Significant changes to parts of New Zealand’s AML/CFT law under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (Act) have been confirmed. These changes will be implemented progressively with effect from 31 July 2023, 1 June 2024 and 1 June 2025. We explain key changes below by implementation date. The changes mostly either clarify some requirements or add to the obligations of businesses already subject to the Act (called “reporting entities”). Also, some businesses will be brought within the scope of the Act for the first time including some types of virtual asset service providers. The changes are being implemented through amendments to AML/CFT regulations. All existing reporting entities will need to update their AML/CFT compliance programmes (and, in some cases, risk assessments) as a result of the changes.

The changes follow a Ministry of Justice (MoJ) review of the Act. An additional 12 changes proposed by MoJ during earlier consultation are not going ahead at this stage because they can only be implemented through amendments to the Act (the confirmed changes are being implemented through amendment regulations). It is possible that this may occur at a later date. The deferred changes include two that have the most potential to significantly benefit a wide range of reporting entities, being a relaxation of requirements in relation to address verification, and enhanced customer due diligence (CDD) on trust customers. We consider those two changes at the end of this blog.

If you have any questions or if would like advice on any of these matters please contact Simon Papa.

This blog is in the following parts:

+ Changes coming into force on 31 July 2023

+ Changes coming into force on 1 June 2024

+ Changes coming into force on 1 June 2025

+ Key changes removed from draft regulations

This is summary information only, does not cover all changes and is not legal advice. This information takes into account AML/CFT law (including amendment regulations) as at the date of this post.

Changes coming into force on 31 July 2023

Clarification of the definition of “beneficial owner” (in force from 31 July 2023)

The definition of “beneficial owner” in the Act is being extended to include “a person with ultimate ownership or control, whether directly or indirectly” (the high-level definition used internationally). The existing definition in the Act has been recognised as being inadequate and the AML/CFT Supervisors have interpreted the existing definition to be somewhat consistent with that extended definition. So this change may not significantly impact on how reporting entities approach identifying beneficial owners. However, reporting entities should update their programmes to reflect that change.

The changes also clarify that “a person on whose behalf a transaction is conducted” is only a beneficial owner if the individual is “a person with ultimate ownership or control, whether directly or indirectly”. This is a helpful change. It means that current exemptions that address the consequences of the current wide term “a person on whose behalf a transaction is conducted” are either being removed (exemptions in respect of specified trust accounts or client funds accounts) or limited in their application (the class exemptions for managing intermediaries). Reporting entities that currently rely on such exemptions will need to carefully consider the impact of these changes and update their programmes accordingly.

Clarification of the definition of “nominee director” (in force from 31 July 2023)

Since July 2021 reporting entities have been required to check whether company customers have any “nominee directors”. The changes help to clarify that a nominee director excludes a director that is required or accustomed to follow the directions of a holding company or appointing shareholder. This recognises that this is a very common arrangement and not one likely to be designed to facilitate money laundering or terrorism financing.

Additional “legal arrangements” added (in force from 31 July 2023)

The current definition of “legal arrangements” in section 5 of the Act covers trusts, partnerships, and charitable entities only. The changes add additional types of “arrangements” being unincorporated society, fiducie, truehand and fideicomiso. The expanded definition of “legal arrangement” means that some services provided with respect to such arrangements by lawyers, accountants and other businesses will be brought within the scope of the Act. This change is also relevant to the new obligation to obtain additional CDD information about a customer that is a “legal arrangement” (coming into force on 1 June 2024, see below). This applies to all reporting entities.

Clarification of the meaning of “countries with insufficient AML/CFT systems or measures” (in force from 31 July 2023)

The Act requires that:

  • programmes include various procedures, policies, and controls in relation to; and
  • reporting entities conduct enhanced customer due diligence (“CDD“) on non-resident customers from,

countries with insufficient AML/CFT systems or measures in place” (without further defining what that means). The changes state that the term “countries with insufficient AML/CFT systems or measures in place” includes countries that have been identified by the FATF [Financial Action Task Force] as high-risk jurisdictions subject to a “Call to Action” (also known as the “black list”). While this provides some clarity, this is not an inclusive definition so additional countries may be captured also.

Expansion of “stored value instruments definition and exclusion (in force from 31 July 2023)

The Act applies to providers and managers of various types of stored value instruments (e.g. prepaid cards, gift cards, vouchers). There is an exemption from the Act for services provided in respect of defined “stored value instruments” with a value not exceeding $1,000 to $10,000 (depending on the nature of the instrument) during any 12 month period. The current definition of “stored value instruments” requires the instrument to be a “portable device” (implying some form of tangibility) such as a physical gift card or voucher. The changes replace that definition with a definition that is technology neutral. That means that the exemption will apply to some types of digital instruments such as digital gift cards and vouchers, and to some types of online accounts, but not “virtual assets” (see below). The value thresholds noted continue to apply. The changes also clarify the availability of the exemption where stored value instruments are bulk-sold to corporate customers for distribution to multiple different recipients.

