Regulated open banking guidance

Who can apply for accreditation

Explains who can apply, the role accreditation plays in the CDR, and the types of participants it is designed for.

What the application process involves

Sets out the main steps in the accreditation process, including what applicants can expect from MBIE and when.

What information applicants need to provide

Clarifies the information and supporting material needed to assess an application, including how this helps MBIE determine whether the accreditation criteria are met.

How MBIE assesses an application

Explains how MBIE reviews applications, including how we consider completeness, eligibility, and whether the applicant can meet the relevant accreditation requirements.

What happens after accreditation is granted

Explains what accreditation means in practice, including next steps for applicants and how accreditation relates to onboarding and participation in a regulated sector.

Status: Published

Accredited requestors

What fees and levies apply under the CDR

Explains the types of fees and levies that may apply to participants, what they relate to, and when they may be payable.

Who is responsible for paying fees and levies

Clarifies which participants are required to pay, and how payment responsibilities may differ depending on the participant’s role and status.

When fees and levies are charged

Sets out when fees and levies are likely to arise, including at application, during accreditation, and through ongoing participation in the CDR.

How fees and levies are calculated and invoiced

Explains how charges are determined, how participants will be notified, and what they can expect from MBIE’s invoicing and payment processes.

What to do if a participant has questions about fees or levies

Explains how participants can seek clarification where they are unsure about a charge, payment timing, or how the fees and levies framework applies to them.

Status: Published

Fees and levies for Consumer Data Right

Role of MBIE accreditation and how it differs from data holder onboarding

Clarifies that accreditation provides baseline regulatory assurance, but does not replace onboarding, technical enablement, or other steps a data holder may still lawfully need to complete.

Participant roles within regulated open banking

Explains the roles of data holders, accredited requestors, intermediaries, downstream parties, and consumers, and how those roles affect obligations and accountabilities.

Treatment of intermediaries and fourth-party risk

Explains how MBIE expects participants to think about intermediary models, outsourced functions, and risk management where other parties are involved in delivering regulated services.

What information a data holder can reasonably request during onboarding

Explains the limits on information requests in a regulated environment, including the distinction between information needed for lawful risk or operational purposes and information that would go beyond the regulated access framework.

Permitted scope of screening and due diligence by data holders

Provides guidance on what a reasonable, proportionate, and risk-based onboarding approach may look like.

Use, and prohibition, of bilateral or commercial arrangements in onboarding

Makes clear that regulated access must not be made conditional on agreeing to separate bilateral or commercial terms.

How data holders should engage with applicants pending accreditation

Clarifies what engagement may be appropriate before accreditation is granted, and what remains outside the regulated CDR framework until accreditation is in place.

Managing onboarding disputes and escalation pathways

Explains when issues should be worked through directly, when MBIE expects early engagement, and what information is useful if escalation is needed.

Status: In progress

Prioritisation rationale: This is prioritised first because onboarding is the main gateway into regulated participation. If participants do not have clarity about the relationship between accreditation, onboarding, due diligence, and participant roles, implementation can stall early and friction can quickly arise between data holders and accredited requestors.

How CDR obligations interact with other legal obligations

Explains that CDR obligations sit alongside, and do not override, other legal obligations that participants must continue to meet.

Accreditation and other risk or integrity obligations

Clarifies that accreditation does not replace any separate legal or regulatory obligations participants may have under other CDRs.

What to do when an integrity concern is identified

Provides guidance on expected responses where fraud, sanctions concerns, suspicious activity, or other integrity issues arise during onboarding or ongoing participation.

Pausing onboarding or service provision because of legal or integrity concerns

Clarifies when a pause may be justified, what should be documented, and when MBIE expects to be informed.

Avoiding unnecessary duplication while still meeting other obligations

Explains MBIE’s expectation that participants should avoid introducing friction or duplicative processes that are not needed to manage genuine legal, risk, or operational concerns.

Status: In progress

Prioritisation rationale: This is prioritised early because participants must continue to meet other legal and regulatory obligations regardless of the CDR. Uncertainty here can prevent onboarding from progressing, justify pauses in service delivery, and create inconsistent participant practices if MBIE’s expectations are not clear.

Scope of payment initiation under regulated open banking

Explains what payment-related actions sit within the regulated framework, what does not, and how action initiation differs from data sharing.

