Data holders
Learn about data holders and where the data comes from in the Consumer Data Right - what they do, how sectors are designated, and their obligations under the Customer and Product Data Act.
What is a data holder?
A data holder is an organisation in a designated sector that holds customer or product data covered by the Customer and Product Data Act 2025. For example, specific banks in the banking sector are data holders.
Data holders play a key role in the Consumer Data Right by:
- giving customers access to their own data
- sharing that data securely with accredited requestors when the customer authorises it
- undertaking specific actions if the regulations allow it and a customer has authorised it.
How an organisation becomes a data holder
Designation applies only to sectors formally brought under the CDR framework.
When a sector is first designated, organisations may be directly nominated in regulations to become data holders, or may be data holders because they meet the criteria designated in the regulations. This means they must be a data holder by law. Other organisations that meet the criteria of the sector regulations may choose to become data holders – this is called ‘opting in’.
- Banking is the first designated sector, enabling regulated open banking, with five banks nominated to become data holders – these banks are called designated data holders.
- Under the bank sector regulations, other deposit takers volunteer to be data holders by notifying MBIE – this is called opting in.
- Retail electricity is the next sector designated, enabling regulated open electricity as part of the CDR. The regulations for electricity may nominate organisations to be data holders – directly by naming them or because they meet specific criteria in the regulations.
- Other sectors like insurance and telecommunications may follow.
When a sector is designated, regulations specify:
- Which organisations in that sector are data holders.
- What data they must make available, for example product data, customer data or both.
- What actions they must perform when authorised by a customer. Not all sectors will have actions designated.
If your organisation operates in a designated sector and meets the criteria in the regulations, you may be a data holder and must comply with the Act, regulations, and standards.
If you are not sure whether you are or will be a data holder in a sector, email our CDR team to find out.
Responsibilities of data holders
Under the Act and supporting regulations, data holders must:
- Provide the type of data designated in the relevant sector regulations, for example product data, customer data or both.
- Provide designated customer data to an accredited requestor on a customer’s request.
- Provide designated customer data to a customer on a customer’s request.
- Perform certain designated actions (like initiating a payment) when requested and authorised by a customer.
- Operate secure electronic systems that meet technical standards.
- Comply with privacy and security requirements, and refuse requests where disclosure would create a significant risk of harm.
- Follow all rules under the Customer and Product Data Act 2025.
- Have a way for customers to contact you and a clear complaints process.
- Act in line with the purpose and intended outcomes of the CDR regime.
These obligations are set out in Part 2 of the Customer and Product Data Act 2025 and detailed in regulations and standards for each sector.
MBIE and the Office of the Privacy Commissioner – working together
Whilst the CDR is enabled by the Customer and Product Data Act 2025, organisations must, as with all their activities, also fulfil their obligations under the Privacy Act 2020. The CDR specifies how organisations must meet their storage and security obligations under the Privacy Act, and how organisations should treat requests for customer data, which can include personal information.
The Ministry of Business, Innovation and Employment (MBIE) is responsible for sector designation, accreditation of data recipients and oversight of regulated data services. The Office of the Privacy Commissioner (OPC) regulates breaches of the CDR regime that involve personal information.
We work closely together to monitor compliance, support participants, and take action if any rules are broken.
What it means to opt in as a data holder
If your organisation operates in a designated sector and meets the criteria set out in the regulations, you can choose to become a data holder even if you are not nominated by law. This is called opting in. Opting in means your organisation will take on the same responsibilities as other data holders under the Customer and Product Data Act 2025, including:
- providing customer and product data in line with the regulations
- undertaking actions in line with the regulations
- meeting security and privacy requirements
- complying with technical standards.
What to do if you want to opt in
If you are considering opting in, contact the Consumer Data Right (CDR) team at MBIE to discuss what this involves and the steps you need to take. We will:
- work with you to understand the obligations and technical requirements
- confirm whether your organisation meets the criteria
- guide you through the notification process.
Email our CDR team with your organisation’s details and a brief description of your interest in opting in.
Where to find the current list of data holders
MBIE maintains a Register of Participants, which includes:
- All data holders.
- All accredited requestors.
You can view the Register of Participants. It will be updated as new sectors are designated and participants join the regime.