, presents no valid consent reference, names a recipient other than the one the consent was granted to, or forms part of an anomalous request pattern shall be rejected at the API layer and flagged for investigation. Consent checks shall fail closed: if the consent record cannot be retrieved or validated, the request is rejected rather than served.
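The consent gate, log record and rate limit described in the preceding statements, as one added worked example. This is illustrative code written for this page, not the bank's MOD-061 platform or any Payments NZ or CDS reference implementation; the consent store, consent references, recipient identifiers, scope strings and the `gate`, `AccessLog` and `RateLimiter` names are all constructed for the example. Every decision, allowed or denied, is written to a hash-chained log carrying the five fields the policy requires, and anything short of a valid, active, in-scope consent for the requesting recipient is denied.

```python
"""Consent-scope gate for Open Banking API requests (illustrative, hypothetical).

Not the bank's MOD-061 code. All consent records, identifiers and scope names
below are constructed sample data for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json

UTC = timezone.utc
# Constructed "current time" used by the samples and the tests.
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=UTC)


@dataclass(frozen=True)
class Consent:
    """Consent record with the fields the policy requires."""
    ref: str
    recipient: str        # accredited data recipient the customer consented to
    scopes: frozenset     # data scope granted
    expires_at: datetime  # expiry date
    revoked: bool = False  # revocation takes effect immediately


# Constructed sample consent store keyed by consent reference (hypothetical).
CONSENTS = {
    "cdr-c-1001": Consent("cdr-c-1001", "adr-fintechco",
                          frozenset({"bank:accounts.basic:read", "bank:transactions:read"}),
                          datetime(2026, 12, 31, tzinfo=UTC)),
    "cdr-c-1002": Consent("cdr-c-1002", "adr-budgetapp",
                          frozenset({"bank:accounts.basic:read"}),
                          datetime(2026, 1, 31, tzinfo=UTC)),            # already expired
    "cdr-c-1003": Consent("cdr-c-1003", "adr-fintechco",
                          frozenset({"bank:payees:read"}),
                          datetime(2026, 12, 31, tzinfo=UTC), revoked=True),
}


class AccessLog:
    """Append-only, hash-chained log: each entry commits to the previous
    entry's hash, so editing or deleting an entry makes verify() fail."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def append(self, **fields):
        body = json.dumps(fields, sort_keys=True)
        digest = hashlib.sha256((self._prev + body).encode()).hexdigest()
        self.entries.append({"prev": self._prev, "fields": fields, "hash": digest})
        self._prev = digest
        return digest

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["fields"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class RateLimiter:
    """Sliding-window request limit per requesting party."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window, self.hits = limit, timedelta(seconds=window_seconds), {}

    def allow(self, key, now):
        recent = [t for t in self.hits.get(key, []) if now - t < self.window]
        recent.append(now)
        self.hits[key] = recent
        return len(recent) <= self.limit


def gate(log, limiter, requester, consent_ref, scope, now, store=CONSENTS):
    """Decide one third-party data request; returns (http_status, reason).

    Fails closed: a missing, unknown, revoked or expired consent, a recipient
    other than the one named in the consent, or a scope outside the consent
    is denied. Every outcome is logged with the fields the policy names.
    """
    consent = store.get(consent_ref) if consent_ref else None
    if not limiter.allow(requester, now):
        code, reason = 429, "rate_limited"
    elif consent is None:
        code, reason = 403, "no_valid_consent"
    elif consent.revoked:
        code, reason = 403, "consent_revoked"
    elif now >= consent.expires_at:
        code, reason = 403, "consent_expired"
    elif consent.recipient != requester:
        code, reason = 403, "recipient_mismatch"
    elif scope not in consent.scopes:
        code, reason = 403, "scope_exceeded"
    else:
        code, reason = 200, "ok"
    log.append(requester=requester, consent_ref=consent_ref, scope=scope,
               timestamp=now.isoformat(), response_code=code, reason=reason,
               flagged=code != 200)
    return code, reason


if __name__ == "__main__":
    log, limiter = AccessLog(), RateLimiter(100, 60)
    print(gate(log, limiter, "adr-fintechco", "cdr-c-1001", "bank:transactions:read", NOW))
    print(gate(log, limiter, "adr-fintechco", "cdr-c-1001", "bank:payees:read", NOW))
    print("log intact:", log.verify())
```

The checks are ordered so that the cheapest rejection (rate limit) happens before the consent lookup, and the scope check is a strict membership test rather than a prefix match, so a consent for `bank:accounts.basic:read` never satisfies a request for a broader scope. A production gateway would back `CONSENTS` with the real consent store and sign or externally anchor the log's head hash; the chaining shown here is the minimum that makes the log tamper-evident.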
Where the bank operates a commercial API access programme (paid API subscriptions for fintechs and SaaS platforms), access shall be governed by a commercial agreement that specifies permitted use cases, data scope limitations, rate limits, and audit rights. Commercial API access shall not expand the data scope beyond what the underlying customer consent permits.
The bank shall report to the ACCC (AU) and the FMA (NZ) on Open Banking participation status as required by each regulator. Incidents involving unauthorised data access or consent scope violations shall be notified to the relevant regulator within the timeframes specified in the applicable rules.
## Satisfying modules

| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-061 | Open banking API platform | GATE | Enforces customer consent scope at the API layer: all third-party data requests are blocked without valid, active consent. |
| MOD-084 | Open banking data access — data recipient | GATE | Customer consent for open banking data retrieval is validated against the MOD-049 consent store before any request is made to the external Data Holder: no retrieval without explicit, in-scope, profile-appropriate consent. |
Compiled 2026-05-22 from source/entities/policies/PAY-010.yaml