Scope boundaries and prioritisation for payment-related change

Clarifies which types of payment issues MBIE expects to address through guidance or standards, and which broader business or data quality issues remain outside regulatory scope.

Authorisation and confirmation requirements for payments

Clarifies MBIE’s expectations about customer authorisation, confirmation, and the controls needed before a payment instruction is acted on.

Payee set-up, verification, and payment instruction integrity

Addresses questions about payee details, payment instruction handling, and where verification or other safeguards may still be needed.

Fraud controls in payment initiation

Explains how participants should think about fraud controls in a CDR context, including where controls are necessary and how they should be applied in a way that remains consistent with the regulated access framework.

Status: In progress

Prioritisation rationale: Payments are prioritised early because they involve direct operational and consumer risk. Participants are likely to need prompt clarity on the scope of payment initiation, the controls needed before a payment is acted on, and how payment obligations differ from data-sharing obligations before services can be offered with confidence.

Expected payment outcomes, limits, and equivalence of service

Providing guidance on the expected outcomes of regulated payment initiation, including payment limits, operational constraints, and the principle that regulated services should work in a way that supports meaningful consumer use.

Allocation of responsibility and liability when something goes wrong

Explaining how existing legal and contractual frameworks may apply when a payment fails, is delayed, is unauthorised, or is processed incorrectly, and making clear that the CDR does not create a standalone liability CDR.

Reliance on accreditation in payment contexts

Clarifying what assurance accreditation is intended to provide, and where participants may still need to maintain additional controls because of the nature of the payment activity involved.

Consumer protection, remediation, and dispute pathways for payment issues

Providing guidance on how participants should think about remediation where payment-related harm occurs, including how participant handling should interact with existing complaint and dispute arrangements.

Status: In progress

Prioritisation rationale: This follows core payments scope because participants are likely to want early clarity on practical outcomes, responsibility, liability, remediation, and fraud controls if something goes wrong. These issues affect risk allocation, consumer protection, and participant willingness to proceed with payment-related services.

CDR Standards principles

The high-level principles that guide how MBIE develops, manages, and updates CDR standards over time.

Managing standards version divergence and migration

Provides guidance on version alignment, compatibility, minimum baselines, and how participants should approach transition periods.

Change management and future standards evolution

Clarifies how MBIE expects participants to prepare for standards changes and manage impacts on interoperability and consumer outcomes.

Standards roadmap visibility and release cadence

Explains how MBIE expects to provide forward visibility of standards change, likely sequencing, and indicative release planning to support participant resourcing and delivery alignment.

How standards issues, guidance needs, and compliance concerns interact

Explains how participants should raise issues that may require standards change, guidance, or compliance follow-up, including where a matter may involve more than one of these.

Status: In progress

Will be done as part of the CDR operations guidance, but added for visibility to banking participants.

Prioritisation rationale: Standards and technical implementation remain important throughout early regulated open banking, but the need for guidance here often becomes more specific once implementation is underway. This priority recognises that some technical matters may be addressed through standards processes, while MBIE guidance is most useful where regulatory interpretation or implementation expectations need to be made clearer.

Standards implementation expectations for early regulated open banking

Explains the relationship between legal obligations, standards requirements, and practical implementation choices.

Testing, assurance, and readiness for go-live and change

Addresses expectations about testing, defect management, communication, and readiness where technical change could affect regulated services.

Outages, API reliability, and operational performance

Provides guidance on participant expectations where regulated services are unavailable, degraded, or materially less reliable than other banking channels.

Operational reporting and issue escalation

Explains how participants should raise recurring technical issues and how MBIE may distinguish between a standards matter, a guidance issue, and a potential compliance concern.

Status: Pending

Prioritisation rationale: This is prioritised in the middle of the roadmap because standards settings are important to all participants, but many questions are about how standards are managed and changed over time, rather than about immediate entry into the CDR. Guidance is likely to be most useful where participants need clarity on version alignment, migration, and how standards issues are raised and addressed.

Use of smartphone, app-based, and alternative authentication methods

Clarifying how participants should think about customer authentication approaches, including whether smartphone-only or app-only methods create access, usability, or compliance issues for some customer groups.

Authentication flow design and completion outcomes

Providing guidance on acceptable approaches to customer authentication, including redirect models, decoupled flows, hybrid flows, and the extent to which implementation choices support or undermine usable access.

