The Department of Internal Affairs (DIA) has published a new Identity Verification Code of Practice 2026 (the new Code) issued under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the Act).
The new Code follows a discussion paper released by the DIA last year seeking submissions on updating the Amended Identity Verification Code of Practice 2013 (the 2013 Code) and is intended to support modern identification practices and technologies. We discussed this here.
The new Code will apply from 1 July 2026, but parts of the certified copies pathway will not come into force until 1 July 2027 (refer below).
The new Code is available here and a fact sheet on the changes can be found here.
Who needs to read it? Why?
All reporting entities relying on the safe harbour conferred under the 2013 Code should read the new Code and incorporate it into their CDD procedures, policies and controls (PPCs) in their AML/CFT Programme.
Reporting entities that continue to accept documents or use the electronic sources they currently do under the 2013 Code will be compliant with the 2026 Code (other than relating to certified copy requirements from 1 July 2027 – refer below).
What has changed?
The following outlines the main changes between the new Code and the 2013 Code.
General changes include:
-
Extended application to high-risk customers: Unlike the 2013 Code, the new Code now applies to high-risk customers who are natural persons, in addition to low- and medium-risk customers;
-
No repeated wire transfer originator verification: A reporting entity relying on the new Code does not need to conduct identity verification on a wire transfer originator if it has already done so as part of CDD on that person as a customer, unless there are reasonable grounds to doubt the adequacy or veracity of the previous verification; and
-
Standard exception handling processes: The new Code now explicitly permits reporting entities to maintain a standard process for common exceptions and to implement risk management procedures (such as transaction restrictions and additional account monitoring) alongside making an exception, with an explicit requirement that exceptions handling procedures have appropriate escalation PPCs in place.
New Code establishes four pathways to identity verification:
-
Pathway 1: Face-to-face verification using physical documents – which enables verification of a customer's name and date of birth by sighting original physical identity documents in person. The new Code introduces an explicit requirement for a visual comparison of the photograph on the identity document to the customer presenting it, as well as making minor changes to this pathway to improve useability.
-
Pathway 2: Digital Identity Services Trust Framework (DISTF) – this is a new pathway which enables verification through an accredited DISTF service, which provides Information Assurance (confirming the accuracy of a person's identity) and Binding Assurance (confirming the person being dealt with is the genuine holder of that identity). The new Code provides two options for using this new pathway.
-
Pathway 3: Other electronic identity verification – this pathway enables remote (non-face-to-face) verification of a customer's name and date of birth from electronic sources. A verified RealMe identity can be used as a single electronic source providing both Information Assurance and Binding Assurance (as was the case under the 2013 Code). The DIA Confirmation Service, an equivalent overseas government body source, and an embedded e-passport microchip may each be used as a single reliable and independent source without a second corroborating source (removing the previous requirement under the 2013 Code), but a separate linking mechanism (Binding Assurance) is still required.
-
Pathway 4: Receiving certified copies of identity documents – this pathway allows a reporting entity to accept copies of identity documents certified by a trusted referee as under the 2013 Code, but makes some significant changes including: extending the certification period from three months to twelve months; requiring the photograph on the certified copy to be clearly visible; and requiring a visual comparison for certified copies presented face to face. From 1 July 2027, reporting entities will be allowed to receive a certified copy in person, by post, or by any other means of delivery (including electronically), subject to enhanced assurance procedures where there are reasonable grounds for concern that a copy may not be genuine.
New reduced verification requirements for beneficial owners and persons acting on behalf of customers permitted in certain circumstances:
-
the extent of verification steps required depends on the level of risk associated with the customer;
-
reduced verification steps are possible where the person is a beneficial owner or person acting on behalf of a customer that is: a legal person or legal arrangement; rated as low or medium risk; and the customer has two or more beneficial owners, or qualifies for simplified CDD under section 18(1) or (3) of the Act;
-
a reporting entity wanting to apply reduced verification steps must have appropriate risk-based PPCs in its AML/CFT programme, which include what the reduced steps are and when they may be taken; and
-
reduced verification steps are not permitted where there are grounds to report a suspicious activity.
What next?
If you have any questions regarding the new Code or are considering how these changes may affect your business, please contact one of our experts.
This article was co-authored by Sarah Waller (Law Clerk) and Leanne Chew (Solicitor), in our Financial Services team.
Key contacts
Speak with one of our experts.
