NZ: AML/CFT Act 2009

Regulator: RBNZ
Jurisdiction: NZ
Status: live
Applicability: Platform

The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 is the primary AML/CFT legislation in New Zealand. It requires reporting entities (including registered banks) to establish and maintain an AML/CFT programme, conduct customer due diligence, monitor transactions, and report suspicious activity and cross-border cash and wire movements. RBNZ is the primary supervisor for banks; DIA supervises non-bank financial institutions; FMA supervises securities dealers.

The Act has been amended several times since 2009. Significant amendments include the 2017 Amendment Act (Phase 2 expansion), 2019 Amendment Act (AML/CFT Amendment Act), and the Financial Markets (Conduct of Institutions) Amendment Act 2022. Section references in this register are indicative — refer to the Act as amended for precise statutory language.


Compliance register

This register maps every material obligation under the Act to the platform control or institutional process that satisfies it. It is the static traceability layer for the Totara compliance report — dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.

Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
|---|---|
|  | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
|  | Uncontrolled gap — no module attributed |

Part 2 — AML/CFT Programme (ss.56–60)

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| S.56 | Establish and maintain a written AML/CFT programme covering risk assessment, policies, procedures, and controls | 📊 Evidenced | AML-001 | MOD-037 (AUTO) — annual programme report auto-generated from operational data; MOD-047 (LOG) — every compliance decision logged; MOD-150 (LOG) — operational risk register provides the programme evidence base | 🔨 |
| S.57 | Conduct and maintain a business-wide risk assessment | 🤖 Automated | AML-001 | MOD-039 (AUTO) — customer risk scores computed continuously; MOD-150 (CALC) — risk domain aggregation and RAF dashboard | 🔨 |
| S.58 | Ensure relevant employees are trained on AML/CFT obligations; maintain training records | 🏛 Institutional | AML-010 | LMS is an institutional system — not platform scope. Platform captures staff access-control consent acknowledgements via MOD-049 (LOG) as a supporting evidence input only. |  |
| S.59 | Designated Business Group (DBG) arrangements with RBNZ approval | N/A |  | Single-entity reporting entity model — DBG not applicable to this platform deployment. |  |
| S.60 | Submit annual AML/CFT report to supervisor (RBNZ) | 🤖 Automated | AML-001 | MOD-037 (AUTO) — annual compliance report data sourced and structured from operational systems; MOD-047 (LOG) — provides the audit evidence base for the report | 🔨 |

Part 3 — Customer Due Diligence (ss.6–35)

