New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) regulations have undergone significant changes in recent years. These updates are being rolled out in three phases, with the final phase taking effect on 1 June 2025. This overview will cover the key changes, who will be affected, and most importantly, what the reporting entities need to do to stay compliant.
Three Phases of Change: What’s Coming?
Phase One – Clarifications and Exemption
(Effective on 31 July 2023)
Key changes:
- Revised ‘Beneficial Owner’ Definition: The definition now clarifies that a beneficial owner is someone with ‘ultimate ownership or control’ over a customer or transaction. This change will reduce the need for reporting entities to conduct due diligence on those with no direct involvement.
- Revocation of Exemptions: Exemptions related to trust accounts, client fund accounts and managing intermediaries will be revoked. Reporting entities must update their Compliance Programme to reflect these changes.
- New Regulation for Stored Value Instruments: The definition of stored value instruments now covers electronic and digital forms, ensuring that regulations are in line with current payment methods.
- Updated Transaction Reporting for DNFBPs: Designated Non-Financial Businesses and Professions (DNFBPs), such as law firms, will now be required to submit Prescribed Transaction Reports (PTRs) for certain wire transfers, even if they are not ordering, beneficiary or intermediary institutions under the AML/CFT Act.
Phase Two – Obligations on Virtual Assets and Enhanced Customer Due Diligence
(Effective on 1 June 2024)
Key changes:
- Virtual Asset Regulations: Service providers dealing with virtual assets will be subject to AML/CFT regulations. Virtual asset transactions will be treated like wire transfers and reporting entities will be required to conduct customer due diligence on virtual asset transactions over $1,000.
- Enhanced Customer Due Diligence (ECDD): Reporting entities will need to conduct more comprehensive due diligence when there is insufficient information to assess a customer’s risk. This includes evaluating the purpose of transactions, monitoring business relationships, scrutinising source of funds and wealth and applying additional checks for complex transactions.
- Third-Party Reliance: Reporting entities can no longer rely solely on third parties for customer due diligence. Information must be verified independently.
- Ongoing Monitoring: Reporting entities must monitor customer transactions and behaviours continuously to identify potentially suspicious activity.
Phase Three – A Risk-Based Compliance Approach
(Coming into effect on 1 June 2025)
- Mandatory Customer Risk Rating: Reporting entities must assess and assign a risk rating to each customer when a business relationship is established. This rating will be based on factors such as transaction patterns, geographical location and the type of services provided.
- Ongoing Risk Management: Reporting entities must continuously monitor and reassess the risk levels of customers throughout the course of the business relationship. If customer behaviour changes or new risk factors arise, the risk rating must be updated.
- Documented Rationale: Reporting entities must record and justify each risk assessment decision, which will be available for audits or regulatory reviews.
Who Needs to Comply?
These changes apply to all reporting entities under the AML/CFT Act, including financial institutions, law and accounting firms, real estate agencies, high-value dealers and operators of betting or gaming services.
Why These Changes Matter
While many reporting entities already apply a risk-based approach in practice, this upcoming amendment will formally mandate customer risk assessment across the board. This aligns New Zealand’s AML/CFT framework with international standards set by the Financial Action Task Force (FATF).
Risk assessment is not merely a compliance requirement. It is a strategic tool that allows reporting entities to:
- Tailor customer due diligence and enhanced due diligence measures based on actual risk exposure
- Detect and respond to suspicious behaviour more proactively
- Demonstrate effective AML/CFT controls during audits or regulatory reviews.
How to Prepare for the Changes
1. Implement Risk Assessment Procedure: Establish a procedure for assessing and rating customer risk during onboarding. Ensure that the procedure can easily capture and update risk information as customers’ behaviours change.
2. Train Staff and Compliance Officer: Ensure staff are trained to understand and apply risk ratings appropriately. This may require upskilling those involved in customer engagement or compliance roles.
3. Review Compliance Programme: Conduct an internal review of the AML/CFT Compliance Programme to ensure it’s up to date and aligned with the new requirements. Include provisions for managing and adjusting customer risk ratings. This may require changes to internal procedures or record-keeping practices.
4. Enhance Monitoring: Ensure the procedures are capable of ongoing monitoring of customer risk, tracking changes in behaviour or transaction patterns throughout the business relationship.
By implementing effective risk assessment procedures, training staff and regularly reviewing the Compliance Programme, reporting entities can ensure compliance with the new requirements coming into force on 1 June 2025.
The clock is ticking—start preparing today!