Wave of AML/CFT updates set to change compliance landscape

  • Legal update

    06 June 2025


There has been a recent wave of changes to the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) and more changes are expected, as part of the Government’s overhaul of the AML/CFT regime. 

From 1 June 2025, the final phase of the Government’s changes to AML/CFT regulations (which commenced in three stages from 30 June 2023) was implemented. This creates a new requirement to risk-rate customers and a requirement for online marketplaces to comply with the AML/CFT Act. 

Additionally, the Government is rapidly progressing the first two stages of its three-part programme of regulatory reforms (which we discussed last year). This includes two Bills (currently before Parliament) that will amend many key AML/CFT obligations, the consolidation of the Department of Internal Affairs (DIA) as the single AML/CFT supervisor, and a new funding model which will require reporting entities to pay levies. 

The third and final stage of reforms proposed in the November 2022 AML/CFT Statutory Review Report still requires policy decisions by Cabinet but may result in a further reform Bill early next year. 

Who needs to read it? Why?

The changes by regulation, which took place on 1 June 2025, will affect all reporting entities and need to be implemented immediately. 

The changes via the two bills still before Parliament will also be important to all reporting entities who should be preparing for their impact now. 

Reporting entities currently supervised by the Financial Markets Authority (FMA) and Reserve Bank of New Zealand (RBNZ) should also monitor the developments of the upcoming single supervisory model which will see all reporting entities being supervised by the DIA, as they will want to know how and when this transfer will occur. 

Finally, all reporting entities will be concerned to understand what levies they may be subject to under the new levy-based funding model, and how these will be calculated. 

What does it cover?
Stage 1: Current regulations and legislation

The final phase of the Anti-Money Laundering and Countering Financing of Terrorism (Requirements and Compliance) Amendment Regulations 2023 introduced:

  • a new requirement to risk rate new customers that applies to all reporting entities – they should therefore carefully read the newly released guidance; and
  • for financial institutions who operate an online marketplace, the new application of the AML/CFT Act to online marketplaces. 

New risk-rating guidance

Effective from 1 June 2025, all reporting entities must risk-rate new customers and keep a record of the rating, review the rating when conducting ongoing customer due diligence (CDD), and should update the rating where appropriate. In support of this, the DIA has released guidance to help reporting entities comply with the new risk rating obligation.

According to the guidance, the DIA considers that “implicitly, the Act has always contained a requirement to risk-rate customers. The explicit requirement to do so formalises this existing obligation.” Importantly, the guidance emphasises that the risk-rating process should be flexible and will depend on the reporting entity’s risk assessment, such as the types of customers and countries it deals with and the products and services it offers. For smaller businesses “with a small number of customers, and that offer a single or more limited range of products or services, the risk-rating process or model can be straightforward”. However, a more sophisticated methodology may be required for businesses “with a larger customer base and/or a more complex range of products and service”, such as scorecards or matrix-based tools that assign weightings to different risk factors. 

A customer’s risk-rating should inform the intensity and frequency of ongoing CDD and account monitoring conducted on the customer and should inform any controls implemented to mitigate ML/TF risks. Reporting entities should review and update risk ratings where appropriate, during ongoing CDD and account monitoring. 

New online marketplaces guidance

Effective from 1 June 2025, online marketplaces are regulated under the AML/CFT Act and must comply with its provisions. This is in recognition of the ML/TF risks associated with online marketplaces, such as through the use of fictitious accounts and sales for money laundering. The DIA has released guidance to support financial institutions that operate as providers of online marketplaces.

An online marketplace is "a process that is operated online to enable members of the public to conclude contracts for the sale and purchase of goods or the provision and acquisition of non-financial services". The guidance identifies the main financial activities carried out by online marketplaces, that are now subject to the requirements under the AML/CFT Act, as:

  • transferring money or value for, or on behalf of, a customer; and
  • issuing or managing the means of payment.

However, the DIA has granted online marketplaces a partial exemption from the AML/CFT Act requirements. According to the guidance, this applies “in relation to a customer, if their respective transactions do not exceed NZD10,000 in any consecutive 12-month rolling period. This means that CDD (and any ongoing CDD, account monitoring or enhanced CDD) or any prescribed transaction reporting requirements are only required when a customer reaches the NZD10,000 transaction threshold.” However, this does not exempt online marketplaces from their suspicious activity reporting obligations under the Act. 

