Open Banking on Both Sides of the Tasman

Australia and New Zealand both have Consumer Data Right regimes. They started in different places, they're moving at different speeds, and they're converging on the same destination: a banking system where the customer — not the incumbent — decides who sees their data and who moves their money. Here's the story, the calendar, and the bit most banks are still missing.

The point of all this

For most of banking history, the customer's data has been the bank's data. Statements, transaction histories, balances, product holdings — locked behind logins, released grudgingly, and weaponised to hold customers in place. Switch banks? Re-enter twelve months of expenses by hand. Get a loan from a non-incumbent? Hand over a stack of PDFs and wait three days. Want a single view of your financial life? Build it yourself in a spreadsheet.

Open Banking — and the broader Consumer Data Right behind it — exists to break that. The principle is simple: your data is yours, and if you want to share it with another regulated party to get a better deal or a better experience, the institution holding it has to hand it over. Cleanly, securely, in a standard format, at no cost to the recipient.

That's the why. The what and the when is where it gets interesting.

Two regimes, one direction of travel

Australia got there first. The Consumer Data Right launched in banking in July 2020, anchored in Part IVD of the Competition and Consumer Act 2010 — an economy-wide framework intended to roll across banking, energy, telecommunications and beyond, sector by sector. Six years in, banking and energy are live, and non-bank lenders are next.

New Zealand took the opposite approach: wait, watch, learn from the UK and Australia, then ship something deliberately simpler. The Customer and Product Data Act 2025 became law in March 2025 and went live in banking on 1 December 2025. One regulator (MBIE) instead of three. Industry-led API standards already battle-tested through the Payments NZ API Centre instead of a new technical stack built from scratch. And — critically — payment initiation included from day one, not bolted on years later.

What Australian Data Holders owe right now

If you're an unrestricted ADI, you already know the drill. Consumer Data Standards-compliant APIs covering product reference data and consumer data — accounts, balances, transactions, payees, direct debits, scheduled payments, products across transaction accounts, savings, term deposits, credit cards, personal loans, home loans and business finance. FAPI 1.0 Advanced Profile with Authorization Code Flow for consent and authorisation. A consent dashboard that lets customers grant, amend and revoke. CDR Privacy Safeguards on top of the Privacy Act, enforced by the OAIC.

Compliance is not optional, and the rule book has not stopped moving. The Consumer Data Standards are at v1.36.0 as of December 2025, and the OAIC's CDR Regulatory Strategy was refreshed in February 2026 to set out enforcement priorities for the year.

The real action over the next eighteen months is the non-bank lender expansion. Product data obligations commence 13 July 2026. Consumer data sharing obligations commence 9 November 2026 for initial providers (loan books above $10B) and 10 May 2027 for large providers ($500M–$10B and 500+ customers). For any NBL still treating CDR as next year's problem: it isn't. Initial providers should already be in discovery. Large providers comfortably hit May 2027 with scoping in H1 2026 — but only if scoping starts in H1 2026.

There's more on the horizon. Action initiation is legislated (Treasury Laws Amendment (Consumer Data Right) Act 2024) but no specific action types — payments, switching, account opening — have yet been declared by the Minister. Expect Treasury to consult on which actions land first. A full ban on screen scraping has been signalled. Digital ID integration with CDR authorisation flows is on the agenda.

Translation: the Australian regime is about to get bigger, broader, and more demanding.

What New Zealand Data Holders owe right now

If you're ANZ, ASB, BNZ or Westpac NZ, you've been live since 1 December 2025. That means an Account Information API and a Payment Initiation API conformant to the NZ Banking Data API Specification v2.3.3, with the NZ Banking Data Security Profile applied. Designated customer data covers customer name and contact details, account numbers and types, balances, two years of transaction history, and fees and interest charges across savings, transaction, credit card and lending accounts in NZD where the customer has digital access.

The Payment Initiation obligation is the big one. Domestic NZD payments via BECS, single-customer authorisation, with payment limits no lower than what you set for your own online banking. You cannot charge an accredited requestor for any of this, and you have to onboard new requestors within 20 working days of written notice — a hard service level Australia never imposed.

Kiwibank is on a phased timeline: payment initiation APIs by 1 June 2026, account information APIs by 1 December 2026.

Beyond the Big 4 plus Kiwibank, other deposit-takers can opt in voluntarily. Expect more to do so as the ecosystem matures and customer expectations harden — and watch for partial exceptions on historical statement data lapsing through 2026 and 2027 (some ASB lending exceptions cease 1 June 2026; some Westpac historical statement exceptions cease 1 January 2027). The full designated data set is the default state, exceptions are temporary.

At a glance: what differs

Two roads, one destination. And the destination is not "compliance achieved." It's a banking system where the customer is the centre of the data graph, not the bank.

