Since 2023, New Zealand's Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) has been undergoing a major three-stage overhaul. This is reshaping the regulatory landscape for reporting entities.
This article summarises the key changes across all three stages – including those already in force, such as the Department of Internal Affairs (DIA) becoming the sole AML/CFT supervisor from today, and those expected to be implemented in the near future.
Who needs to read it? Why?
If you are a reporting entity under the AML/CFT Act, these changes affect you. The reforms touch everything from customer due diligence (CDD) to supervision and enforcement. You need to review your AML/CFT programme, risk assessment, and processes to ensure they reflect the new requirements.
What does it cover?
The AML/CFT reforms respond to the Financial Action Task Force (FATF)'s recommendations in New Zealand's Mutual Evaluation Report. The reforms aim to strengthen New Zealand's international standing by updating legislation, regulations, and supervisory practice.
The changes have been rolled out in three stages, as set out below.
Stage 1: Amendments to AML/CFT Regulations
Stage 1 came into force in tranches between 2023 and 2025, amending the AML/CFT regulations and updating guidance. It introduced a proportionate approach to customer risk ratings. Reporting entities must now risk-rate new customers to determine whether standard CDD or enhanced CDD is required. Entities have some flexibility in designing their risk-rating model, but the process must be objective.
Key regulatory amendments include:
-
a requirement to risk-rate new customers, record the rating, review it during ongoing CDD, and update it where appropriate;
-
bringing online marketplaces within the scope of the AML/CFT regime;
-
new CDD requirements for legal persons and legal arrangements; and
-
clarifying the treatment of virtual asset transfers, including circumstances in which such transfers are treated as wire transfers, and introducing specific AML/CFT compliance obligations for virtual asset service providers (VASPs).
The updated beneficial ownership and CDD guidelines formalise a risk-based approach designed to cut compliance costs. These changes indicate the broader legislative agenda for targeted, proportionate CDD rather than tick-box compliance. The regulatory amendments are discussed further here.
In response to the changes, the DIA continues to update its guidance on CDD, identity verification, KYC, compliance programme requirements, and customer risk-rating processes. An explanation of the new Identity Verification Code of Practice (IVCOP) requirements is available here. Changes to the AML/CFT programme and enhanced CDD guidance are discussed here.
Stage 2: Technical changes and DIA as single supervisor
The Statutes Amendment Act 2025 came into force on 27 November 2025, making technical changes to the AML/CFT Act. It simplifies and clarifies AML/CFT obligations, reducing compliance costs for lower-risk activities. Key changes include:
-
longer timeframes for suspicious activity and prescribed transaction reporting;
-
address verification no longer required in all cases when conducting enhanced CDD – verification of a customer's address now only required according to the level of risk involved; and
-
a clearer definition of "occasional transaction” – now specifying that cheque deposits must be “made at a registered bank or non-bank deposit taker.”
The Statutes Amendment Act is discussed further here.
The Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2026 came into force on 19 May 2026, further simplifying obligations and embedding the risk-based approach to compliance. The main changes are:
-
a new “money or value transfer” service definition;
-
a tighter definition of 'beneficial owner';
-
reduced customer verification requirements for ‘low-risk trusts’, where risks are mitigated through standard CDD and enhanced CDD;
-
a shift to risk-based politically exposed persons (PEP) identification, requiring determination "according to the level of risk involved" rather than the previous "reasonable steps" standard;
-
a prohibition on ordering institutions ordering international wire transfers that do not include required originator and beneficiary information;
-
a requirement for reporting entities' risk assessments to incorporate risk assessments produced by the DIA and the Financial Intelligence Unit (FIU);
-
new record production requirements, including specified timeframes for compliance with notices to produce records; and
-
an extended 'civil liability act' definition, now including failure to comply with suspicious activity reporting, risk assessment, AML/CFT programme and annual report requirements.
The Amendment Act is discussed in more detail here.