The updated definition also has the effect of either bringing some service providers within the scope of the Act, or adding to their obligations, to the extent they are not able to rely on the exemption. For example, this may capture managers of some types of digital instruments.

Definition of “virtual asset” introduced (in force from 31 July 2023)

A definition of “virtual asset” will be introduced and is related to obligations of virtual asset service providers (see below). “Virtual asset” is defined as “a digital representation of value that can be digitally traded or transferred, and used for payment or investment purposes” but excludes a “digital representation of a fiat currency” (e.g. some types of stored value instruments) and “financial products” (e.g. some types of stable-coins). So “virtual asset” will capture some types of cryptocurrencies, NFTs and other digital assets.

Act to apply to providers of virtual asset safekeeping & administration services (in force from 31 July 2023)

The Act does not currently apply to service providers that only provide the service of safekeeping or administration of virtual assets. The changes will bring providers of such services within the scope of the Act.

Exemption for corporate trustees & nominee companies that are subsidiaries of reporting entities (in force from 31 July 2023)

The changes exempt corporate trustees, and nominee companies, that are subsidiaries of (or that are controlled by) New Zealand reporting entities. This is particularly relevant to law firms and accounting firms. To qualify for the exemption, the subsidiary must provide the relevant services on behalf of the firm, and the firm’s programme must cover the activities of the subsidiary.

Clarification of CDD requirements for designated non-financial businesses or professions (in force from 31 July 2023)

The changes clarify some obligations of designated non-financial businesses or professions (DNFBPs) (e.g. law firms & accounting firms) with respect to CDD.

A DNFBP will not, for new engagements with existing customers, be required to obtain or verify information or documents that have previously been obtained and verified, unless there are reasonable grounds to doubt the adequacy or veracity of the previously obtained information or documents, or if the DNFBP considers that the level of the risk involved requires a fresh CDD. Arguably this was already permitted but this provides helpful clarification.

A DNFBP will be able to conduct delayed CDD when an engagement transitions from a non-captured activity to a captured activity. This is equivalent to the right to delay CDD that applies when CDD is completed during customer on-boarding. The same conditions apply:

  • delayed CDD must be essential so as to not interrupt normal business practice;
  • the ML/TF risk must be effectively managed; and
  • verification of identity must be completed as soon as practicable.

Exemption for registered charities providing small loans (in force from 31 July 2023)

Registered charities will be exempted from the Act with respect to “small loans”, being one or more loans made to a single borrower where the aggregate loan amount does not exceed $6,000. The exemption only applies if the borrower is prohibited from repaying in cash.

Prohibitions on certain cash transactions (in force from 11 May 2023)

The following change is already in force as at the date of this blog and was introduced via an unrelated amendment to the Act and associated regulations. However, it is significant for some types of businesses so we note it here. From 11 May 2023 all businesses are prohibited from buying or selling any of the following items where there is a cash payment(s) of $10,000 or more (payments by cheque are also captured):

  • jewellery
  • watches
  • gold, silver, or other precious metals
  • diamonds, sapphires, or other precious stones
  • motor vehicles (within the meaning of section 6(1) of the Motor Vehicle Sales Act 2003)
  • ships (within the meaning of section 2(1) of the Maritime Transport Act 1994).

One effect of this prohibition is that some “high value dealers” are no longer subject to the Act.


Additional information to be collected when carrying out CDD on customers (in force from 1 June 2024)

Additional CDD information is required to be collected with respect to a customer that is a “legal person” (e.g. a company, an incorporated society) or a “legal arrangement” (e.g. a trust, partnership, charity, unincorporated society), being information about:

  • the customer’s legal form and proof of existence;
  • the customer’s ownership and control structure;
  • any powers that bind or regulate the customer; and
  • if the customer is a trust, the name and date of birth of the settlor(s) or protector(s) of a trust.

The changes require reporting entities to verify that information- the level of verification required will be based on the assessed risk.

While not previously expressly required, it is possible that some of this information is already required to be collected. However, we recommend that reporting entities review their programmes to check whether changes are required to ensure that that information is collected.

Additional information to be collected when carrying out enhanced customer due diligence (in force from 1 June 2024)

Reporting entities will have to obtain additional information when conducting enhanced CDD. Currently, for most types of enhanced CDD, the main requirement is to collect (and verify) information relating to the source of wealth or funds of a customer. The changes will require reporting entities to consider whether to do the following:

  • obtain further information from the customer in relation to a transaction;
  • examine the purpose of a transaction (collection of this information is currently required but there is no requirement to “examine” it);
  • conduct enhanced monitoring of a business relationship; and
  • obtain senior management approval for transactions or to continue the business relationship.