The upside, Part 1: stop being only a Data Holder

Here is the bit most banks miss. The same frameworks that make you give data away also let you receive it. In Australia you become an Accredited Data Recipient (or partner with one through the CDR Representative pathway). In New Zealand you apply to MBIE as an Accredited Data Requestor. The bar is meaningful — adequate insurance, dispute resolution membership, security and standards conformance — but it's not theoretical, and the prize is significant.

The mature use cases are well understood, and they should be table stakes by now:

• A whole-of-portfolio view. Pull a customer's external accounts into your app. ANZ Australia did this on ANZ Plus and had 15,000 customers linking external accounts inside the first year. Personal Financial Management — spending insights, budgeting, net worth — powered by a complete picture, not the slice that happens to live in your core.
• Better lending decisions. Real income, real expenses, real liabilities, in real time, sourced from the customer's actual transaction history rather than a payslip and a self-declared budget. Affordability you can actually defend.
• SME cash flow tools. Aggregate transaction feeds across every business account a customer holds, plug it into accounting and forecasting, and become the financial command centre rather than one of three apps the bookkeeper has to log into.

These capabilities are baseline. They are what a credible challenger or mid-tier looks like in 2026. If you don't have them, you are visibly behind.

The upside, Part 2: the centrepiece — Action Initiation, Payments, and Switching

This is the bit that's actually exciting, and it's where the next round of competitive separation will happen.

In New Zealand, the lever is already in your hand. A bank accredited as both a data holder and a requestor can initiate payments on behalf of customers from accounts held at other banks. That changes the game. In-app bill payments debiting whichever bank the customer prefers. Real-time payment splitting between friends. Merchant payment flows that bypass card networks and their interchange. Automated savings sweeps from external accounts. Whoever owns the initiation surface owns the customer relationship — regardless of where the deposits sit.

In Australia, the legislation is in place; the declarations aren't. When the Minister declares payment-related action types, Accredited Action Initiators will instruct Action Service Providers (typically the data holder) to process payments. Banks whose payment infrastructure can already accept CDR-initiated instructions as cleanly as a direct customer instruction will be ahead. Banks who haven't started will be scrambling, again.

And then there's App-to-App authentication — the user experience layer that turns OAuth consent flows from a friction-laden multi-screen ordeal into a tap that launches the holding bank's app, authenticates with biometrics, returns to the requestor app with consent granted. It is the single biggest unlock for consumer adoption of Open Banking, and it's where consumer-grade experiences finally start matching consumer expectations.

Then comes account switching — the ultimate test. Move the entire banking relationship: transaction account, direct debits, salary credits, scheduled payments, all of it, to a new provider with minimal friction. Both regimes have it as an aspiration. Neither has fully shipped it. New Zealand has most of the building blocks already (data sharing plus payment initiation); the missing piece is automated redirection of incoming payments and direct debits, which will require either further regulatory designation or commercial agreement between banks. Australia has it as a flagged future action type. Either way, the strategic posture is the same: build for inbound switching to be frictionless, stop competing on lock-in, start competing on quality.

Where Moroku sits in this

Moroku exists to help banks and lenders do exactly the work above — turn Open Banking from a regulatory tax into a competitive weapon. We do it across three product surfaces:

• moroku money — internet and mobile banking with single-pane-of-glass aggregation and PFM out of the box, core-agnostic and Open Banking-powered.
• moroku flow — loan origination with affordability, income verification and liability detection driven by real CDR-sourced data, not document collection.
• kanopi.one — a public utility for brokers and customers to generate consent-based affordability reports that lenders use to derive offers.

For the Mambu-powered institutions facing the consumer data deadlines on 9 November 2026 (initial providers) and 10 May 2027 (large providers), we ship the Moroku Mambu–Biza CDR Connector — a certified, pre-integrated, turnkey bridge between Mambu and Biza.io's Open Banking infrastructure, delivered as a managed service. One vendor accountable end-to-end, certification baked in, conformance evidence ready for your CISO and APRA. Six to eight weeks instead of twelve to eighteen months. Fixed economics instead of an open-ended FTE drain.

The product data phase is largely a publishing exercise. The consumer data phase is where programmes stall, because that's where data has to flow out of the core under authenticated consent with a full lifecycle and audit trail. That's the phase the connector is built for.

What to do now

If you're an Australian ADI, you already know your obligations — but ask yourself whether you're a Data Holder only, or whether you've put the pieces in place to also be a Recipient. The two together is the real position.

If you're an Australian non-bank lender, the calendar is unforgiving. Product data: July 2026. Consumer data: November 2026 or May 2027 depending on your size. Scoping needs to be happening now.

If you're a New Zealand designated bank, the question isn't whether you're compliant — it's whether you're also an Accredited Requestor, and whether you've started building products on top of payment initiation that turn the regime from cost into advantage.

And on both sides of the Tasman, the strategic question is the same. Compliance is the floor. Action initiation is the ceiling. The banks that will win the next decade are the ones who saw that distinction early and built for it.

The data monopoly is breaking either way. The question is whether you're holding the door shut or walking through it.