Imagine checking your business account on a Monday morning and finding $7,650 missing. Not because you spent it, but because Z Energy debited the wrong account. That is what happened to at least one commercial customer, according to NZ Herald reporting on the fuel retailer’s billing errors. In a separate incident, 16 commercial Z Card holders were overcharged after being billed at the previous week’s higher pricing.
For a small business running tight on cashflow, $7,650 vanishing overnight is not an inconvenience. It is a missed payroll, a bounced supplier payment, or a broken trust relationship with your bank. And the uncomfortable truth is that the system is designed to let it happen.
Z Energy has form on this
The $7,650 debit sits within a pattern. In 2018, Z’s Z Card Online portal was taken offline after a security vulnerability allowed anyone to view another account holder’s private details simply by changing the account number in the URL. The site’s source code showed it was built in 1999, meaning the flaw had potentially existed for nearly two decades. Then-CEO Mike Bennetts acknowledged it was “certainly a security breach.” The system stayed offline for roughly four months.
In a separate incident, Z reversed inflated Airpoints bonuses after a backend error credited customers with far more than intended. One customer had a $64 bonus reversed and replaced with 64 cents. In May 2023, Fair Go reported that Z’s Sharetank app defaulted to premium 95 fuel, causing customers to unknowingly purchase the wrong grade, with Z’s own terms blocking refunds.
This is a company that posted a half-year net profit of $70 million for the six months to 30 June 2024, with tens of thousands of commercial customers. These are not startup growing pains. They are systemic failures in a mature, profitable business.
The real problem is who your bank trusts more
The Z Energy incidents are symptoms of a deeper structural flaw. Under New Zealand’s Preferred Initiator Direct Debit model, banks delegate responsibility for verifying account authority to third-party organisations. A company like Z Energy initiates a debit, and your bank processes it without independently checking whether the amount or account is correct. You find out when you check your balance.
In May 2026, CAFCA published an investigation into systemic direct debit failures. CAFCA spokesperson James Ayers called it “a clear abdication of banks’ fiduciary duty to their customers,” noting that the direct debit framework is overseen by Payments NZ, a company owned by the banks themselves. “That is an unacceptable conflict of interest,” Ayers said, “akin to a skulk of foxes guarding the hen house.”
Ayers identified the core vulnerability: the current framework has created “a third-party transaction loophole with multiple points of failure that can be readily exploited by fraudsters.” CAFCA is calling for mandatory bank-level verification of all direct debit transactions and independent oversight of Payments NZ. Given the banking industry earns approximately $10 billion in pre-tax profits each year from a population of five million, the resources exist.
Getting your money back is your problem
If a wrongful debit hits your account, the recovery process is slow and weighted against you. In 2013, the Banking Ombudsman published a case note on direct debit errors confirming that while banks have processes for unauthorised transactions, the burden of detection falls on customers after funds have already left their account.
The worst-case scenario played out publicly. In July 2025, NZ Herald reported that Auckland businessman Mark Graham accidentally sent $11,500 to the wrong ASB account after transposing digits. ASB refused to confirm the recipient’s identity for two years, citing privacy. After five years of Disputes Tribunal proceedings and private investigators, the tribunal ruled the recipient had been “unjustly enriched” and ordered restitution of $13,139.46. As of July 2025, Graham had still not received the money. Police declined to investigate, calling it a civil matter.
Payments infrastructure built for 1960
In May 2025, RNZ reported that New Zealand bank account numbers date back to the 1960s computerisation era. Financial columnist Janine Starks put it bluntly: “In Asia Pacific, there’s only New Zealand, Papua New Guinea, North Korea and Laos which have failed to invest and make the switch to instant payments. We now lag the UK by 15 years and Australia by five to six.”
New Zealanders made 166 million electronic card transactions in January 2025 alone, totalling $9.3 billion. Direct debits add a further layer of automated transactions that occur without any cardholder action and without the same real-time visibility. The volume is enormous. The safeguards are not.
What every business owner should do this week
Review every active direct debit authority on your business accounts. Most firms have more than they realise. Set up real-time transaction alerts. Understand your bank’s dispute window, because most require notification within a defined period. Know that the Banking Ombudsman exists and is free to use. And ask yourself whether large recurring payments to fuel cards, utilities, and suppliers should be on direct debit at all, or whether invoice-triggered payments with an approval step are worth the minor friction.
Z Energy’s $7,650 error will eventually get resolved. The question for every SME owner is whether you will know about the next one before your payroll bounces.
Sources
- NZ Herald: Z Energy apologises for accidentally overcharging
- Stuff: Offline – Z Energy Z Card Online security vulnerability (2018-06)
- NZ Herald: Z Energy reverses Airpoints bonuses after massive error
- 1News: Calls for more help for app users who buy wrong petrol (2023-05-09)
- NZX: Z Energy Half Year Report 30 June 2024 (2024-08-26)
- NZ Herald: Auckland man loses $11.5k in account transfer error (2025-07-05)
- RNZ: New Zealand banks unable to catch all mistaken transfers through human error (2025-05-15)
- Stats NZ: Electronic card transactions January 2025 (2025-02-12)