Open banking in New Zealand
Open banking is regulated by the Customer and Product Data Act. ANZ supports the Consumer Data Right in New Zealand as a data holder and we’re a member of the Payments NZ API Centre.
The details on this page should be read in conjunction with the API Centre’s documentation and the MBIE (Ministry of Business, Innovation and Employment) Consumer Data Right.
ANZ’s open banking services
ANZ Payment Requests
The ANZ Payment Requests service has been built to the API Centre Payment Initiation API Standard v2.3 and the Customer and Product Data (Banking and Other Deposit Taking) Standards 2025 and enables customers to initiate and consent to one-off and ongoing payments through an ANZ- approved or MBIE-accredited third party.
ANZ Data Sharing
The ANZ Data Sharing service has been built to the API Centre Account Information API Standard v2.3 and the Customer and Product Data (Banking and Other Deposit Taking) Standards 2025 and enables customers to initiate and consent to data sharing requests through an ANZ- approved or MBIE-accredited third party.
Available API endpoints
The following API endpoints are available through ANZ.
Authentication endpoints
ANZ supports a decoupled authentication flow and a redirect authentication (hybrid) flow into the ANZ goMoney mobile app.
Endpoint | |
|---|---|
Well known endpoints | GET /.well-known/openid-configuration |
Public JWK | GET /identity/oauth/keys |
Backchannel/CIBA authorise | POST /identity/oauth/bc-authorize |
Hybrid authorise | GET /identity/oauth/authorize |
Introspect endpoint | POST /identity/oauth/introspect |
Revoke endpoint | POST /identity/oauth/revoke |
Token endpoint | POST /identity/oauth/token |
Payment initiation endpoints
ANZ supports domestic payment consents and enduring payment consents.
Endpoint | |
|---|---|
Domestic payment consents | POST /domestic-payment-consents |
Domestic payment consents | GET /domestic-payment-consents/{ConsentId} |
Domestic payments | POST /domestic-payments |
Domestic payments | GET /domestic-payments/{DomesticPaymentId} |
Domestic payments | GET /domestic-payments/{DomesticPaymentId}/debtor-account |
Enduring payment consents | POST /enduring-payment-consents |
Enduring payment consents | GET /enduring-payment-consents/{ConsentId} |
Enduring payment consents | DELETE /enduring-payment-consents/{ConsentId} |
Account information endpoints
Endpoint | |
|---|---|
Account access consents | POST /account-access-consents |
Account access consents | GET /account-access-consents/{ConsentId} |
Account access consents | DELETE /account-access-consents/{ConsentId} |
Accounts | GET /accounts |
Accounts | GET /accounts/{AccountId} |
Balances | GET /accounts/{AccountId}/balances |
Transactions | GET /accounts/{AccountId}/transactions |
Party | GET /accounts/{AccountId}/party |
Party | GET /party |
Statements | GET /accounts/{AccountId}/statements |
Statements | GET / accounts/{AccountId}/statements/{StatementId} |
Statements | GET / accounts/{AccountId}/statements/(StatementId}/file |
Masked credit card number format: 1234-****-****-5678
Additional data requirements
ANZ has implemented the mandatory fields and requires use of the following optional fields:
Required field | |
|---|---|
Authorisation hint | Mobile number |
Request header | x-fapi-customer-ip-address |
Request header | x-fapi-user-agent |
Risk | MerchantCustomerIdentification |
Risk | MerchantCategoryCode |
Risk | MerchantName |
Risk | MerchantNZBN |
Risk | PaymentContextCode |
Tracking | x-fapi-interaction-id |
Restrictions
The ANZ Payment Requests and Data Sharing services are operated on the basis that a third party will undertake its activities within the following parameters:
For all services
ANZ implementation scope | |
|---|---|
Authentication | ANZ goMoney mobile app using the decoupled or redirect (hybrid) authentication flow. |
Authorisation hint | ANZ supports the use of a customer’s verified mobile number. |
Eligibility | Active ANZ customer and at least 18 years of age. |
For Payment Requests
ANZ implementation scope | |
|---|---|
Eligible debtor accounts | Individual and business and everyday transaction accounts with payment authority and funds for the payment. Accounts which require two or more signatories to authorise a payment are not eligible. |
To approve domestic payments | Seven-minute expiry time for the customer to approve the one-off payment request after the consent creation. |
To approve enduring payment consents | Seven-minute expiry time for the customer to approve the ongoing payment request after the consent creation. |
Domestic one-off payment timeframe | Third party should execute payment within 10 seconds of customer approval, and must execute within 30 seconds. |
Domestic payment | Payment status will be provided synchronously as part of payment execution. |
For Data Sharing
ANZ implementation scope | |
|---|---|
Eligible data sharing accounts | Individual and business everyday transaction accounts, savings accounts, credit card, loan or term deposit accounts. The customer authorising the data sharing consent must have account ownership authority or equivalent. |
To approve consents | 10-minute expiry time for the customer to approve the data sharing request after the consent creation. |
Data sharing use cases | Data can only be used for the specific purpose that the customer has given express and informed consent for. Any change in purpose would require the customer to provide a new express and informed consent. Individual consents must be created for each customer proposition and purpose. |
Fair use: ANZ has API rate limiting in place to protect API stability and performance for consumers.
Pricing for Payment Requests and Data Sharing
ANZ doesn’t charge MBIE-accredited third parties to use regulated open banking services. We also don’t charge ANZ-approved third parties that access our open banking services under a bilateral contract, as long as those services are used on an equivalent basis to regulated services.
ANZ doesn’t charge ANZ customers to use any open banking services.
Payment request and data sharing testing
The API Centre provides a testing sandbox for registered third party Standards Users or Community Contributors.
When a third party is approved by ANZ or accredited by MBIE they will be provided with access to ANZ’s pre-production environment and production as part of testing readiness activities.
Service outages
Planned outages
ANZ’s open banking endpoints, unless otherwise communicated, are available. We will advise third parties of any planned outages in advance.
Unplanned outages
An unplanned outage occurs when a third party request returns either:
- No response from the API gateway;
- A 5xx (server error class) response (excluding 501); or
- Authorisation flow is deemed unsuccessful.
We provide the following service for unplanned outages:
- Open banking support is available from 9am to 5pm on business days. We will actively respond, investigate, and as needed, remediate unplanned outages during these times.
- We aim to respond to third party enquiries about unplanned outages within 30 minutes (during regular support hours).
- We expect to resolve an unplanned outage of a standardised API within six hours (during regular support hours).
- We’ll provide update notices to third parties as required and/or when the outage is resolved.
This service doesn’t supersede any contractual obligations.
For more information
For more information, email us at open@anz.com.
To find out more about open banking API Standards contact the API Centre or view the MBIE Consumer Data Right website.