Legislation before Parliament

Reporting entities should also monitor the progression through Parliament of:

  • the Statutes Amendment Bill; and 
  • the Anti-Money Laundering and Countering Financing of Terrorism Amendment Bill (AML/CFT Amendment Bill), as both will implement significant changes to the AML/CFT regime. 

As part of the first phase of the Government’s three-part regulatory reform programme, two bills are currently before Parliament. 

Statutes Amendment Bill 

Firstly, there is the Statutes Amendment Bill. The select committee report on the Bill was due on 16 April 2025 and it is currently awaiting its second reading. In May, the Associate Minister of Justice, Nicole McKee, said that it is “likely to come into effect in the coming months”.

As we have previously discussed, the Bill proposes four changes to the AML/CFT Act, including amending the address verification requirement such that it “only has to be verified by a reporting entity according to the level of risk involved in the transaction” and extending the time period for reporting entities to submit prescribed transaction reports from 10 to 20 working days. 

AML/CFT Amendment Bill 

The second bill is the AML/CFT Amendment Bill. It is currently before the Select Committee, which must publish its report on it by 13 August 2025. 

The Bill proposes 26 amendments to the AML/CFT Act (which we have previously discussed), including making clear that the prohibitions applying where CDD is “unable to be conducted” in fact apply where CDD is not conducted; making clear that reporting entities must take into account guidance materials and other factors when conducting their risk assessments; and updating the definitions of "beneficial owner", "designated non-financial business or profession", and "trust and company service provider". 

Stage 2: New single supervisory model and levy-based funding model

As part of the second phase of reforms, a new supervisory model and levy-based funding model will be put in place. We understand the relevant governmental agencies are already undertaking preparations to be able to move quickly once the relevant Bill is enacted and takes effect.

These reforms will require a further amendment Bill that the Associate Minister aims to have introduced by the middle of 2025. According to the Associate Minister, “Officials are currently working on the details of developing and implementing the levy, but I expect that the earliest it would be in place is by 2027.” 

Under the new supervisory model, the DIA will become the single AML/CFT supervisor, meaning that reporting entities currently supervised by the FMA and RBNZ will move to being under DIA supervision. In a recent speech, the Associate Minister said that this will “create a more efficient, effective, and risk-based supervisory structure – one that reduces unnecessary compliance costs for lower-risk businesses and transactions, removes the need for multi-supervisor coordination efforts - thereby reducing costs - and streamlines decision-making.”

The Government will also introduce a new funding model where an industry-wide levy will fund the AML/CFT regime. The details of the levy, including how it will be implemented, have not yet been finalised. However, it is intended to be designed, according to the Associate Minister, "in a way that distributes the costs in a risk appropriate and equitable way, so that it targets the highest risk sectors – such as large international banks - and does not place an undue burden on small businesses." 

The Government also plans to implement wider legislative changes in the future. Reporting entities should monitor the development and timeline of these changes. 

Stage 3: Future wider legislative changes

The third phase of the three-part regulatory reform programme will, according to the Associate Minister, “deliver wider legislative changes to implement international standards outlined by the FATF.” The relevant Bill is expected to be introduced later in this parliamentary term. 

The Associate Minister commented that these legislative changes “will have a natural flow on effect that improves New Zealand entities’ ability to carry on with business and sharpens our law enforcement tools. Importantly, it includes amendments to provide further flexibility for businesses to take a more risk-based approach to their AML/CFT obligations.”

Our view
Risk-rating

We appreciate the DIA making it clear in its guidance that there is no one-size-fits-all risk-rating process or model, and that what is appropriate will depend on the specific nature of the business, including its number of customers and its range of services. It does, however, create another obligation at the time of conducting initial and ongoing CDD and emphasises the importance of collecting sufficient information from new customers before any work is done, creating another avenue to resolve any concerns at an early stage. This reinforces the need to consider a customer's vulnerability to ML/TF risks throughout the business relationship, and the need to reassess risk profiles where appropriate – as opposed to assuming that a customer’s level of risk is static. 

It is also a reminder that the various CDD-related obligations are interlinked and should be considered together. Just as a reporting entity's AML/CFT programme must be based on its risk assessment, its risk-rating process or model must be based on its AML/CFT programme and risk assessment. It is all part of the process of ensuring that reporting entities have full knowledge of the customer they will have a relationship with, and therefore the requirements should be considered together – rather than risk-rating (or other CDD requirements) being considered in isolation. 