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| S.6 | Conduct CDD before or when establishing a business relationship, processing an occasional transaction ≥ NZD 10,000, or on suspicion | 🤖 Automated | AML-011, AML-002 | MOD-153 (GATE) — no product or facility activates until acceptance engine returns ACCEPT; threshold check applied at onboarding | 🔨 |
| S.11 | Standard CDD — verify identity of natural persons using reliable, independent source documents or data | 🤖 Automated | AML-003, AML-002 | MOD-009 (AUTO) — eIDV extracts and verifies identity from document biometrics; MOD-010 (AUTO) — CDD tier assigned by rule engine, not agent discretion; MOD-013 (GATE) — sanctions and PEP screen gates onboarding | 🔨 |
| S.12 | Standard CDD — verify identity of companies: registered name, registration number, principal place of business, directors, beneficial owners ≥ 25% | 🤖 Automated | AML-002 | MOD-134 (GATE) — all authorised signatories must pass eIDV before account activates; MOD-010 (AUTO) — company CDD tier assigned by rule | 🔨 |
| S.13 | Standard CDD — verify trusts, partnerships, and other legal entities: trustees, beneficiaries, settlors, partners, and beneficial owners ≥ 25% | 🤖 Automated | AML-002 | MOD-133 (GATE) — all trustees and beneficial owners ≥ 25% must individually pass eIDV and CDD before trust account activates; MOD-010 (AUTO) — entity CDD tier assigned by rule | 🔨 |
| S.15 | Simplified CDD — permitted for prescribed low-risk customer categories | 🤖 Automated | AML-002 | MOD-010 (AUTO) — CDD tier rule engine applies simplified tier where criteria are met; criteria are configuration, not agent discretion | 🔨 |
| S.22 | Enhanced CDD — required for high-risk customers, complex structures, and any customer presenting higher ML/TF risk | 🤖 Automated | AML-002, AML-004 | MOD-010 (AUTO) — EDD tier assigned automatically on risk trigger; MOD-012 (LOG) — EDD decisions and documentation auditable; MOD-039 (AUTO) — enhanced monitoring applied automatically to high-risk score customers | 🔨 |
| S.22A | Enhanced CDD — Politically Exposed Persons: senior management approval, source of wealth verification, enhanced ongoing monitoring | 🤖 Automated | AML-004 | MOD-010 (ALERT) — PEP detection triggers EDD tier and senior management notification automatically; MOD-153 (GATE) — PEP cannot be accepted without completed EDD on record; no override below compliance officer role | 🔨 |
| S.24 | Enhanced CDD — customers from high-risk or monitored jurisdictions (FATF grey/black list) | 🤖 Automated | AML-004 | MOD-010 (AUTO) — jurisdiction risk tier applied automatically from FATF list configuration; MOD-013 (GATE) — high-risk country flag escalates to EDD gate | 🔨 |
| S.26 | Correspondent banking — conduct enhanced due diligence before establishing a correspondent relationship; no shell bank relationships | 🤖 Automated | AML-009 | MOD-154 (GATE) — no payment may be routed through a correspondent that has not completed due diligence and received active approval in the correspondent registry; dual-approval gate (Head of Payments + CCO) required | 🔨 |
| S.28 | Timing of verification — identity must be verified before or during establishment of business relationship | 🤖 Automated | AML-003 | MOD-009 (GATE) — account cannot be activated without verified KYC; verification is synchronous, not deferred | 🔨 |
| S.31 | Ongoing CDD — monitor transactions, keep documents current, conduct periodic review triggered by risk events | 🤖 Automated | AML-005, AML-002 | MOD-011 (AUTO) — periodic CDD review completed within required timeframe, triggered automatically; MOD-016 (AUTO) — all transactions monitored continuously against typology rules; MOD-017 (AUTO) — behavioural anomaly detection without requiring a specific rule; MOD-039 (AUTO) — live risk score updates trigger monitoring tier changes | 🔨 |
| S.35 | Record-keeping — retain CDD records for 5 years after the business relationship ends | 🤖 Automated | AML-002 | MOD-002 (LOG) — immutable transaction log; MOD-012 (LOG) — CDD records retained and immutable; records cannot be deleted or altered | 🔨 |

Part 4 — Reporting Obligations (ss.40–48)

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| S.40 | Suspicious Transaction Reports — file with NZ Police Financial Intelligence Unit (FIU) within 3 working days of forming suspicion; include all required particulars | 🤖 Automated | AML-006 | MOD-018 (LOG) — alert-to-STR pipeline; every alert is actioned and its disposition recorded; MOD-037 (AUTO) — STR submission automated and tracked from creation to FIU acknowledgement; MOD-048 (LOG) — alert dismissals logged with analyst ID and reasoning | 🔨 |
| S.40A | Tipping-off prohibition — must not disclose that an STR has been or may be filed, or that an investigation is underway | 🤖 Automated | AML-006 | MOD-052 (AUTO) — SAR/STR data accessible only to compliance and legal roles; data-layer segregation enforced, not UI-layer only | 🔨 |
| S.43B | Cash transaction reports — report cash transactions ≥ NZD 10,000 to RBNZ | 🤖 Automated | AML-008 | MOD-129 (GATE) — cash transactions at or above the threshold require identity verification and are automatically submitted to the CTR workflow before posting finalises; MOD-019 (AUTO) — CTR submitted automatically, no manual extraction | 🔨 |
| S.44 / S.44B | International funds transfer instructions (IFTIs) — report international wire transfers to RBNZ; include sender and recipient details | 🤖 Automated | AML-008 | MOD-019 (AUTO) — IFTI reports submitted automatically; no manual data extraction or formatting; MOD-026 (AUTO) — threshold check applied to every cross-border event; MOD-154 (LOG) — correspondent-routed cross-border payments flagged for IFTI/CMIR evaluation | 🔨 |
| S.47 | Cross-border movement reports (CMIRs) — report physical cash movements across NZ border ≥ NZD 10,000 | 📊 Evidenced | AML-008 | MOD-019 (AUTO) — CMIR reporting pipeline automated; border agency integration is external. Platform provides the reporting infrastructure; physical cash detection at the border is an NZ Customs / RBNZ process. | 🔨 |
| S.48 | Adequate, accurate, and timely information on wire transfers — originator and beneficiary data included in payment messages | 🤖 Automated | AML-008 | MOD-026 (AUTO) — originator and beneficiary data populated on every outbound wire; SWIFT/ISO 20022 message enrichment automated | 🔨 |

Sanctions obligations (via NZ Sanctions Act 2022)

