New AML/CFT programme guidelines: What New Zealand compliance professionals need to know
In October 2024, the Department of Internal Affairs (DIA), Financial Markets Authority (FMA), and Reserve Bank of New Zealand (RBNZ) issued updated guidance on Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) programmes.
This update incorporates regulatory changes introduced in mid-2023 and 2024, giving reporting entities in New Zealand a clear direction for robust AML/CFT compliance.
Here’s an overview to help your team align with the latest requirements and industry best practices.
A Risk-Based Approach is Front and Centre
The updated guidelines emphasise the importance of a risk-based approach, prompting reporting entities to tailor AML/CFT programmes to their specific risk profiles.
Supervisors have stressed that businesses must assess and adapt programmes in line with the distinct money laundering (ML) and terrorism financing (TF) risks they face. This may mean directing more resources to high-risk clients or transactions, while maintaining lighter oversight of low-risk scenarios.
The focus remains on identifying, assessing, and managing risks unique to each business. This approach not only supports regulatory compliance but also ensures that AML/CFT resources are used effectively.
Updated Customer Due Diligence (CDD) Standards
Customer due diligence (CDD) continues to be fundamental to AML/CFT programmes, and the updated guidelines introduce refined standards across three levels of CDD—standard, simplified, and enhanced.
Standard CDD
Applied to most customers, this level requires verification of essential details like name, date of birth, and address, covering beneficial owners and anyone acting on the customer’s behalf. For more on beneficial ownership and standard CDD requirements, see Phase 2 NZ AML Customer Due Diligence changes.
Simplified CDD
Reserved for low-risk clients, such as government bodies, simplified CDD reduces verification requirements, focusing on representatives and authorised signatories.
Enhanced CDD
Required in higher-risk situations, enhanced CDD involves more detailed checks, including verifying the source of a customer’s funds or wealth, particularly for complex clients, high-value transactions, or customers from high-risk jurisdictions.
The guidelines recommend regular review and updates to CDD, especially for higher-risk clients. This approach ensures CDD remains responsive to changes in a client’s risk profile or transaction behaviour.
Account Monitoring and Ongoing CDD Requirements
The updated guidelines place renewed emphasis on account monitoring and ongoing CDD. All reporting entities need systems to detect unusual or suspicious activity, with all flagged transactions reviewed promptly to determine if reporting is required.
Ongoing CDD involves regular reviews of customer information, ensuring that any changes in a customer or business relationship that may necessitate additional due diligence measures are addressed. Account monitoring operates alongside CDD, focusing on tracking customer account activity and transaction patterns to spot unusual or suspicious behaviour.
Supervisors recommend that CDD and account monitoring procedures leverage one another; for instance, a CDD review may trigger further transaction monitoring if a significant change in the customer’s status or risk profile is detected. Reviews should be scheduled according to a customer’s risk level, with higher-risk clients reviewed more frequently.
Account monitoring systems, whether manual, electronic, or a combination, must detect complex or unusually large transactions as well as unusual patterns. Supervisors recommend setting monitoring rules that:
- Address specific risks identified in your risk assessment.
- Establish risk-based thresholds reflecting the activities, products, and countries involved.
- Prioritise high-risk alerts and manage repeated flags.
- Define response times for alert review, actions, and reporting.
Whatever system you select, its effectiveness should be regularly evaluated to minimise false positives and ensure compliance, with ongoing updates to address emerging risks and new transaction types.
Enhanced Record-Keeping Standards
To support audit readiness and regulatory checks, the updated guidelines emphasise thorough record-keeping. Reporting entities must retain complete records of customer information, transaction histories, and any completed CDD. These records, required for a minimum of five years, should be easily accessible and organised, making it straightforward to respond to any audit or investigation request.
This update also requires detailed logs of account monitoring activities, escalations, and actions taken in response to flagged transactions. The guidelines suggest that the implementation of digital documentation solutions can streamline this process, ensuring records remain secure and accessible.
Guidance on Third-Party Reliance and Outsourcing
Many businesses use third-party providers to support elements of their AML/CFT processes, but the updated guidelines clarify that ultimate responsibility remains with the reporting entity. Compliance teams should actively oversee third-party providers by conducting regular reviews or audits and ensuring adherence to required AML/CFT standards.
The guidelines also recommend frequent testing and updates for AML software or third-party solutions. This includes tools for transaction monitoring or identity verification, which must be vetted for accuracy and reliability in detecting and managing ML and TF risks.
Ongoing Reviews and Independent Audits
Compliance programmes require ongoing assessment. According to the updated guidelines, AML/CFT programmes should undergo regular internal reviews and independent audits every three years (or more frequently if risk levels change). This process helps identify any gaps or areas for improvement, ensuring programmes stay responsive to changes in the business and regulatory landscape.
Audits should be conducted by qualified professionals who understand AML/CFT compliance and the business’s specific complexities.
For further details, the full 52-page guideline is available on the DIA, FMA, and RBNZ websites. We encourage all reporting entities to review their compliance programmes and processes based on this updated guidance.