New Zealand's AML/CFT Amendment Bills - what the changes mean for your business

AML/CFT Amendment Bill ✅ Passed May 2026 - in effect now 

AML/CFT (Supervisor, Levy & Other Matters) Amendment Bill ✅ Passed May 2026 - takes effect 1 July 2026

If your business has to comply with New Zealand's anti-money laundering (AML) laws, you need to know about two new amendment bills that passed in May 2026. One is already in effect. The other kicks in on 1 July 2026. Neither is something to panic about, but both are worth understanding.

Why did the laws change?

The government has been working to update New Zealand's AML/CFT laws for a few years now. The goal is straightforward: make compliance less burdensome for honest businesses, while making the system better at catching actual financial criminals. The changes were driven by Associate Minister of Justice Hon Nicole McKee and are part of a wider reform programme.

The short version: the old rules were sometimes too rigid and repetitive, and these new laws aim to fix that.

Change 1: The AML/CFT amendment act - already in effect

This law came into effect in May 2026. It makes the compliance rules more practical and proportionate - meaning you only need to do what actually makes sense for your business's level of risk, rather than following a one-size-fits-all checklist.

What's changed?

Checking your customers' identities is now more flexible

The rules around customer due diligence (the process of verifying who your customers are) have been updated. One practical win: if you've already fully verified someone's identity once, you don't have to go through the full process again just because they also need enhanced checks. Less double-handling, same level of protection.

Verifying trust customers is now less burdensome

The rules around customer due diligence for trusts have been updated. When dealing with a trust customer, you are no longer required to separately verify the identity of beneficiaries and other trust-related individuals if you are satisfied that any risks have already been adequately mitigated through your standard and enhanced due diligence processes. This removes a layer of duplication for trust customers specifically, while still maintaining the same overall level of protection.

For higher-risk customers, the approach is now explicitly risk-based

The law has introduced a risk-based standard to how you identify whether a customer is a Politically Exposed Person (PEP). Previously you had to take "reasonable steps" - now the effort you put into PEP screening should be proportionate to the level of risk the customer presents.

This flexibility applies to the identification step only. Once a customer is confirmed as a PEP, the same obligations apply as before - including Enhanced Due Diligence and obtaining senior management approval before proceeding with the relationship.

Record-keeping requests now have clear timeframes

Previously, if a supervisor asked you to hand over records, the rules around timing were vague. Now there are clear deadlines - within 20 working days, or a date the specified in the notice. If the request is urgent, that must be stated explicitly and you'll need to comply as soon as possible.

Duplicate rules have been cut

Several regulations (like Regulation 7 on wire transfers) that said the same thing in different places have been removed. If you've ever felt like your compliance obligations were overlapping or contradicting each other, that's partly what this is addressing.

The definition of "beneficial owner" has been tidied up

A beneficial owner is the person who ultimately owns or controls a business you're dealing with. Previously, the definition was spread across separate regulations - now it sits cleanly within the main Act. In practical terms, this covers anyone who directly or indirectly owns more than 25% of shares or voting rights in an entity, or anyone who exercises ultimate control over a legal person or arrangement such as a trust or partnership.

Cash reporting now covers more types of physical value

If your business is involved in cross-border movement of value, be aware that reporting obligations now extend beyond cash to cover things like vouchers, casino chips, precious metals, and precious stones. If you move these across borders, the same reporting rules apply as with cash.

Stronger consequences for missing the basics

The law now makes it clearer that failing to file suspicious activity reports or failing to complete your risk assessment or annual AML/CFT report can result in civil liability. These have always been important obligations - this change reinforces that.

The DIA has updated its guidance to reflect all of these changes. You can find it at dia.govt.nz.

Change 2: The supervisor, levy & other matters act - takes effect 1 July 2026

This is the bigger structural change. From 1 July 2026, the way AML/CFT supervision is organised in New Zealand is fundamentally different. There are three things to know.

1. One supervisor instead of three

Right now, AML/CFT supervision is split between three government agencies - the Department of Internal Affairs (DIA), the Reserve Bank of New Zealand (RBNZ), and the Financial Markets Authority (FMA). Different businesses are supervised by different agencies depending on what sector they're in.

From 1 July 2026, the DIA takes over everything. It becomes the single AML/CFT supervisor for all New Zealand businesses - regardless of sector.

If you're currently supervised by the FMA or the RBNZ, your relationship moves to the DIA. Anything that was in place with your previous supervisor - registrations, approvals, existing undertakings - automatically carries over. You don't need to start from scratch, but you do need to familiarise yourself with how the DIA operates.

The upside is simplicity: one agency, one set of expectations, one relationship to manage.

2. A new levy is coming

To fund the ongoing work of running the AML/CFT system, all reporting entities will be required to pay an annual levy. The amount hasn't been set yet - it will be confirmed by regulation - but it is coming.

The levy will help cover the costs of running the supervisory work programme, the national AML/CFT strategy, and the administration of the regime. The Ministry of Justice will report publicly on how the money is spent each year and will periodically review whether the levy is set at the right level.

Start factoring this into your compliance budget now. The exact figure isn't known yet, but it's worth being prepared.

3. The regulator can now update the rules more quickly

Currently, if the government needs to change an AML/CFT requirement, it usually has to go through a full legislative or regulatory process - which takes time. Under the new law, the DIA will have the ability to make "rules" and issue "notices" to update specific requirements more quickly, without needing a new Act of Parliament.

This is a double-edged change. On one hand, it means the rules can stay current and keep up with how financial crime evolves. On the other hand, it means the compliance landscape could change more frequently than it has in the past.

The good news is that consultation is required before rules are made, and the DIA must publish its reasons. You won't be caught off guard by changes with no notice - but you will need to stay on top of updates from the DIA.

The bottom line for your business

These changes are largely positive for businesses that are already doing the right things. The rules are more proportionate, less repetitive, and clearer than before. But they also raise the stakes for getting the basics wrong - especially around suspicious activity reporting and risk assessments.

If you're supervised by the FMA or RBNZ, your supervision moves to the DIA on 1 July. Get familiar with the DIA's approach and guidance before then.

A levy is on its way. It's not set yet, but budget for it.

And keep an eye on updates. The DIA can now update rules more quickly than before, so subscribing to the DIA's news updates at dia.govt.nz (https://www.dia.govt.nz/AML-CFT-News) is a good habit to get into.

How APLYiD can help

AML/CFT compliance can feel overwhelming, especially when the rules are changing. APLYiD is a platform designed to make it simpler.

At its core, APLYiD helps you verify who your customers are - quickly, reliably, and in a way that fits the risk level involved. That means you're doing the right checks, on the right people, without creating unnecessary hassle for you or your customers.

As the rules shift toward a more risk-based approach, having a system that can flex with those requirements - and provide a clear record of what you've done and why - is increasingly important. Whether it's a new customer, a beneficial ownership check, or keeping your compliance records in order, APLYiD helps you stay on top of it without needing to be a compliance expert.

With the DIA becoming the sole supervisor from July and a new regulatory strategy running through to 2030, now is a sensible time to make sure your identity verification and customer due diligence processes are working for you, not against you.

For the latest guidance and updates, visit dia.govt.nz. For more on the reform programme, visit justice.govt.nz.