Education | 14 April 2026 | 6 min read

Is Open Banking Safe in New Zealand? What You Need to Know

How open banking security works in NZ, what Akahu does to protect your data, and why it's safer than the alternatives.


The idea of connecting your bank account to a third-party app makes a lot of people nervous. It should — your financial data is sensitive. But [open banking](/blog/what-is-open-banking-nz) in New Zealand is actually designed to be safer than the alternatives.

Here's how it works, what the risks really are, and why it's likely more secure than what you're doing right now.

What open banking actually is

Open banking lets you give an app read-only access to your bank data — transactions, balances, and account information — through a secure API (Application Programming Interface). In New Zealand, this is facilitated by [Akahu](/blog/akahu-open-banking-nz-explained).

The critical word is read-only. No open banking connection can move your money, make payments, or change anything in your account. It can only look.

How Akahu keeps it secure

Akahu is New Zealand's primary open banking provider. Here's what they do to protect your data:

FMA regulation

Akahu is registered as a Financial Service Provider (FSP) and regulated by the Financial Markets Authority. This means they're subject to ongoing compliance requirements, regular audits, and legal accountability for how they handle your data.

You never share your password with apps

When you connect through Akahu, you log in directly on your bank's website or Akahu's secure page. The app you're connecting to (like Steady) never sees your bank password. This is fundamentally different from — and much safer than — apps that ask you to type your bank login into their own form.

Encrypted connections

All data transmitted between your bank, Akahu, and the connected app uses bank-grade encryption (TLS 1.2+). Anyone who intercepts the traffic in transit can't read your data.

Token-based access

Instead of storing your password, Akahu uses secure tokens. If you revoke access, the token is invalidated immediately. The app can no longer see your data. You can do this at any time from the Akahu dashboard.

Read-only by default

Akahu connections are read-only. No connected app can initiate payments, transfers, or any changes to your accounts. This is the single biggest safety feature.

What's safer: open banking or the alternatives?

Before open banking, people used three main methods to track their finances:

Screen scraping — Apps logged in as you and scraped the HTML of your bank's website. This required giving the app your actual bank login credentials. If the app was compromised, attackers had your full bank access. Open banking completely eliminates this risk.

Manual CSV imports — Download a CSV from your bank, upload it to the app. Secure (no live connection), but inconvenient and rarely done consistently. Your budgeting data is always out of date.

Manual entry — Type every transaction by hand. Maximally secure, but nobody actually keeps this up. The [50/30/20 rule](/blog/how-to-budget-nz-beginners) is useless if you're not tracking consistently.

Open banking is safer than screen scraping (the main alternative for automatic tracking) and more practical than manual methods.

What are the actual risks?

Data breach at the app or Akahu

Like any system that stores data, there's a theoretical risk of a breach. However, reputable apps encrypt data at rest (not just in transit) and follow security best practices. Akahu's FMA oversight adds an additional layer of accountability.

Even in a worst-case breach scenario, attackers would see your transaction history — not your bank login credentials. They couldn't access your actual bank account or move money.

Misuse of data by the app

The NZ Privacy Act 2020 restricts how apps can use your personal information. Apps must tell you what data they collect, why they collect it, and who they share it with. You have the right to request deletion at any time.

Before connecting, check the app's privacy policy. Look for clear language about data handling — not vague corporate speak. Steady's approach is detailed on our [security page](/security).

Over-sharing

Some people worry about sharing "too much" financial data. It's worth remembering: your bank already has all this data. Open banking just lets you share a copy with an app you choose, for a purpose you control, with revocable access.

How to stay safe with open banking

1. Only connect to established apps — Check if the app has a clear privacy policy, NZ-based support, and a track record. Avoid connecting to apps you've never heard of.

2. Use the minimum necessary connections — If you only need to track one account, only connect one account. You can always add more later.

3. Review your connected apps regularly — Log into the Akahu dashboard periodically and revoke access for any apps you no longer use.

4. Check what data the app accesses — Legitimate apps will tell you exactly what data they access. If an app is vague about this, that's a red flag.

5. Keep your bank login details secure — Open banking doesn't change this fundamental rule. Use strong, unique passwords for your bank accounts and enable two-factor authentication where available.

The NZ regulatory landscape

New Zealand's open banking framework is still evolving. The government has signalled support for a formal Consumer Data Right (CDR) similar to Australia's, which would create even stronger protections for consumers.

In the meantime, Akahu operates under the existing FSP framework and FMA oversight. This isn't as comprehensive as Australia's CDR or the UK's Open Banking Standard, but it provides meaningful consumer protection.

The bottom line

Open banking in New Zealand is safe — significantly safer than the screen-scraping methods it replaced. Read-only access, FMA regulation, encrypted connections, and revocable tokens mean your money and your login credentials are protected.

The bigger risk isn't connecting to an app via open banking — it's not tracking your finances at all. The financial cost of not knowing where your money goes typically far exceeds any theoretical data risk.

Learn more about [how Akahu works](/blog/akahu-open-banking-nz-explained), check [Steady's security practices](/security), or [see how Steady uses open banking](/how-it-works).


Written by the Steady Team

Steady is a personal finance app built in New Zealand. We help Kiwis track spending, set savings goals, and understand their money — without spreadsheets or manual budgeting.
