It has been a fast few months for Anti-Money Laundering and Countering Financing of Terrorism ("AML/CFT") reform. Most notably with:
- the passage of the Statutes Amendment Bill, reducing reporting entities' address verification obligations; and
- last month's release of the AML/CFT National Strategy and Work Programme 2026–2030, which is the focus of this alert.
The incoming AML/CFT (Supervisor, Levy, and Other Matters) Amendment Bill requires the Government to publish an AML/CFT National Strategy and Work Programme – which the Minister released ahead of the Bill on 13 February.
National Strategy
With the Department of Internal Affairs ("DIA") becoming the sole supervisor in mid‑2026, the Strategy confirms a shift towards what the Minister calls a "truly risk‑based" system. It clarifies the Government’s intentions for the regime and the rationale behind the Work Programme. The National Strategy sets six strategic objectives:
- the regulatory framework is effective and efficient;
- high quality data, information and intelligence drive risk-based decision making;
- the single supervisor model is successfully implemented;
- the right tools are in place to detect and deter financial crime;
- targeted financial sanctions are embedded into the AML/CFT system; and
- the AML/CFT system is aligned with international standards and best practice.
For reporting entities, the Strategy's message is pragmatic: the Government remains focused on the ease of doing business while keeping the system effective and proportionate.
Work programme
The Work Programme is the important release for reporting entities. It outlines the initiatives that will directly affect reporting entities' customer due diligence obligations and compliance costs. While the Government has not yet provided detail on the proposals, it is helpful to see where the reform agenda is heading. The most significant proposals are summarised below.
Actions beginning in 2026/27
The Government plans to progress its existing legislative programme, including:
- reforming the requirements for customer due diligence;
- introducing Targeted Financial Sanctions obligations into the AML/CFT system;
- establishing the single supervisor;
- introducing an industry levy to fund the system; and
- reforming offences and penalties in the AML/CFT Act.
Some of the Government's planned actions are clearly focused on risk:
- the DIA will build a "risk-based supervision operating model" with "enforcement measures dependent on the level of risk";
- the DIA will also issue a new Identity Verification Code of Practice for verifying names and dates of birth in standard and enhanced due diligence, again "in accordance with a risk-based approach"; and
- the Ministry of Justice will review reporting entities' prescribed transaction reporting obligations. It will also consider ways to reduce the compliance burden while keeping useful financial intelligence flowing.
In other areas, the DIA is stepping up its supervision:
- The DIA intends that all reporting entities will be identified and registered on goAML. It plans to use existing licensing requirements and other sources to identify them. We expect this will be a significant undertaking, given the number of entities relying on exemptions or which fall outside the AML/CFT Act's territorial scope.
- Taking over from the RBNZ, the DIA will begin carrying out on- and off-site AML/CFT supervision of registered banks. The five major banks' supervision will be "regular", while other registered banks will receive on- and off-site supervision as required, with at least one onsite inspection every five years. This inspection regime may evolve following the implementation of the Deposit Takers Act.
There is also good news regarding the work on sector risk assessments and guidance. The DIA will carry out further sector risk assessments (including for online casinos), and will develop "an ongoing programme of outreach, timely guidance and training" for reporting entities.
Actions beginning in 2027/28 and beyond
The Government has flagged a meaningful reduction in the burden of simplified customer due diligence from 2027/28. The DIA plans to issue a new code of practice for simplified customer due diligence:
"empowering reporting entities to self-determine circumstances in which the money laundering and terrorism financing risks are low, and reduced or minimal customer due diligence is required."
The Government will also consider several other significant changes to the AML/CFT regime, with potentially material impacts on reporting entities, including:
- reviewing how reporting entities treat customers with nominee directors, shareholders, or general partners;
- establishing a cross-agency team dedicated to exemptions;
- creating a licensing scheme for high‑risk sectors that are not otherwise licensed;
- mandatory registration by reporting entities;
- considering changing the regime's territorial scope; and
- creating a beneficial ownership register for trusts.
One of the key issues with the existing regime has been the lack of resourcing allocated to the processing of exemptions. This has resulted in significant delays in the review of exemption applications (sometimes over a year), which can delay the release of innovative new products and services. The establishment of a dedicated cross-agency exemptions team should, if adequately resourced, alleviate some of those delays.
What's missing
While it's helpful to have clarity after so much reform activity, the release does not yet provide full operational detail. More detail on how the industry levy will work, such as how it will be calculated and when it will be reviewed, would be welcome.