The Anti-Money Laundering and Countering Financing of Terrorism (Supervisor, Levy, and Other Matters) Amendment Act 2026 (Supervisory Levy and Other Matters Amendment Act) is in force from today, 1 July 2026. It consolidates the DIA as the sole AML/CFT supervisor and also:
-
grants the DIA new powers to make codes of practice, rules, notices and exemption notices (subject to consultation requirements), as well as new investigation powers and the ability to issue censures;
-
introduces an annual AML/CFT levy to be paid by reporting entities; and
-
requires the Minister to adopt an AML/CFT National Strategy and regulatory work programme, with mandatory triennial reviews of levy funding adequacy involving consultation with affected parties.
The annual levy will fund the DIA’s regulatory work programme and help the DIA investigate and enforce against higher-risk entities. Further details regarding the levies will be prescribed by the regulations. The DIA expects to start collecting levies from mid-2027, subject to Cabinet approval. We have previously discussed the levy proposals here and are awaiting the outcome of that consultation.
The Supervisor, Levy and Other Matters Amendment Act is discussed in more detail here.
Stage 3: Upcoming wider changes – Omnibus Amendment Bill
A further Anti-Money Laundering and Countering Financing of Terrorism (Omnibus) Amendment Bill is expected to be introduced into Parliament before the House rises for the election, and then carried over to be enacted in 2027.
The Omnibus Amendment Bill is the final package of reforms to implement the recommendations from the 2022 statutory review of the AML/CFT Act, which we discussed here.
Based on Cabinet Papers already released, the Omnibus Amendment Bill is expected, amongst other things, to:
-
refine the risk-based approach to CDD;
-
enable automatic designated business group formation for eligible entities; and
-
introduce enhanced enforcement powers for the FIU and the DIA to implement targeted financial sanctions (TFS).
The DIA has signalled that reporting entities are expected to identify, assess, and manage terrorism financing and TFS risk within their AML/CFT risk assessments and compliance programmes, having regard to the FIU's National Risk Assessment and applicable supervisor guidance.
Our view
Overall, these changes demonstrate that the regulatory landscape has shifted significantly and will continue to change. Now is the time for reporting entities to comprehensively review their risk assessments and AML/CFT programmes to ensure they comply with new and upcoming requirements.
The DIA is now the sole supervisor for all reporting entities. Entities previously supervised by the Reserve Bank of New Zealand or the Financial Markets Authority need to familiarise themselves with the DIA's guidance and enforcement approach. The DIA’s levy-funded model is designed to give it greater resources to monitor and enforce compliance. Reporting entities need to ensure that their risk assessments and AML/CFT programmes reflect the DIA's expectations, which can be expected to evolve over time. They should establish good working relationships with the DIA and understand the interaction between the DIA and the Ministry of Justice with respect to the different exemption powers each exercise.
The DIA will expect reporting entities to maintain a working familiarity with its published guidance. Notably, recent amendment legislation and updated programme guidance now require reporting entities to take into account risk assessments produced by the DIA and the FIU – including the National Risk Assessment and any applicable sector risk assessments – as mandatory inputs into their own risk assessments.
The Government is moving towards a risk-based, proportionate approach to AML/CFT compliance. While this should reduce compliance costs and enable greater flexibility, it means reporting entities will need to ensure their approach to compliance is well considered and adequately documented, so they can justify their decisions should the DIA require them to do so.
The direction of travel is clear: a risk-based, proportionate regime aligned with FATF standards, overseen by a single, better-resourced supervisor with evolving expectations. Reporting entities that take a proactive approach – investing in robust documentation, maintaining current programmes, and engaging constructively with the DIA – will be better placed to manage money laundering and terrorism financing risks and avoid enforcement action.
What next?
If you have any questions about these changes or how they affect your business, please contact one of our experts.
This article was co-authored by Leanne Chew (Solicitor), John Anayi (Law Clerk), and Sarah Waller (Law Clerk) in our Financial Services team.