We don’t consider it will be necessary to apply all of those measures in every case. Rather we suggest developing policies and procedures to help to identify when such measures are necessary.

Additional requirements when relying on CDD conducted by other reporting entities (in force from 1 June 2024)

The Act allows a reporting entity to rely on another unrelated reporting entity (that is not an agent of the reporting entity) (the “third party”) to conduct CDD. The changes mean that a reporting entity engaging the third party will have to take steps to satisfy itself that the third party has record keeping measures in place, and will make verification information available as soon as practicable on request (and within five working days in all cases). In addition, if the third party is overseas, then the reporting entity must consider the level of risk associated with relying on the third party.

Clarification of obligations with respect to ongoing CDD information and account monitoring (in force from 1 June 2024)

Currently, reporting entities are required to review CDD information when undertaking ongoing CDD and account monitoring. However, there is no express requirement to:

  • update customer’s records during this process (except where enhanced CDD is triggered); or
  • consider when CDD was last conducted.

The changes require that those matters are addressed, based on the level of risk. We expect that some reporting entities already do this.

The changes also clarify what “account monitoring” means for DNFBPs (e.g. law firms & accounting firms). MoJ’s interpretation is that “account monitoring” currently means monitoring of “financial transactions” only (which is more relevant for financial institutions rather than DNFBPs). The changes will require DNFBPs to regularly review non-financial activities of the customers when conducting ongoing CDD and account monitoring.

Clarification of record keeping obligations (in force from 1 June 2024)

The Act does not set out how long reporting entities should retain prescribed transaction reports, account files, business correspondence and written findings. The updates require reporting entities to keep those records for 5 years.

Extension of obligations of virtual asset service providers (in force from 1 June 2024)

Some virtual asset service providers (VASPs) are currently captured by the Act (and from 31 July 2023 some new types of VASPs are brought within the scope of the Act- see above).

The changes extend VASPs’ obligations in relation to wire transfers (including to collect and verify certain information in relation to the transfers) and prescribed transaction reporting (PTR) (including to report certain international transfers to the Financial Intelligence Unit at the Police). The changes include:

  • Extending the definition of “transaction” to include a deposit, withdrawal, exchange or transfer of a virtual asset (not just fiat currency). This recognises that virtual asset transfers reflect a transfer of value.
  • Virtual asset to virtual asset transfers, and virtual asset to fiat currency (or vice versa) transfers, are deemed to be “wire transfers”. Again, this recognises that such transfers reflect a transfer of value.
  • Specified virtual asset transfers are deemed to be “international wire transfers” unless the VASP confirms that all parties to the transfer are in New Zealand. This places the onus on the VASP to check that all parties are in NZ or to otherwise comply with PTR obligations in that regard. Some VASPs may need to update technology and/or systems in order to comply.
  • Virtual asset transactions of $1,000 or more which occur outside a business relationship are deemed to be “occasional transactions”.

Additional measures to mitigate the risks of new technologies (in force from 1 June 2024)

Reporting entities are currently required to conduct a risk assessment of their operations, products, and delivery methods. However, there is no express requirement to conduct risk assessments (and to implement appropriate mitigation measures) before launching new technology or new products. The changes require reporting entities to conduct a risk assessment before implementing a new technology or product (including its delivery mechanism). Arguably this is required currently but we suggest that reporting entities update their programmes and risk assessment to take this requirement into account.

Additional obligations in relation to prescribed transaction reporting (in force from 1 June 2024)

There are several changes designed to enhance transparency in relation to international wire transfers (including virtual asset transfers). The changes include requirements to:

  • obtain and transmit originator and beneficiary information for international wire transfers below $1,000 (currently not required);
  • keep records of the beneficiary account numbers or transaction numbers for 5 years; and
  • implement measures in compliance programmes to identify and address wire transfers lacking required information.

Requirement to provide more information about agents in programmes (in force from 1 June 2024)

A reporting entity that uses agents to support its AML/CFT activities will be required to set out in its programme additional procedures, policies, and controls relating to:

  • relevant AML/CFT functions carried out by agents (including agents that conduct CDD on behalf of the reporting entity);
  • vetting of agents who carry out functions of the reporting entity;
  • training such agents on AML/CFT matters.

Requirement to document when source of funds or source of wealth checks (or both) will be used (in force from 1 June 2024)

A reporting entity will have to state in its programme in what circumstances source of wealth or source of funds checks are required, or both. However, the Act does not explain the distinction and the updated regulations do not provide any guidance on that. Hopefully the AML/CFT Supervisors will provide guidance on this requirement to the thousands of reporting entities that need to implement it.

