Pānui
4notify Aotearoa New Zealand · New Zealand Gazette
OFFICIAL · Reserve Bank of New Zealand · Payments NZ
Pānui No
PAN-NZ-001
Date
2026-05-27
Status
In force
Category
Banking & Payments

Strong customer authentication and PayTo: one-time-code delivery to New Zealand banks across Spark, One NZ and 2degrees

The Reserve Bank of New Zealand (Te Pūtea Matua) and Payments NZ govern the integrity of bank authentication and the rollout of PayTo-style account-to-account payments. Every high-value electronic payment relies on a second factor, and the new payment-mandate flows demand reliable confirmation delivery. 4notify routes one-time codes and PayTo confirmations over tier-1 direct connections to Spark, One NZ and 2degrees with a P50 under four seconds.

SMSPushEmail
Preamble

Section 1 — Pursuant to the Reserve Bank of New Zealand Act 2021 and the Payments NZ scheme rules, this Pānui is issued concerning the delivery of strong customer authentication one-time codes and PayTo payment-mandate confirmations across New Zealand mobile networks.

Legislative basis
Reserve Bank of New Zealand Act 2021

Establishes Te Pūtea Matua and its prudential oversight of registered banks and payment-system stability.

Payments NZ scheme rules (PayTo / Account-to-Account)

Governs payment-mandate authorisation, confirmation messaging and participant obligations for real-time account-to-account flows.

Financial Markets Conduct Act 2013

Requires fair-dealing and clear customer disclosure for payment and authentication communications.

Implementation
01

RBNZ-aware onboarding + tier-1 routing

4notify holds tier-1 direct connections with Spark, One NZ and 2degrees and is recognised by participating banks as a delivery service provider for authentication traffic.

02

Code generated in the bank's HSM

The one-time code is generated inside the bank's hardware security module; 4notify receives only the hash and the destination number — never the cleartext code.

03

60-second window + fallback chain

SMS is delivered inside a 60-second window; on a DLR failure the message escalates to push, then email. Grey-route delays are avoided entirely.

04

Seven-year audit retention

Every delivery is signed and retained for seven years, aligning with RBNZ record-keeping expectations and AML/CFT audit requirements.

Delivery envelope
json
{
  "event": "bank.sca_otp",
  "bank_id": "NZ-XXXX",
  "txn_id": "TX-2026-05-27-948210",
  "amount": 240.00,
  "currency": "NZD",
  "delivery": {
    "channel": "sms",
    "fallback": ["push", "email"],
    "window_seconds": 60,
    "template": "sca_otp_nz_v3"
  },
  "audit_signature": "https://4notify.net/sig/bank/948210"
}
Sample message
SMS

ANZ: your code to authorise a $240.00 payment to M. Ngata is 482193. Valid 5 min. We will never ask you to share it.

Compliance checklist
  • Recognised delivery service provider arrangement in place with participating banks
  • Tier-1 direct connections active with Spark, One NZ and 2degrees
  • OTP P50 ≤ 4 seconds measured each quarter
  • Seven-year signed audit retention documented
The 4notify difference

4notify is the only A2P provider with simultaneous tier-1 direct connections to Spark, One NZ and 2degrees and a seven-year signed audit envelope recognised by participating banks for authentication and PayTo delivery.

Frequently asked questions
Does 4notify deliver to New Zealand banks directly or via an aggregator?

Tier-1 direct connections with Spark, One NZ and 2degrees. There is no grey-route aggregation for authentication traffic.

Are push notifications accepted as a second factor?

Yes — app-bound push is a recognised possession factor. Because it does not always meet durable-record expectations, we pair push with SMS or email for high-value PayTo mandates.

Notified by
4notify Operations Office
2026-05-27 · PAN-NZ-001

Start for free

14 days, no card required. New Zealand-hours support.

Other pānui in this edition