NZ: CoFI Act 2022

| | |
| --- | --- |
| Regulator | RBNZ |
| Jurisdiction | NZ |
| Status | live |
| Applicability | Platform |

The Conduct of Financial Institutions Act 2022 (CoFI) came into force on 31 March 2025. It
requires banks, insurers, and non-bank deposit takers to obtain a Financial Institution Licence
from the FMA and to maintain a Fair Conduct Programme. CoFI focuses on institutional conduct
— how the institution treats its customers — rather than individual adviser obligations, which
are governed by the Financial Advice Provider regime under the Financial Markets Conduct Act.
The Financial Markets Authority (FMA) is the regulator. A Financial Institution Licence must be
held to carry on a financial institution business in New Zealand.
The fair conduct principles are: treat customers fairly; no unfair pressure or undue influence;
manage conflicts of interest; do not engage in misleading or deceptive conduct. These principles
apply to the institution's own conduct and to that of any person acting on its behalf (including
distributors and representatives).
Compliance register
This register maps every material obligation under CoFI to the platform control or institutional
process that satisfies it.
Scope legend

| Symbol | Meaning |
| --- | --- |
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
| --- | --- |
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |

Financial Institution Licence

| Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Obtain and maintain a Financial Institution Licence from the FMA to carry on a financial institution business in NZ | 🏛 Institutional | GOV-004 | Licensing is an institutional governance obligation owned by the board and General Counsel. Platform audit logs provide evidence of control environment for licence applications and renewals | — |
| Annual attestation — board attests to the FMA that the Fair Conduct Programme is fit for purpose and operating effectively | 🏛 Institutional | CON-001 | MOD-053 (LOG) — complaint register and IDR metrics feed the board attestation evidence pack. MOD-083 (LOG) — agent interaction logs evidence conduct standard compliance | 🔨 |

Fair Conduct Programme

| Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Establish and maintain a documented Fair Conduct Programme covering: products and services, distribution, complaints, remuneration and incentives, and training | 🏛 Institutional | CON-001 | Fair Conduct Programme design and board approval are institutional. MOD-083 (AUTO) — real-time CoFI obligations surfaced to customer-facing agents based on interaction type and customer vulnerability signals | 🔨 |
| Fair Conduct Programme must be publicly available | 🏛 Institutional | CON-001 | Publication is institutional. Platform provides no control over this obligation | — |
| Senior managers must be accountable for conduct obligations in their area of responsibility | 🏛 Institutional | CON-001, GOV-004 | Senior manager accountability is institutional governance. MOD-047 (LOG) — agent action log provides the audit trail for conduct events within each senior manager's area | 🔨 |

Fair conduct principles

| Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Treat customers fairly throughout the product lifecycle | 🤖 Automated | CON-001 | MOD-040 (AUTO) — at-risk customers proactively identified and contacted; fair conduct met before customer disengages. MOD-083 (AUTO) — compliance coaching nudges surfaced to agents in real time during customer interactions; warnings raised when an agent action would violate a policy control | 🔨 |
| No unfair pressure, undue influence, or unconscionable conduct | 🤖 Automated | CON-001 | MOD-051 (AUTO) — automated customer-configured actions executed exactly as configured, no discretionary deviation. MOD-105 (GATE) — product eligibility evaluation considers existing exposure, customer segment, and product complexity tier, ensuring products are not offered to unsuitable customers | 🔨 |
| Manage conflicts of interest — do not let conflicts result in customer harm | 📊 Evidenced | GOV-007 | MOD-083 (AUTO) — compliance coaching nudges logged against the interaction record; training and coaching evidence available for regulatory review. MOD-140 (GATE) — chart of accounts changes require four-eyes approval; proposer cannot be approver | 🔨 |
| No misleading or deceptive conduct in relation to products or services | 🤖 Automated | CON-001, CON-004 | MOD-050 (GATE) — disclosure enforcement gate ensures the correct regulated disclosure is presented and acknowledged before product acceptance; no bypass path. MOD-107 (CALC) — product recommendation ranking model periodically tested for demographic fairness | 🔨 |

