AML/CFT regulations: Four months to stage two of reforms - the final countdown

  • Legal update

    23 January 2024


On 1 June 2024, the second stage of the amendment regulations under the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009 (Regulations) will come into force. This follows the first stage which commenced in July 2023, and comes ahead of the third stage on 1 June 2025.

This second stage will bring in significant changes that reporting entities (and, in particular, virtual asset service providers (VASPs)) will need to be on top of. Compliance documents and processes, as well as systems, will need to be updated. The investment of time and resources that this will take, in order to be compliant on 1 June, should not be underestimated.

We have previously discussed the Regulations more generally, and the commencement of the first stage.

Who needs to read it? Why?

Reporting entities of all stripes should be following the changes under the Regulations, and in particular this stage two of the reforms, which are part of the wider suite of changes following the 2021 - 2022 Statutory Review of the AML/CFT regime. While the first stage of changes to the Regulations was, in the words of the Ministry of Justice, aimed at “provid[ing] immediate regulatory relief”, this second is framed as “introduc[ing] new obligations for entities that already have existing AML/CFT obligations”. It was deliberately timed to give reporting entities 12 months to prepare for compliance.

Reporting entities will need to be alert to these changes, and ensure they have the correct systems and processes in place to maintain compliance with their updated AML/CFT obligations as soon as they commence on 1 June.

What does it cover?

There are a number of impactful changes around VASPs, customer due diligence (CDD), and wire transfers that should be given particular focus, as well as a range of narrower adjustments to the regime.


VASPs will be paying attention to the ongoing formalisation and clarification of their treatment under the AML/CFT regime in the Regulations. These second-stage additions will mark a significant step up in the compliance and reporting systems that they will need to have in place (and reflected in their documents).

  • The deposit, withdrawal, exchange, or transfer of virtual assets will be considered transactions for the purposes of the AML/CFT Act.
  • Virtual asset to virtual asset transfers and virtual asset to fiat currency (or vice versa) transfers will be treated as wire transfers, and in particular will have to be treated as international wire transfers (unless the reporting entity is satisfied all parties are in New Zealand) – formalising what is currently supervisor expectation.
  • Virtual asset transactions for an amount of $1,000 or more (individually, or as several linked operations) outside of a business relationship will be considered occasional transactions.

This second stage also brings changes to the CDD that all reporting entities will be doing. Unless reporting entities have already been collecting this information (and sufficiently verifying it, which may not be the case for voluntary collection) and carrying out these measures, this likely represents a substantive change to CDD processes that will need to be reflected in AML/CFT compliance documents.

  • Standard CDD on legal persons and legal arrangements will have to include obtaining and verifying information relating to their legal form and proof of existence, their ownership and control structure, and any powers that bind and regulate them, as well as additional information for companies (nominee directors or shareholders), limited partnerships (nominee general partners), and trusts (settlors and protectors) – the verification required varies between these, and should be carefully considered.
  • Where enhanced CDD is required for a business relationship, a reporting entity must carry out “additional enhanced [CDD] measures” before establishing, and during, the business relationship if source of funds and/or wealth information is “not sufficient to manage and mitigate the risks of money laundering and the financing of terrorism”.
  • Ongoing CDD and account monitoring will have to (according to the level of risk) include updating and verifying customer information following the required regular reviews (including considering the adequacy of information held, and when CDD was last conducted), as well as regularly reviewing any information about designated non-financial business or profession activities.

Wire transfers and reporting

Wire transfers, and the information and reporting requirements around making them, often bring complications for reporting entities. While the Regulations have already clarified much of the uncertainty that there was around wire transfers before, this second stage of changes will pull into that regime entities that may previously not have been.

