CBN Customer Information and Privacy Policy
Last updated: 8 April 2026
1. Purpose
CBN NZ is committed to protecting customer information as a core part of delivering financial
advice and related services.
This policy sets out how customer information is collected, used, disclosed, stored, and
managed in accordance with:
• Privacy Act 2020, including IPP3A (effective 1 May 2026)
• Financial Markets Conduct Act 2013 (FMC Act)
• Financial Services Legislation Amendment Act 2019 (FSLAA)
• Code of Professional Conduct for Financial Advice Services (in particular Standard 5)
The purpose of this policy is to:
• ensure customer information is handled lawfully, transparently, and securely
• support consistent practices across CBN NZ and its Authorised Bodies
• embed privacy obligations into the advice and service process
• support good client outcomes through clear and informed use of information
This policy must be read alongside:
• Record-Keeping Policy
• Information Security Policy
• Data Retention Schedule
2. Scope
This policy applies to:
• all Authorised Bodies operating under the CBN NZ licence
• all financial advisers, employees, and contractors
• any person handling customer information on behalf of CBN NZ
It applies to all customer information handled in connection with:
• providing financial advice
• arranging or managing insurance products
• claims support and administration
• premium funding and related services
• compliance, regulatory reporting, and oversight
Authorised Bodies remain responsible for ensuring their own practices, systems, and staff
comply with this policy and applicable law.
3. Key Principles
CBN NZ applies the following principles when handling customer information:
• Information is collected for a clear, lawful, and defined purpose
• Customers understand how their information is obtained, used, and shared
• Only information necessary for the service being provided is collected and used
• Information is protected against loss, misuse, or unauthorised access
• Disclosure is controlled, proportionate, and transparent
• Practices support fair treatment of clients and informed decision-making
Privacy is not a standalone obligation. It is part of delivering competent advice, maintaining
trust, and meeting conduct obligations.
4. What Is Customer Information
Customer information includes any information about an identifiable individual or entity that is
collected, created, or held in connection with services provided by CBN NZ or its Authorised
Bodies.
This includes, but is not limited to:
Personal information
• name, contact details, date of birth
• identification documents
• financial position including income, assets, liabilities, and expenses
Business or entity information
• company, trust, or partnership details
• directors, shareholders, trustees, and beneficial owners
• financial and operational information
Advice and service records
• fact finds, needs analysis, and risk assessments
• advice documents and recommendations
• meeting notes, file notes, and correspondence
Insurance-related information
• policy details, endorsements, and exclusions
• claims history and supporting documentation
• premium and payment arrangements
Sensitive information
• medical or health information
• claims evidence such as police or loss reports
Compliance information
• identity and address verification
• authority verification and control structures
• due diligence and risk assessment information
Derived or analytical information
• risk profiles
• suitability assessments
• internal summaries and analysis
Customer information includes both information provided directly by the client and information
obtained from third parties.
5. Collection of Customer Information
Customer information will only be collected where necessary to:
• provide financial advice or services
• arrange or administer insurance or related products
• support claims or policy servicing
• meet legal, regulatory, or compliance obligations
At the point of collection, or as soon as reasonably practicable, customers must be informed:
• what information is being collected
• why it is required
• how it will be used
• who it may be shared with
This is typically achieved through:
• Scope of Advice communication
• Privacy Policy disclosure
• supporting client engagement communications
Information must not be collected on a speculative, excessive, or unclear basis.
6. Indirect Collection (IPP3A – effective 1 May 2026)
Where customer information is collected from a third party rather than directly from the client,
advisers must ensure the client is clearly informed:
• where the information was obtained from
• why the adviser is contacting them
• how the information will be used
This applies to common scenarios including:
• referral arrangements and introducers
• insurer or underwriting information
• claims-related third-party information
• data provided through business or distribution partners
This disclosure must occur at or before initial engagement and must be clear, accurate, and not
misleading.
Where indirect collection is a regular feature of a business model, advisers must ensure this is
consistently explained and supported through their standard client communications.
7. Use of Customer Information
Customer information will only be used for purposes that are:
• directly related to providing financial advice or services
• reasonably expected by the customer
• required or permitted by law
This includes use for:
• assessing client needs and suitability
• obtaining and comparing insurance terms
• arranging and managing policies
• supporting claims
• meeting compliance and regulatory requirements
Information must not be used for unrelated purposes unless:
• the customer has provided informed consent, or
• the use is otherwise authorised by law
Use of information must remain consistent with what the client has been told and what they
would reasonably expect.
8. Disclosure of Customer Information
CBN NZ may disclose customer information where this is necessary to provide financial advice
or related services, administer insurance arrangements, support claims, meet regulatory
obligations, or where otherwise permitted or required by law.
Disclosure must always be connected to a clear and legitimate business purpose and be
proportionate to that purpose. Only the information reasonably necessary for that purpose
should be shared.