Customer conduct obligations

| Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Identify and make provision for customers in vulnerable circumstances | 🤖 Automated | CON-003 | MOD-053 (AUTO) — vulnerable customer flags visible in every agent view; special handling applied automatically. MOD-065 (AUTO) — routes customers who meet hardship criteria into the hardship assessment workflow | 🔨 |
| Complaints handling must meet prescribed standards including appropriate escalation and resolution timeframes | 🤖 Automated | CON-002 | MOD-053 (ALERT) — IDR SLAs enforced automatically; agent cannot ignore a case past SLA without triggering escalation. MOD-083 (AUTO) — IDR complaint obligations surfaced to the agent in real time | 🔨 |

Distributor obligations

| Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- |
| Representatives and distributors are included in the licence obligations; the financial institution is responsible for their conduct | 🏛 Institutional | CON-001 | Distributor governance and contracts are institutional. MOD-083 (LOG) — interaction logs cover distributor-channel interactions where the platform is used | 🔨 |
| Product governance — products must be designed and distributed appropriately for their target market | 🤖 Automated | CON-006 | MOD-155 (AUTO) — customer characteristics automatically evaluated against target market criteria; out-of-target-market distribution events detected and recorded. MOD-153 (GATE) — customer acceptance gate enforces product eligibility before activation | 🔨 |


| Obligation | Owner | Platform evidence input |
| --- | --- | --- |
| Financial Institution Licence application and renewal | General Counsel / Board | Platform control environment evidence from MOD-047, MOD-048, MOD-053 |
| Fair Conduct Programme design and board approval | Chief Compliance Officer / Board | MOD-083 CoFI obligation surfacing provides programme data inputs |
| Annual board attestation to FMA | Board / Chief Compliance Officer | MOD-053 IDR metrics; MOD-083 interaction logs; MOD-155 distribution event records |
| Senior manager accountability frameworks | CEO / Chief People Officer | MOD-047 agent action logs by business unit |
| Staff training on CoFI obligations and fair conduct principles | Chief People Officer | MOD-083 coaching nudge interaction logs |
| FMA regulatory engagement and examination responses | Chief Compliance Officer | MOD-047, MOD-048, MOD-053 provide the audit evidence base |
| Fit and proper assessment of key personnel | Chief People Officer | Institutional HR and governance process |

Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 |
| --- | --- | --- | --- | --- |
| Licensing | 2 | 0 | 0 | 2 |
| Fair Conduct Programme | 3 | 0 | 0 | 3 |
| Fair conduct principles | 4 | 3 | 1 | 0 |
| Customer obligations | 2 | 2 | 0 | 0 |
| Distributor obligations | 2 | 1 | 0 | 1 |
| Total | 13 | 6 (46%) | 1 (8%) | 6 (46%) |

All attributed modules are currently build_status: Not started.

| Policy | Title |
| --- | --- |
| CON-001 | Customer Fairness & Conduct Policy |
| CON-002 | Complaints & Internal Dispute Resolution Policy |
| CON-003 | Vulnerable Customer Policy |
| CON-004 | Product Disclosure & Sales Practice Policy |
| CON-006 | Product suitability and governance |
| GOV-004 | Fit & Proper Policy |
| GOV-007 | Conflicts of Interest Policy |

See D04 Customer & Conduct for the full risk domain.
Official documentation
Policies referencing this standard
- CON-001 — Customer Fairness & Conduct Policy
- CON-003 — Vulnerable Customer Policy
- DT-009 — AI & algorithm policy
- GOV-004 — Fit & Proper Policy
- GOV-007 — Conflicts of Interest Policy
- PPL-001 — Code of Conduct Policy
- PPL-003 — Training & Competency Policy
Compiled 2026-05-22 from source/entities/regulations/nz-cofi-act.yaml