With the Financial Markets (Conduct of Institutions) Amendment Act 2022 (otherwise known as CoFI) coming up to its first birthday soon, the potential breadth of its application is a hot topic for 2026. The FMA will be keen to explore the new ways in which its regulatory remit has expanded.

CoFI introduces a new conduct licensing and oversight regime, targeted at consumer banking and insurance, into the Financial Markets Conduct Act 2013 regime which applies to institutions such as registered banks, licensed insurers and licensed non-bank deposit takers. CoFI focuses on conduct, culture and incentives and centres around the 'fair conduct principle' which is defined as including:

• paying due regard to consumers’ interests;
• acting ethically, transparently, and in good faith;
• assisting consumers to make informed decisions;
• ensuring that the relevant services and associated products that the financial institution provides are likely to meet the requirements and objectives of likely consumers (when viewed as a group); and
• not subjecting consumers to unfair pressure or tactics or undue influence.

The core duties under CoFI are to obtain and maintain a conduct licence, and within that to establish, implement and maintain an effective fair conduct programme with the key word being “effective” and a duty to comply with that programme. With hindsight being 20/20, the key risks arise where consumers are harmed and the FMA then reviews the entity’s fair conduct programme to ascertain whether it was “effective”.

There are a small number of obligations that extend to intermediaries as well, primarily relating to the payment of incentives in respect of sales and distribution relevant products issued by CoFI licensed entities.

Some overlap but also expansion. Many breaches of CoFI are likely to also breach the fair dealing provisions in the Financial Markets Conduct Act (FMCA). For example, for misrepresentations, the fair dealing provisions are likely to be engaged as well as the obligation under CoFI to ensure that the methods by which relevant services and products are provided operate in a manner consistent with the fair conduct principle.

However, the fair conduct principle does not stop there. CoFI may allow the FMA to identify and pursue breaches which relate specifically to failures of processes, policies, systems and controls. For instance, it could be alleged that an entity’s fair conduct programme is not “effective” relying on deficiencies in processes, policies, systems and controls as evidence. In line with this, the FMA has publicly signalled that it is particularly focussed on systems and controls, using as an example, the misapplication of multipolicy discounts due to system failures.

Australian assistance: What may constitute a breach of CoFI duties?

While there is no New Zealand case law on CoFI breaches yet, Australian case law provides a useful analogy. Under the Australian Corporations Act there is an obligation to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly. There is some helpful case law based on this provision which identifies the types of things which may trigger a breach of CoFI obligations:

• In the case of ASIC v Commonwealth Bank of Australia [1], the Commonwealth Bank of Australia (CBA) had not provided its customers with fee waivers, interest rate discounts and bonus interest as part of its AI Plus Package. In addition to admission of misleading and deceptive conduct, CBA also admitted that it breached this obligation “to do all things necessary to ensure that the financial services…were provided efficiently, honestly and fairly” as required under Australian law. If this were to occur in New Zealand, it is possible that this could constitute a CoFI breach: it could be alleged that the fair conduct programme was not effective where the methods by which products were provided did not operate in a manner consistent with the fair conduct principle. This would also be a breach of the fair dealing provisions of the FMCA.
• In that same case, the Federal Court also found that CBA’s complaints handling process was inadequate as it did not have systems in place to identify complaints about its AgriAdvantage Plus Packages. Again, this could be characterised as a CoFI breach because one of the minimum standards for the fair conduct programme is that records must be kept, to allow an assessment to be made of the financial institution’s performance in complying with the fair conduct principle and regular reporting of risks and failures.
• CoFI also may have a role to play in relation to scams. In late 2024, ASIC issued proceedings against HSBC Australia relating to inadequate controls in place to prevent and detect fraudulent payments. One may be a breach of the obligation to do all things necessary to ensure that the financial services were provided efficiently, honestly and fairly. As yet there is no decision on this case. However, it is possible that while new technology and practices are reasonably available to protect consumers from scams and implement those measures may constitute a failure to have in place an “effective” fair conduct programme. One of the requirements and objectives of likely consumers (when viewed as a group) is to have a service that is reasonably free from scams and it is possible that a failure to implement technology and practices that are readily available in the market without a good basis, could demonstrate a failure to have an effective fair conduct programme in place.
• CoFI also impacts product reviews. Failing to conduct a regular review of key indicia of distribution in circumstances where there is evidence that distribution methods were not operating in a manner consistent with the fair conduct principle may result in a breach of CoFI. ASIC brought a case against an Australian company offering credit cards where there were high levels of cancellation. The Court found that the high cancellations demonstrated that the distribution methods were not operating properly and that despite this, no review was undertaken, and the product continued to be offered. If this were to occur in New Zealand, this could be characterised as a breach of CoFI which requires effective policies, processes, systems and controls for regularly reviewing distribution methods to ensure these operate in a manner consistent with the fair conduct principle. The principles likely to be at issue are paying due regard to consumers’ interests, acting ethically, transparently and in good faith and ensuring that the relevant services/products are likely to meet the requirements and objectives of likely consumers.
• The fair conduct principle also applies to any dealings or interactions with a consumer including responding to a complaint or handling a claim for insurance. How far this obligation goes is yet to be determined. But for instance, an issue could arise in a litigation dispute where an insurer has actual knowledge that a customer or its experts have made a mistake in relation to assessing the loss and whether it could take advantage of that mistake.

However, the scope of the CoFI regime is wider than the Australian counterpart, primarily because it mandates a principle-based “fair conduct” duty across the entire product lifecycle – from design to service, performance and termination. So it is important to keep across the guidance issued by the FMA too.

What’s next

We expect that once the CoFI regime moves into its second year, the FMA will start to shift from its educative phase to a stronger focus on ensuring compliance. In its June 2025 Financial Conduct Report, the FMA made clear the 2025/26 year is focussed on banks and insurers proactively reviewing existing products and services to confirm they align with consumers’ requirements and objectives. Where harm has occurred, the FMA expects firms to take action to stop further harm and prioritise any remediation. This includes investing in improvements to controls and technology to fix the root cause.

Having given that indication, it logically follows that the 2026/27 year is likely to herald a step up in expectations by the FMA, on the basis that the regime will have been bedded in. That makes it timely to invest in training and compliance audits now to stay ahead of that increase in focus.

Footnote

[1] Australian Securities and Investments Commission v Commonwealth Bank of Australia [2020] FCA 790