Requirement to conduct CDD with respect to a low value transaction where there is a suspicious activity (in force from 1 June 2024)

There is no requirement currently to conduct CDD on a person seeking to conduct transactions outside of a business relationship that fall below the “prescribed thresholds”. The prescribed thresholds are $10,000 for cash transactions and $1,000 for wire transfers. The changes will require reporting entities to conduct CDD even where those transactions are below the prescribed thresholds, where there are grounds to report a suspicious activity.

Requirement for MVTS providers to provide SARs to overseas financial intelligence units (in force from 1 June 2024)

A money or value transfer service (MVTS) provider that acts as either the ordering or beneficiary institution of a wire transfer outside New Zealand will have to provide a copy of a suspicious activity report (SAR) to the Financial Intelligence Units in affected countries, if it is required to file a SAR in New Zealand.

All MVTS providers, including informal remittance service providers, subject to wire transfer obligations (in force from 1 June 2024)

The MoJ considers that the current definition of “wire transfer” in the Act does not accurately reflect the technical, legal, and practical realities of how wire transfers are conducted, making it difficult for some reporting entities to comply, especially money value or transfer service (MVTS) providers using informal remittance systems. The updated regulations state that “To avoid doubt… an operator of a [MVTS] must comply with all requirements of the Act and any regulations made under the Act relating to a wire transfer”. This does not materially address any of the issues identified by MoJ so we consider that this provides little (if any) assistance to MVTS providers.

In addition, if a MVTS provider uses an agent (or sub-agent) in relation to a wire transfer, the originator or beneficiary of the wire transfer is deemed to be the “customer” for the purposes of the Act, and not the agent or sub-agent. This is a helpful clarification.

Clarification of intermediary institutions’ exemption from prescribed transaction reporting obligations (in force from 1 June 2024)

“Intermediary institutions” in relation to wire transfers are currently exempted from filing prescribed transaction reports (reports about international wire transfers) (under section 48A of the Act). The changes mean that that exemption will cease to apply to a MVTS provider unless the MVTS provider is a registered bank. This is particularly relevant to some virtual asset service providers that only function as an intermediary institution between the sender and recipient.


Requirement to conduct customer-specific risk assessment (in force from 1 June 2025)

Reporting entities will have to risk-rate each customer when completing CDD, and to update such risk rating as part of ongoing CDD and account monitoring during the business relationship.

Such risk ratings are arguably already required by implication. Customer risk ratings are likely to be relevant in areas such as determining whether or not enhanced CDD is required on the basis of risk (section 22(1)(d) of the Act), how often ongoing CDD is conducted and whether or not electronic identity verification is appropriate.

Online auction provider exemption narrowed (in force from 1 June 2025)

The current full exemption from the Act for providers of some types of online auction services (e.g. TradeMe) will be considerably narrowed (reflecting MoJ concerns about the risk of trade-based money laundering). The exemption will only apply in relation to a customer where the value of that customer’s transactions do not exceed $10,000 in a consecutive 12-month period. Obligations in relation to suspicious activity reporting will apply with respect to all customers including those who are otherwise subject to the exemption.


Simplification of address verification

Reporting entities are required to take reasonable steps to verify that address information they obtain from individuals during CDD is “correct” (interpreted by the AML/CFT Supervisors as verifying that the stated address is where the individual currently resides). In doing that reporting entities must rely on documents, data or information issued by a “reliable and independent source” (for example obtaining utility bills or bank statements sent to the individual).

Draft regulations provided for a narrower obligation, which was to verify that the relevant residential address is “correct”, except where enhanced CDD is required. So it would only be necessary in those cases to verify if an address is “genuine”. We consider that the proposed exemption was fully justified (and in fact does not go far enough), given that address verification provides very limited value (relative to the effort required), is relatively easy to circumvent and can make it quite difficult (or impossible) for some types of people to validate their residential addresses (and therefore to access even basic banking services) including working holiday makers and students.

Requirement to verify source of wealth or funds for low-risk trusts lessened

It is currently mandatory to conduct enhanced CDD on all customers that are trusts and other “vehicles for holding personal assets” regardless of the nature of the trust or the risk the trust poses. Draft regulations provided an exemption from the obligation to verify the source of wealth or source of funds for certain “lower-risk” trusts subject to details to have been included in later regulations. This did not change the requirement to collect such information (which can be a complex undertaking in some cases). So the proposed change was a limited concession in any case. It is disappointing that a more significant relaxation of the law was not proposed, given the costs this requirement imposes (relative to the benefits) and that the Financial Action Task Force (the international body that sets relevant standards) does not mandate that enhanced CDD must be performed on all customers that are trusts.