Open banking information for developers
Key information about ANZ’s open banking services, such as available API endpoints, service parameters and data requirements.
Building open banking in New Zealand
ANZ is a member of the Payments NZ API Centre. We are supporting the industry-led approach to build secure open banking services in New Zealand using API standards. The details on this page should be read in conjunction with the API Centre’s documentation.
ANZ’s open banking services
ANZ Payment Requests
The ANZ Payment Requests service has been built to the API Centre Payment Initiation API Standard v2.1.3 and enables customers to initiate and consent to one-off payments through an ANZ approved third party.
ANZ Data Sharing
The ANZ Data Sharing service has been built to the API Centre Account Information API Standard v2.1.3 and enables customers to initiate and consent to data sharing requests through an ANZ approved third party.
Available API endpoints
The following API endpoints are available through ANZ.
Authentication endpoints
ANZ supports a decoupled authentication flow and a redirect authentication (hybrid) flow into the ANZ goMoney mobile app.
Endpoint | |
|---|---|
Well known endpoints | GET /.well-known/openid-configuration |
Public JWK | GET /identity/oauth/keys |
Backchannel/CIBA authorize | POST /identity/oauth/bc-authorize |
Hybrid authorize | GET/consent/authorisation |
Introspect endpoint | POST /identity/oauth/introspect |
Revoke endpoint | POST /identity/oauth/revoke |
Token endpoint | POST /identity/oauth/token |
Payment initiation endpoints
ANZ only supports domestic payment consents and does not support enduring payment consents.
Endpoint | |
|---|---|
Domestic payment consents | POST /domestic-payment-consents |
Domestic payment consents | GET /domestic-payment-consents/{ConsentId} |
Domestic payments | POST /domestic-payments |
Domestic payments | GET /domestic-payments/{DomesticPaymentId} |
Domestic payments | GET /domestic-payments/{DomesticPaymentId}/debtor-account |
Account information endpoints
Endpoint | |
|---|---|
Account access consents | POST/account-access-consents |
Account access consents | GET/account-access-consents/{ConsentId} |
Account access consents | DELETE/account-access-consents/{ConsentId} |
Accounts | GET/accounts |
Accounts | GET/accounts/{AccountId} |
Balances | GET/accounts/{AccountId}/balances |
Transactions | GET/accounts/{AccountId}/transactions |
Masked credit card number format: 1234-****-****-5678
Additional data requirements
ANZ has implemented the mandatory fields and requires use of the following optional fields:
Required field | |
|---|---|
Authorisation hint | Mobile number |
Request header | Customer IP address |
Request header | Customer agent |
Risk | Merchant customer identification |
Risk | Merchant category code |
Risk | Merchant name |
Risk | Merchant NZBN |
Tracking | x-fapi-interaction-id |
Restrictions
The ANZ Payment Requests and Data Sharing services are operated on the basis that a third party will undertake its activities within the following parameters:
For all services
ANZ implementation scope | |
|---|---|
Authentication | ANZ goMoney mobile app using the decoupled or redirect (hybrid) authentication flow. |
Authorisation hint | ANZ supports the use of a customer’s verified mobile number. |
Eligibility | Active ANZ customer and at least 18 years of age. |
For Payment Requests
ANZ implementation scope | |
|---|---|
Eligible debtor account | Everyday transaction account with payment authority and funds for the payment (includes business accounts). Accounts which require two or more signatories to authorise a payment are not eligible. |
To approve payments | Seven-minute expiry time for the customer to approve the payment after the consent creation. |
Payment types | One-off payments to businesses for payments of goods and services only. |
Domestic payment timeframe | Third party must execute payment within 10 seconds of customer approval, but no more than 30 seconds. |
Domestic payment | Payment status will be provided synchronously as part of payment execution. |
For Data Sharing
ANZ implementation scope | |
|---|---|
Eligible data sharing accounts | Everyday transaction account, savings account, credit card, loan or term deposit account. The customer authorising the data sharing consent must have account ownership authority or equivalent. |
To approve consents | 10 minute expiry time for the customer to approve the data sharing request after the consent creation. |
Data sharing use cases | Data can only be used for the specific purpose that the customer has given express and informed consent for. Any change in purpose would require the customer to provide a new express and informed consent. Individual consents must be created for each customer proposition and purpose. |
Fair usage: ANZ has API rate limiting in place to protect API stability and performance for consumers.
Payment request and data sharing testing
The API Centre provides a testing sandbox for registered third party Standards Users or Community Contributors.
When a third party is approved by ANZ they will be provided with access to ANZ’s pre-production environment and production as part of testing readiness activities.
For more information
For more information, email us at open@anz.com.
To find out more about open banking API Standards contact the API Centre.