AML/CFT: Compliance with ISO 370301 in New Zealand

AML/CFT: Compliance with ISO 370301 in New Zealand

In New Zealand, the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) provides a robust framework for authorities to respond swiftly and effectively to emerging money laundering threats. The Act empowers high-level decision-makers and regulatory bodies to adapt to new risks, particularly technological developments and evolving criminal methodologies.
Key features of the AML/CFT Act that facilitate the rapid response of interested rapid response through to rapid response include:
  • Risk-based assessment requirements that ensure reporting entities continuously evaluate and update their compliance measures
  • Flexible reporting mechanisms that can be adjusted to capture new types of suspicious transactions
  • Powers granted to supervisors to issue urgent directives when new threats are identified
The Act's framework is further strengthened by its alignment with international standards, allowing New Zealand authorities to coordinate effectively with global partners in addressing cross-border money laundering threats. This international cooperation is crucial as financial crimes increasingly transcend national boundaries.
However, the new regulations and the rate of their updates can sometimes create a confusing business environment for businesses. The cluttered and sometimes unclear regulations make compliance with AML/CFT rules puzzling — even if your organisation complies with the key regulations, the less prominent ones are easy to overlook. To add to this, the cross-jurisdictional regulations make compliance an operational nightmare, even for experienced compliance professionals who have found themselves having to navigate unfamiliar territory.
Having a clear compliance management system can help your internal compliance teams effectively achieve regulatory risk management, viewed through the ISO 37301 lens.

Key AML/CFT obligations

Meeting the AML/CFT obligations under the 2009 Act requires risk and compliance professionals to be familiar with the key terms and how they are implemented in practice. Primarily, the Act requires reporting entities to identify and manage risks associated with compliance activities. In this section, we’ll explore some key obligations and how they can be met.
Customer due diligence (CDD)
When dealing with new customers, reporting entities must demonstrate that they have taken steps to verify their identities and enquire into the purpose and intention of the business relationships.
Where the business relationship involves a potential or existing client company or trust, the reporting entity must identify the beneficial owner(s) by searching the applicable registry and verifying the identity of the person(s) making the enquiry. For example, financial advice providers and financial institutions will ask the customer for photo ID (passport, NZ driver’s license) and proof of address (utility bill).
The customer’s identity documents and proof of address must be recorded and maintained, along with any transactions, for at least five years. The records must be kept in a form that is easy to send or produce if regulators or law enforcement officers require access.
As part of initial CDD and ongoing obligations, reporting entities must undertake risk assessments on new and existing clients to identify and scope risks associated with money laundering and financing terrorist activities. Where the risk assessment or CDD indicates a risk of suspicious activity, the reporting entity must report this to the relevant authority.

Other AML/CFT instruments

The 2009 Act forms part of the overall legal framework for New Zealand’s AML/CFT initiative. Other laws, regulations and supervising bodies have been formed alongside the Act to strengthen AML/CFT efforts further.
AML/CFT regulations:
Regulations provide comprehensive guidance on implementing compliance measures, including detailed requirements for customer verification processes, methodologies for conducting risk assessments, standards for maintaining accurate records, protocols for suspicious activity reporting, and specific compliance procedures tailored to different business sectors.
Department of Internal Affairs (DIA):
The DIA serves as the primary supervisory authority for AML/CFT Act compliance, overseeing a diverse range of reporting entities including financial institutions, casinos, and designated non-financial businesses and professions.
Financial Crime Group (FCG):
The FCG consists of three units: the Financial Intelligence Unit (FIU), the Money Laundering Team (MLT), and the Asset Recovery Units (ARUs). This Group was formed to conduct activities such as analysing and sharing financial intelligence, seizing and confiscating criminal assets for law enforcement agencies, and investigating money laundering networks and their facilitators.
Reserve Bank of New Zealand (RBNZ):
The Reserve Bank supervises and enforces AML/CFT Act compliance for financial institutions under its jurisdiction—primarily banks and other financial service providers.
Financial Markets Authority (FMA):
The FMA supervises and enforces AML/CFT within the securities sector, ensuring compliance among securities issuers, financial advisers, and other entities.
Other Relevant Legislation:
The AML/CFT framework may intersect with other legislation and regulations, including the Crimes Act 1961 and Terrorism Suppression Act 2002. Together, these laws serve as a strong net for catching criminal activities and prosecuting the offenders
 

The evolving AML/CFT landscape

The AML/CFT framework continues to evolve and develop in response to changing threats and conditions.
 