When poor completion rates or design defects may become a compliance issue

Explaining how MBIE may distinguish between a standards-permitted authentication approach and a defective implementation that materially prevents customers from using regulated open banking.

Customer access and inclusion in practice

Addressing participant questions about whether authentication and authorisation approaches are delivering fair and workable access across different channels and customer circumstances.

Status: Pending

Prioritisation rationale: This is prioritised here because implementation choices that are technically permitted can still undermine usable access in practice. Guidance is likely to be needed once participants begin to encounter completion issues, smartphone dependency questions, or design choices that materially affect consumer use of regulated services.

Who can authorise in regulated open banking, including business and organisational accounts

Clarifying how authorisation should work across personal, business, and other non-individual accounts, including where more than one person may have account-related authority.

Delegated authority, nominated persons, and staff with view-only or limited access

Providing guidance on how participants should approach situations where individuals can access information through an existing banking channel, but their authority to authorise CDR data sharing or payments is unclear or limited.

What an authorisation allows a person to do

Explaining that authorisation is not only about who may act, but also what that authority permits, including any limits, restrictions, conditions, or duration.

Treatment of professional trust accounts and other complex account arrangements

Clarifying where additional care may be needed because the account structure, underlying authority, or customer relationship is more complex than standard retail banking.

Status: On hold – pending outcome of current regulations consultation

Prioritisation rationale: This is included because uncertainty about who can authorise, and what they can authorise, can prevent regulated services from working in practice. These issues are especially important for business and organisational accounts, delegated authority arrangements, nominated persons, and other account settings that are more complex than simple personal banking. This topic is currently on hold while related regulatory settings are being considered.

What good participant readiness looks like

Explains the practical controls, governance, and implementation capability MBIE expects participants to have in place as regulated services go live and mature.

Minimum compliance and self-assurance expectations

Provides guidance on the kinds of internal checks, assurance activities, and evidence participants should maintain to support ongoing compliance.

How participants can identify and manage readiness gaps

Clarifies how MBIE expects participants to approach known gaps, remediation planning, and transparent engagement where issues may affect delivery or compliance.

How readiness expectations interact with guidance and supervision

Explains how readiness material complements formal legal obligations, standards, and MBIE’s supervisory approach.

Status: Pending

Longer-term direction for regulated open banking guidance

Explains how MBIE expects guidance, standards, and regulatory settings to continue developing as the sector matures.

High-level roadmap for sector uplift and maturity

Sets out the major capability uplifts and maturity steps MBIE expects to emerge across regulated open banking over time, so participants have earlier visibility of the likely direction of travel.

How future priorities will be identified

Outlines the role of participant feedback, operational experience, and emerging issues in shaping future guidance development.

How roadmap visibility will support engagement and readiness

Clarifies that this guidance is intended to support earlier planning, more informed engagement on sector development, and better preparation for future standards and operational change.

Status: Pending

Prioritisation rationale: This is later in the roadmap because the immediate priority is to support implementation of the CDR as it operates now. Longer-term maturity guidance will become more useful once there is more operational experience, clearer usage patterns, and a more established base of participants and services.

What the banking regulations and standards do

Explains the purpose of the banking-specific regulations and standards, how they fit within the wider CDR framework, and the role they play in enabling regulated open banking.

What consumers can expect from regulated open banking

Provides clear, consumer-focused information about what regulated open banking allows, the safeguards that apply, and the types of services consumers may see in practice.

How the regulations, standards, and guidance work together

Explains the difference between legal requirements, standards requirements, and guidance, so readers can understand what is mandatory and what support material is available.

Where participants and consumers can find the source documents

Points readers to the regulations, standards, and related guidance materials, while helping non-specialist readers understand which documents are most relevant to them.

How MBIE will explain updates and changes

Explains how MBIE will communicate changes to the banking regulations, standards, or supporting guidance, particularly where this may affect consumers or the way regulated services operate in practice.

Status: Pending

Prioritisation rationale: This topic is lower in the roadmap because banking participants are generally expected to already understand the regulations and standards that apply to them. Guidance in this area is more likely to be useful for consumers and other non-specialist readers who want a clearer explanation of how the regulated open banking framework works and how the key documents fit together.