Accredited requestors
Learn what accredited requestors are, their duties, types, and how to apply under the Consumer Data Right framework.
On this page
What an accredited requestor is
An accredited requestor is an organisation approved to access customer data and perform specific actions under the Consumer Data Right (CDR) framework.
There are 2 types:
- Non-intermediary: interacts directly with customers and requests data for its own services
- Intermediary: acts on behalf of other organisation (called “fourth parties”) to request and share data securely
What an accredited requestor does
For the first sector banking, with customer authorisation, accredited requestors may:
- Request data: customer account and transaction information
- Instruct payment: initiate payments under a customer’s directive
- Provide services: use data to help customers, compare products or access new tools
In the future when other sectors are added to the CDR, accredited requestors for those sectors may also be able to request product information from other companies – depending on what the regulations say.
Duties for accredited requestors
Accredited requestors must:
- become accredited by MBIE
- use data only for the agreed purpose
- keep customer data safe and secure
- follow all rules under the Customer and Product Data Act 2025
- have clear complaints processes
- act inline with the purpose and intended outcomes of the CDR regime
MBIE and the Office of the Privacy Commissioner – working together
Whilst the CDR is enabled by the Customer and Product Data Act 2025, as with all activity, organisations must also fulfil their obligations under the Privacy Act 2020. The CDR specifies how organisations must meet their storage and security obligations under the Privacy Act, and how organisations should treat requests for customer data, which can include personal information.
The Ministry of Business, Innovation and Employment (MBIE) is responsible for sector designation, accreditation of data recipients and oversight of regulated data services. The Office of the Privacy Commissioner (OPC) regulates breaches of the CDR regime that involve personal information.
We work closely together to monitor compliance, support participants, and take action if any rules are broken.
Who can be accredited
Currently, only participants in the banking sector can be accredited. Service providers that want to access banking customer data or enable payment actions can apply.
In the future when other sectors are added, companies from those sectors can then apply.
How to recognise an accredited requestor
To make sure you’re dealing with a trusted participant, there are 2 things to do:
- Look for the official Consumer Data Right Accredited Requestor logo: it should be visible on their website, communications, and application
- Check the Register of Participants: this is the official list of all data holders and accredited requestors
If you can’t find the logo or the organisation isn’t listed in the register, don’t share your data and contact MBIE for guidance via the Contact us about CDR page.
Check the register
View the Register of Participants to see current accredited requestors and data holders, their contact details and complaints processes.
Classifications of accredited requestors
Organisations can apply for one or more classifications of accreditation:
- Non-intermediary – Data: request CDR data for their own customers
- Intermediary – Data: request CDR data for someone else’s customers
- Non-intermediary – Payments: instruct payments for their own customers
- Intermediary – Payments: instruct payments for someone else’s customers
How to become accredited
To become accredited an application must be submitted along with required evidence for assessment by MBIE, and the relevant processing fee paid.
Assessment includes:
- Organisation and product details, including authorisation processes
- Fit and proper person checks for the applicant including senior managers and directors
- Product and data security evidence
- Liability cover (insurance, guarantee, or financial resource arrangement)
- Dispute resolution and clear complaints processes.
Additional requirements for intermediaries:
- Due diligence and monitoring of fourth parties
- Security and privacy provisions in contracts
- Anti-Money Laundering (AML)/Know Your Customer (KYC) checks (either by requiring fourth parties to have a New Zealand bank account or by undertaking further checks)
- Data handling practices.
MBIE may request more details or consult other authorities.
If approved, you will be added to the Register of Participants and will be directed to complete onboarding with data holders before active participation.
Before you apply
If you’re considering becoming an accredited requestor, make sure you understand the requirements and obligations under the Consumer Data Right (CDR). Before starting your application, read:
- Accreditation Guidelines – explains the application process, criteria, and what evidence you’ll need to provide
Download CDR Accreditation Guidelines:
Consumer Data Right Accreditation Guidelines [PDF 207KB]
As the CDR grows, additional documents to support participants will produced and added to the list above. These documents will help you prepare a complete application and understand your ongoing responsibilities under the Customer and Product Data Act 2025.
Ready to apply?
Access the online Accredited Requestor Application Form to start the process:
Need help? We’re here to support you
The CDR team is available to support & guide organisations through the accreditation process. We will work with you to answer questions about obligations and help you navigate the accreditation process.
Join our mailing list
If you want to get updates about regulations and standards related to the CDR, email us to join our mailing list.