As part of the statutory review of the AML/CFT Act, the Ministry of Justice (MoJ) unveiled a preliminary set of draft amendment regulations ("Draft Amendment Regulations”, March 1, 2023). Following public consultation on these Draft Amendment Regulations, AML/CFT amendment regulations ("Amendment Regulations") were enacted through an Order in Council on June 26, 2023.
These Amendment Regulations comprise of:
  1. AML/CFT (Requirements and Compliance) Amendment Regulations 2023
  1. AML/CFT (Prescribed Transactions Reporting) Amendment Regulations 2023
  1. AML/CFT (Exemptions) Amendment Regulations 2023
  1. AML/CFT (Definitions) Amendment Regulations 2023
  1. AML/CFT (Cross-border Transportation of Cash) Amendment Regulations 2023
The three-stage implementation of these Regulations effectively modifies existing AML/CFT regulations. The first modifications took effect on 31 July 2023. The second stage was enforced beginning in June 2024, leaving one last wave of regulatory changes on 1 June 2025.
While the 2009 Act remains unchanged, the Ministry of Justice (”MOJ”) determined that the 12 amendments that initially formed the Draft Amendment Regulations would be incorporated into the Act instead. These include further clarification on definitions, specific due diligence requirements and extensions to reporting formats.

Global AML/CFT legislative landscape

New Zealand

Public consultation on proposed changes to AML/CFT regulatons
Russia Sanctions Act 2022

European Union

  • The Single rulebook
  • 6AMLD
  • New European Anti-Money Laundering Authority

United States

  • Anti-Money Laundering Act of 2020
  • Financial Crimes Enforcement Network (FinCEN) Final Rule for Beneficial Ownership Reporting

United Kingdom

  • The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022
  • Economic Crime (Transparency and Enforcement) Act 2022

Singapore

  • Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) (Amendment) Bill 2023
  • Financial Services and Markets Act 2022

China

  • 3-year AML campaign
  • Administrative Measures for Financial Institutions on Customer Due Diligence Investigations and Keeping of Customer Identity Information and Transaction Records

Hong Kong

  • Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance 2022
  • Guideline on Anti-Money laundering and Counter-Financing of Terrorism

Japan

  • AML/CFT/CPF Action Plan
  • Amendments to the Foreign Exchange and Foreign Trade Act 1949

Risk mitigation

Management of compliance risk can be understood as the procedures, protocols, policies and practices that operate to ensure that an organisation is meeting its legal obligations. Essentially, the Regulations and standards represent the bare minimum that organisations must meet when conducting business.
The nature, scope and significance of regulatory risk will differ among different industries and the organisation’s products and services. These are concrete and identifiable legal requirements that have been made by law, regulations and contracts. However, effective risk mitigation planning accounts for more than mandatory stipulations required by law — organisations will usually commit to voluntary obligations, such as the soft obligations guided by the company’s values and social commitments. Committing to voluntary obligations subsequently creates additional compliance risks.
As with any risk, regulatory and compliance risks require ongoing monitoring and reassessment, particularly seeing as the AML/CFT efforts will change as the nature of money laundering and terrorism activities become increasingly sophisticated. Alongside external changes, other sources of risk can include:
  • Diversified or modified business operations, products and service offerings
  • Modifications in organisational structure/strategy
  • Economic conditions, liabilities, customer relationships
  • Mergers and acquisitions, partnerships, affiliations
  • Non-compliance and near-misses
Considering the complexity and lack of certainty inherent in the regulatory landscape, it is dangerous for organisations to take a cavalier approach to managing compliance and risk. However, establishing a risk management plan that comprehensively ensures adherence to all legal obligations and successfully mitigating or eliminating risks are significant efforts. The planning and orchestration of risk-eliminating measures, therefore requires and benefits from a well-structured compliance management system — such as the ISO 371301 — which can facilitate risk management and mitigation efforts, especially as they relate to AML/CFT.
 
at YJ Consulting today for assistance with your compliance needs. We advise on regulatory compliance and can help you develop an AML/CFT process that’s best suited for your organisation and industry.