Customer information may commonly be disclosed to:
• insurers, underwriters, and underwriting agencies for the purpose of obtaining terms,
arranging cover, underwriting risk, policy administration, renewals, endorsements, or
claims assessment
• premium funders or finance providers where a customer wishes to fund premiums by
instalment
• claims service providers, including loss adjusters, assessors, investigators, repairers,
legal advisers, or other experts involved in assessing or managing a claim
• referral partners, distribution partners, or introducers, where relevant to the customer
relationship or service pathway
• outsourced service providers who support CBN NZ or its Authorised Bodies in delivering
services, operating systems, storing data, communication, compliance oversight, or
administration
• regulatory, supervisory, dispute resolution, law enforcement, or government bodies
where required or authorised by law
• professional advisers to CBN NZ, such as legal, audit, compliance, or information
security advisers, where necessary for governance, oversight, or risk management
purposes
Before disclosing customer information, advisers and relevant staff must consider:
• whether the disclosure is necessary for the relevant purpose
• whether the customer would reasonably expect that disclosure to occur
• whether the customer has been told, through the Scope of Advice, Privacy Policy,
referral wording, or other communication, that their information will be shared in this
way
• whether the third party has direct contact with the customer, or whether additional
explanation is required so the customer is not surprised by the disclosure
• whether only the minimum necessary information is being shared
Where customer information is disclosed to a third party that does not deal directly with the
customer, reasonable steps must be taken to ensure the customer understands:
• who the information is being shared with, or the type of party involved
• why the information is being shared
• that the third party will handle the information in accordance with its own legal and
privacy obligations
• how the customer can access further information about that party’s privacy practices,
where appropriate
This is particularly important where information is shared with insurers, underwriters, premium
funders, outsourced providers, or claims-related parties who may not have direct engagement
with the customer at the point the information is first provided.
Where information has been received from a third party, and then is proposed to be disclosed
onward to another third party, advisers must ensure the customer has sufficient visibility of that
information flow. This supports compliance with the Privacy Act 2020, including IPP3A, and
broader obligations to communicate clearly and treat clients fairly.
Disclosure must not occur:
• for unrelated personal or business purposes
• out of convenience where there is no proper connection to the customer service being
provided
• in a way that is excessive, unnecessary, or inconsistent with what the customer has
been told
• outside secure and approved systems or methods
Where practicable, disclosure should occur through approved and secure channels, and a record
should be maintained on file of key disclosures relevant to the advice or service being provided,
particularly where the disclosure is material, unusual, or involves sensitive information.
Where customer information is disclosed offshore, or accessed by offshore service providers,
appropriate due diligence and safeguards must be in place to ensure the information receives
comparable protection and the disclosure complies with the Privacy Act 2020 and CBN NZ’s
Information Security requirements.
Where consent is required, or where the intended disclosure is outside usual expectations,
consent must be obtained before the information is shared.
9. Alignment with the Advice Process
Privacy obligations are embedded within the advice process and must not be treated as a
separate step.
Before advice
• Scope of Advice is provided
• Privacy Policy is disclosed
• indirect collection is explained where applicable
During advice
• only relevant and necessary information is collected
• use of information aligns with the agreed scope of service
After advice
• records are maintained in accordance with record-keeping requirements
• information is used only for ongoing service, administration, or compliance
Advisers must ensure that privacy practices are consistent with their advice process and
documented accordingly.
10. Customer Understanding and Transparency
CBN NZ must ensure that customers are not surprised by how their information is obtained,
used, or shared.
Advisers must take reasonable steps to ensure that:
• explanations are clear, timely, and understandable
• key information flows are visible to the customer
• the involvement of third parties is transparent
This supports:
• informed client decision-making
• fair treatment of clients
• compliance with conduct and disclosure obligations
Where there is complexity or multiple parties involved, additional care must be taken to ensure
the client understands the arrangement.
11. Security and Storage
CBN NZ and its Authorised Bodies must take reasonable steps to protect customer information
from loss, misuse, unauthorised access, or disclosure.
This includes:
• restricting access to authorised personnel
• using secure systems and platforms
• applying appropriate access controls and authentication measures
• securing physical records where applicable
Customer information must only be stored and accessed through approved systems and
processes.
12. Access and Correction
Customers have the right to:
• request access to their personal information
• request correction of inaccurate or incomplete information
Requests must be handled in accordance with the Privacy Act, including timeframes and
permitted exceptions.
13. Retention and Disposal
Customer information must be:
• retained only for as long as required for legal, regulatory, or business purposes
• managed in accordance with the Data Retention Schedule
• securely destroyed or deleted when no longer required
Disposal must ensure that information cannot be reconstructed or accessed.
14. Privacy Breaches
All staff must report suspected or actual privacy breaches immediately.
CBN NZ will:
• contain and assess the breach
• determine the likelihood of harm
• notify affected individuals where required
• notify the Office of the Privacy Commissioner where applicable
• notify the FMA where the breach is material
Appropriate remediation and process improvements must follow any identified breach.
15. Training and Awareness
CBN NZ will ensure that:
• privacy training is completed at onboarding and refreshed annually
• advisers understand how privacy applies in practice
• updates are provided as regulatory expectations evolve
Training will focus on practical application, including real-world scenarios relevant to the
business.
16. Compliance and Monitoring
CBN NZ will monitor compliance with this policy through:
• file reviews and audits
• system and record-keeping oversight
• periodic attestations from advisers and Authorised Bodies
Where issues are identified, corrective action, additional training, or escalation may be required.
17. Review
This policy will be reviewed:
• at least annually
• when there are changes to legislation, regulation, or business operations
Version | Reviewed By | Approver | Review Date | Key Changes
0.1 | Michelle Boyd | Michelle Boyd | 28 May 2023 | First version
2.0 | Michelle Boyd | Michelle Boyd | 18 Nov 2024 | Updated for comprehensiveness
3.0 | Michelle Boyd | Michelle Boyd | 8 Apr 2026 | Updated per IPP3A