Sanctions screening obligations arise under the Russia Sanctions Act 2022 and the Autonomous Sanctions Act framework rather than directly under the AML/CFT Act, but are operationally delivered through the same AML programme. See nz-sanctions-act.

| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Screen all customers and transactions against NZ financial sanctions lists | 🤖 Automated | AML-007 | MOD-013 (GATE) — no payment to/from a confirmed sanctions match; hard gate, not advisory; MOD-014 (AUTO) — existing customers rescreened against new designations without manual trigger; MOD-015 (LOG) — false positive decisions auditable; MOD-020 (GATE) — sanctions screen is a mandatory pre-payment gate | 🔨 |
| Screen correspondent banks and intermediaries | 🤖 Automated | AML-007 | MOD-154 (GATE) — every correspondent and named intermediary screened before routing; sanctions hit blocks payment regardless of prior approval | 🔨 |
| Proliferation financing — screen against UN Security Council PF designation lists (FATF R.7) | 🤖 Automated | AML-007 | MOD-018 (LOG) — PF designation list coverage included in sanctions screening engine alongside OFAC/UN/NZ lists | 🔨 |

Institutional obligations (not platform scope)

The following obligations under the Act are the responsibility of the institution, not the platform. The platform may generate evidence inputs but does not own these processes.

| Obligation | Owner | Platform evidence input |
|---|---|---|
| S.58 — AML/CFT staff training programme design and delivery | Chief People Officer / Chief Compliance Officer | MOD-049 logs staff training consent acknowledgements |
| Board and senior management oversight of AML/CFT programme | Board / CEO | MOD-150 provides risk dashboard and board report data inputs |
| Designation of AML/CFT Compliance Officer | Board | Institutional HR record; not a platform function |
| Regulatory examination responses and correspondence | Chief Compliance Officer | MOD-037 provides examination-ready data extracts; MOD-047/MOD-048 provide audit logs |
| AML/CFT audits (internal and external) | Head of Internal Audit | MOD-047, MOD-048, MOD-002 provide the audit evidence base; audit planning and execution is institutional |
| Customer complaints relating to AML decisions | Chief Compliance Officer | MOD-053 (case management) routes complaints; human compliance officer makes final decision on any de-banking or reinstatement |

Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| AML/CFT Programme | 5 | 2 | 1 | 1 | 1 |
| Customer due diligence | 9 | 9 | 0 | 0 | 0 |
| Reporting | 6 | 5 | 1 | 0 | 0 |
| Sanctions | 3 | 3 | 0 | 0 | 0 |
| Total | 23 | 19 (83%) | 2 (9%) | 1 (4%) | 1 (4%) |

Of the 21 platform obligations, all have attributed controls. All attributed modules are currently build_status: Not started — the compliance position will update as modules are built and deployed.


| Policy | Title |
|---|---|
| AML-001 | AML/CFT Programme Policy |
| AML-002 | Customer Due Diligence (CDD) Policy |
| AML-003 | Know Your Customer (KYC) & Identity Verification Policy |
| AML-004 | Politically Exposed Persons (PEP) Policy |
| AML-005 | Transaction Monitoring Policy |
| AML-006 | Suspicious Activity Reporting Policy |
| AML-007 | Sanctions Screening Policy |
| AML-008 | Cross-Border Transfer Reporting Policy |
| AML-009 | Correspondent Banking & Payments Policy |
| AML-010 | AML Training & Awareness Policy |
| AML-011 | Customer Acceptance Policy |
| AML-012 | Customer Risk Rating Policy |
| AML-013 | Onboarding Fraud & Identity Integrity Policy |

See D03 AML / Financial Crime for the full risk domain.



Policies referencing this standard

  • AML-001 — AML/CFT Programme Policy
  • AML-002 — Customer Due Diligence (CDD) Policy
  • AML-003 — Know Your Customer (KYC) & Identity Verification Policy
  • AML-004 — Politically Exposed Persons (PEP) Policy
  • AML-005 — Transaction Monitoring Policy
  • AML-006 — Suspicious Activity Reporting Policy
  • AML-008 — Cross-Border Transfer Reporting Policy
  • AML-009 — Correspondent Banking & Payments Policy
  • AML-010 — AML Training & Awareness Policy
  • AML-011 — Customer Acceptance Policy
  • AML-012 — Customer Risk Rating Policy
  • AML-013 — Onboarding Fraud & Identity Integrity Policy
  • PAY-004 — Cross-Border Payments & FX Policy
  • PPL-003 — Training & Competency Policy
  • REP-003 — AML Compliance Reporting Policy

Compiled 2026-05-22 from source/entities/regulations/nz-amlcft-act.yaml