New AML/CFT programme guidelines: What New Zealand compliance professionals need to know

In October 2024, the Department of Internal Affairs (DIA), Financial Markets Authority (FMA), and Reserve Bank of New Zealand (RBNZ) issued updated guidance on Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) programmes.

This update incorporates regulatory changes introduced in mid-2023 and 2024, giving reporting entities in New Zealand a clear direction for robust AML/CFT compliance.

Here’s an overview to help your team align with the latest requirements and industry best practices.

A Risk-Based Approach is Front and Centre

The updated guidelines emphasise the importance of a risk-based approach, prompting reporting entities to tailor AML/CFT programmes to their specific risk profiles.

Supervisors have stressed that businesses must assess and adapt programmes in line with the distinct money laundering (ML) and terrorism financing (TF) risks they face. This may mean directing more resources to high-risk clients or transactions, while maintaining a lighter oversight on low-risk scenarios.

The focus remains on identifying, assessing, and managing risks unique to each business. This approach not only supports regulatory compliance but also ensures that AML/CFT resources are used effectively.

Updated Customer Due Diligence (CDD) Standards

Customer due diligence (CDD) continues to be fundamental to AML/CFT programmes, and the updated guidelines introduce refined standards across three levels of CDD—standard, simplified, and enhanced.

Standard CDD
Applied to most customers, this level requires verification of essential details like name, date of birth, and address, covering beneficial owners and anyone acting on the customer’s behalf. For more on beneficial ownership and standard CDD requirements, see Phase 2 NZ AML Customer Due Diligence changes.

Simplified CDD
Reserved for low-risk clients, such as government bodies, simplified CDD reduces verification requirements, focusing on representatives and authorised signatories.

Enhanced CDD
Required in higher-risk situations, enhanced CDD involves more detailed checks, including verifying the source of a customer’s funds or wealth, particularly for complex clients, high-value transactions, or customers from high-risk jurisdictions.

The guidelines recommend regular review and updates to CDD, especially for higher-risk clients. This approach ensures CDD remains responsive to changes in a client’s risk profile or transaction behaviour.

Account Monitoring and Ongoing CDD Requirements

The updated guidelines place renewed emphasis on account monitoring and ongoing CDD. All reporting entities need systems to detect unusual or suspicious activity, with all flagged transactions reviewed promptly to determine if reporting is required.

Ongoing CDD involves regular reviews of customer information, ensuring that any changes in a customer or business relationship that may necessitate additional due diligence measures are addressed. Account monitoring operates alongside CDD, focusing on tracking customer account activity and transaction patterns to spot unusual or suspicious behaviour.

Supervisors recommend that CDD and account monitoring procedures leverage one another; for instance, a CDD review may trigger further transaction monitoring if a significant change in the customer’s status or risk profile is detected. Reviews should be scheduled according to a customer’s risk level, with higher-risk clients reviewed more frequently.

Account monitoring systems, whether manual, electronic, or a combination, must detect complex or unusually large transactions as well as unusual patterns. Supervisors recommend setting monitoring rules that:

• Address specific risks identified in your risk assessment.
• Establish risk-based thresholds reflecting the activities, products, and countries involved.
• Prioritise high-risk alerts and manage repeated flags.
• Define response times for alert review, actions, and reporting.

Whatever system you select, its effectiveness should be regularly evaluated to minimise false positives and ensure compliance, with ongoing updates to address emerging risks and new transaction types.

Enhanced Record-Keeping Standards

To support audit readiness and regulatory checks, the updated guidelines emphasise thorough record-keeping. Reporting entities must retain complete records of customer information, transaction histories, and any completed CDD. These records, required for a minimum of five years, should be easily accessible and organised, making it straightforward to respond to any audit or investigation request.

This update also requires detailed logs of account monitoring activities, escalations, and actions taken in response to flagged transactions. The guidelines suggest that the implementation of digital documentation solutions can streamline this process, ensuring records remain secure and accessible.

Guidance on Third-Party Reliance and Outsourcing

Many businesses use third-party providers to support elements of their AML/CFT processes, but the updated guidelines clarify that ultimate responsibility remains with the reporting entity. Compliance teams should actively oversee third-party providers by conducting regular reviews or audits and ensuring adherence to required AML/CFT standards.

The guidelines also recommend frequent testing and updates for AML software or third-party solutions. This includes tools for transaction monitoring or identity verification, which must be vetted for accuracy and reliability in detecting and managing ML and TF risks.

Ongoing Reviews and Independent Audits

Compliance programmes require ongoing assessment. According to the updated guidelines, AML/CFT programmes should undergo regular internal reviews and independent audits every three years (or more frequently if risk levels change). This process helps identify any gaps or areas for improvement, ensuring programmes stay responsive to changes in the business and regulatory landscape.

Audits should be conducted by qualified professionals who understand AML/CFT compliance and the business’s specific complexities.

For further details, the full 52-page guideline is available on the DIA, FMA, and RBNZ websites. We encourage all reporting entities to review their compliance programmes and processes based on this updated guidance.