  • Ordering institutions making international wire transfers of less than $1,000 will be required to ensure specified identification information about the originator and beneficiary accompanies each wire transfer, but need not verify that information unless there are grounds to report a suspicious activity.
  • Intermediary and beneficiary institutions of international wire transfers will have to, in their AML/CFT compliance programmes, address what steps they will take to identify international wire transfers lacking the required originator or beneficiary information, and what they will do in relation to those transfers.
  • The exemption for intermediary institutions from having to submit prescribed transaction reports (PTRs) will stop applying to operators of money or value transfer services (MVTS operators) that are not registered banks, so they will have to begin doing so.
  • MVTS operators that are ordering or beneficiary institutions of wire transfers outside New Zealand that are required to make a suspicious activity report will have to provide a copy of that report to the relevant financial intelligence unit in any countries affected by the suspicious activity.
  • Stage 2 clarifies that enhanced CDD must be done where there are grounds to report a suspicious activity, even where simplified CDD would otherwise apply (an approach we expect was already commonplace). That was assumed to be the case by many.
  • The enhanced CDD trigger for nominees in respect of limited partnerships will be reframed as being where the customer is a limited partnership with a nominee general partner, rather than the customer being the nominee general partner itself (which fits better with typical commercial practice).
  • Where reporting entities rely on other entities overseas for CDD purposes, they will be required to take particular steps to ensure that the standards applied are comparable to the AML/CFT Act or that the relevant other country’s risk level has been appropriately considered (as applicable).
  • Standard CDD will be required where a person seeks to conduct a transaction through a reporting entity outside of a business relationship but that is not an occasional transaction where there are grounds to report a suspicious activity.
  • Ordering institutions making international wire transfers will have to keep records of beneficiary names and account numbers or transaction reference numbers.
  • Intermediary institutions processing international wire transfers that, for technological reasons, are unable to provide any information they obtained about originators to respective beneficiary institutions will have to keep a record of that information.
  • MVTS operators will explicitly have to comply with the wire transfer requirements, and where they utilise an agent/sub-agent for wire transfers the originator or beneficiary will be their customer rather than the agent/sub-agent.
  • MVTS operators that make funds available to beneficiaries of international wire transfers by depositing physical cash into bank accounts at registered banks will be required to submit PTRs of the information they hold.
  • Reporting entities will be required to, in their AML/CFT compliance programmes, set out specified procedures, policies, and controls for the use of agents and appropriately distinguish between when they will obtain and verify source of funds information, source of wealth information, or both for enhanced CDD.
  • Reporting entities will be required to review their risk assessments to take account of any new or developing technologies or products (including any new delivery mechanisms) that they use, before they use them.
  • The record-keeping requirements with undefined retention periods will gain one of at least 5 years.
  • Prescribed transaction reports will be considered records.
  • The exemption from some record-keeping requirements for transactions outside business relationships but that are not occasional transactions will be revoked.
  • Reporting entities that, in the ordinary course of business, carry out activities of other types of reporting entity will be required to comply with the AML/CFT Act in respect of them.
  • An express reference will be added to AML/CFT supervisors being able to decline the formation of designated business groups.
  • The exemption from some parts of the regime for relevant services provided in respect of certain remittance card facilities will be revoked.
  • The amount of time in advance that reports for the cross-border transportation of unaccompanied cash must be provided will be set to at least 72 hours ahead of receipt or departure (as the case may be).
  • The exclusion of pawnbrokers from being reporting entities will no longer apply to those that are high-value dealers.
  • Reporting entities will be prohibited from establishing or continuing correspondent banking relationships with banks registered in North Korea. To our understanding, this is the first instance under this regime of prohibiting relationships with entities from a prescribed country.

The Regulations in full can be found at the following links:

Our view

The bottom line is that for almost all reporting entities there will be things they need to reflect in their compliance documents and processes, as well as IT systems. This takes time, and it would be advisable to get it moving if it is not already.

We understand that, for technical reasons, adjusting automated detection and reporting systems can often have a deceptively long build period – even more so to put them in place initially. Entities affected by the widening of the wire transfer requirements, such as VASPs and non-bank intermediary institutions, will want to have this process underway to avoid time running out.

Particularly given this lead-in period, the supervisors are likely to expect full compliance come 1 June. Any uncertainties or questions around application should be addressed ahead of that.

What next?

If you have any questions about the new Regulations coming into force, the wider AML/CFT reforms, or the regime more generally, please do not hesitate to contact one of our experts.

The Regulations will also bring their last few changes on 1 June 2025. We expect the most impactful of these will be the requirement to risk rate customers for CDD. Reporting entities should be looking to build that capability into their systems, if they have not already begun doing so, to ensure they can be compliant when the time comes. (Other changes, around internet auctions and online marketplaces, are more sector-specific.)

The Regulations are just the first component of the Ministry of Justice’s wider reform agenda for the AML/CFT regime, following its 2021-2022 Statutory Review of the regime and the Financial Action Task Force’s Mutual Evaluation of New Zealand that preceded it (both of which we have previously discussed).

The other parts of the wider reform agenda arising out of the Statutory Review and other submissions are expected to move in a series of different tranches over the next few years, depending on whether they require legislative change (to the AML/CFT Act itself), further regulatory change (following additional consultation), the issuing of a code of practice or Ministerial exemption, or a change in supervisory guidance or operational practices.


This article was co-authored by Sam Short, Senior Solicitor, and William Ma, Solicitor, from our Banking and Financial Services team.