Online marketplaces

The decision to bring online marketplaces within the remit of the AML/CFT Act reflects the new challenges raised by the digital economy, and the need to respond to these risks through regulation. Particularly in preparation for New Zealand's next Financial Action Task Force evaluation in 2028 or 2029, regulators are interested in identifying sectors that may pose unique ML/TF risks and ensuring that these can be monitored. 

We welcome the partial exemption that means CDD or prescribed transaction reports are only required when transactions exceed the NZD10,000 threshold. This strikes a balance: it eases the burden of complying with the full suite of AML/CFT obligations, which can be particularly onerous for small businesses that may lack staffing or resources, while still reducing the risk that online marketplaces are exploited for ML/TF purposes by requiring them to submit suspicious activity reports (and to keep records of these).

Statutes Amendment Bill

As we have previously discussed, we generally support the changes introduced as they reduce unnecessary compliance burdens. This reflects the Government's commitment to making the AML/CFT regime more risk-based and streamlined so that businesses can use a common-sense approach to compliance. 

In particular, the clarification that addresses only need to be verified according to the level of risk involved reflects the Government's intention to adopt a risk-based approach to compliance. With the introduction of the new risk-rating requirement, the decision of whether to verify a customer's address could now be based on the level of risk assigned to customers - in other words, it may only be necessary for customers who are given a high-risk rating. Nevertheless, we consider that the regulators could make it clear (such as through guidance) how exactly a reporting entity could decide that a customer's risk profile necessitates address verification.

AML/CFT Amendment Bill

As we have previously commented, we support the intention to streamline the AML/CFT regime. We strongly support the relaxation of the requirement to conduct enhanced CDD on all trusts, as under the Bill it will not be required “if the reporting entity is satisfied that doing so would not mitigate risks identified from conducting standard CDD”. This move towards a risk-based approach encourages reporting entities to focus their resources on more high-risk transactions.

Single supervisory model 

The Government has said that having a single supervisor structure will reduce unnecessary compliance costs and streamline decision-making, but we await further clarity on how exactly this will occur. 

There may be concerns about the DIA's resourcing and its ability to take on a significant number of reporting entities that are currently supervised by the FMA and RBNZ. As such, we would appreciate clear details from the DIA about the transition to this new model, to provide reassurance that the DIA can effectively monitor the AML/CFT compliance of these reporting entities and effectively manage their risks. This will provide comfort that compliance with the AML/CFT regime is not negatively affected. 

Reporting entities will be interested to know, for example, whether the people they communicate with in the FMA and RBNZ will be unchanged when the DIA becomes their supervisor - and if not, how the FMA and RBNZ will transfer any information to the RBNZ. A clear timeline of when the supervisory model is expected to be implemented would also be appreciated, to minimise any confusion about when reporting entities (that are currently supervised by the FMA and RBNZ) can expect communications from the RBNZ. 

Levy-based funding model

As levy payers under the new funding model, reporting entities will likely take the view that they are entitled to an improved quality of service from the DIA. 

The DIA should clearly communicate why it is implementing this funding model and outline the benefits that will result from levies. In our view, it is important that the DIA sets levies in a way that is fair and reflective of the many types of reporting entities. We presume this will occur through a risk-based approach where reporting entities that are the most vulnerable to ML/TF risks (such as through their size or types of customers), and which the supervisors therefore spend more time dealing with, will pay the highest levies. But the exact method used to calculate the levies payable by reporting entities should be made publicly available as soon as possible, and the DIA should provide opportunities for businesses to give feedback on the proposed model. 

Crucially, the Government must ensure that the costs are distributed in an equitable way such that an undue burden is not placed on small businesses and so that the levy results in better resourcing, the effects of which must be clearly visible. As the levy is expected to be in place by 2027 at the earliest, we expect that the Government will soon provide more guidance on what the model will look like, as all reporting entities will be concerned to know what will be payable by them.

What next?

If you have any questions in relation to the recent and upcoming AML/CFT changes or are considering how these changes affect your business, please contact one of our experts. 

This article was co-authored by Leanne Chew, a Solicitor in our Financial Services team.