Something I see regularly, as co-founder and the developer behind Afterburner, keeps me up at night. Across New Zealand’s financial services sector, there are AI tools being deployed that have been built quickly, released faster, and secured almost not at all. In the industry, we’ve started calling them vibe-coded apps. They work, mostly. Until they don’t.

This matters more than most people realise right now, because New Zealand is about to open the taps.

Open banking regulations are already in force for the big four banks, with Kiwibank required to have compliant systems ready from mid-2026. When that infrastructure is fully operational, accredited third-party providers – including AI-powered mortgage and advice tools – will have access to live client financial data in ways that simply weren’t possible before. That is genuinely transformative for advisers and their clients. It is also, if we’re being honest, a significant gift to anyone looking to exploit a weakly secured system.

I started building Afterburner because I saw first-hand how financial advisers were drowning in paperwork, not because of a grand thesis about the future of fintech. The compliance documents, the handover forms to banks, the credit submissions, the recommendation letters – all of it was consuming hours every day that should have been spent with clients. So we automated it. And as we did, we learnt something important: the quality and security of an AI tool built by people who actually do the work is categorically different to one built by people who’ve only read about it.

That’s not arrogance. It’s just true. When you’re sitting beside a client discussing their borrowing capacity and you know that data is passing through your own platform, your attitude to security is entirely different to a developer who’s never had that conversation.

Which brings me to ISO 27001, and why I’m writing this.

We chose to pursue ISO 27001 certification before any regulator or partner required it of us. Not as a marketing exercise. Because we already understood that we were custodians of some of the most sensitive financial information New Zealanders hold, and we wanted to be able to demonstrate that, not just assert it. What struck me going through the process was how many AI tools currently operating in financial services would struggle to pass even a basic security review. The door isn’t just unlocked in some of these applications, it’s been left off its hinges.

The impact on our business was immediate and concrete. We had an enterprise partnership in advanced negotiation that simply could not proceed without ISO 27001. No amount of reassurance or product demonstrations could substitute for that certification. The moment we had it, the conversation changed entirely. Before accreditation: no deal. After accreditation: partnership signed.

That experience is going to become the norm, not the exception. As open banking goes live across New Zealand, the banks themselves and the large licensee groups working with advisers are going to start asking hard questions of every AI tool in their ecosystem. They would be negligent not to. The weakest link in any data-sharing chain is the one that eventually breaks, and right now that weakest link is often the third-party AI layer sitting between a bank’s API and an adviser’s workflow.

There is a broader point worth making here for the wider industry. AI is not just a productivity tool anymore. In financial advice, it is increasingly a compliance tool, a documentation tool, and in some applications a risk assessment tool. The quality of the output depends entirely on the depth of domain knowledge baked into the system. Generic AI wrappers applied to financial services processes will produce generic outputs. Worse, they will produce outputs that look authoritative and can be dangerously wrong in ways that neither the adviser nor the client will easily detect.

I built the original iterations of Afterburner to free up my time as an employee at Float Financial Advisers, improving the quality of work I was doing and decreasing the admin workload. That proximity is our competitive advantage, not just commercially, but from a security and compliance standpoint. You build differently when you know the consequences first-hand.

New Zealand has a genuine opportunity to lead here. We have a tightly regulated advice market, a small enough ecosystem that good ideas travel fast, and an open banking timeline that creates real urgency. The question is whether we use that window to set a high bar, or whether we let vibe-coded tools proliferate until a breach forces the decision for us.

MBIE and ComCom should be thinking seriously about whether AI financial services tools deserve the same regulatory attention they give to licensed advisers. Both are handling the same sensitive consumer financial data. The standard applied to one should, logically, apply to the other.

Accreditation for AI in financial services is not a nice-to-have. As open banking goes live across New Zealand, it becomes the price of entry.