Global Financial Regulations 2022

Financial regulations in New Zealand

Renowned for its political and social stability, rapid digitalization and deft response to the COVID-19 pandemic, New Zealand is poised to become a major regional and global fintech hub.

Country Overview

Renowned for its political and social stability, rapid digitalization and deft response to the COVID-19 pandemic, New Zealand is poised to become a major regional and global fintech hub. Its fintech sector revenue has skyrocketed by 38% since 2016,1 and the island country ranked #30 on the 2021 Global Fintech Rankings, up fifteen spots from the year before. The government eagerly supports the development and uptake of emerging technologies, and the financial sector has quickly adopted innovative banking solutions. 

Although a strict springtime lockdown in response to COVID-19 drove a 2.9% downturn in GDP in 2020,2 New Zealand’s recovery has been swift and strong. GDP in the first quarter of 2021 surged by 1.6%—three times the forecasted rate3—in part due to increased retail spending and a housing boom,4 and the International Monetary Fund (IMF) predicts that the Kiwi economy will expand by 4% in 2021.5 The health crisis has further accelerated digital transformation, and New Zealand’s relatively unscathed status has freed up government resources toward strengthening the digital economy.

New Zealand’s 2021 digital agenda focuses on a digital identity framework, cybersecurity and an investigation into a central bank digital currency (CBDC). Regulators have also been eager to boost the digitalization of government services and support small and medium-sized enterprises (SMEs) in the digitalization of business operations. The Strategy for a Digital Public Service, published in March 2020, seeks to modernize the public sector, improve customer experience and promote economic growth. In addition, the government plans to invest NZ $44 million (approximately USD $30.88 million) over the next two years toward the Digital Boost Training Programme, which will help 30,000 SMEs to bolster their digital skills and capabilities. Throughout its policies, the government emphasizes a “human-centric” approach that takes into consideration ethical implications of technology and citizen’s wellbeing and input.

Financial Regulatory Authorities

The Reserve Bank of New Zealand (RBA) is the central bank of New Zealand. The Bank’s primary functions are to maintain price stability through effective monetary policy and maintain a healthy

financial system for the country.

The Office of the Privacy Commissioner (OPC) is the primary data protection authority in New Zealand. The OPC develops and promotes personal information protection among consumers and businesses and enforces the country’s Privacy Act, last updated in 2020.

The Commission for Financial Capability (CFFC) is a British Crown agency that supports and promotes the growth of New Zealanders’ financial capability and financial health.

The Financial Markets Authority (FMA) is the financial regulatory authority in New Zealand. The government agency regulates and enforces financial regulations for all financial markets and exchanges.

The Ministry of Business, Innovation and Employment (MBIE) is a federal government agency that develops policy, advice and regulations that aim to strengthen the country’s economic growth. 

Policy, Laws and Regulations

Central Bank on Potential CBDC, 07 July 2021

The central bank issued a statement confirming that it will issue consultations from August to November 2021 seeking feedback on the future of money and payments in New Zealand, especially in response to digital innovations. Per the statement, “The first consultation will introduce and seek feedback on the broad concepts of money and cash stewardship, and outline specific topics to be covered in the rest of the series. Subsequent papers will look at the potential for a Central Bank Digital Currency (CBDC) to work alongside cash as government-backed money, issues arising from new electronic money forms including crypto assets (such as BitCoin) and stable coins (such as proposed by a Facebook-led consortium), and how the cash system might need to change to continue to meet the needs of users.” The central banks notes that a CBDC could be valuable in addressing disadvantages brought on by dwindling cash use, but it maintains that continued access to cash is critical.

Digital Identity Trust Framework, 03 May 2021

The government has approved a proposal to create a Digital Identity Trust Framework, which will establish rules for the delivery of digital identity services applicable to service, technology and information providers. In developing the framework, lawmakers will ground it on five proposed components: 

  • “Accreditation — establishing a body to accredit participants and a mechanism to demonstrate accreditation
  • Legal enforcement — establishing mechanisms to make the rules legally binding upon accredited participants
  • Governance — establishing a governing body to update and maintain the Trust Framework’s rules
  • Participants — defining the participants in a trusted digital identity system and the roles that they will play
  • Rules — the standards and legislation participants will abide by, with a focus on identification, privacy and security. These may be existing or in development”6

The rules will be composed of five areas: identification management, information and data management, security and risk management, privacy requirements and sharing tool requirements. The bill is expected to be released later in 2021.

5 Trends that Prove Digital Identity is More Relevant than Ever

5 Trends that Prove Digital Identity is More Relevant than Ever

As fraud attacks increase, the need to establish trust between a remote consumer and a financial institution becomes increasingly important. Stay up to speed as the use of digital identities grows in financial services.

Learn More

Cyber Resilience Guidance, 28 April 2021

The central bank published the Guidance on Cyber Resilience, which outlines expectations for all regulated entities regarding cyber resilience. Per the guidance, the board and senior management of regulated entities must establish a cyber resilience framework, promote a culture of cybersecurity awareness, participate in information sharing and adhere to five capability building components. The capability building components include to identify, to protect, to detect, and to respond and recover. In the case that an entity relies on a third-party service provider, the board and senior management must manage the relationship such that cybersecurity risks are mitigated. Regulated entities must inform the central bank “early in their decision-making process” if they outsource critical functions to cloud service providers. 

Privacy Act 2020 Enters into Effect, 01 December 2020

The Privacy Act 2020, which expands privacy protections for New Zealanders and imposes stricter requirements on businesses and organizations for the handling of personal information, went into effect. Should a serious data breach occur, obliged entities must notify the Office of the Privacy Commissioner and the affected individuals “as soon as possible.” The Privacy Commissioner can request an entity to confirm whether they hold an individual’s personal data, and direct the entity to provide the individual access to their data. The Privacy Commissioner may also issue notices to obliged entities requiring them to take actions toward compliance with the Privacy Act. The Act expands criminal offences, including the destruction of personal data in the knowledge that access to it has been requested, and imposes a fine of up to AUD $10,000 (approximately USD $7,400). The Act also introduced a new data localization requirement. Per principle 12, an entity may only send personal data overseas if the recipient organization or business adheres to similar protections as outlined in the Privacy Act. As with the EU’s General Data Protection Regulation (GDPR), the Privacy Act has extraterritorial effect. It applies to any business or organization “carrying on business” in New Zealand, even if it does not have a physical presence in the country.

Generali: Digital Transformation Facilitated Compliance

Generali: Digital Transformation Facilitated Compliance

See how this insurer leveraged their digital transformation and e-signature initiative to comply with a data protection law. With their e-signature tool, this carrier is able to capture consent from applicants in minutes.

Learn More


1. “Will New Zealand become a technological hub? Which are the big tech companies there?” Kalkine Media, 14 June 2021.

2. “New Zealand's economy hits record decline in 2020.” DW, 18 March 2021.

3. Withers, Tracy. “New Zealand Avoids Recession as Economic Growth Surges.” Bloomberg, 16 June 2021.

4. Menon, Praveen. “NZ economy surges as housing, retail drive post-COVID recovery.” Reuters, June 16 2021.

Raman, Nara et al. “The Land of the Long White Cloud: Turning New Zealand’s Recovery into Sustained Growth.” International Monetary Fund, 27 May 2021.

6. “Digital Identity Trust Framework.”, 12 February 2021.

*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.

Last updated: November 2021